Using drutil_insert_get_mem_addr


B.R.

Aug 20, 2012, 11:20:09 AM
to DynamoRIO Users
Hello,

I am now using drutil_insert_get_mem_addr to compute memory addresses used at analysis time.

However I have strange readings and I believe I made mistakes instrumenting the memory context.

Here is my code sample:
reg_id_t reg1 = DR_REG_XBX; /* We can optimize it by picking dead reg */
reg_id_t reg2 = DR_REG_XCX; /* reg2 must be ECX or RCX for jecxz */
dr_save_reg(drcontext, bb, instr, reg1, SPILL_SLOT_2);
dr_save_reg(drcontext, bb, instr, reg2, SPILL_SLOT_3);

drutil_insert_get_mem_addr(drcontext, bb, instr, operand, reg1, reg2);

/* memory operand address shall be computed with registers context before the instruction has been executed */
dr_insert_clean_call(drcontext, bb, instr, (void *)processMemOperand, false, 4, OPND_CREATE_INTPTR(1), OPND_CREATE_INTPTR(tIns), OPND_CREATE_INTPTR(operandSize), OPND_CREATE_INTPTR(reg_get_value(reg1, &mcontext)));

/* Supplementary call for (re)filling values *after* the instruction has been executed */
dr_insert_clean_call(drcontext, bb, next_instr, (void *)fillMemValues, false, 1, OPND_CREATE_INTPTR(tIns));

dr_restore_reg(drcontext, bb, instr, reg1, SPILL_SLOT_2);
dr_restore_reg(drcontext, bb, instr, reg2, SPILL_SLOT_3);

Things you'll need to understand that piece of code:
processMemOperand takes:
- int 1 -> I/O mode (W)
- tIns -> pointer to the structure storing instruction data
- size of operand -> needed for safe_read
- computed address to read from

The second clean call calls a procedure reading the memory address stored in the tIns structure after the instruction has been executed. This is done for written memory operands only.

Sample (XP's hostname.exe):
(6A 28) PUSH 28
(68 B0100001) PUSH hostname.010010B0

Output:
6a28
Written register: esp = 7ffc4
Written memory: 7ffd4000 (4) = 0 --> should be
7ffc0 (4) = 28 (new ESP value + value stored on stack)
Written register: esp = 7ffc0

68b0100001
Read register: esp = 7ffc0
Written memory: 7ffd4000 (4) = 0
--> should be 7ffbc (4) = 10010B0 (new ESP value + value stored on stack)
Written register: esp = 7ffbc

Am I doing it right? I guess not... but where/why?

---
B.


Reid Kleckner

Aug 20, 2012, 11:42:11 AM
to dynamor...@googlegroups.com
Oh, this:
OPND_CREATE_INTPTR(reg_get_value(reg1, &mcontext))

It looks like you are getting the mcontext at instrumentation time, not execution time, so you are getting the value reg1 holds just before the bb is first executed.

You probably want opnd_create_reg(reg1).




--
You received this message because you are subscribed to the Google Groups "DynamoRIO Users" group.
To post to this group, send email to dynamor...@googlegroups.com.
To unsubscribe from this group, send email to dynamorio-use...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/dynamorio-users?hl=en.
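The instrumentation-time versus execution-time distinction Reid draws above, shown as an added toy model (this is not DynamoRIO code; the register numbering, the opnd_t/memref_t layouts and every helper name are assumptions made for the example): the bb is built once, an immediate argument freezes whatever address the context happened to give at instrumentation time, while a register argument is resolved anew on every execution, after the inserted lea has loaded the scratch register.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model, added for illustration: it is not DynamoRIO code. Register
 * numbering, the opnd_t/memref_t layouts and the helper names are all
 * assumptions made for this example. */
typedef enum { R_EAX, R_EBX, R_ECX, R_EDX, R_ESP, R_EBP, R_ESI, R_EDI, R_NONE } reg_t;
typedef struct { uint32_t r[8]; } ctx_t;

/* A clean-call argument is either a constant baked in when the bb is built
 * (OPND_CREATE_INTPTR of a value computed at instrumentation time) or a
 * register reference that is read when the clean call actually runs
 * (opnd_create_reg). */
typedef enum { OP_IMMED, OP_REG } opnd_kind_t;
typedef struct { opnd_kind_t kind; uint32_t immed; reg_t reg; } opnd_t;

static opnd_t opnd_immed(uint32_t v) { opnd_t o = { OP_IMMED, v, R_NONE }; return o; }
static opnd_t opnd_reg(reg_t r)      { opnd_t o = { OP_REG, 0, r };       return o; }

/* Resolve an argument against the live context, as happens at execution time. */
static uint32_t resolve(opnd_t o, const ctx_t *live) {
    return o.kind == OP_IMMED ? o.immed : live->r[o.reg];
}

/* A memory operand: base + index*scale + disp. */
typedef struct { reg_t base; reg_t index; uint32_t scale; int32_t disp; } memref_t;

uint32_t effective_address(memref_t m, const ctx_t *ctx) {
    uint32_t ea = (uint32_t)m.disp;            /* two's complement wrap is intended */
    if (m.base  != R_NONE) ea += ctx->r[m.base];
    if (m.index != R_NONE) ea += ctx->r[m.index] * m.scale;
    return ea;
}

/* The slot a 32-bit PUSH writes, evaluated before ESP is decremented: [esp-4]. */
static const memref_t push_slot = { R_ESP, R_NONE, 0, -4 };

uint32_t push_slot_address(uint32_t esp) {
    ctx_t ctx = { { 0 } };
    ctx.r[R_ESP] = esp;
    return effective_address(push_slot, &ctx);
}

typedef struct { opnd_t stale_arg; opnd_t live_arg; } instrumented_bb_t;

/* Instrumentation time: runs once, with whatever context the thread has when
 * the bb is first built. */
instrumented_bb_t instrument(const ctx_t *ctx_at_instrumentation) {
    instrumented_bb_t bb;
    /* The bug in the first post: reading the register here produces one
     * number, which is then frozen into the generated code as an immediate. */
    bb.stale_arg = opnd_immed(effective_address(push_slot, ctx_at_instrumentation));
    /* The fix: pass the scratch register that the inserted address computation
     * loads (lea ebx,[esp-4]) right before the call, so it is fresh each run. */
    bb.live_arg = opnd_reg(R_EBX);
    return bb;
}

/* Execution time: the inserted lea runs, then the arguments are resolved. */
static void execute(const instrumented_bb_t *bb, ctx_t *ctx,
                    uint32_t *stale, uint32_t *live) {
    ctx->r[R_EBX] = effective_address(push_slot, ctx);   /* lea ebx,[esp-4] */
    *stale = resolve(bb->stale_arg, ctx);
    *live  = resolve(bb->live_arg, ctx);
}

/* Build the bb once with ESP = esp_first, run it again with ESP = esp_later,
 * and report what each argument variant hands to the analysis routine. */
static void rerun(uint32_t esp_first, uint32_t esp_later,
                  uint32_t *stale, uint32_t *live) {
    ctx_t ctx = { { 0 } };
    ctx.r[R_ESP] = esp_first;
    instrumented_bb_t bb = instrument(&ctx);
    uint32_t s, l;
    execute(&bb, &ctx, &s, &l);          /* first execution: both variants agree */
    ctx.r[R_ESP] = esp_later;
    execute(&bb, &ctx, stale, live);     /* later execution: only live is right */
}

uint32_t addr_seen_stale(uint32_t esp_first, uint32_t esp_later) {
    uint32_t s, l; rerun(esp_first, esp_later, &s, &l); return s;
}
uint32_t addr_seen_live(uint32_t esp_first, uint32_t esp_later) {
    uint32_t s, l; rerun(esp_first, esp_later, &s, &l); return l;
}

int main(void) {
    /* ESP values taken from the first post's output: 7ffc4, then 7ffbc. */
    printf("instrumentation-time immediate: %x\n", addr_seen_stale(0x7ffc4, 0x7ffbc));
    printf("execution-time register:        %x\n", addr_seen_live(0x7ffc4, 0x7ffbc));
    return 0;
}
```

With the ESP values from the first post, both variants report 7ffc0 the first time the bb runs, which is why the bug is easy to miss; on the next execution the immediate still says 7ffc0 while the register variant follows ESP to 7ffb8.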

B.R.

Aug 20, 2012, 2:07:27 PM
to DynamoRIO Users
Here is the corrected piece of code:

reg_id_t reg1 = DR_REG_XBX; /* We can optimize it by picking dead reg */
reg_id_t reg2 = DR_REG_XCX; /* reg2 must be ECX or RCX for jecxz */
dr_save_reg(drcontext, bb, instr, reg1, SPILL_SLOT_2);
dr_save_reg(drcontext, bb, instr, reg2, SPILL_SLOT_3);

drutil_insert_get_mem_addr(drcontext, bb, instr, operand, reg1, reg2);

/* memory operand address shall be computed with registers context before the instruction has been executed */
dr_insert_clean_call(drcontext, bb, instr, (void *)processWriteMemOperand, false, 4, OPND_CREATE_INTPTR(1), OPND_CREATE_INTPTR(tIns), OPND_CREATE_INTPTR(operandSize), OPND_CREATE_INTPTR(reg1));


/* Supplementary call for (re)filling values *after* the instruction has been executed */
dr_insert_clean_call(drcontext, bb, next_instr, (void *)fillMemValues, false, 1, OPND_CREATE_INTPTR(tIns));

dr_restore_reg(drcontext, bb, instr, reg1, SPILL_SLOT_2);
dr_restore_reg(drcontext, bb, instr, reg2, SPILL_SLOT_3);

I still get a strange memory context at analysis time (based on series of reg_get_value(DR_REG_XXX, &mcontext) calls):
EAX = 20502800
EBX = 20502800
ECX = 40
EDX = 205dd290
EBP = 2056eeec
ESP = 7ffc4
EDI = 205dd290
ESI = 20502800

Output of hostname.exe provides the following:
@10011d7
Written memory 20502800 (4) = 0 (read 4)

Where did I do something wrong?
---
B.




On Mon, Aug 20, 2012 at 12:00 PM, B.R. <reallfqq-...@yahoo.fr> wrote:
Yes, it was the purpose of the answer to my own message. :oP

However, OPND_CREATE_INTPTR(reg1) is better since it creates a reference to the actual register whereas opnd_create_reg(reg1) creates a whole new register.
If opnd_create_reg is used, the value 0 is read in analysis context and not the actual value.

Anyway...

I moved the reg_get_value in the analysis procedure, and I output the value returned to test whether it is correct or not.
2 facts:
- The value returned is the one contained in EBX as requested (the output is checked against reg_get_value(DR_REG_XBX, &mcontext) at analysis time)
- The value is still not correct: the memory context holds 16342800 (random value with no correspondence to real values) :o\

Am I getting mad again? :oP
---
B.

Reid Kleckner

Aug 20, 2012, 2:31:06 PM
to dynamor...@googlegroups.com
OK, passing the register id should work too.

OPND_CREATE_INTPTR(tIns) might be a problem if you aren't ensuring that tIns always points to valid memory at execution, but I'm assuming you have some strategy for dealing with that.

I can't say what's wrong from looking at these snippets.  Are you sure these values are wrong?  From the register values you dumped, it looks like the operand is [eax], and eax = 20502800.  The other registers seem to be pointers within the same region.

B.R.

Aug 20, 2012, 2:38:11 PM
to dynamor...@googlegroups.com
Yes, I am sure.

I detailed the instructions in a previous post.
hostname.exe starts with 2 PUSH.

PUSH = 1 register read (old value of ESP), 1 register write (new value of ESP), 1 memory write (new value put at top of stack)
DynamoRIO also detects 1 immediate operand --> WTF?

I traced the binary with some Pin tools, which return understandable values, and I checked them inside a debugger and they are correct.

In conclusion: Those values are indeed crap.
The question is: why? I probably made at least one mistake but they are not to be found yet.
---
B.

Reid Kleckner

Aug 20, 2012, 2:49:43 PM
to dynamor...@googlegroups.com
On Mon, Aug 20, 2012 at 2:38 PM, B.R. <reallfqq-...@yahoo.fr> wrote:
Yes, I am sure.

I detailed the instructions in a previous post.
hostname.exe starts with 2 PUSH.

OK, it wasn't clear that these were the same memory operands, but that makes sense.
 
PUSH = 1 register read (old value of ESP), 1 register write (new value of ESP), 1 memory write (new value put at top of stack)
DynamoRIO also detects 1 immediate operand --> WTF?

Well, yes, the instruction was "PUSH 28".  The immediate operand is 28.
 
I traced the binary with some Pin tools, which return understandable values, and I checked them inside a debugger and they are correct.

In conclusion: Those values are indeed crap.
The question is: why? I probably made at least one mistake but they are not to be found yet.

I would look at the assembly dump of the bb before and after instrumentation.  This will make clear who writes ebx.

You can create it yourself with instrlist_disassemble, or crank up the logging with -ops '-loglevel 3' and look in the logs directory.  If you used the custom VS build you described, I'm not sure if the logs will get created properly.

Derek Bruening

Aug 20, 2012, 2:59:00 PM
to dynamor...@googlegroups.com
What code is obtaining the mcontext?  Are you getting the values of the regs you spilled from the spill slots instead of the mcontext?



B.R.

Aug 20, 2012, 3:24:37 PM
to dynamor...@googlegroups.com
> Well, yes, the instruction was "PUSH 28".  The immediate operand is 28.
Just... lol
My bad 0,0
Supplementary question, though: How do you get an immediate int value?
You have opnd_is_immed (opnd_t opnd), opnd_is_immed_int (opnd_t opnd) and opnd_is_immed_float (opnd_t opnd) functions to check the operand type, but only the opnd_get_immed_float (opnd_t opnd) to get a float value.
Float -> int conversion seems a bit risky.


> What code is obtaining the mcontext?  Are you getting the values of the regs you spilled from the spill slots instead of the mcontext?
dr_mcontext_t mcontext;
mcontext.size = sizeof(dr_mcontext_t);
mcontext.flags = (dr_mcontext_flags_t)(DR_MC_INTEGER|DR_MC_CONTROL);
bool mcontextOK = dr_get_mcontext(dr_get_current_drcontext(), &mcontext);

... and using &mcontext as a pointer to the mcontext structure (in local address space only, thus only valid in the current function).
---
B.

Reid Kleckner

Aug 20, 2012, 4:01:46 PM
to dynamor...@googlegroups.com
On Mon, Aug 20, 2012 at 3:24 PM, B.R. <reallfqq-...@yahoo.fr> wrote:
> Well, yes, the instruction was "PUSH 28".  The immediate operand is 28.
Just... lol
My bad 0,0
Supplementary question, though: How do you get an immediate int value?
You have opnd_is_immed (opnd_t opnd), opnd_is_immed_int (opnd_t opnd) and opnd_is_immed_float (opnd_t opnd) functions to check the operand type, but only the opnd_get_immed_float (opnd_t opnd) to get a float value.
Float -> int conversion seems a bit risky.

Uh oh, a bug in our Doxygen comments:
DR_API
/* Assumes opnd is an immediate integer, returns its value. */
ptr_int_t
opnd_get_immed_int(opnd_t opnd);

It should be "/** ... */".
 

> What code is obtaining the mcontext?  Are you getting the values of the regs you spilled from the spill slots instead of the mcontext?
dr_mcontext_t mcontext;
mcontext.size = sizeof(dr_mcontext_t);
mcontext.flags = (dr_mcontext_flags_t)(DR_MC_INTEGER|DR_MC_CONTROL);
bool mcontextOK = dr_get_mcontext(dr_get_current_drcontext(), &mcontext);

... and using &mcontext as a pointer to the mcontext structure (in local address space only, thus only valid in the current function).

Meaning inside the analysis routine?  That should work.  I'd look at the generated code.

B.R.

Aug 20, 2012, 4:03:15 PM
to B.R., dynamor...@googlegroups.com
Btw,


> OPND_CREATE_INTPTR(tIns) might be a problem if you aren't ensuring that tIns always points to valid memory at execution, but I'm assuming you have some strategy for dealing with that.
Yes I ensured the address is valid, the tIns structure allocation is handled manually through malloc and free.
It is allocated at instrumentation time, before being passed as a parameter to the analysis procedure and is only deleted through the event_exit callback.

However this structure is not involved in the trouble getting a register value from the context. This address is not stored there. The only thing I'll write to it is the value stored at that address.
---
B.





B.R.

Aug 20, 2012, 4:06:03 PM
to dynamor...@googlegroups.com
> Uh oh, a bug in our Doxygen comments
:oP


> Meaning inside the analysis routine?
Yes. I even get insulted by my own tool when mcontextOK is false... Respectless creation, I tell you
---
B.





B.R.

Aug 20, 2012, 4:36:44 PM
to dynamor...@googlegroups.com
I called instrlist_disassemble before and after the bb instrumentation loop.
I used a custom file with fopen/fclose.
I had to use the following to transform the FILE* into a HANDLE: (HANDLE)_get_osfhandle(_fileno(outFile))
Not very convenient...

Not related but I got this message at runtime:
> gethostname:Unknown error number
It's related to the file I/O operations

TAG  0x7c81cac9
 +0    L3              57                   push   edi
 +1    L3              6a ff                push   0xff
 +3    L3              ff d6                call   esi
END 0x7c81cac9

TAG  0x7c81cac9
 +0    L3              57                   push   edi
 +1    L3              6a ff                push   0xff
 +3    L3              ff d6                call   esi
END 0x7c81cac9

Hmm... Doesn't seem to bring much information :oD
Did I miss something?

You are right about the log trouble. I gave up a long time ago on that particular subject with DynamoRIO on Windows...
---
B.





B.R.

Aug 20, 2012, 4:58:02 PM
to DynamoRIO Users
My bad once again... Am I tired or what?

Here is the BBL debug output:
TAG  0x010011d7
 +0    L3              6a 28                push   $0x00000028 %esp -> %esp 0xfffffffc(%esp)
 +2    L3              68 b0 10 00 01       push   $0x010010b0 %esp -> %esp 0xfffffffc(%esp)
 +7    L3              e8 91 01 00 00       call   $0x01001374 %esp -> %esp 0xfffffffc(%esp)
END 0x010011d7

TAG  0x010011d7
 +0    m4 @0x233112a4  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +5    m4 @0x233112e4  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +10   m4 @0x23311370  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +13   m4 @0x233138cc  bc 24 10 28 23       mov    esp, 0x23281024
 +18   m4 @0x23311ab0  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +24   m4 @0x23312774  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +30   m4 @0x233119a4  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +36   m4 @0x233117dc  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +42   m4 @0x233119e4  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +48   m4 @0x233113fc  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +54   m4 @0x2331157c  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +60   m4 @0x23311710  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +66   m4 @0x2331102c  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +72   m4 @0x233115c8  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +78   m4 @0x233116d0  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +84   m4 @0x2331185c  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +90   m4 @0x2331106c  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +95   m4 @0x23311614  68 00 00 00 00       push   0x00000000
 +100  m4 @0x233113bc  9c                   pushfd
 +101  m4 @0x23311190  60                   pushad
 +102  m4 @0x23311228                       <label>
 +102  m4 @0x23311144  68 15 00 00 00       push   0x00000015
 +107  m4 @0x23311c64  68 90 00 00 00       push   0x00000090
 +112  m4 @0x23311a64  68 f0 b3 35 23       push   0x2335b3f0
 +117  m4 @0x233128bc  68 00 00 00 00       push   0x00000000
 +122  m4 @0x23311494  e8 9f 6d cf ec       call   0x10005350
 +127  m4 @0x23311918  8d 64 24 10          lea    esp, [esp+0x10]
 +131  m4 @0x23311a24  61                   popad 
 +132  m4 @0x23311af0  9d                   popfd 
 +133  m4 @0x23312800  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +140  m4 @0x233110ac  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +145  m4 @0x23311750  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +150  m4 @0x233111dc  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +155  m4 @0x2331181c  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +161  m4 @0x23311684  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +167  m4 @0x23311790  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +173  m4 @0x23311448  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +179  m4 @0x23311530  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +185  m4 @0x233129bc  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +191  m4 @0x2331377c  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +197  m4 @0x23311958  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +203  m4 @0x233127b4  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +209  m4 @0x233128fc  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +215  m4 @0x233118c0  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +221  m4 @0x2331297c  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +224  m4 @0x23312a3c  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +229  m4 @0x23313c4c  67 64 89 1e ec 0e    mov    dword ptr [fs:0x00000eec], ebx
 +235  m4 @0x23313e04  67 64 89 0e e8 0e    mov    dword ptr [fs:0x00000ee8], ecx
 +241  m4 @0x23313e50  8d 5c 24 fc          lea    ebx, [esp-0x04]
 +245  m4 @0x23314018  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +250  m4 @0x23313fcc  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +255  m4 @0x233135f4  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +258  m4 @0x233141ac  bc 24 10 28 23       mov    esp, 0x23281024
 +263  m4 @0x233132b0  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +269  m4 @0x233130dc  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +275  m4 @0x23313ee8  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +281  m4 @0x233139ac  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +287  m4 @0x23314284  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +293  m4 @0x23313394  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +299  m4 @0x23313128  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +305  m4 @0x23314098  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +311  m4 @0x23313b8c  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +317  m4 @0x23313348  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +323  m4 @0x233140e4  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +329  m4 @0x2331342c  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +335  m4 @0x23313174  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +340  m4 @0x233141f8  68 00 00 00 00       push   0x00000000
 +345  m4 @0x23313d6c  9c                   pushfd
 +346  m4 @0x23313bcc  60                   pushad
 +347  m4 @0x23313f34                       <label>
 +347  m4 @0x233131c0  68 14 00 00 00       push   0x00000014
 +352  m4 @0x23313954  68 f0 b3 35 23       push   0x2335b3f0
 +357  m4 @0x23313db8  e8 df 64 cf ec       call   0x10004a90
 +362  m4 @0x233139ec  8d 64 24 08          lea    esp, [esp+0x08]
 +366  m4 @0x23313544  61                   popad 
 +367  m4 @0x23313f80  9d                   popfd 
 +368  m4 @0x233145a8  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +375  m4 @0x233145f4  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +380  m4 @0x23314640  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +385  m4 @0x2331468c  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +390  m4 @0x233146d8  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +396  m4 @0x23314724  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +402  m4 @0x23314770  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +408  m4 @0x233147bc  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +414  m4 @0x23314808  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +420  m4 @0x23314854  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +426  m4 @0x233148a0  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +432  m4 @0x233148ec  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +438  m4 @0x23314938  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +444  m4 @0x23314984  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +450  m4 @0x233149d0  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +456  m4 @0x23314a1c  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +459  m4 @0x23314a68  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +464  m4 @0x23314b18  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +469  m4 @0x23314ab4  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +474  m4 @0x23314b7c  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +477  m4 @0x23314bc8  bc 24 10 28 23       mov    esp, 0x23281024
 +482  m4 @0x23314c14  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +488  m4 @0x23314c60  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +494  m4 @0x23314cac  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +500  m4 @0x23314cf8  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +506  m4 @0x23314d44  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +512  m4 @0x23314d90  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +518  m4 @0x23314ddc  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +524  m4 @0x23314e28  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +530  m4 @0x23314e74  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +536  m4 @0x23314ec0  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +542  m4 @0x23314f0c  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +548  m4 @0x23314f58  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +554  m4 @0x23314fa4  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +559  m4 @0x23314ff0  68 00 00 00 00       push   0x00000000
 +564  m4 @0x2331503c  9c                   pushfd
 +565  m4 @0x2331507c  60                   pushad
 +566  m4 @0x23315130                       <label>
 +566  m4 @0x23315300  68 00 00 00 00       push   0x00000000
 +571  m4 @0x2331529c  68 14 00 00 00       push   0x00000014
 +576  m4 @0x23315238  68 90 00 00 00       push   0x00000090
 +581  m4 @0x233151d4  68 f0 b3 35 23       push   0x2335b3f0
 +586  m4 @0x23315170  68 01 00 00 00       push   0x00000001
 +591  m4 @0x23315364  e8 9f 65 cf ec       call   0x10004b50
 +596  m4 @0x233153c8  8d 64 24 14          lea    esp, [esp+0x14]
 +600  m4 @0x23315414  61                   popad 
 +601  m4 @0x233154dc  9d                   popfd 
 +602  m4 @0x23315534  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +609  m4 @0x23315580  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +614  m4 @0x233155cc  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +619  m4 @0x23315618  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +624  m4 @0x23315664  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +630  m4 @0x233156b0  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +636  m4 @0x233156fc  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +642  m4 @0x23315748  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +648  m4 @0x23315794  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +654  m4 @0x233157e0  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +660  m4 @0x2331582c  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +666  m4 @0x23315878  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +672  m4 @0x233158c4  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +678  m4 @0x23315910  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +684  m4 @0x2331595c  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +690  m4 @0x233159a8  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +693  m4 @0x233159f4  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +698  m4 @0x2331683c  67 64 8b 1e ec 0e    mov    ebx, dword ptr [fs:0x00000eec]
 +704  m4 @0x23316888  67 64 8b 0e e8 0e    mov    ecx, dword ptr [fs:0x00000ee8]
 +710  L3              6a 28                push   0x28
 +712  m4 @0x23312a7c  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +717  m4 @0x233136a4  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +722  m4 @0x23312abc  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +725  m4 @0x23312afc  bc 24 10 28 23       mov    esp, 0x23281024
 +730  m4 @0x23312b3c  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +736  m4 @0x23312b7c  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +742  m4 @0x2331293c  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +748  m4 @0x233134c4  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +754  m4 @0x23313478  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +760  m4 @0x23312bbc  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +766  m4 @0x23312c08  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +772  m4 @0x23312c54  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +778  m4 @0x233129fc  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +784  m4 @0x23313a2c  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +790  m4 @0x233136e4  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +796  m4 @0x23312ca0  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +802  m4 @0x23313504  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +807  m4 @0x23312ce0  68 00 00 00 00       push   0x00000000
 +812  m4 @0x23313590  9c                   pushfd
 +813  m4 @0x23312d38  60                   pushad
 +814  m4 @0x23313a78                       <label>
 +814  m4 @0x23312e28  68 15 00 00 00       push   0x00000015
 +819  m4 @0x23312ddc  68 90 00 00 00       push   0x00000090
 +824  m4 @0x23312d9c  68 f0 b3 35 23       push   0x2335b3f0
 +829  m4 @0x23313ac4  68 01 00 00 00       push   0x00000001
 +834  m4 @0x23312e74  e8 9f 6d cf ec       call   0x10005350
 +839  m4 @0x23312ed8  8d 64 24 10          lea    esp, [esp+0x10]
 +843  m4 @0x23312f3c  61                   popad 
 +844  m4 @0x23312f7c  9d                   popfd 
 +845  m4 @0x23313730  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +852  m4 @0x23312fe0  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +857  m4 @0x23313044  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +862  m4 @0x23313090  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +867  m4 @0x233142d0  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +873  m4 @0x23313658  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +879  m4 @0x23313264  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +885  m4 @0x233132fc  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +891  m4 @0x23313b4c  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +897  m4 @0x23314148  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +903  m4 @0x23313d14  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +909  m4 @0x23314238  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +915  m4 @0x23313e9c  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +921  m4 @0x233133e0  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +927  m4 @0x23313218  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +933  m4 @0x23314058  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +936  m4 @0x23313c0c  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +941  m4 @0x23315aa4  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +946  m4 @0x23315a40  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +951  m4 @0x23315b08  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +954  m4 @0x23315b54  bc 24 10 28 23       mov    esp, 0x23281024
 +959  m4 @0x23315ba0  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +965  m4 @0x23315bec  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +971  m4 @0x23315c38  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +977  m4 @0x23315c84  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +983  m4 @0x23315cd0  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +989  m4 @0x23315d1c  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +995  m4 @0x23315d68  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +1001 m4 @0x23315db4  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +1007 m4 @0x23315e00  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +1013 m4 @0x23315e4c  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +1019 m4 @0x23315e98  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +1025 m4 @0x23315ee4  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +1031 m4 @0x23315f30  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +1036 m4 @0x23315f7c  68 00 00 00 00       push   0x00000000
 +1041 m4 @0x23315fc8  9c                   pushfd
 +1042 m4 @0x23316008  60                   pushad
 +1043 m4 @0x233160bc                       <label>
 +1043 m4 @0x233160fc  68 f0 b3 35 23       push   0x2335b3f0
 +1048 m4 @0x23316160  e8 cf 51 cf ec       call   0x10003780
 +1053 m4 @0x233161c4  8d 64 24 04          lea    esp, [esp+0x04]
 +1057 m4 @0x23316210  61                   popad 
 +1058 m4 @0x233162d8  9d                   popfd 
 +1059 m4 @0x23316330  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +1066 m4 @0x2331637c  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +1071 m4 @0x233163c8  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +1076 m4 @0x23316414  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +1081 m4 @0x23316460  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +1087 m4 @0x233164ac  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +1093 m4 @0x233164f8  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +1099 m4 @0x23316544  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +1105 m4 @0x23316590  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +1111 m4 @0x233165dc  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +1117 m4 @0x23316628  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +1123 m4 @0x23316674  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +1129 m4 @0x233166c0  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +1135 m4 @0x2331670c  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +1141 m4 @0x23316758  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +1147 m4 @0x233167a4  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +1150 m4 @0x233167f0  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +1155 m4 @0x23316938  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +1160 m4 @0x233168d4  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +1165 m4 @0x2331699c  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +1168 m4 @0x233169e8  bc 24 10 28 23       mov    esp, 0x23281024
 +1173 m4 @0x23316a34  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +1179 m4 @0x23316a80  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +1185 m4 @0x23316acc  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +1191 m4 @0x23316b18  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +1197 m4 @0x23316b64  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +1203 m4 @0x23316bb0  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +1209 m4 @0x23316bfc  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +1215 m4 @0x23316c48  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +1221 m4 @0x23316c94  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +1227 m4 @0x23316ce0  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +1233 m4 @0x23316d2c  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +1239 m4 @0x23316d78  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +1245 m4 @0x23316dc4  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +1250 m4 @0x23316e10  68 00 00 00 00       push   0x00000000
 +1255 m4 @0x23316e5c  9c                   pushfd
 +1256 m4 @0x23316e9c  60                   pushad
 +1257 m4 @0x23316f50                       <label>
 +1257 m4 @0x23371278  68 01 00 00 00       push   0x00000001
 +1262 m4 @0x23371214  68 00 00 00 00       push   0x00000000
 +1267 m4 @0x233711b0  68 01 00 00 00       push   0x00000001
 +1272 m4 @0x2337114c  68 01 00 00 00       push   0x00000001
 +1277 m4 @0x233710e8  68 00 00 00 00       push   0x00000000
 +1282 m4 @0x23371084  68 d7 11 00 01       push   0x010011d7
 +1287 m4 @0x23371020  68 02 00 00 00       push   0x00000002
 +1292 m4 @0x23316f90  68 f0 b3 35 23       push   0x2335b3f0
 +1297 m4 @0x233712dc  e8 8f 55 cf ec       call   0x10003b40
 +1302 m4 @0x23371340  8d 64 24 20          lea    esp, [esp+0x20]
 +1306 m4 @0x2337138c  61                   popad 
 +1307 m4 @0x23371454  9d                   popfd 
 +1308 m4 @0x233714ac  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +1315 m4 @0x233714f8  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +1320 m4 @0x23371544  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +1325 m4 @0x23371590  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +1330 m4 @0x233715dc  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +1336 m4 @0x23371628  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +1342 m4 @0x23371674  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +1348 m4 @0x233716c0  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +1354 m4 @0x2337170c  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +1360 m4 @0x23371758  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +1366 m4 @0x233717a4  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +1372 m4 @0x233717f0  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +1378 m4 @0x2337183c  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +1384 m4 @0x23371888  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +1390 m4 @0x233718d4  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +1396 m4 @0x23371920  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +1399 m4 @0x2337196c  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +1404 m4 @0x233719dc  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +1409 m4 @0x23371a1c  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +1414 m4 @0x23371a68  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +1417 m4 @0x23371ab4  bc 24 10 28 23       mov    esp, 0x23281024
 +1422 m4 @0x23371b00  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +1428 m4 @0x23371b4c  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +1434 m4 @0x23371b98  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +1440 m4 @0x23371be4  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +1446 m4 @0x23371c30  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +1452 m4 @0x23371c7c  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +1458 m4 @0x23371cc8  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +1464 m4 @0x23371d14  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +1470 m4 @0x23371d60  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +1476 m4 @0x23371dac  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +1482 m4 @0x23371df8  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +1488 m4 @0x23371e44  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +1494 m4 @0x23371e90  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +1499 m4 @0x23371edc  68 00 00 00 00       push   0x00000000
 +1504 m4 @0x23371f28  9c                   pushfd
 +1505 m4 @0x23371f80  60                   pushad
 +1506 m4 @0x23372034                       <label>
 +1506 m4 @0x233721a0  68 15 00 00 00       push   0x00000015
 +1511 m4 @0x2337213c  68 90 00 00 00       push   0x00000090
 +1516 m4 @0x233720d8  68 98 bd 35 23       push   0x2335bd98
 +1521 m4 @0x23372074  68 00 00 00 00       push   0x00000000
 +1526 m4 @0x23372204  e8 9f 6d cf ec       call   0x10005350
 +1531 m4 @0x23372268  8d 64 24 10          lea    esp, [esp+0x10]
 +1535 m4 @0x233722b4  61                   popad 
 +1536 m4 @0x2337237c  9d                   popfd 
 +1537 m4 @0x233723d4  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +1544 m4 @0x23372420  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +1549 m4 @0x2337246c  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +1554 m4 @0x233724b8  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +1559 m4 @0x23372504  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +1565 m4 @0x23372550  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +1571 m4 @0x2337259c  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +1577 m4 @0x233725e8  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +1583 m4 @0x23372634  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +1589 m4 @0x23372680  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +1595 m4 @0x233726cc  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +1601 m4 @0x23372718  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +1607 m4 @0x23372764  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +1613 m4 @0x233727b0  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +1619 m4 @0x233727fc  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +1625 m4 @0x23372848  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +1628 m4 @0x23372894  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +1633 m4 @0x23373808  67 64 89 1e ec 0e    mov    dword ptr [fs:0x00000eec], ebx
 +1639 m4 @0x23373854  67 64 89 0e e8 0e    mov    dword ptr [fs:0x00000ee8], ecx
 +1645 m4 @0x233738a0  8d 5c 24 fc          lea    ebx, [esp-0x04]
 +1649 m4 @0x233738ec  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +1654 m4 @0x23373938  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +1659 m4 @0x23373984  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +1662 m4 @0x233739d0  bc 24 10 28 23       mov    esp, 0x23281024
 +1667 m4 @0x23373a1c  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +1673 m4 @0x23373a68  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +1679 m4 @0x23373ab4  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +1685 m4 @0x23373b00  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +1691 m4 @0x23373b4c  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +1697 m4 @0x23373b98  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +1703 m4 @0x23373be4  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +1709 m4 @0x23373c30  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +1715 m4 @0x23373c7c  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +1721 m4 @0x23373cc8  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +1727 m4 @0x23373d14  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +1733 m4 @0x23373d60  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +1739 m4 @0x23373dac  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +1744 m4 @0x23373df8  68 00 00 00 00       push   0x00000000
 +1749 m4 @0x23373e5c  9c                   pushfd
 +1750 m4 @0x23373eb4  60                   pushad
 +1751 m4 @0x23373f68                       <label>
 +1751 m4 @0x2337400c  68 14 00 00 00       push   0x00000014
 +1756 m4 @0x23373fa8  68 98 bd 35 23       push   0x2335bd98
 +1761 m4 @0x23374070  e8 df 64 cf ec       call   0x10004a90
 +1766 m4 @0x233740d4  8d 64 24 08          lea    esp, [esp+0x08]
 +1770 m4 @0x23374120  61                   popad 
 +1771 m4 @0x233741e8  9d                   popfd 
 +1772 m4 @0x23374240  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +1779 m4 @0x2337428c  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +1784 m4 @0x233742d8  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +1789 m4 @0x23374324  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +1794 m4 @0x23374370  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +1800 m4 @0x233743bc  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +1806 m4 @0x23374408  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +1812 m4 @0x23374454  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +1818 m4 @0x233744a0  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +1824 m4 @0x233744ec  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +1830 m4 @0x23374538  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +1836 m4 @0x23374584  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +1842 m4 @0x233745d0  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +1848 m4 @0x2337461c  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +1854 m4 @0x23374668  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +1860 m4 @0x233746b4  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +1863 m4 @0x23374700  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +1868 m4 @0x2337474c  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +1873 m4 @0x23374798  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +1878 m4 @0x233747e4  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +1881 m4 @0x23374830  bc 24 10 28 23       mov    esp, 0x23281024
 +1886 m4 @0x2337487c  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +1892 m4 @0x233748c8  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +1898 m4 @0x23374914  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +1904 m4 @0x23374960  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +1910 m4 @0x233749ac  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +1916 m4 @0x233749f8  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +1922 m4 @0x23374a44  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +1928 m4 @0x23374a90  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +1934 m4 @0x23374adc  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +1940 m4 @0x23374b28  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +1946 m4 @0x23374b74  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +1952 m4 @0x23374bc0  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +1958 m4 @0x23374c0c  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +1963 m4 @0x23374c58  68 00 00 00 00       push   0x00000000
 +1968 m4 @0x23374cbc  9c                   pushfd
 +1969 m4 @0x23374d14  60                   pushad
 +1970 m4 @0x23374dc8                       <label>
 +1970 m4 @0x23374f98  68 00 00 00 00       push   0x00000000
 +1975 m4 @0x23374f34  68 14 00 00 00       push   0x00000014
 +1980 m4 @0x23374ed0  68 90 00 00 00       push   0x00000090
 +1985 m4 @0x23374e6c  68 98 bd 35 23       push   0x2335bd98
 +1990 m4 @0x23374e08  68 01 00 00 00       push   0x00000001
 +1995 m4 @0x23374ffc  e8 9f 65 cf ec       call   0x10004b50
 +2000 m4 @0x23375060  8d 64 24 14          lea    esp, [esp+0x14]
 +2004 m4 @0x233750ac  61                   popad 
 +2005 m4 @0x23375174  9d                   popfd 
 +2006 m4 @0x233751cc  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +2013 m4 @0x23375218  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +2018 m4 @0x23375264  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +2023 m4 @0x233752b0  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +2028 m4 @0x233752fc  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +2034 m4 @0x23375348  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +2040 m4 @0x23375394  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +2046 m4 @0x233753e0  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +2052 m4 @0x2337542c  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +2058 m4 @0x23375478  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +2064 m4 @0x233754c4  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +2070 m4 @0x23375510  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +2076 m4 @0x2337555c  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +2082 m4 @0x233755a8  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +2088 m4 @0x233755f4  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +2094 m4 @0x23375640  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +2097 m4 @0x2337568c  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +2102 m4 @0x233764d4  67 64 8b 1e ec 0e    mov    ebx, dword ptr [fs:0x00000eec]
 +2108 m4 @0x23376520  67 64 8b 0e e8 0e    mov    ecx, dword ptr [fs:0x00000ee8]
 +2114 L3              68 b0 10 00 01       push   0x010010b0
 +2119 m4 @0x233728e0  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +2124 m4 @0x2337292c  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +2129 m4 @0x23372978  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +2132 m4 @0x233729c4  bc 24 10 28 23       mov    esp, 0x23281024
 +2137 m4 @0x23372a10  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +2143 m4 @0x23372a5c  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +2149 m4 @0x23372aa8  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +2155 m4 @0x23372af4  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +2161 m4 @0x23372b40  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +2167 m4 @0x23372b8c  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +2173 m4 @0x23372bd8  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +2179 m4 @0x23372c24  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +2185 m4 @0x23372c70  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +2191 m4 @0x23372cbc  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +2197 m4 @0x23372d08  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +2203 m4 @0x23372d54  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +2209 m4 @0x23372da0  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +2214 m4 @0x23372dec  68 00 00 00 00       push   0x00000000
 +2219 m4 @0x23372e50  9c                   pushfd
 +2220 m4 @0x23372ea8  60                   pushad
 +2221 m4 @0x23372f5c                       <label>
 +2221 m4 @0x233730c8  68 15 00 00 00       push   0x00000015
 +2226 m4 @0x23373064  68 90 00 00 00       push   0x00000090
 +2231 m4 @0x23373000  68 98 bd 35 23       push   0x2335bd98
 +2236 m4 @0x23372f9c  68 01 00 00 00       push   0x00000001
 +2241 m4 @0x2337312c  e8 9f 6d cf ec       call   0x10005350
 +2246 m4 @0x23373190  8d 64 24 10          lea    esp, [esp+0x10]
 +2250 m4 @0x233731dc  61                   popad 
 +2251 m4 @0x233732a4  9d                   popfd 
 +2252 m4 @0x233732fc  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +2259 m4 @0x23373348  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +2264 m4 @0x23373394  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +2269 m4 @0x233733e0  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +2274 m4 @0x2337342c  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +2280 m4 @0x23373478  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +2286 m4 @0x233734c4  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +2292 m4 @0x23373510  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +2298 m4 @0x2337355c  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +2304 m4 @0x233735a8  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +2310 m4 @0x233735f4  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +2316 m4 @0x23373640  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +2322 m4 @0x2337368c  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +2328 m4 @0x233736d8  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +2334 m4 @0x23373724  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +2340 m4 @0x23373770  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +2343 m4 @0x233737bc  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +2348 m4 @0x233756d8  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +2353 m4 @0x23375724  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +2358 m4 @0x23375770  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +2361 m4 @0x233757bc  bc 24 10 28 23       mov    esp, 0x23281024
 +2366 m4 @0x23375808  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +2372 m4 @0x23375854  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +2378 m4 @0x233758a0  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +2384 m4 @0x233758ec  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +2390 m4 @0x23375938  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +2396 m4 @0x23375984  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +2402 m4 @0x233759d0  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +2408 m4 @0x23375a1c  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +2414 m4 @0x23375a68  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +2420 m4 @0x23375ab4  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +2426 m4 @0x23375b00  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +2432 m4 @0x23375b4c  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +2438 m4 @0x23375b98  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +2443 m4 @0x23375be4  68 00 00 00 00       push   0x00000000
 +2448 m4 @0x23375c48  9c                   pushfd
 +2449 m4 @0x23375ca0  60                   pushad
 +2450 m4 @0x23375d54                       <label>
 +2450 m4 @0x23375d94  68 98 bd 35 23       push   0x2335bd98
 +2455 m4 @0x23375df8  e8 cf 51 cf ec       call   0x10003780
 +2460 m4 @0x23375e5c  8d 64 24 04          lea    esp, [esp+0x04]
 +2464 m4 @0x23375ea8  61                   popad 
 +2465 m4 @0x23375f70  9d                   popfd 
 +2466 m4 @0x23375fc8  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +2473 m4 @0x23376014  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +2478 m4 @0x23376060  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +2483 m4 @0x233760ac  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +2488 m4 @0x233760f8  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +2494 m4 @0x23376144  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +2500 m4 @0x23376190  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +2506 m4 @0x233761dc  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +2512 m4 @0x23376228  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +2518 m4 @0x23376274  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +2524 m4 @0x233762c0  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +2530 m4 @0x2337630c  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +2536 m4 @0x23376358  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +2542 m4 @0x233763a4  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +2548 m4 @0x233763f0  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +2554 m4 @0x2337643c  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +2557 m4 @0x23376488  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +2562 m4 @0x2337656c  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +2567 m4 @0x233765b8  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +2572 m4 @0x23376604  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +2575 m4 @0x23376650  bc 24 10 28 23       mov    esp, 0x23281024
 +2580 m4 @0x2337669c  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +2586 m4 @0x233766e8  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +2592 m4 @0x23376734  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +2598 m4 @0x23376780  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +2604 m4 @0x233767cc  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +2610 m4 @0x23376818  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +2616 m4 @0x23376864  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +2622 m4 @0x233768b0  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +2628 m4 @0x233768fc  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +2634 m4 @0x23376948  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +2640 m4 @0x23376994  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +2646 m4 @0x233769e0  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +2652 m4 @0x23376a2c  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +2657 m4 @0x23376a78  68 00 00 00 00       push   0x00000000
 +2662 m4 @0x23376adc  9c                   pushfd
 +2663 m4 @0x23376b34  60                   pushad
 +2664 m4 @0x23376be8                       <label>
 +2664 m4 @0x23376ee4  68 01 00 00 00       push   0x00000001
 +2669 m4 @0x23376e80  68 00 00 00 00       push   0x00000000
 +2674 m4 @0x23376e1c  68 01 00 00 00       push   0x00000001
 +2679 m4 @0x23376db8  68 01 00 00 00       push   0x00000001
 +2684 m4 @0x23376d54  68 00 00 00 00       push   0x00000000
 +2689 m4 @0x23376cf0  68 d9 11 00 01       push   0x010011d9
 +2694 m4 @0x23376c8c  68 05 00 00 00       push   0x00000005
 +2699 m4 @0x23376c28  68 98 bd 35 23       push   0x2335bd98
 +2704 m4 @0x23376f48  e8 8f 55 cf ec       call   0x10003b40
 +2709 m4 @0x23376fac  8d 64 24 20          lea    esp, [esp+0x20]
 +2713 m4 @0x23376ff8  61                   popad 
 +2714 m4 @0x233770c0  9d                   popfd 
 +2715 m4 @0x23377118  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +2722 m4 @0x23377164  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +2727 m4 @0x233771b0  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +2732 m4 @0x233771fc  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +2737 m4 @0x23377248  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +2743 m4 @0x23377294  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +2749 m4 @0x233772e0  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +2755 m4 @0x2337732c  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +2761 m4 @0x23377378  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +2767 m4 @0x233773c4  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +2773 m4 @0x23377410  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +2779 m4 @0x2337745c  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +2785 m4 @0x233774a8  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +2791 m4 @0x233774f4  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +2797 m4 @0x23377540  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +2803 m4 @0x2337758c  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +2806 m4 @0x233775d8  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +2811 m4 @0x23377648  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +2816 m4 @0x23377688  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +2821 m4 @0x233776d4  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +2824 m4 @0x23377720  bc 24 10 28 23       mov    esp, 0x23281024
 +2829 m4 @0x2337776c  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +2835 m4 @0x233777b8  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +2841 m4 @0x23377804  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +2847 m4 @0x23377850  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +2853 m4 @0x2337789c  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +2859 m4 @0x233778e8  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +2865 m4 @0x23377934  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +2871 m4 @0x23377980  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +2877 m4 @0x233779cc  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +2883 m4 @0x23377a18  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +2889 m4 @0x23377a64  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +2895 m4 @0x23377ab0  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +2901 m4 @0x23377afc  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +2906 m4 @0x23377b48  68 00 00 00 00       push   0x00000000
 +2911 m4 @0x23377b94  9c                   pushfd
 +2912 m4 @0x23377bec  60                   pushad
 +2913 m4 @0x23377ca0                       <label>
 +2913 m4 @0x23377e0c  68 15 00 00 00       push   0x00000015
 +2918 m4 @0x23377da8  68 90 00 00 00       push   0x00000090
 +2923 m4 @0x23377d44  68 d0 bd 35 23       push   0x2335bdd0
 +2928 m4 @0x23377ce0  68 00 00 00 00       push   0x00000000
 +2933 m4 @0x23377e70  e8 9f 6d cf ec       call   0x10005350
 +2938 m4 @0x23377ed4  8d 64 24 10          lea    esp, [esp+0x10]
 +2942 m4 @0x23377f20  61                   popad 
 +2943 m4 @0x23377fe8  9d                   popfd 
 +2944 m4 @0x23378040  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +2951 m4 @0x2337808c  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +2956 m4 @0x233780d8  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +2961 m4 @0x23378124  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +2966 m4 @0x23378170  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +2972 m4 @0x233781bc  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +2978 m4 @0x23378208  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +2984 m4 @0x23378254  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +2990 m4 @0x233782a0  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +2996 m4 @0x233782ec  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +3002 m4 @0x23378338  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +3008 m4 @0x23378384  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +3014 m4 @0x233783d0  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +3020 m4 @0x2337841c  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +3026 m4 @0x23378468  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +3032 m4 @0x233784b4  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +3035 m4 @0x23378500  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +3040 m4 @0x23379474  67 64 89 1e ec 0e    mov    dword ptr [fs:0x00000eec], ebx
 +3046 m4 @0x233794c0  67 64 89 0e e8 0e    mov    dword ptr [fs:0x00000ee8], ecx
 +3052 m4 @0x2337950c  8d 5c 24 fc          lea    ebx, [esp-0x04]
 +3056 m4 @0x23379558  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +3061 m4 @0x233795a4  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +3066 m4 @0x233795f0  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +3069 m4 @0x2337963c  bc 24 10 28 23       mov    esp, 0x23281024
 +3074 m4 @0x23379688  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +3080 m4 @0x233796d4  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +3086 m4 @0x23379720  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +3092 m4 @0x2337976c  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +3098 m4 @0x233797b8  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +3104 m4 @0x23379804  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +3110 m4 @0x23379850  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +3116 m4 @0x2337989c  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +3122 m4 @0x233798e8  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +3128 m4 @0x23379934  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +3134 m4 @0x23379980  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +3140 m4 @0x233799cc  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +3146 m4 @0x23379a18  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +3151 m4 @0x23379a64  68 00 00 00 00       push   0x00000000
 +3156 m4 @0x23379ac8  9c                   pushfd
 +3157 m4 @0x23379b20  60                   pushad
 +3158 m4 @0x23379bd4                       <label>
 +3158 m4 @0x23379c78  68 14 00 00 00       push   0x00000014
 +3163 m4 @0x23379c14  68 d0 bd 35 23       push   0x2335bdd0
 +3168 m4 @0x23379cdc  e8 df 64 cf ec       call   0x10004a90
 +3173 m4 @0x23379d40  8d 64 24 08          lea    esp, [esp+0x08]
 +3177 m4 @0x23379d8c  61                   popad 
 +3178 m4 @0x23379e54  9d                   popfd 
 +3179 m4 @0x23379eac  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +3186 m4 @0x23379ef8  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +3191 m4 @0x23379f44  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +3196 m4 @0x23379f90  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +3201 m4 @0x23379fdc  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +3207 m4 @0x2337a028  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +3213 m4 @0x2337a074  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +3219 m4 @0x2337a0c0  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +3225 m4 @0x2337a10c  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +3231 m4 @0x2337a158  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +3237 m4 @0x2337a1a4  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +3243 m4 @0x2337a1f0  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +3249 m4 @0x2337a23c  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +3255 m4 @0x2337a288  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +3261 m4 @0x2337a2d4  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +3267 m4 @0x2337a320  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +3270 m4 @0x2337a36c  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +3275 m4 @0x2337a3b8  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +3280 m4 @0x2337a404  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +3285 m4 @0x2337a450  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +3288 m4 @0x2337a49c  bc 24 10 28 23       mov    esp, 0x23281024
 +3293 m4 @0x2337a4e8  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +3299 m4 @0x2337a534  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +3305 m4 @0x2337a580  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +3311 m4 @0x2337a5cc  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +3317 m4 @0x2337a618  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +3323 m4 @0x2337a664  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +3329 m4 @0x2337a6b0  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +3335 m4 @0x2337a6fc  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +3341 m4 @0x2337a748  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +3347 m4 @0x2337a794  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +3353 m4 @0x2337a7e0  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +3359 m4 @0x2337a82c  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +3365 m4 @0x2337a878  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +3370 m4 @0x2337a8c4  68 00 00 00 00       push   0x00000000
 +3375 m4 @0x2337a928  9c                   pushfd
 +3376 m4 @0x2337a980  60                   pushad
 +3377 m4 @0x2337aa34                       <label>
 +3377 m4 @0x2337ac04  68 00 00 00 00       push   0x00000000
 +3382 m4 @0x2337aba0  68 14 00 00 00       push   0x00000014
 +3387 m4 @0x2337ab3c  68 90 00 00 00       push   0x00000090
 +3392 m4 @0x2337aad8  68 d0 bd 35 23       push   0x2335bdd0
 +3397 m4 @0x2337aa74  68 01 00 00 00       push   0x00000001
 +3402 m4 @0x2337ac68  e8 9f 65 cf ec       call   0x10004b50
 +3407 m4 @0x2337accc  8d 64 24 14          lea    esp, [esp+0x14]
 +3411 m4 @0x2337ad18  61                   popad 
 +3412 m4 @0x2337ade0  9d                   popfd 
 +3413 m4 @0x2337ae38  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +3420 m4 @0x2337ae84  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +3425 m4 @0x2337aed0  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +3430 m4 @0x2337af1c  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +3435 m4 @0x2337af68  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +3441 m4 @0x2337afb4  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +3447 m4 @0x2337b000  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +3453 m4 @0x2337b04c  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +3459 m4 @0x2337b098  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +3465 m4 @0x2337b0e4  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +3471 m4 @0x2337b130  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +3477 m4 @0x2337b17c  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +3483 m4 @0x2337b1c8  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +3489 m4 @0x2337b214  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +3495 m4 @0x2337b260  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +3501 m4 @0x2337b2ac  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +3504 m4 @0x2337b2f8  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +3509 m4 @0x2337c140  67 64 8b 1e ec 0e    mov    ebx, dword ptr [fs:0x00000eec]
 +3515 m4 @0x2337c18c  67 64 8b 0e e8 0e    mov    ecx, dword ptr [fs:0x00000ee8]
 +3521 L3              e8 91 01 00 00       call   0x01001374
 +3526 m4 @0x2337854c  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +3531 m4 @0x23378598  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +3536 m4 @0x233785e4  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +3539 m4 @0x23378630  bc 24 10 28 23       mov    esp, 0x23281024
 +3544 m4 @0x2337867c  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +3550 m4 @0x233786c8  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +3556 m4 @0x23378714  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +3562 m4 @0x23378760  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +3568 m4 @0x233787ac  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +3574 m4 @0x233787f8  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +3580 m4 @0x23378844  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +3586 m4 @0x23378890  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +3592 m4 @0x233788dc  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +3598 m4 @0x23378928  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +3604 m4 @0x23378974  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +3610 m4 @0x233789c0  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +3616 m4 @0x23378a0c  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +3621 m4 @0x23378a58  68 00 00 00 00       push   0x00000000
 +3626 m4 @0x23378abc  9c                   pushfd
 +3627 m4 @0x23378b14  60                   pushad
 +3628 m4 @0x23378bc8                       <label>
 +3628 m4 @0x23378d34  68 15 00 00 00       push   0x00000015
 +3633 m4 @0x23378cd0  68 90 00 00 00       push   0x00000090
 +3638 m4 @0x23378c6c  68 d0 bd 35 23       push   0x2335bdd0
 +3643 m4 @0x23378c08  68 01 00 00 00       push   0x00000001
 +3648 m4 @0x23378d98  e8 9f 6d cf ec       call   0x10005350
 +3653 m4 @0x23378dfc  8d 64 24 10          lea    esp, [esp+0x10]
 +3657 m4 @0x23378e48  61                   popad 
 +3658 m4 @0x23378f10  9d                   popfd 
 +3659 m4 @0x23378f68  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +3666 m4 @0x23378fb4  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +3671 m4 @0x23379000  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +3676 m4 @0x2337904c  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +3681 m4 @0x23379098  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +3687 m4 @0x233790e4  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +3693 m4 @0x23379130  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +3699 m4 @0x2337917c  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +3705 m4 @0x233791c8  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +3711 m4 @0x23379214  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +3717 m4 @0x23379260  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +3723 m4 @0x233792ac  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +3729 m4 @0x233792f8  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +3735 m4 @0x23379344  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +3741 m4 @0x23379390  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +3747 m4 @0x233793dc  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +3750 m4 @0x23379428  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +3755 m4 @0x2337b344  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +3760 m4 @0x2337b390  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +3765 m4 @0x2337b3dc  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +3768 m4 @0x2337b428  bc 24 10 28 23       mov    esp, 0x23281024
 +3773 m4 @0x2337b474  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +3779 m4 @0x2337b4c0  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +3785 m4 @0x2337b50c  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +3791 m4 @0x2337b558  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +3797 m4 @0x2337b5a4  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +3803 m4 @0x2337b5f0  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +3809 m4 @0x2337b63c  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +3815 m4 @0x2337b688  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +3821 m4 @0x2337b6d4  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +3827 m4 @0x2337b720  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +3833 m4 @0x2337b76c  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +3839 m4 @0x2337b7b8  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +3845 m4 @0x2337b804  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +3850 m4 @0x2337b850  68 00 00 00 00       push   0x00000000
 +3855 m4 @0x2337b8b4  9c                   pushfd
 +3856 m4 @0x2337b90c  60                   pushad
 +3857 m4 @0x2337b9c0                       <label>
 +3857 m4 @0x2337ba00  68 d0 bd 35 23       push   0x2335bdd0
 +3862 m4 @0x2337ba64  e8 cf 51 cf ec       call   0x10003780
 +3867 m4 @0x2337bac8  8d 64 24 04          lea    esp, [esp+0x04]
 +3871 m4 @0x2337bb14  61                   popad 
 +3872 m4 @0x2337bbdc  9d                   popfd 
 +3873 m4 @0x2337bc34  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +3880 m4 @0x2337bc80  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +3885 m4 @0x2337bccc  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +3890 m4 @0x2337bd18  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +3895 m4 @0x2337bd64  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +3901 m4 @0x2337bdb0  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +3907 m4 @0x2337bdfc  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +3913 m4 @0x2337be48  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +3919 m4 @0x2337be94  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +3925 m4 @0x2337bee0  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +3931 m4 @0x2337bf2c  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +3937 m4 @0x2337bf78  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +3943 m4 @0x2337bfc4  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +3949 m4 @0x2337c010  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +3955 m4 @0x2337c05c  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +3961 m4 @0x2337c0a8  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +3964 m4 @0x2337c0f4  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +3969 m4 @0x2337c1d8  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +3974 m4 @0x2337c224  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +3979 m4 @0x2337c270  89 60 0c             mov    dword ptr [eax+0x0c], esp
 +3982 m4 @0x2337c2bc  bc 24 10 28 23       mov    esp, 0x23281024
 +3987 m4 @0x2337c308  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +3993 m4 @0x2337c354  67 64 8b 26 34 00    mov    esp, dword ptr [fs:0x34]
 +3999 m4 @0x2337c3a0  89 a0 70 01 00 00    mov    dword ptr [eax+0x00000170], esp
 +4005 m4 @0x2337c3ec  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +4011 m4 @0x2337c438  89 a0 74 01 00 00    mov    dword ptr [eax+0x00000174], esp
 +4017 m4 @0x2337c484  8b a0 78 01 00 00    mov    esp, dword ptr [eax+0x00000178]
 +4023 m4 @0x2337c4d0  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +4029 m4 @0x2337c51c  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +4035 m4 @0x2337c568  89 a0 7c 01 00 00    mov    dword ptr [eax+0x0000017c], esp
 +4041 m4 @0x2337c5b4  8b a0 80 01 00 00    mov    esp, dword ptr [eax+0x00000180]
 +4047 m4 @0x2337c600  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +4053 m4 @0x2337c64c  8b a0 60 01 00 00    mov    esp, dword ptr [eax+0x00000160]
 +4059 m4 @0x2337c698  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
 +4064 m4 @0x2337c6e4  68 00 00 00 00       push   0x00000000
 +4069 m4 @0x2337c748  9c                   pushfd
 +4070 m4 @0x2337c7a0  60                   pushad
 +4071 m4 @0x2337c854                       <label>
 +4071 m4 @0x2337cb50  68 01 00 00 00       push   0x00000001
 +4076 m4 @0x2337caec  68 00 00 00 00       push   0x00000000
 +4081 m4 @0x2337ca88  68 01 00 00 00       push   0x00000001
 +4086 m4 @0x2337ca24  68 01 00 00 00       push   0x00000001
 +4091 m4 @0x2337c9c0  68 00 00 00 00       push   0x00000000
 +4096 m4 @0x2337c95c  68 de 11 00 01       push   0x010011de
 +4101 m4 @0x2337c8f8  68 05 00 00 00       push   0x00000005
 +4106 m4 @0x2337c894  68 d0 bd 35 23       push   0x2335bdd0
 +4111 m4 @0x2337cbb4  e8 8f 55 cf ec       call   0x10003b40
 +4116 m4 @0x2337cc18  8d 64 24 20          lea    esp, [esp+0x20]
 +4120 m4 @0x2337cc64  61                   popad 
 +4121 m4 @0x2337cd2c  9d                   popfd 
 +4122 m4 @0x2337cd84  8d a4 24 1c 01 00 00 lea    esp, [esp+0x0000011c]
 +4129 m4 @0x2337cdd0  67 64 a3 e4 0e       mov    dword ptr [fs:0x00000ee4], eax
 +4134 m4 @0x2337ce1c  67 64 a1 f4 0e       mov    eax, dword ptr [fs:0x00000ef4]
 +4139 m4 @0x2337ce68  bc 00 f0 fd 7f       mov    esp, 0x7ffdf000
 +4144 m4 @0x2337ceb4  67 64 89 26 30 00    mov    dword ptr [fs:0x30], esp
 +4150 m4 @0x2337cf00  8b a0 70 01 00 00    mov    esp, dword ptr [eax+0x00000170]
 +4156 m4 @0x2337cf4c  67 64 89 26 34 00    mov    dword ptr [fs:0x34], esp
 +4162 m4 @0x2337cf98  67 64 8b 26 b4 0f    mov    esp, dword ptr [fs:0x00000fb4]
 +4168 m4 @0x2337cfe4  89 a0 78 01 00 00    mov    dword ptr [eax+0x00000178], esp
 +4174 m4 @0x2337d030  8b a0 74 01 00 00    mov    esp, dword ptr [eax+0x00000174]
 +4180 m4 @0x2337d07c  67 64 89 26 b4 0f    mov    dword ptr [fs:0x00000fb4], esp
 +4186 m4 @0x2337d0c8  67 64 8b 26 1c 0f    mov    esp, dword ptr [fs:0x00000f1c]
 +4192 m4 @0x2337d114  89 a0 80 01 00 00    mov    dword ptr [eax+0x00000180], esp
 +4198 m4 @0x2337d160  8b a0 7c 01 00 00    mov    esp, dword ptr [eax+0x0000017c]
 +4204 m4 @0x2337d1ac  67 64 89 26 1c 0f    mov    dword ptr [fs:0x00000f1c], esp
 +4210 m4 @0x2337d1f8  8b 60 0c             mov    esp, dword ptr [eax+0x0c]
 +4213 m4 @0x2337d244  67 64 a1 e4 0e       mov    eax, dword ptr [fs:0x00000ee4]
END 0x010011d7

Hmpff, 4200+ lines to read :oP
Anything interesting in here? I'll try to find it...
---
B.

Reid Kleckner

Aug 20, 2012, 5:14:12 PM
to dynamor...@googlegroups.com
I meant to dump the bb *after* instrumentation, so you can see what code gets generated for the spills and drutil_insert_get_mem_addr().

On Mon, Aug 20, 2012 at 4:36 PM, B.R. <reallfqq-...@yahoo.fr> wrote:
I called instrlist_disassemble before and after the bb instrumentation loop.
I used a custom file with fopen/fclose.
I had to use the following to transform the FILE* into a HANDLE: (HANDLE)_get_osfhandle(_fileno(outFile))
Not very convenient...

This has to do with isolating DR from the app.  If DR called fopen or fwrite, it would probably allocate memory on the app's heap and acquire app locks.  This can have really bad consequences for isolation, so DR has been designed to be as independent of other libraries as possible.  Classic examples are trying to call malloc while instrumenting malloc, or clobbering errno on Linux.  DR forwards the libc independent wrappers it uses to clients in case they need them.

Today, fopen and C++ mostly Just Work for clients because we have a private loader for Windows and Linux, but it has taken time to get there.  DR itself still cannot use libc because that would create a bootstrapping problem.

B.R.

Aug 20, 2012, 5:13:58 PM
to DynamoRIO Users
Sorry for the big mail message.
I could have put it in a txt file... 0,0

Here is the output of my trace to check against the BBL debug:
EAX = 232a2800
EBX = 232a2800
ECX = 40
EDX = 2337d2b4
EBP = 2330eeec
ESP = 7ffc4
EDI = 2337d2b4
ESI = 232a2800
---
B.

B.R.

Aug 20, 2012, 6:24:18 PM
to dynamor...@googlegroups.com
Ok, I got the global picture on the reasons.
Thanks for the details.

You'll find another BBL trace which I 'minified' (line number is half what it was) by tracing only the 'memory write' operand of the 0x10011d7 instruction (PUSH 28)

Registers state in analysis context:
EAX = 1da22800
EBX = 1da22800
ECX = 40
EDX = 1da94d00
EBP = 1da8eeec
ESP = 7ffc4
EDI = 1da94d00
ESI = 1da22800
---
B.
hostname_minified.txt

Reid Kleckner

Aug 20, 2012, 7:58:45 PM
to dynamor...@googlegroups.com
Two things.

1. I think there's something wrong with the intel syntax disassembly.  All those mov esp <-> [fs:...] instrs around the clean calls don't make sense.  Those are more likely xmm spills.  I can try to repro the syntax issue tomorrow.

2. I think there is an ordering issue.  There are two full clean calls before the spills you inserted before push 0x28.  Another is that you are inserting the register restores before push 28, yet are still passing reg1 to the second clean call (I think).

B.R.

Aug 21, 2012, 9:17:03 AM
to B.R., dynamor...@googlegroups.com
Hello,

I just modified the code to make the restoration routines appear before the next instruction.
Nothing changed: the computed address is still weird.

Did you manage to reproduce the problem?
Do you wish to get an AT&T syntax-based output?
---
B.




On Mon, Aug 20, 2012 at 8:48 PM, B.R. <reallfqq-...@yahoo.fr> wrote:

B.R.

Aug 20, 2012, 2:24:16 PM
to DynamoRIO Users
To help solve the problem, I notice that I am calling drutil_insert_get_mem_addr() on the drcontext instance provided at instrumentation time, while at analysis time, I use the mcontext taken from the drcontext retrieved through dr_get_current_drcontext().

Are those drcontexts consistent?
---
B.




On Mon, Aug 20, 2012 at 2:07 PM, B.R. <reallfqq-...@yahoo.fr> wrote:

B.R.

Aug 20, 2012, 8:48:02 PM
to dynamor...@googlegroups.com
1. Yes I use the Intel syntax, I switched to it early at instrumentation time. I can produce another output with the AT&T one tomorrow if you wish so.

2. It depends at which output you look.
Please forget everything about the first one (which I copied raw into an email). There was a ton of pollution in it, plus some other calls I inserted, trying to narrow the problem area.
To be more specific, I added among other things another clean call before the instruction execution whose only job was to read the EBX register. I was looking for possible conflicts resulting in a bad memory context at analysis time.

Anyway...

You are right about my mistake regarding the restoration of the memory context: I looked in my code in my previous message and the restoration has been inserted before the instruction...
I guess we found the bug. :o\
I'll test that immediately tomorrow, first thing in the day.

I sincerely hope that was not that simple... oO
---
B.





B.R.

Aug 20, 2012, 11:32:37 AM
to DynamoRIO Users
I guess I just found out the problem:

the reg_get_value function is called at instrumentation time while the drutil_insert_get_mem_addr is called at analysis time.
Thus, the wrong context is used when reading the register value.

I am going to test the following:
- Passing the register name (and not its value) to the analysis procedure
- Gathering the register value at the beginning of the  analysis procedure
- Restoring register values right afterwards inside the analysis procedure

In the meanwhile, tell me if you see something wrong in what I wrote/write :oP
---
B.




On Mon, Aug 20, 2012 at 11:20 AM, B.R. <reallfqq-...@yahoo.fr> wrote:

B.R.

Aug 20, 2012, 12:00:19 PM
to dynamor...@googlegroups.com
Yes, it was the purpose of the answer to my own message. :oP

However, OPND_CREATE_INTPTR(reg1) is better since it creates a reference to the actual register whereas opnd_create_reg(reg1) creates a whole new register.
If opnd_create_reg is used, the value 0 is read in analysis context and not the actual value.

Anyway...

I moved the reg_get_value in the analysis procedure, and I output the value returned to test whether it is correct or not.
2 facts:
- The value returned is the one contained in EBX as requested (the output of is checked against reg_get_value(DR_REG_XBX, &mcontext) at analysis time)
- The value is still not correct: the memory context holds 16342800 (random value with no correspondence to real values) :o\

Am I getting mad again? :oP
---
B.




On Mon, Aug 20, 2012 at 11:42 AM, Reid Kleckner <r...@google.com> wrote:

B.R.

Aug 21, 2012, 10:24:46 AM
to DynamoRIO Users
Hello,

Since I'll touch things in my module, here is the same trace output as yesterday (trace of BBL @10011d7) with AT&T syntax.
Loads of back and forth on the ESP register still.

Here is the analysis context registers value:
EAX = 24fd2800
EBX = 24fd2800
ECX = 40
EDX = 25044d00
EBP = 2503eeec
ESP = 7ffc4
EDI = 25044d00
ESI = 24fd2800
---
B.
hostname_minified_at-t.txt

B.R.

Aug 21, 2012, 11:24:09 AM
to DynamoRIO Users
Making further tests, it seems to be troublesome to insert the dr_restore_reg calls before the next instruction and not the current one.

The trouble is some stalling (i.e. an infinite loop on a jmp instruction). :o\
---
B.

Reid Kleckner

Aug 21, 2012, 11:43:42 AM
to dynamor...@googlegroups.com
Yeah, this won't work if the instruction in question uses ebx/ecx.  I don't have an easy solution.  The normal thing to do would be to look at the source of the store so that you know the value that will be stored before the instruction actually executes.  But this requires more effort in the client to handle the various x86 instrs that can store to memory.

In your case maybe you can save the address in tIns to pass it between the two calls.

I think I found a bug in the clean call impl, but I need to come up with a proper fix.  Since you're building DR from source, try adding:
cc->preserve_mcontext = true;
... to clean_call_info_init() in dynamorio/core/x86/mangle.c.

B.R.

Aug 21, 2012, 12:06:14 PM
to dynamor...@googlegroups.com
I tried that. Didn't seem to have much effect:
- Crash when restoration inserted before current instruction
- Stall when restoration before next instruction

I thought that since I inserted context save/restoration on each memory operand there could be some conflicts between those insertions.
Even when managing to only insert 1 save and 1 restoration per instruction, it doesn't seem to have much impact.
---
B.

B.R.

Aug 21, 2012, 5:04:35 PM
to DynamoRIO Users
OK I was facing some design flaws: I don't have that random output anymore.
However I haven't reached a working solution on those memory operands. I'll keep you updated on the topic, but consider it standby meanwhile.
---
B.

B.R.

Aug 21, 2012, 6:23:14 PM
to B.R., DynamoRIO Users
Ok, I made it.

Thanks Reid, your fix is very welcome: it doesn't work without it.
Strange to see a structure partly initialized...

The memory address gathering works like a charm.

Thanks a lot for your help Reid & Derek!
---
B.

B.R.

Aug 23, 2012, 12:09:19 PM
to dynamor...@googlegroups.com
Hello again Reid,

Your little patch worked in most cases.
However it seems I still encounter the same strange memory readings when explicit segments are used:

  • Binary: XP's hostname.exe
  • Instruction: @1001379 (64a1 00000000) mov eax, dword ptr fs:[0]
  • Output :
    • DynamoRIO: Memory read @7ffdf000 (4) = 23aaee94
    • Expected: Memory read @7ffdf000 (4) = 7ffe0

  • Binary: XP's hostname.exe
  • Instruction: @1001380 (648925 00000000) mov dword ptr fs:[0], esp
  • Output :
    • DynamoRIO: Memory write @7ffdf000 (4) = 23aaeea4
    • Expected: Memory write @7ffdf000 (4) = 7ffb0
The correct value appear in the other operands and the execution is correctly processed.
The problem seems to come only from DynamoRIO's memory context representation.


You'll find the dump of the corresponding basic block as attachment.
---
B.
bb_0x01001374
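
What the inserted address computation has to produce for the two cases debated in this thread, as an added example that is neither DynamoRIO's code nor the poster's client: a plain C model of x86-32 effective-address evaluation. The names regctx_t, memopnd_t, mem_addr and push32_write_addr are assumptions; the register snapshot is constructed from the dump posted earlier in the thread, and the FS base of 0x7ffdf000 is the TEB address that the fs:[0] accesses above resolve to. It reproduces the 0x7ffc0 write address expected for "push 0x28" (pre-execution esp minus 4) and shows that an fs: override must fold in the segment base rather than dereference linear address 0.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 32-bit register context (assumed names, not dr_mcontext_t). */
typedef struct {
    uint32_t eax, ebx, ecx, edx, esi, edi, ebp, esp;
    uint32_t fs_base;   /* linear base of FS: the TEB on 32-bit Windows */
} regctx_t;

typedef enum { REG_NONE, REG_EAX, REG_EBX, REG_ECX, REG_EDX,
               REG_ESI, REG_EDI, REG_EBP, REG_ESP } reg_t;

typedef enum { SEG_DEFAULT, SEG_FS } seg_t;

/* Hypothetical decoded base+index*scale+disp operand with optional override. */
typedef struct {
    seg_t   seg;
    reg_t   base;
    reg_t   index;
    int     scale;    /* 1, 2, 4 or 8; ignored when index == REG_NONE */
    int32_t disp;
} memopnd_t;

static uint32_t reg_val(const regctx_t *c, reg_t r)
{
    switch (r) {
    case REG_EAX: return c->eax;
    case REG_EBX: return c->ebx;
    case REG_ECX: return c->ecx;
    case REG_EDX: return c->edx;
    case REG_ESI: return c->esi;
    case REG_EDI: return c->edi;
    case REG_EBP: return c->ebp;
    case REG_ESP: return c->esp;
    default:      return 0;
    }
}

/* Linear address of a memory operand, evaluated against the register
 * context that is live *before* the instruction executes, which is the
 * point at which the address-computing code inserted before it runs. */
uint32_t mem_addr(const memopnd_t *m, const regctx_t *c)
{
    uint32_t ea = reg_val(c, m->base) + (uint32_t)m->disp;
    if (m->index != REG_NONE)
        ea += reg_val(c, m->index) * (uint32_t)m->scale;
    if (m->seg == SEG_FS)
        ea += c->fs_base;   /* fs:[0] means TEB+0, not linear address 0 */
    return ea;
}

/* "push imm32" stores 4 bytes at esp-4, where esp is the pre-execution
 * value: with esp = 0x7ffc4 the write lands at 0x7ffc0, the address the
 * thread expects for "push 0x28". */
uint32_t push32_write_addr(const regctx_t *c)
{
    memopnd_t implicit = { SEG_DEFAULT, REG_ESP, REG_NONE, 1, -4 };
    return mem_addr(&implicit, c);
}

int main(void)
{
    /* Constructed snapshot, values taken from the register dump posted in the thread. */
    regctx_t c = { 0x232a2800, 0x232a2800, 0x40, 0x2337d2b4,
                   0x232a2800, 0x2337d2b4, 0x2330eeec, 0x7ffc4,
                   0x7ffdf000 };
    memopnd_t fs0    = { SEG_FS,      REG_NONE, REG_NONE, 1, 0 };     /* fs:[0]      */
    memopnd_t eax170 = { SEG_DEFAULT, REG_EAX,  REG_NONE, 1, 0x170 }; /* [eax+0x170] */

    printf("push 0x28        writes @%08x\n", push32_write_addr(&c));
    printf("mov eax, fs:[0]  reads  @%08x\n", mem_addr(&fs0, &c));
    printf("[eax+0x170]      is     @%08x\n", mem_addr(&eax170, &c));
    return 0;
}
```

The point of the model is the input context: the address must come from registers as they are immediately before the application instruction, delivered to the clean call by the inserted code itself, not from a value read out of an mcontext while the basic block is being built, since that snapshot is stale by the time the block runs.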

Reid Kleckner

Aug 23, 2012, 12:21:50 PM
to dynamor...@googlegroups.com
I looked at it quickly and I don't see any obvious problems with the clean calls.

Is this the bug in drutil_insert_get_mem_addr that Derek fixed?

Have you updated to pull in this revision?

B.R.

Aug 23, 2012, 2:23:35 PM
to dynamor...@googlegroups.com
Hello,

I was still at revision 1534 with the 'cci->preserve_mcontext = true;' patch you provided to me.

I just updated from the SVN repository and I guess I'm experiencing a regression.

rev 1545 without the patch: @10011d7 (6a28) --> memory write @7ffd4000 (4) = 0 --> Incorrect
rev 1545 with the patch: @10011d7 (6a28) --> memory write @7ffc0 (4) = 28 --> Correct

Maybe the Issue #874 didn't do the right thing?

I'll stress that when I reported some trouble, I also had some design issues in my tool, as I notified you later. In the corrected one, the patch you provided me with was (and still seems to be) useful.
My intel on that is apparently that rev 1534 works way better than 1545 (@10011d7 is the very first user-code instruction of hostname.exe...)...

Since I also read in rev 872 that "maybe" I use an old machine: I'm using Windows XP SP3 with the latest updates. It is virtualized, but I guess OS virtualization is not the source of our problems here.
---
B.

B.R.

Aug 23, 2012, 2:51:40 PM
to DynamoRIO Users
I omitted to conclude:

With rev 1545 patched, problems still lie for the 1001379 and 1001380 instruction I provided earlier:
@1001379 --> Memory read @7ffdf000 = 1f31ee94 (value 7ffe0 expected)
@1001380 --> Memory write @7ffdf000 = 1f31eea4 (value 7ffb0 expected)

You'll find the instrumented bb as attachment.
---
B.
bb_0x01001374

B.R.

Aug 23, 2012, 5:54:12 PM
to DynamoRIO Users
The only thing which is for sure is that the patch you provided me solves the problem for most of the cases, explicit segments such as FS excluded.

Do you notice a difference in your tests by using it or not?
Can't you reproduce my bug?
---
B.

Reid Kleckner

Aug 23, 2012, 7:42:02 PM
to dynamor...@googlegroups.com
We've been busy with major regressions on the Chrome waterfall, but I'll try to look at drutil_insert_get_mem_addr() when I have a moment.

B.R.

Aug 23, 2012, 8:12:27 PM
to dynamor...@googlegroups.com
No problem, higher priorities raise higher concern :o)

When you have time for DynamoRIO again: I made a little exe to test memory read/write with the FS segment.
Useful to test memory address computation and memory context altogether ;o)
---
B.
segment.xex