; Windows installer for the KolibriOS mtldr loader (FASM source).
; Depending on the Windows version it registers the loader through
; config.sys (9x), boot.ini (NT before 6.0) or the BCD WMI provider (6.0+).
format PE GUI 4.0
section '.text' code readable executable
entry start
start:
	xor ebx, ebx		; ebx = 0 for the whole program
	push ofn
	call [GetOpenFileNameA]
	test eax, eax
	jnz @f
	push ebx
	call [ExitProcess]
@@:
	call [GetVersion]
	test eax, eax
	sets [b9x]		; high bit set => Windows 9x
	js install_9x
	mov [img_name+2], bl	; cut "X:\..." down to "X:" so that dn = "\\.\X:"
	push ebx
	push ebx
	push 3			; OPEN_EXISTING
	push ebx
	push 3			; FILE_SHARE_READ or FILE_SHARE_WRITE
	push 80000000h		; GENERIC_READ
	push dn
	call [CreateFileA]
	inc eax
	jnz @f
norights:
	push 10h
	push ebx
	push norightsmsg
mbx:
	push ebx
	call [MessageBoxA]
	push ebx
	call [ExitProcess]
@@:
	lea esi, [eax-1]
	push ebx
	push tmp
	push 12
	push sdn
	push ebx
	push ebx
	push 0x2D1080		; IOCTL_STORAGE_GET_DEVICE_NUMBER
	push esi
	call [DeviceIoControl]
	test eax, eax
	jnz @f
cnr:
	push esi
	call [CloseHandle]
	jmp norights
@@:
	push ebx
	push tmp
	push 20h
	push pi
	push ebx
	push ebx
	push 0x74004		; IOCTL_DISK_GET_PARTITION_INFO
	push esi
	call [DeviceIoControl]
	test eax, eax
	jz cnr
	push esi
	call [CloseHandle]
	cmp [sdn], 7		; FILE_DEVICE_DISK
	jz @f
	push 10h
	push 0
	push nohd
	jmp mbx
@@:
	mov al, byte [sdn+4]	; disk number
	or al, 80h		; -> BIOS drive number
	mov [mtldr_code+7], al	; patched into the loader image
	mov eax, [pi]
	mov edx, [pi+4]
	shrd eax, edx, 9	; partition start offset / 512 = start sector
	shr edx, 9
	jz @f			; the start sector must fit in 32 bits
m1e:
	push 10h
	push ebx
	push m1
	jmp mbx
@@:
install_cmn:
	mov [mtldr_code+8], eax
	mov esi, img_name
	mov edi, img_real_name
	mov byte [esi+2], '\'
	push 256
	push edi
	push esi
	call [GetShortPathNameA]
	cmp eax, 256
	jb @f
	push 10h
	push ebx
	push ptl
	jmp mbx
@@:
	test eax, eax
	jnz @f
	push esi edi
	mov ecx, 256/4
	rep movsd
	pop edi esi
@@:
; convert the image path to lower case
	cmp byte [edi], 0
	jz lcd
	cmp byte [edi], 'A'
	jb lcc
	cmp byte [edi], 'Z'
	ja lcc
	add byte [edi], 20h
lcc:
	inc edi
	jmp @b
lcd:
	mov esi, img_real_name
	cmp [b9x], 0
	jnz @f
	cmp byte [esi], 'c'
	jnz notc
@@:
; place mtldr in the same directory as the image
	push 256/4
	pop ecx
	lea edi, [esi+ecx*4]
	rep movsd
	mov edi, esi
	xor eax, eax
	or ecx, -1
	repnz scasb
	dec edi
	std
	mov al, '\'
	repnz scasb
	cld
	inc edi
	inc edi
	mov eax, 'mtld'
	stosd
	mov al, 'r'
	stosb
	jmp cmn
notc:
	mov dword [mtldr_name], 'C:\m'
	mov dword [mtldr_name+4], 'tldr'
	mov edi, mtldr_name+8
cmn:
	and word [edi], 0
mf:
; find a free name: mtldr, mtldr0..mtldr9, mtldrA..mtldrZ
	push mtldr_name
	call [GetFileAttributesA]
	inc eax
	jnz @f
	call [GetLastError]
	cmp eax, 2		; ERROR_FILE_NOT_FOUND
	jz fo
@@:
	cmp byte [edi], 0
	jnz @f
	mov byte [edi], '0'
	jmp mf
@@:
	cmp byte [edi], '9'
	jae @f
mfi:
	inc byte [edi]
	jmp mf
@@:
	ja @f
	mov byte [edi], 'A'
	jmp mf
@@:
	cmp byte [edi], 'Z'
	jb mfi
nomx:
	push 10h
	push ebx
	push nom
	jmp mbx
fo:
	cmp [b9x], 0
	jnz install_9x_2
	call write_mtldr1
	push ecx
	call [GetVersion]
	pop ecx
	cmp al, 6		; major version 6 and later: BCD instead of boot.ini
	jae install_vista
	mov al, 2
	mov edi, tmp_data
	neg ecx
	add ecx, 2000h - mtldr_code_size
	push ebx
	push tmp
	push ecx
	push edi
	push esi
	rep stosb
	call [WriteFile]
	push esi
	call [CloseHandle]
	push bootini
	mov edi, systitle+1
	mov esi, ostitle
	mov byte [edi-1], '"'
@@:
	lodsb
	test al, al
	jz @f
	stosb
	jmp @b
@@:
	mov word [edi], '"'
; clear the read-only attribute of boot.ini, add the entry, restore attributes
	push bootini
	call [GetFileAttributesA]
	push eax
	and al, not 1
	push eax
	push bootini
	call [SetFileAttributesA]
	push bootini
	push systitle
	push mtldr_name
	push mtldr_name
	push mtldr_name
	call [CharToOemA]
	push osstr
	call [WritePrivateProfileStringA]
	xchg eax, [esp]
	push eax
	push bootini
	call [SetFileAttributesA]
	pop eax
	test eax, eax
	jnz suci
; failed, delete written mtldr
	call delete_mtldr
	push 10h
	push ebx
	push insterr
	jmp mbx
suci:
	push 40h
	push suct
	push succ
	jmp mbx

install_9x:
	mov al, [img_name]
	or al, 20h
	sub al, 'a'-1
	mov byte [regs], al	; 1-based drive number
	push ebx
	push ebx
	push 3
	push ebx
	push 3
	push 80000000h
	push vwin32
	call [CreateFileA]
	inc eax
	jz norights
	dec eax
	xchg eax, esi
	push ebx
	push tmp
	push 28
	push regs
	push 28
	push regs
	push 1			; VWIN32_DIOC_DOS_IOCTL
	push esi
	call [DeviceIoControl]
	push eax
	push esi
	call [CloseHandle]
	pop eax
	test eax, eax
@@:
	jz norights
	mov al, [diskinfobuf+3]
	cmp al, 0xFF
	jz @b
	cmp al, 80h
	jb norights
	mov [mtldr_code+7], al
	cmp dword [diskinfobuf+12], 0
	jnz m1e
	mov eax, [diskinfobuf+8]
	jmp install_cmn

install_9x_2:
; read the whole config.sys into memory, then rewrite it
	push ebx
	push ebx
	push 3
	push ebx
	push 1
	push 80000000h
	push config
	call [CreateFileA]
	inc eax
	jnz @f
ie2:
	push 10h
	push ebx
	push insterr2
	jmp mbx
@@:
	dec eax
	xchg eax, esi
	push ebx
	push esi
	call [GetFileSize]
	inc eax
	jz ie2
	dec eax
	xchg eax, ebp
	push 4
	push 1000h
	push ebp
	push ebx
	call [VirtualAlloc]
	xchg eax, edi
	test edi, edi
	jz ie2
	push ebx
	push tmp
	push ebp
	push edi
	push esi
	call [ReadFile]
	push esi
	call [CloseHandle]
	push ebx
	push 80h
	push 2			; CREATE_ALWAYS
	push ebx
	push ebx
	push 40000000h		; GENERIC_WRITE
	push config
	call [CreateFileA]
	inc eax
	jz ie2
	dec eax
	xchg eax, esi
	mov eax, dword [edi]
	or eax, 0x20202000
	cmp eax, '[men'
	jz menu
	push ostitle
	call [lstrlenA]
	cmp eax, 17
	ja bt1
	push esi edi
	mov esi, ostitle
	mov edi, mtldr_code+23Ah
	mov ecx, eax
	rep movsb
	mov dword [edi], '? [y'
	mov dword [edi+4], '/n]:'
	mov word [edi+8], ' '
	pop edi esi
	jmp ct1
bt1:
	push img_real_name+3
	call [lstrlenA]
	add eax, mtldr_code_size+1+100h
	mov word [mtldr_code+0x19], ax
ct1:
	push ebx
	push tmp
	push 8
	push install
	push esi
	call [WriteFile]
cfgd:
	mov eax, mtldr_name
	push eax
	push eax
	push eax
	call [CharToOemA]
	call [lstrlenA]
	push ebx
	push tmp
	push eax
	push mtldr_name
	push esi
	call [WriteFile]
	push ebx
	push tmp
	push 2
	push newline
	push esi
	call [WriteFile]
	push ebx
	push tmp
	push ebp
	push edi
	push esi
	call [WriteFile]
	push esi
	call [CloseHandle]
	call write_mtldr1
	push ostitle
	call [lstrlenA]
	cmp eax, 11
	jbe @f
	push ebx
	push tmp
	push ld2sz
	push ld2
	push esi
	push ebx
	push tmp
	push eax
	push ostitle
	push esi
	push ebx
	push tmp
	push ld1sz
	push ld1
	push esi
	call [WriteFile]
	call [WriteFile]
	call [WriteFile]
@@:
	push esi
	call [CloseHandle]
	jmp suci
menu:
; config.sys starts with a [menu] section: record existing menuitem=kolibri* names
	push edi
	or ecx, -1
mes:
	mov al, 0xA
	repnz scasb
	cmp byte [edi], '['
	jz med
	cmp dword [edi], 'menu'
	jnz mes
	cmp dword [edi+4], 'item'
	jnz mes
	cmp byte [edi+8], '='
	jnz mes
	mov eax, [edi+9]
	or eax, ' '
	cmp eax, 'koli'
	jnz mes
	mov eax, [edi+13]
	and eax, 0xFFFFFF
	or eax, ' '
	cmp eax, 'bri'
	jnz mes
	movzx eax, byte [edi+16]
	or al, 0x20
	mov [menuitems+eax], 1
	jmp mes
med:
	cmp word [edi-4], 0x0A0D
	jnz @f
	dec edi
	dec edi
	jmp med
@@:
	sub edi, [esp]
	push ebx
	push tmp
	push edi
	push dword [esp+12]
	push esi
	call [WriteFile]
	add [esp], edi
	sub ebp, edi
	mov ecx, 7
	cmp [menuitems+0x20], 0
	jnz @f
	cmp [menuitems+','], 0
	jz mef
@@:
	mov eax, '0'
mel1:
	cmp [menuitems+eax], 0
	jz med1
	inc eax
	cmp al, '9'+1
	jb mel1
	jnz @f
	mov al, 'a'
	jmp mel1
@@:
	cmp al, 'z'
	jbe mel1
	push ebx
	push tmp
	push ebp
	push dword [esp+12]
	push esi
	call [WriteFile]
	push esi
	call [CloseHandle]
	jmp nomx
med1:
	mov [menuitem+7], al
	mov ecx, 8
mef:
	push ebx
	push tmp
	push ecx
	push menuitem
	push esi
	push ebx
	push tmp
	push ecx
	push menuitem
	push esi
	push ebx
	push tmp
	push 9
	push mis
	push esi
	call [WriteFile]
	call [WriteFile]
	push ebx
	push tmp
	push title9xsz
	push title9x
	push esi
	call [WriteFile]
	push ebx
	push tmp
	push ostitle
	call [lstrlenA]
	push eax
	push ostitle
	push esi
	call [WriteFile]
	push ebx
	push tmp
	push title9x2sz
	push title9x2
	push esi
	call [WriteFile]
	call [WriteFile]
	push ebx
	push tmp
	push 11
	push sec9x2
	push esi
	call [WriteFile]
	mov byte [mtldr_code+1], 37h
	pop edi
	jmp cfgd

install_vista:
	push esi
	call [CloseHandle]
; editing the BCD store needs SeBackupPrivilege and SeRestorePrivilege enabled
	mov edi, sbn
	call adjust_privilege
	mov edi, srn
	call adjust_privilege
	push ebx
	push ebx
	call [CoInitializeEx]
	test eax, eax
	js we
	push ebx
	push ebx
	push ebx
	push 3
	push ebx
	push ebx
	push ebx
	push -1
	push ebx
	call [CoInitializeSecurity]
	test eax, eax
	jns @f
we2:
	call [CoUninitialize]
we:
	call delete_mtldr
	push 10h
	push ebx
	push wmierr
	jmp mbx
@@:
	push ebx
	push esp
	push IID_IWbemLocator
	push 1
	push ebx
	push CLSID_WbemLocator
	call [CoCreateInstance]
	pop edi
	test eax, eax
	js we2
	push ebx
	push esp
	push ebx
	push ebx
	push ebx
	push ebx
	push ebx
	push ebx
	push ns
	push edi
	mov esi, [edi]
	call dword [esi+12]	; IWbemLocator::ConnectServer
	push eax
	push edi
	call dword [esi+8]	; Release
	pop eax
	pop edi			; edi = IWbemServices
	test eax, eax
	js we2
	push ebx
	push ebx
	push 3
	push 3
	push ebx
	push ebx
	push 10
	push edi
	call [CoSetProxyBlanket]
	test eax, eax
	jns @f
we3:
	mov eax, [edi]
	push edi
	call dword [eax+8]
	jmp we2
@@:
	xor esi, esi
	push osp
	push osn
	push bs
	call call_method	; BcdStore.OpenStore
	test eax, eax
	js we3
	mov esi, guid
	mov ebp, menuitems
	push esi
	call [CoCreateGuid]
	push 2000h/2
	push ebp
	push esi
	call [StringFromGUID2]
	mov esi, [varout+8]
	push con
	push bs
	call call_method	; BcdStore.CreateObject
	jns @f
wecei:
	mov ebp, coerr
wece:
	mov eax, [esi]
	push esi
	call dword [eax+8]
	mov eax, [edi]
	push edi
	call dword [eax+8]
	call [CoUninitialize]
	call delete_mtldr
	push 10h
	push ebx
	push ebp
	jmp mbx
@@:
	pop eax
	push esi
	push eax
	mov ebp, tmp_data
	mov dword [vartmpstr+8], ebp
	mov dword [vari32+8], 0x12000004	; description element
	push 2000h/2
	push ebp
	push -1
	push ostitle
	push ebx
	push ebx
	call [MultiByteToWideChar]
	mov esi, [varout+8]
	push ssen
	push bo
	call call_method	; BcdObject.SetStringElement
	mov ebp, setproperr
	js wece2
	sub dword [esp], 24
	mov byte [vari32+8], 2			; 0x12000002: application path element
	push 2000h/2
	push tmp_data
	push -1
	push mtldr_name+2
	push ebx
	push ebx
	call [MultiByteToWideChar]
	push ssen
	push bo
	call call_method
	js wece2
	mov dword [vari32+8], 0x11000001	; application device element
	mov ecx, tmp_data
	mov dword [ecx], '\' + ('?' shl 16)
	mov dword [ecx+4], '?' + ('\' shl 16)
	xor eax, eax
	mov dword [ecx+12], eax
	mov al, [mtldr_name+1]
	shl eax, 16
	mov al, [mtldr_name]
	mov dword [ecx+8], eax
	push spden
	push bo
	call call_method	; BcdObject.SetPartitionDeviceElement
	js wece2
	mov eax, [esi]
	push esi
	call dword [eax+8]
	pop eax
	pop esi
	push eax
	push oon
	push bs
	call call_method	; BcdStore.OpenObject
	mov ebp, orerr
	js wece3
	pop eax
	push esi
	push eax
	mov esi, [varout+8]
	mov dword [vari32+8], 0x24000001	; display order element
	push gen
	push bo
	call call_method	; BcdObject.GetElement
	js wece2
	push esi
	mov esi, [varout+8]
	push ebx
	push ebx
	push varout
	push ebx
	push idsn
	mov eax, [esi]
	push esi
	call dword [eax+16]
	push eax
	mov eax, [esi]
	push esi
	call dword [eax+8]
	pop eax
	pop esi
	test eax, eax
	js wece2
	push esi
	cmp word [varout], 2008h	; VT_ARRAY or VT_BSTR
	jnz wece4
	mov esi, [varout+8]
	cmp word [esi], 1
	jnz wece4
; append the new object's GUID string to the Ids array
	push dword [esi+20]
	mov eax, [esi+16]
	inc eax
	push eax
	push esp
	push esi
	call [SafeArrayRedim]
	pop ecx
	pop ecx
	test eax, eax
	js wece4
	push menuitems
	call [SysAllocString]
	test eax, eax
	jz wece4
	push eax
	mov ecx, [esi+16]
	add ecx, [esi+20]
	dec ecx
	push ecx
	mov ecx, esp
	push eax
	push ecx
	push esi
	call [SafeArrayPutElement]
	pop ecx
	call [SysFreeString]
	pop esi
	push solen
	push bo
	call call_method	; BcdObject.SetObjectListElement
	js wece2
	push varout
	call [VariantClear]
	mov eax, [esi]
	push esi
	call dword [eax+8]
	pop eax
	pop esi
	mov eax, [esi]
	push esi
	call dword [eax+8]
	mov eax, [edi]
	push edi
	call dword [eax+8]
	call [CoUninitialize]
	jmp suci
wece4:
	pop esi
wece2:
	mov eax, [esi]
	push esi
	call dword [eax+8]
	pop eax
	pop esi
	push eax
wece3:
; roll back: delete the BCD object created above
	mov dword [vartmpstr+8], menuitems
	pop eax
	push dop
	push don
	push bs
	call call_method	; BcdStore.DeleteObject
	pop eax
	jmp wece

write_mtldr1:
	push ebx
	push 80h
	push 2
	push ebx
	push ebx
	push 40000000h
	push mtldr_name
	call [CreateFileA]
	inc eax
	jnz @f
	push 10h
	push ebx
	push noc
	jmp mbx
@@:
	dec eax
	xchg eax, esi
	push ebx
	push tmp
	push mtldr_code_size
	push mtldr_code
	push esi
	call [WriteFile]
	push img_real_name
	push img_real_name
	call [CharToOemA]
	mov edi, img_real_name+3
	push edi
	call [lstrlenA]
	inc eax
	push eax
	push ebx
	push tmp
	push eax
	push edi
	push esi
	call [WriteFile]
	pop ecx
	ret

delete_mtldr:
	push mtldr_name
	push mtldr_name
	push mtldr_name
	call [OemToCharA]
	call [DeleteFileA]
	ret

adjust_privilege:
; in: edi -> privilege name; enables that privilege in the process token
	cmp [advapi32], 0
	jnz @f
	push advapi32_name
	call [LoadLibraryA]
	mov [advapi32], eax
	mov esi, eax
	test esi, esi
	jz ape
	push opts
	push esi
	call [GetProcAddress]
	mov [OpenProcessToken], eax
	test eax, eax
	jz ape
	push lpvs
	push esi
	call [GetProcAddress]
	mov [LookupPrivilegeValueA], eax
	test eax, eax
	jz ape
	push atps
	push esi
	call [GetProcAddress]
	mov [AdjustTokenPrivileges], eax
	test eax, eax
	jz ape
@@:
	push ebx
	push esp
	push 28h		; TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY
	call [GetCurrentProcess]
	push eax
	call [OpenProcessToken]
	test eax, eax
	pop esi
	jz ape
	push 2			; SE_PRIVILEGE_ENABLED
	push ebx
	push ebx
	mov eax, esp
	push 1			; PrivilegeCount
	push eax
	push edi
	push ebx
	call [LookupPrivilegeValueA]
	test eax, eax
	jz ape2
	mov eax, esp
	push ebx
	push ebx
	push ebx
	push eax
	push ebx
	push esi
	call [AdjustTokenPrivileges]
	test eax, eax
	jz ape2
	add esp, 10h
	push esi
	call [CloseHandle]
	ret
ape2:
	add esp, 10h
	push esi
	call [CloseHandle]
ape:
	push 10h
	push ebx
	push apf
	jmp mbx

call_method:
; WMI method call helper; edi = IWbemServices, esi = object instance or 0
	push ebx
	mov eax, esp
	push ebx
	push eax
	push ebx
	push ebx
	push dword [eax+8]
	mov eax, [edi]
	push edi
	call dword [eax+24]	; IWbemServices::GetObject
	xchg edi, [esp]
	test eax, eax
	js r
	push ebx
	mov eax, esp
	push ebx
	push eax
	push ebx
	push dword [eax+16]
	mov eax, [edi]
	push edi
	call dword [eax+76]	; IWbemClassObject::GetMethod
	push eax
	mov eax, [edi]
	push edi
	call dword [eax+8]
	pop eax
	pop edi
	test eax, eax
	js r
	push ebx
	push esp
	push ebx
	mov eax, [edi]
	push edi
	call dword [eax+60]	; IWbemClassObject::SpawnInstance
	push eax
	mov eax, [edi]
	push edi
	call dword [eax+8]
	pop eax
	pop edi
	test eax, eax
	js r
cml1:
	mov eax, [esp+16]
	add dword [esp+16], 8
	cmp dword [eax], 0
	jz cme1
	push ebx
	push dword [eax+4]
	push ebx
	push dword [eax]
	mov eax, [edi]
	push edi
	call dword [eax+20]	; IWbemClassObject::Put
	test eax, eax
	js r2
	jmp cml1
cme1:
	and dword [varout], 0
	mov ecx, [esp+8]
	test esi, esi
	jz cms
	push ebx
	push ebx
	push varout
	push ebx
	push rpn
	mov eax, [esi]
	push esi
	call dword [eax+16]	; IWbemClassObject::Get
	test eax, eax
	js r2
	cmp word [varout], 8	; VT_BSTR
	jnz r2
	mov ecx, [varout+8]
cms:
	pop edx
	push edx
	push ebx
	mov eax, esp
	push ebx
	push eax
	push edi
	push ebx
	push ebx
	push dword [eax+16]
	push ecx
	mov eax, [edx]
	push edx
	call dword [eax+96]	; IWbemServices::ExecMethod
	push eax
	mov eax, [edi]
	push edi
	call dword [eax+8]
	push varout
	call [VariantClear]
	pop eax
	pop edi
	test eax, eax
	js r
	push ebx
	push ebx
	push varout
	push ebx
	push retvaln
	mov eax, [edi]
	push edi
	call dword [eax+16]
	test eax, eax
	js r2
	mov eax, 80000000h
	cmp word [varout], 11	; VT_BOOL
	jnz r2
	cmp word [varout+8], 0
	jz r2
	mov eax, [esp+16]
	mov eax, [eax-4]
	test eax, eax
	jz r2
	push ebx
	push ebx
	push varout
	push ebx
	push eax
	mov eax, [edi]
	push edi
	call dword [eax+16]
	test eax, eax
	js r2
	cmp word [varout], 13	; VT_UNKNOWN
	setnz al
	shl eax, 31
r2:
	push eax
	mov eax, [edi]
	push edi
	call dword [eax+8]
	pop eax
r:
	pop edi
	test eax, eax
	ret 8

ofn_hook:
	cmp dword [esp+8], 2
	jnz @f
	push 260
	push ostitle
	push 23
	push dword [esp+12+4]
	call [GetDlgItemTextA]
@@:
	xor eax, eax
	ret 10h

section '.data' data readable writable
data resource from 'rsrc.res'
end data

align 4
ofn:
	dd 76
	dd 0
	dd ofn_title_template
	dd filter
	dd 0
	dd 0
	dd 0
	dd img_name
	dd 100h
	dd 0
	dd 0
	dd 0
	dd ofn_title
	dd 818A4h
	dd 0
	dd aImg
	dd 0
	dd ofn_hook
	dd 0
ofn_title_template:
	dw 1,-1
	dd 0
	dd 0
	dd 56000444h
	dw 2
	dw 0,0,275,28
	dw 0,0,0
	dw 8
	dd 0
	du 'MS Sans Serif',0
	align 4
	dd 0
	dd 0
	dd 50010000h
	dw 5,12,45,9
	dw -1
	dw 0
	dw -1,82h
	du 'Title:',0
	dw 0
	align 4
	dd 0
	dd 204h
	dd 50010080h
	dw 54,10,218,12
	dw 23
	dw 0
	dw -1,81h
	du 'KolibriOS',0
	dw 0

filter db 'Image files (*.img)',0,'*.img',0,'All files',0,'*.*',0,0
ofn_title db 'Select KolibriOS image file',0
aImg db 'img',0
norightsmsg db 'Cannot query drive info.',10
	db 'Probably it is invalid drive or you are not administrator',0
nohd db 'Image must be on hard disk!',0
m1 db 'Please mail to diamondz@land.ru',0
nom db "Too many mtldr's found!",0
noc db 'Cannot create mtldr file!',0
osstr db 'operating systems',0
bootini db 'c:\boot.ini',0
insterr db 'Cannot write to boot.ini. Probably you are not administrator.',0
insterr2 db 'Cannot open config.sys',0
ptl db 'Path is too long',0
succ db 'Installation successful!',0
suct db 'Success',0
vwin32 db '\\.\vwin32',0
config db 'C:\config.sys',0
sec9x2 db ']',13,10
install db 'install='
newline db 13,10
menuitem db 'kolibri',0
mis db 'menuitem='
title9x db ',Load '
title9xsz = $ - title9x
title9x2 db 13,10,13,10,'['
title9x2sz = $ - title9x2
ld1 db 'Load '
ld1sz = $ - ld1
ld2 db '? [y/n]: ',0
ld2sz = $ - ld2
apf db 'Cannot adjust backup and restore privileges',0
opts db 'OpenProcessToken',0
lpvs db 'LookupPrivilegeValueA',0
atps db 'AdjustTokenPrivileges',0
sbn db 'SeBackupPrivilege',0
srn db 'SeRestorePrivilege',0
wmierr db 'BCD WMI API: initialization error',0
coerr db 'Cannot create BCD object for KolibriOS loader',0
setproperr db 'Cannot create BCD element in object for KolibriOS loader',0
orerr db 'Cannot add KolibriOS loader in BCD display list',0
ns du 'root\wmi',0
retvaln du 'ReturnValue'
emptystr du 0
rpn du '__Relpath',0
bs du 'BcdStore',0
bo du 'BcdObject',0
osn du 'OpenStore',0
con du 'CreateObject',0
don du 'DeleteObject',0
oon du 'OpenObject',0
ssen du 'SetStringElement',0
spden du 'SetPartitionDeviceElement',0
gen du 'GetElement',0
solen du 'SetObjectListElement',0
fn du 'File',0
storen du 'Store',0
idn du 'Id',0
idsn du 'Ids',0
tn du 'Type',0
obn du 'Object',0
sn du 'String',0
dtn du 'DeviceType',0
aon du 'AdditionalOptions',0
pn du 'Path',0
en du 'Element',0
bg du '{9dea862c-5cdd-4e70-acc1-f32b344d4795}',0	; Windows Boot Manager object

align 4
advapi32 dd 0
regs:
; register block passed to vwin32: ebx, edx, ecx, eax, edi, esi, flags
	dd 0
	dd diskinfobuf
	dd 86Fh
	dd 440Dh
	dd 0
	dd 0
	dd 1
diskinfobuf:
	db 10h,0,0,0FFh
	times 0Ch db 0
IID_IWbemLocator:
	dd 0DC12A687h
	dw 737Fh
	dw 11CFh
	db 88h, 4Dh, 00h, 0AAh, 00h, 4Bh, 2Eh, 24h
CLSID_WbemLocator:
	dd 4590F811h
	dw 1D3Ah
	dw 11D0h
	db 89h, 1Fh, 00h, 0AAh, 00h, 4Bh, 2Eh, 24h
IID_IWbemClassObject:
	dd 0DC12A681h
	dw 737Fh
	dw 11CFh
	db 88h, 4Dh, 00h, 0AAh, 00h, 4Bh, 2Eh, 24h
; VARIANTs used as method arguments (8 = VT_BSTR, 3 = VT_I4)
varemptystr:
	dd 8, 0, emptystr, 0
vartmpstr:
	dd 8, 0, menuitems, 0
varbootmgr:
	dd 8, 0, bg, 0
vari32:
	dd 3, 0, 10400008h, 0
vari32_pd:
	dd 3, 0, 2, 0
; (name, value) argument lists for call_method, each terminated by a zero name
osp:
	dd fn, varemptystr
	dd 0, storen
	dd idn, vartmpstr
	dd tn, vari32
	dd 0, obn
	dd tn, vari32
	dd sn, vartmpstr
	dd 0, 0
	dd tn, vari32
	dd dtn, vari32_pd
	dd aon, varemptystr
	dd pn, vartmpstr
	dd 0, 0
	dd idn, varbootmgr
	dd 0, obn
	dd tn, vari32
	dd 0, en
	dd tn, vari32
	dd idsn, varout
	dd 0, 0
dop:
	dd idn, vartmpstr
	dd 0, 0

data import
macro thunk a
{
a#_thunk:dw 0
db `a,0
}
	dd 0,0,0, rva kernel32_name, rva kernel32_thunks
	dd 0,0,0, rva user32_name, rva user32_thunks
	dd 0,0,0, rva comdlg32_name, rva comdlg32_thunks
	dd 0,0,0, rva ole32_name, rva ole32_thunks
	dd 0,0,0, rva oleaut32_name, rva oleaut32_thunks
	dd 0,0,0,0,0
kernel32_name db 'kernel32.dll',0
user32_name db 'user32.dll',0
advapi32_name db 'advapi32.dll',0
comdlg32_name db 'comdlg32.dll',0
ole32_name db 'ole32.dll',0
oleaut32_name db 'oleaut32.dll',0
kernel32_thunks:
GetVersion dd rva GetVersion_thunk
CreateFileA dd rva CreateFileA_thunk
DeviceIoControl dd rva DeviceIoControl_thunk
CloseHandle dd rva CloseHandle_thunk
GetFileAttributesA dd rva GetFileAttributesA_thunk
SetFileAttributesA dd rva SetFileAttributesA_thunk
GetLastError dd rva GetLastError_thunk
ReadFile dd rva ReadFile_thunk
WriteFile dd rva WriteFile_thunk
ExitProcess dd rva ExitProcess_thunk
WritePrivateProfileStringA dd rva WritePrivateProfileStringA_thunk
GetShortPathNameA dd rva GetShortPathNameA_thunk
lstrlenA dd rva lstrlenA_thunk
VirtualAlloc dd rva VirtualAlloc_thunk
GetFileSize dd rva GetFileSize_thunk
DeleteFileA dd rva DeleteFileA_thunk
MultiByteToWideChar dd rva MultiByteToWideChar_thunk
GetCurrentProcess dd rva GetCurrentProcess_thunk
LoadLibraryA dd rva LoadLibraryA_thunk
GetProcAddress dd rva GetProcAddress_thunk
	dw 0
thunk GetVersion
thunk CreateFileA
thunk DeviceIoControl
thunk CloseHandle
thunk GetFileAttributesA
thunk SetFileAttributesA
thunk GetLastError
thunk ReadFile
thunk WriteFile
thunk ExitProcess
thunk WritePrivateProfileStringA
thunk GetShortPathNameA
thunk lstrlenA
thunk VirtualAlloc
thunk GetFileSize
thunk DeleteFileA
thunk MultiByteToWideChar
thunk GetCurrentProcess
thunk LoadLibraryA
thunk GetProcAddress
user32_thunks:
MessageBoxA dd rva MessageBoxA_thunk
CharToOemA dd rva CharToOemA_thunk
OemToCharA dd rva OemToCharA_thunk
GetDlgItemTextA dd rva GetDlgItemTextA_thunk
	dw 0
thunk MessageBoxA
thunk CharToOemA
thunk OemToCharA
thunk GetDlgItemTextA
comdlg32_thunks:
GetOpenFileNameA dd rva GetOpenFileNameA_thunk
	dw 0
thunk GetOpenFileNameA
ole32_thunks:
CoInitializeEx dd rva CoInitializeEx_thunk
CoUninitialize dd rva CoUninitialize_thunk
CoInitializeSecurity dd rva CoInitializeSecurity_thunk
CoCreateInstance dd rva CoCreateInstance_thunk
CoSetProxyBlanket dd rva CoSetProxyBlanket_thunk
CoCreateGuid dd rva CoCreateGuid_thunk
StringFromGUID2 dd rva StringFromGUID2_thunk
	dw 0
thunk CoInitializeEx
thunk CoUninitialize
thunk CoInitializeSecurity
thunk CoCreateInstance
thunk CoSetProxyBlanket
thunk CoCreateGuid
thunk StringFromGUID2
oleaut32_thunks:
VariantClear dd rva VariantClear_thunk
SafeArrayRedim dd rva SafeArrayRedim_thunk
SafeArrayPutElement dd rva SafeArrayPutElement_thunk
SysAllocString dd rva SysAllocString_thunk
SysFreeString dd rva SysFreeString_thunk
	dw 0
thunk VariantClear
thunk SafeArrayRedim
thunk SafeArrayPutElement
thunk SysAllocString
thunk SysFreeString
end data

mtldr_code:
file 'mtldr_for_installer'
mtldr_code_size = $ - mtldr_code

dn db '\\.\'
img_name rb 256
img_real_name rb 256
mtldr_name rb 256
tmp_data rb 2000h
ostitle rb 260
systitle rb 262
align 4
OpenProcessToken dd ?
LookupPrivilegeValueA dd ?
AdjustTokenPrivileges dd ?
tmp dd ?
sdn rd 3
pi rd 8
varout rd 4
guid rd 4
b9x db ?
menuitems rb 100h