Windows Kernel(1) NTLDR

Windows 内核加载器(NTLDR)

当一台计算机启动后,会把引导驱动器(软盘、硬盘等)的第一个扇区读入内存0x7c00处并执行其中的代码,即MBR代码。然后,MBR代码在分区表中搜索活动分区,并把该分区的引导记录(PBR)代码加载到内存中。PBR代码负责解析FAT或NTFS文件系统,并找到NTLDR。随后,控制权从PBR代码转到NTLDR的前半部分——startup.com的代码中。startup.com将会检测物理地址,开启A20地址线,重定位GDT、IDT,开启保护模式,加载osloader.exe。随后osloader.exe开始运行。

分解NTLDR:找到NTLDR文件,用Hex编辑器打开,搜索字符串“MZ”,从文件开始到“MZ”之前为startup.com的内容,从“MZ”所在地址到文件结束为osloader.exe的内容。

使用IDA Pro打开 startup.com,可以看到:

seg000:0100 ; Image entry (IDA loaded the file as a .com, org 100h). `start` itself only
seg000:0100 ; jumps to start_0, the real entry. The short jump at 0103h has no code xref
seg000:0100 ; in this listing, so offset 3 is presumably a second entry reached from
seg000:0100 ; outside (the boot-sector code) — verify against the PBR.
seg000:0100                 public start
seg000:0100 start proc near
seg000:0100 jmp start_0 ; real entry point; dx/bx/si are whatever the caller left in them
seg000:0100 start endp
seg000:0100
seg000:0103 ; ---------------------------------------------------------------------------
seg000:0103 jmp short loc_10109 ; alternate entry at offset 3 (not reached from start)
seg000:0103 ; ---------------------------------------------------------------------------
seg000:0105 db 90h ; NOP filler
seg000:0106 db 3 dup(0) ; patch area: if the image runs from offset 0 of its segment
seg000:0106 ; (rather than IDA's 100h), the `mov cs:6, dl` / `mov cs:7, ax` at loc_1011A
seg000:0106 ; land on these three bytes — confirm the real load address
seg000:0109 ; ---------------------------------------------------------------------------
seg000:0109
seg000:0109 loc_10109: ; CODE XREF: seg000:0103↑j
seg000:0109 push dx ; preserve dx; presumably balanced by the `pop dx` at 0147h (the path
seg000:0109 ; through loc_1026B is outside this listing)
seg000:010A mov ax, bx
seg000:010C push cs
seg000:010D pop es ; es = cs
seg000:010E assume es:seg000
seg000:010E xor ebx, ebx ; ebx = 0
seg000:0111 mov dx, 1
seg000:0114 call sub_1014B ; helper body not in this listing
seg000:0117 jmp loc_1026B ; continues outside this listing
seg000:011A ; ---------------------------------------------------------------------------
seg000:011A
seg000:011A loc_1011A: ; CODE XREF: seg000:02D5↓j
seg000:011A mov cs:6, dl ; stash dl at absolute code-segment offset 6
seg000:011F push ax
seg000:0120 movzx edx, byte ptr [si+2]
seg000:0125 movzx eax, word ptr [si]
seg000:0129 mul edx ; edx:eax = word[si] * byte[si+2]; the table at [si] is not visible
seg000:0129 ; here (a BPB's bytes-per-sector x sectors-per-cluster would fit — verify)
seg000:012C shr eax, 4 ; bytes -> paragraphs; only the low 32 bits of the product are used
seg000:0130 mov cs:7, ax ; stash the paragraph count at code-segment offset 7
seg000:0134 mov cx, es
seg000:0136 add cx, ax
seg000:0138 mov es, cx ; es += paragraphs: es now points that many bytes further on
seg000:013A assume es:nothing
seg000:013A pop ax
seg000:013B
seg000:013B loc_1013B: ; CODE XREF: seg000:0145↓j
seg000:013B call sub_1016E ; loop: sub_1016E, then sub_1014B, until sub_1016E sets CF
seg000:013E jb loc_10147
seg000:0142 call sub_1014B
seg000:0145 jmp short loc_1013B
seg000:0147 ; ---------------------------------------------------------------------------
seg000:0147
seg000:0147 loc_10147: ; CODE XREF: seg000:013E↑j
seg000:0147 pop dx ; restore dx before entering the real start (see loc_10109)
seg000:0148 jmp start_0

其中start_0才是startup.com真正的入口点,进入start_0:

eg000:02D8 start_0         proc near               ; CODE XREF: start↑j
seg000:02D8 ; seg000:0148↑j
seg000:02D8 ; Real entry of startup.com: sets up a stack and data segment 30C0h bytes
seg000:02D8 ; above cs, records the new segment's linear address, then calls SuMain with
seg000:02D8 ; the incoming dx as its only (byte) argument. There is no ret after the call.
seg000:02D8 mov bx, 30C0h
seg000:02DB shr bx, 4 ; bx = 30Ch paragraphs (= 30C0h bytes)
seg000:02DE mov ax, cs
seg000:02E0 add ax, bx ; ax = cs + 30Ch: segment used for ss, ds and es below
seg000:02E2 mov ss, ax ; a write to ss inhibits interrupts for one instruction,
seg000:02E2 ; so this mov ss / mov sp pair cannot be split by an interrupt
seg000:02E4 assume ss:nothing
seg000:02E4 mov sp, 1528h ; initial stack top in the new segment
seg000:02E7 push dx ; becomes SuMain's arg_0 ([bp+4] after its `enter`); SuMain reads only dl
seg000:02E8 mov ds, ax
seg000:02EA assume ds:nothing
seg000:02EA mov es, ax ; ds = es = ss
seg000:02EC assume es:nothing
seg000:02EC movzx edx, ax
seg000:02F0 shl edx, 4 ; edx = linear (physical) address of the new segment
seg000:02F4 add edx, 1DB0h ; + 1DB0h: linear address of ds:1DB0h (SuMain later reads
seg000:02F4 ; ds:1DECh = 1DB0h + 3Ch, which looks like an MZ header's e_lfanew — verify)
seg000:02FB mov ds:dword_13D7E, edx ; saved for later use outside this listing
seg000:0300 xor bp, bp
seg000:0302 movzx ebp, bp ; ebp = 0 (upper half cleared as well)
seg000:0306 movzx esp, sp ; clear the upper half of esp
seg000:030A mov ds:word_1467C, ds ; remember the data segment value
seg000:030E call SuMain ; arg_0 = pushed dx; nothing follows the call (see SuMain's exit)
seg000:030E start_0 endp

进入SuMain函数:

seg000:1AC0 SuMain          proc near               ; CODE XREF: start_0+36↑p
seg000:1AC0
seg000:1AC0 ; SuMain(byte arg_0) — called once from start_0 with the dx it pushed.
seg000:1AC0 ; The sub_* helpers are outside this listing, so their meaning below is
seg000:1AC0 ; inferred only from how their results are used. Rough structure:
seg000:1AC0 ;   1. store arg_0 at ds:15C4h and run three init helpers;
seg000:1AC0 ;   2. a 32-bit unsigned range test around sub_10548 / sub_11756;
seg000:1AC0 ;   3. walk a table of 8-byte {dword +0, dword +4} entries at ds:15C8h
seg000:1AC0 ;      (reads like a {base, length} memory-range table — verify); if the entry
seg000:1AC0 ;      with base 0 has length < 80000h, call sub_12808 and hang forever;
seg000:1AC0 ;   4. check that [var_14, var_14 + var_8:var_6) is fully covered by table
seg000:1AC0 ;      entries; if not, call sub_12808 once per entry and hang forever;
seg000:1AC0 ;   5. otherwise run the remaining helpers and call sub_10511.
seg000:1AC0 ; All 32-bit values are handled as dx:ax / high:low word pairs with unsigned
seg000:1AC0 ; (jb/ja/jbe/jnb) comparisons. sub_12808 is always called with a near pointer
seg000:1AC0 ; (17B6h/187Bh/1956h) plus dword arguments and caller stack cleanup, which is
seg000:1AC0 ; consistent with a printf-style routine — confirm by inspecting those strings.
seg000:1AC0 ; Locals: var_C = far pointer (loaded into es:bx) to the current table entry;
seg000:1AC0 ;   var_14:var_12 = current 32-bit position; var_8:var_6 = 32-bit bytes still
seg000:1AC0 ;   to cover; var_10:var_E = end of the current entry; var_1A = near pointer to
seg000:1AC0 ;   a header structure at 1DB0h + [1DECh] + 18h.
seg000:1AC0 var_1E = word ptr -1Eh
seg000:1AC0 var_1C = word ptr -1Ch
seg000:1AC0 var_1A = word ptr -1Ah
seg000:1AC0 var_18 = word ptr -18h
seg000:1AC0 var_16 = word ptr -16h
seg000:1AC0 var_14 = word ptr -14h
seg000:1AC0 var_12 = word ptr -12h
seg000:1AC0 var_10 = word ptr -10h
seg000:1AC0 var_E = word ptr -0Eh
seg000:1AC0 var_C = dword ptr -0Ch
seg000:1AC0 var_8 = word ptr -8
seg000:1AC0 var_6 = word ptr -6
seg000:1AC0 var_4 = word ptr -4
seg000:1AC0 arg_0 = byte ptr 4
seg000:1AC0
seg000:1AC0 enter 1Eh, 0 ; 1Eh bytes of locals
seg000:1AC4 push si
seg000:1AC5 push di ; si/di preserved for the caller
seg000:1AC6 mov al, [bp+arg_0] ; low byte of the dx pushed by start_0
seg000:1AC9 mov ds:15C4h, al
seg000:1ACC call sub_1276A
seg000:1ACF call sub_104B6
seg000:1AD2 call sub_11219 ; returns a byte in al ...
seg000:1AD5 cbw ; ... sign-extended to ax
seg000:1AD6 cmp ax, 0
seg000:1AD9 jnz short loc_11ADE ; nonzero -> ds:1628h = 1, else 0; ds:162Ah = 0 either way
seg000:1ADB jmp loc_11AED
seg000:1ADE ; ---------------------------------------------------------------------------
seg000:1ADE
seg000:1ADE loc_11ADE: ; CODE XREF: SuMain+19↑j
seg000:1ADE mov word ptr ds:1628h, 1
seg000:1AE4 mov word ptr ds:162Ah, 0
seg000:1AEA jmp loc_11AF9
seg000:1AED ; ---------------------------------------------------------------------------
seg000:1AED
seg000:1AED loc_11AED: ; CODE XREF: SuMain+1B↑j
seg000:1AED mov word ptr ds:1628h, 0
seg000:1AF3 mov word ptr ds:162Ah, 0
seg000:1AF9
seg000:1AF9 loc_11AF9: ; CODE XREF: SuMain+2A↑j
seg000:1AF9 call sub_1194C ; byte result in al
seg000:1AFC cbw
seg000:1AFD cmp ax, 0
seg000:1B00 jz short loc_11B05 ; zero -> consider the sub_10548 path; nonzero -> skip to loc_11B56
seg000:1B02 jmp loc_11B56
seg000:1B05 ; ---------------------------------------------------------------------------
seg000:1B05
seg000:1B05 loc_11B05: ; CODE XREF: SuMain+40↑j
seg000:1B05 cmp word ptr ds:1628h, 1 ; only when ds:1628h == 1 and ds:162Ah == 0 ...
seg000:1B0A jz short loc_11B0F
seg000:1B0C jmp loc_11B53 ; ... otherwise just call sub_10548 once
seg000:1B0F ; ---------------------------------------------------------------------------
seg000:1B0F
seg000:1B0F loc_11B0F: ; CODE XREF: SuMain+4A↑j
seg000:1B0F cmp word ptr ds:162Ah, 0
seg000:1B14 jz short loc_11B19
seg000:1B16 jmp loc_11B53
seg000:1B19 ; ---------------------------------------------------------------------------
seg000:1B19
seg000:1B19 loc_11B19: ; CODE XREF: SuMain+54↑j
seg000:1B19 call sub_10548
seg000:1B1C mov [bp+var_4], ax ; var_4 = sub_10548() (16-bit)
seg000:1B1F call sub_11756 ; returns a dword in dx:ax
seg000:1B22 mov [bp+var_1E], ax
seg000:1B25 mov [bp+var_1C], dx
seg000:1B28 mov ax, [bp+var_1E]
seg000:1B2B mov dx, [bp+var_1C]
seg000:1B2E add ax, 80h ; '€'
seg000:1B31 adc dx, 0 ; dx:ax = sub_11756() + 80h (32-bit add)
seg000:1B34 mov cx, [bp+var_4]
seg000:1B37 mov bx, 0 ; bx:cx = (dword)var_4
seg000:1B3A cmp dx, bx ; unsigned 32-bit compare dx:ax vs bx:cx:
seg000:1B3C jbe short loc_11B41 ; high word greater -> not below -> skip
seg000:1B3E jmp loc_11B50
seg000:1B41 ; ---------------------------------------------------------------------------
seg000:1B41
seg000:1B41 loc_11B41: ; CODE XREF: SuMain+7C↑j
seg000:1B41 jnb short loc_11B46 ; high words equal -> decide on the low words
seg000:1B43 jmp loc_11B4D ; high word smaller -> below
seg000:1B46 ; ---------------------------------------------------------------------------
seg000:1B46
seg000:1B46 loc_11B46: ; CODE XREF: SuMain:loc_11B41↑j
seg000:1B46 cmp ax, cx
seg000:1B48 jb short loc_11B4D
seg000:1B4A jmp loc_11B50
seg000:1B4D ; ---------------------------------------------------------------------------
seg000:1B4D
seg000:1B4D loc_11B4D: ; CODE XREF: SuMain+83↑j
seg000:1B4D ; SuMain+88↑j
seg000:1B4D call sub_10548 ; sub_11756() + 80h < var_4: call sub_10548 again, result discarded
seg000:1B50
seg000:1B50 loc_11B50: ; CODE XREF: SuMain+7E↑j
seg000:1B50 ; SuMain+8A↑j
seg000:1B50 jmp loc_11B56
seg000:1B53 ; ---------------------------------------------------------------------------
seg000:1B53
seg000:1B53 loc_11B53: ; CODE XREF: SuMain+4C↑j
seg000:1B53 ; SuMain+56↑j
seg000:1B53 call sub_10548
seg000:1B56
seg000:1B56 loc_11B56: ; CODE XREF: SuMain+42↑j
seg000:1B56 ; SuMain:loc_11B50↑j
seg000:1B56 mov ax, ds:15C8h
seg000:1B59 mov dx, ds:15CAh
seg000:1B5D mov word ptr [bp+var_C], ax
seg000:1B60 mov word ptr [bp+var_C+2], dx ; var_C = far pointer stored at ds:15C8h (table start)
seg000:1B63
seg000:1B63 loc_11B63: ; CODE XREF: SuMain+D4↓j
seg000:1B63 les bx, [bp+var_C] ; es:bx = current 8-byte entry
seg000:1B66 cmp word ptr es:[bx], 0 ; stop at the first entry whose dword +0 == 0 ...
seg000:1B6A jz short loc_11B6F
seg000:1B6C jmp loc_11B79
seg000:1B6F ; ---------------------------------------------------------------------------
seg000:1B6F
seg000:1B6F loc_11B6F: ; CODE XREF: SuMain+AA↑j
seg000:1B6F cmp word ptr es:[bx+2], 0
seg000:1B74 jnz short loc_11B79
seg000:1B76 jmp loc_11B97
seg000:1B79 ; ---------------------------------------------------------------------------
seg000:1B79
seg000:1B79 loc_11B79: ; CODE XREF: SuMain+AC↑j
seg000:1B79 ; SuMain+B4↑j
seg000:1B79 les bx, [bp+var_C]
seg000:1B7C cmp word ptr es:[bx+4], 0 ; ... or whose dword +4 == 0
seg000:1B81 jz short loc_11B86
seg000:1B83 jmp loc_11B90
seg000:1B86 ; ---------------------------------------------------------------------------
seg000:1B86
seg000:1B86 loc_11B86: ; CODE XREF: SuMain+C1↑j
seg000:1B86 cmp word ptr es:[bx+6], 0
seg000:1B8B jnz short loc_11B90
seg000:1B8D jmp loc_11B97
seg000:1B90 ; ---------------------------------------------------------------------------
seg000:1B90
seg000:1B90 loc_11B90: ; CODE XREF: SuMain+C3↑j
seg000:1B90 ; SuMain+CB↑j
seg000:1B90 add word ptr [bp+var_C], 8 ; next entry: only the offset word is bumped, so the
seg000:1B90 ; table must not cross a 64K boundary (no carry into the segment)
seg000:1B94 jmp loc_11B63
seg000:1B97 ; ---------------------------------------------------------------------------
seg000:1B97
seg000:1B97 loc_11B97: ; CODE XREF: SuMain+B6↑j
seg000:1B97 ; SuMain+CD↑j
seg000:1B97 les bx, [bp+var_C]
seg000:1B9A cmp word ptr es:[bx], 0 ; if dword +0 != 0 (loop ended on a zero length), no check
seg000:1B9E jz short loc_11BA3
seg000:1BA0 jmp loc_11BF0
seg000:1BA3 ; ---------------------------------------------------------------------------
seg000:1BA3
seg000:1BA3 loc_11BA3: ; CODE XREF: SuMain+DE↑j
seg000:1BA3 cmp word ptr es:[bx+2], 0
seg000:1BA8 jz short loc_11BAD
seg000:1BAA jmp loc_11BF0
seg000:1BAD ; ---------------------------------------------------------------------------
seg000:1BAD
seg000:1BAD loc_11BAD: ; CODE XREF: SuMain+E8↑j
seg000:1BAD les bx, [bp+var_C]
seg000:1BB0 cmp word ptr es:[bx+6], 8 ; dword +4 vs 0008:0000h = 80000h (512 KiB):
seg000:1BB5 jbe short loc_11BBA ; high word > 8 -> enough
seg000:1BB7 jmp loc_11BF0
seg000:1BBA ; ---------------------------------------------------------------------------
seg000:1BBA
seg000:1BBA loc_11BBA: ; CODE XREF: SuMain+F5↑j
seg000:1BBA jnb short loc_11BBF ; high word == 8 -> compare low words
seg000:1BBC jmp loc_11BC9 ; high word < 8 -> too small
seg000:1BBF ; ---------------------------------------------------------------------------
seg000:1BBF
seg000:1BBF loc_11BBF: ; CODE XREF: SuMain:loc_11BBA↑j
seg000:1BBF cmp word ptr es:[bx+4], 0
seg000:1BC4 jb short loc_11BC9 ; never taken: nothing is unsigned-below 0
seg000:1BC6 jmp loc_11BF0
seg000:1BC9 ; ---------------------------------------------------------------------------
seg000:1BC9
seg000:1BC9 loc_11BC9: ; CODE XREF: SuMain+FC↑j
seg000:1BC9 ; SuMain+104↑j
seg000:1BC9 mov ax, 400h
seg000:1BCC mov dx, 0
seg000:1BCF push dx
seg000:1BD0 push ax ; push dword 400h
seg000:1BD1 les bx, [bp+var_C]
seg000:1BD4 push word ptr es:[bx+6]
seg000:1BD8 push word ptr es:[bx+4] ; push dword +4 (the length)
seg000:1BDC call sub_12EC4 ; pops its own 8 bytes of arguments, result in dx:ax;
seg000:1BDC ; presumably length / 400h, i.e. bytes -> KiB — verify
seg000:1BDF push dx
seg000:1BE0 push ax
seg000:1BE1 push 17B6h
seg000:1BE4 call sub_12808 ; sub_12808(17B6h, dword)
seg000:1BE7 add sp, 6
seg000:1BEA jmp $+3 ; jumps to the next instruction (this jmp is 3 bytes long) ...
seg000:1BED ; ---------------------------------------------------------------------------
seg000:1BED
seg000:1BED loc_11BED: ; CODE XREF: SuMain+12A↑j
seg000:1BED ; SuMain:loc_11BED↓j
seg000:1BED jmp loc_11BED ; ... which jumps to itself: halt forever
seg000:1BF0 ; ---------------------------------------------------------------------------
seg000:1BF0
seg000:1BF0 loc_11BF0: ; CODE XREF: SuMain+E0↑j
seg000:1BF0 ; SuMain+EA↑j ...
seg000:1BF0 mov ax, ds:1DECh ; 1DECh = 1DB0h + 3Ch, the e_lfanew slot of an MZ header
seg000:1BF0 ; placed at 1DB0h (start_0 also records 1DB0h) — looks like osloader's header, verify
seg000:1BF3 mov dx, ds:1DEEh ; dx is not used afterwards
seg000:1BF7 mov cx, 1DB0h
seg000:1BFA add cx, ax
seg000:1BFC mov ax, 18h
seg000:1BFF add cx, ax ; cx = 1DB0h + [1DECh] + 18h (18h past a PE signature is the optional header)
seg000:1C01 mov [bp+var_1A], cx
seg000:1C04 mov bx, [bp+var_1A]
seg000:1C07 mov ax, [bx+1Ch]
seg000:1C0A mov dx, [bx+1Eh]
seg000:1C0D mov [bp+var_14], ax
seg000:1C10 mov [bp+var_12], dx ; var_14:var_12 = dword at +1Ch (ImageBase in IMAGE_OPTIONAL_HEADER32)
seg000:1C13 mov bx, [bp+var_1A]
seg000:1C16 mov ax, [bx+38h]
seg000:1C19 mov dx, [bx+3Ah]
seg000:1C1C mov [bp+var_8], ax
seg000:1C1F mov [bp+var_6], dx ; var_8:var_6 = dword at +38h (SizeOfImage in that layout)
seg000:1C22 mov ax, [bp+var_14]
seg000:1C25 mov dx, [bp+var_12]
seg000:1C28 mov ds:163Ch, ax
seg000:1C2B mov ds:163Eh, dx ; ds:163Ch = var_14:var_12
seg000:1C2F mov bx, [bp+var_1A]
seg000:1C32 mov ax, [bp+var_14]
seg000:1C35 mov dx, [bp+var_12]
seg000:1C38 add ax, [bx+60h]
seg000:1C3B adc dx, [bx+62h]
seg000:1C3E mov ds:1640h, ax
seg000:1C41 mov ds:1642h, dx ; ds:1640h = var_14:var_12 + dword at +60h
seg000:1C45 mov ax, ds:15C8h
seg000:1C48 mov dx, ds:15CAh
seg000:1C4C mov word ptr [bp+var_C], ax
seg000:1C4F mov word ptr [bp+var_C+2], dx ; var_C = table start again
seg000:1C52 jmp loc_11D3E ; enter the coverage loop via its "anything left?" test
seg000:1C55 ; ---------------------------------------------------------------------------
seg000:1C55
seg000:1C55 loc_11C55: ; CODE XREF: SuMain+261↓j
seg000:1C55 ; SuMain+284↓j ...
seg000:1C55 les bx, [bp+var_C] ; loop body: does the current entry contain var_14?
seg000:1C58 cmp word ptr es:[bx+4], 0 ; dword +4 == 0 -> end of table (loc_11D24)
seg000:1C5D jz short loc_11C62
seg000:1C5F jmp loc_11C6C
seg000:1C62 ; ---------------------------------------------------------------------------
seg000:1C62
seg000:1C62 loc_11C62: ; CODE XREF: SuMain+19D↑j
seg000:1C62 cmp word ptr es:[bx+6], 0
seg000:1C67 jnz short loc_11C6C
seg000:1C69 jmp loc_11D24
seg000:1C6C ; ---------------------------------------------------------------------------
seg000:1C6C
seg000:1C6C loc_11C6C: ; CODE XREF: SuMain+19F↑j
seg000:1C6C ; SuMain+1A7↑j
seg000:1C6C les bx, [bp+var_C]
seg000:1C6F mov ax, es:[bx]
seg000:1C72 mov dx, es:[bx+2]
seg000:1C76 les bx, [bp+var_C]
seg000:1C79 add ax, es:[bx+4]
seg000:1C7D adc dx, es:[bx+6]
seg000:1C81 mov [bp+var_10], ax
seg000:1C84 mov [bp+var_E], dx ; var_10:var_E = entry +0 + entry +4 (entry end)
seg000:1C87 les bx, [bp+var_C]
seg000:1C8A mov ax, [bp+var_14]
seg000:1C8D mov dx, [bp+var_12]
seg000:1C90 cmp es:[bx+2], dx ; test 1: entry +0 <= var_14 (unsigned, high then low word)
seg000:1C94 jbe short loc_11C99
seg000:1C96 jmp loc_11D1D ; entry starts above var_14 -> next entry
seg000:1C99 ; ---------------------------------------------------------------------------
seg000:1C99
seg000:1C99 loc_11C99: ; CODE XREF: SuMain+1D4↑j
seg000:1C99 jnb short loc_11C9E
seg000:1C9B jmp loc_11CA6
seg000:1C9E ; ---------------------------------------------------------------------------
seg000:1C9E
seg000:1C9E loc_11C9E: ; CODE XREF: SuMain:loc_11C99↑j
seg000:1C9E cmp es:[bx], ax
seg000:1CA1 jbe short loc_11CA6
seg000:1CA3 jmp loc_11D1D
seg000:1CA6 ; ---------------------------------------------------------------------------
seg000:1CA6
seg000:1CA6 loc_11CA6: ; CODE XREF: SuMain+1DB↑j
seg000:1CA6 ; SuMain+1E1↑j
seg000:1CA6 mov ax, [bp+var_14]
seg000:1CA9 mov dx, [bp+var_12]
seg000:1CAC cmp [bp+var_E], dx ; test 2: entry end > var_14
seg000:1CAF jnb short loc_11CB4
seg000:1CB1 jmp loc_11D1D ; entry ends at or below var_14 -> next entry
seg000:1CB4 ; ---------------------------------------------------------------------------
seg000:1CB4
seg000:1CB4 loc_11CB4: ; CODE XREF: SuMain+1EF↑j
seg000:1CB4 jbe short loc_11CB9
seg000:1CB6 jmp loc_11CC1
seg000:1CB9 ; ---------------------------------------------------------------------------
seg000:1CB9
seg000:1CB9 loc_11CB9: ; CODE XREF: SuMain:loc_11CB4↑j
seg000:1CB9 cmp [bp+var_10], ax
seg000:1CBC ja short loc_11CC1
seg000:1CBE jmp loc_11D1D
seg000:1CC1 ; ---------------------------------------------------------------------------
seg000:1CC1
seg000:1CC1 loc_11CC1: ; CODE XREF: SuMain+1F6↑j
seg000:1CC1 ; SuMain+1FC↑j
seg000:1CC1 mov ax, [bp+var_10] ; entry contains var_14: dx:ax = end - var_14 (bytes available)
seg000:1CC4 mov dx, [bp+var_E]
seg000:1CC7 sub ax, [bp+var_14]
seg000:1CCA sbb dx, [bp+var_12]
seg000:1CCD cmp dx, [bp+var_6] ; available >= remaining (var_8:var_6)?
seg000:1CD0 jnb short loc_11CD5
seg000:1CD2 jmp loc_11CEF
seg000:1CD5 ; ---------------------------------------------------------------------------
seg000:1CD5
seg000:1CD5 loc_11CD5: ; CODE XREF: SuMain+210↑j
seg000:1CD5 jbe short loc_11CDA
seg000:1CD7 jmp loc_11CE2
seg000:1CDA ; ---------------------------------------------------------------------------
seg000:1CDA
seg000:1CDA loc_11CDA: ; CODE XREF: SuMain:loc_11CD5↑j
seg000:1CDA cmp ax, [bp+var_8]
seg000:1CDD ja short loc_11CE2
seg000:1CDF jmp loc_11CEF
seg000:1CE2 ; ---------------------------------------------------------------------------
seg000:1CE2
seg000:1CE2 loc_11CE2: ; CODE XREF: SuMain+217↑j
seg000:1CE2 ; SuMain+21D↑j
seg000:1CE2 mov [bp+var_8], 0
seg000:1CE7 mov [bp+var_6], 0 ; whole range covered: remaining = 0
seg000:1CEC jmp loc_11D0D
seg000:1CEF ; ---------------------------------------------------------------------------
seg000:1CEF
seg000:1CEF loc_11CEF: ; CODE XREF: SuMain+212↑j
seg000:1CEF ; SuMain+21F↑j
seg000:1CEF mov ax, [bp+var_10]
seg000:1CF2 mov dx, [bp+var_E]
seg000:1CF5 sub ax, [bp+var_14]
seg000:1CF8 sbb dx, [bp+var_12]
seg000:1CFB sub [bp+var_8], ax
seg000:1CFE sbb [bp+var_6], dx ; remaining -= (end - var_14)
seg000:1D01 mov ax, [bp+var_10]
seg000:1D04 mov dx, [bp+var_E]
seg000:1D07 mov [bp+var_14], ax
seg000:1D0A mov [bp+var_12], dx ; var_14 = entry end; keep looking from there
seg000:1D0D
seg000:1D0D loc_11D0D: ; CODE XREF: SuMain+22C↑j
seg000:1D0D mov ax, ds:15C8h
seg000:1D10 mov dx, ds:15CAh
seg000:1D14 mov word ptr [bp+var_C], ax
seg000:1D17 mov word ptr [bp+var_C+2], dx ; restart the scan from the first entry
seg000:1D1A jmp loc_11D24
seg000:1D1D ; ---------------------------------------------------------------------------
seg000:1D1D
seg000:1D1D loc_11D1D: ; CODE XREF: SuMain+1D6↑j
seg000:1D1D ; SuMain+1E3↑j ...
seg000:1D1D add word ptr [bp+var_C], 8 ; next entry (offset word only, as above)
seg000:1D21 jmp loc_11C55
seg000:1D24 ; ---------------------------------------------------------------------------
seg000:1D24
seg000:1D24 loc_11D24: ; CODE XREF: SuMain+1A9↑j
seg000:1D24 ; SuMain+25A↑j
seg000:1D24 les bx, [bp+var_C]
seg000:1D27 cmp word ptr es:[bx+4], 0 ; current entry has zero length (end of table) -> loc_11D55
seg000:1D2C jz short loc_11D31
seg000:1D2E jmp loc_11D3E
seg000:1D31 ; ---------------------------------------------------------------------------
seg000:1D31
seg000:1D31 loc_11D31: ; CODE XREF: SuMain+26C↑j
seg000:1D31 cmp word ptr es:[bx+6], 0
seg000:1D36 jz short loc_11D3B
seg000:1D38 jmp loc_11D3E
seg000:1D3B ; ---------------------------------------------------------------------------
seg000:1D3B
seg000:1D3B loc_11D3B: ; CODE XREF: SuMain+276↑j
seg000:1D3B jmp loc_11D55
seg000:1D3E ; ---------------------------------------------------------------------------
seg000:1D3E
seg000:1D3E loc_11D3E: ; CODE XREF: SuMain+192↑j
seg000:1D3E ; SuMain+26E↑j ...
seg000:1D3E cmp [bp+var_6], 0 ; remaining (var_8:var_6) != 0 -> keep scanning at loc_11C55
seg000:1D42 jbe short loc_11D47
seg000:1D44 jmp loc_11C55
seg000:1D47 ; ---------------------------------------------------------------------------
seg000:1D47
seg000:1D47 loc_11D47: ; CODE XREF: SuMain+282↑j
seg000:1D47 jnb short loc_11D4C
seg000:1D49 jmp loc_11D55 ; never taken (unsigned below 0)
seg000:1D4C ; ---------------------------------------------------------------------------
seg000:1D4C
seg000:1D4C loc_11D4C: ; CODE XREF: SuMain:loc_11D47↑j
seg000:1D4C cmp [bp+var_8], 0
seg000:1D50 jbe short loc_11D55
seg000:1D52 jmp loc_11C55
seg000:1D55 ; ---------------------------------------------------------------------------
seg000:1D55
seg000:1D55 loc_11D55: ; CODE XREF: SuMain:loc_11D3B↑j
seg000:1D55 ; SuMain+289↑j ...
seg000:1D55 cmp [bp+var_6], 0 ; loop done: remaining == 0 -> loc_11DD0 (success);
seg000:1D59 jnb short loc_11D5E ; remaining != 0 -> report and hang (loc_11D6C)
seg000:1D5B jmp loc_11DD0
seg000:1D5E ; ---------------------------------------------------------------------------
seg000:1D5E
seg000:1D5E loc_11D5E: ; CODE XREF: SuMain+299↑j
seg000:1D5E jbe short loc_11D63
seg000:1D60 jmp loc_11D6C
seg000:1D63 ; ---------------------------------------------------------------------------
seg000:1D63
seg000:1D63 loc_11D63: ; CODE XREF: SuMain:loc_11D5E↑j
seg000:1D63 cmp [bp+var_8], 0
seg000:1D67 ja short loc_11D6C
seg000:1D69 jmp loc_11DD0
seg000:1D6C ; ---------------------------------------------------------------------------
seg000:1D6C
seg000:1D6C loc_11D6C: ; CODE XREF: SuMain+2A0↑j
seg000:1D6C ; SuMain+2A7↑j
seg000:1D6C push 187Bh
seg000:1D6F call sub_12808 ; sub_12808(187Bh): header message, presumably
seg000:1D72 add sp, 2
seg000:1D75 mov ax, ds:15C8h
seg000:1D78 mov dx, ds:15CAh
seg000:1D7C mov word ptr [bp+var_C], ax
seg000:1D7F mov word ptr [bp+var_C+2], dx ; var_C = table start
seg000:1D82
seg000:1D82 loc_11D82: ; CODE XREF: SuMain+307↓j
seg000:1D82 les bx, [bp+var_C] ; for each entry until one with dword +4 == 0:
seg000:1D85 cmp word ptr es:[bx+4], 0
seg000:1D8A jz short loc_11D8F
seg000:1D8C jmp loc_11D99
seg000:1D8F ; ---------------------------------------------------------------------------
seg000:1D8F
seg000:1D8F loc_11D8F: ; CODE XREF: SuMain+2CA↑j
seg000:1D8F cmp word ptr es:[bx+6], 0
seg000:1D94 jnz short loc_11D99
seg000:1D96 jmp loc_11DCA
seg000:1D99 ; ---------------------------------------------------------------------------
seg000:1D99
seg000:1D99 loc_11D99: ; CODE XREF: SuMain+2CC↑j
seg000:1D99 ; SuMain+2D4↑j
seg000:1D99 les bx, [bp+var_C]
seg000:1D9C mov ax, es:[bx]
seg000:1D9F mov dx, es:[bx+2]
seg000:1DA3 les bx, [bp+var_C]
seg000:1DA6 add ax, es:[bx+4]
seg000:1DAA adc dx, es:[bx+6] ; dx:ax = entry +0 + entry +4 (end)
seg000:1DAE push dx
seg000:1DAF push ax ; arg 3: end
seg000:1DB0 les bx, [bp+var_C]
seg000:1DB3 push word ptr es:[bx+2]
seg000:1DB7 push word ptr es:[bx] ; arg 2: entry +0 (start)
seg000:1DBA push 1956h ; arg 1: 1956h
seg000:1DBD call sub_12808 ; sub_12808(1956h, start, end)
seg000:1DC0 add sp, 0Ah ; caller cleanup: 2 + 4 + 4 bytes
seg000:1DC3 add word ptr [bp+var_C], 8
seg000:1DC7 jmp loc_11D82
seg000:1DCA ; ---------------------------------------------------------------------------
seg000:1DCA
seg000:1DCA loc_11DCA: ; CODE XREF: SuMain+2D6↑j
seg000:1DCA jmp $+3 ; same hang idiom as at loc_11BED
seg000:1DCD ; ---------------------------------------------------------------------------
seg000:1DCD
seg000:1DCD loc_11DCD: ; CODE XREF: SuMain:loc_11DCA↑j
seg000:1DCD ; SuMain:loc_11DCD↓j
seg000:1DCD jmp loc_11DCD ; halt forever
seg000:1DD0 ; ---------------------------------------------------------------------------
seg000:1DD0
seg000:1DD0 loc_11DD0: ; CODE XREF: SuMain+29B↑j
seg000:1DD0 ; SuMain+2A9↑j
seg000:1DD0 call sub_11240 ; success path: remaining helpers, all outside this listing
seg000:1DD3 call sub_12196
seg000:1DD6 push 0
seg000:1DD8 call near ptr sub_10311 ; sub_10311(0)
seg000:1DDB add sp, 2
seg000:1DDE push 1630h
seg000:1DE1 push 162Ch
seg000:1DE4 call sub_11E00 ; sub_11E00(162Ch, 1630h) -> dx:ax
seg000:1DE7 add sp, 4
seg000:1DEA mov [bp+var_18], ax
seg000:1DED mov [bp+var_16], dx
seg000:1DF0 push [bp+var_16]
seg000:1DF3 push [bp+var_18]
seg000:1DF6 call sub_10511 ; sub_10511(dword result of sub_11E00)
seg000:1DF9 add sp, 4
seg000:1DFC pop di
seg000:1DFD pop si
seg000:1DFE leave
seg000:1DFF retn ; note start_0 has nothing after its call; IDA's "sp-analysis failed" is
seg000:1DFF ; consistent with sub_10511 never returning, but that is not visible here
seg000:1DFF SuMain endp ; sp-analysis failed

(未完待续)