AMI-Aptio-BIOS-Reversed/AmiModulePkg/SecureFlash/SecFlashUpd/VerifyFwCapsule/Recovery_export.json at 044d619a3711096220a1d7168f6add97af67afa0

Fork: 0
ajax / AMI-Aptio-BIOS-Reversed
Find file
Newer
Older
AMI-Aptio-BIOS-Reversed / AmiModulePkg / SecureFlash / SecFlashUpd / VerifyFwCapsule / Recovery_export.json
Ajax Dong 2 days ago 27 KB Restructure the repo
Raw Blame History
{"jsonrpc": "2.0", "result": {"structuredContent": {"format": "json", "functions": [{"addr": "0x260", "name": "InternalMemCopyMem", "prototype": "char *__cdecl(char *dst, char *src, unsigned int count)", "size": "0x3f", "comments": {}, "asm": "InternalMemCopyMem (.text @ 0x260):\n260  push esi\n261  push edi\n262  mov esi, [esp+8+src]\n266  mov edi, [esp+8+dst]\n26a  mov edx, [esp+8+count]\n26e  lea eax, [esi+edx-1]\n272  cmp esi, edi\n274  jnb loc_27A\n276  cmp eax, edi\n278  jnb loc_28C\n27a  mov ecx, edx\n27c  and edx, 3\n282  shr ecx, 2\n285  movsd ,\n287  jmp loc_293\n28c  mov esi, eax\n28e  lea edi, [edi+edx-1]\n292  std\n293  mov ecx, edx\n295  movsb ,\n297  cld\n298  mov eax, [esp+8+dst]\n29c  pop edi\n29d  pop esi\n29e  retn", "code": "char *__cdecl InternalMemCopyMem(char *dst, char *src, unsigned int count_1)\n{\n  unsigned int count; // edx\n  char *dst_1; // edi\n  char *src_1; // esi\n\n  count = count_1; /*0x26a*/\n  if ( src < dst && &src[count_1 - 1] >= dst ) /*0x278*/\n  {\n    src_1 = &src[count_1 - 1]; /*0x28c*/\n    dst_1 = &dst[count_1 - 1]; /*0x28e*/\n  }\n  else\n  {\n    count = count_1 & 3; /*0x27c*/\n    qmemcpy(dst, src, 4 * (count_1 >> 2)); /*0x285*/\n    src_1 = &src[4 * (count_1 >> 2)]; /*0x285*/\n    dst_1 = &dst[4 * (count_1 >> 2)]; /*0x285*/\n  }\n  qmemcpy(dst_1, src_1, count); /*0x295*/\n  return dst; /*0x29c*/\n}", "xrefs": {"to": [{"addr": "0xf4", "type": "data"}, {"addr": "0x1cc", "type": "data"}], "from": [{"addr": "0x261", "type": "code"}]}}, {"addr": "0x2c0", "name": "SetMem", "prototype": "void *__cdecl(void *buf, unsigned int count, char value)", "size": "0x15", "comments": {}, "asm": "SetMem (.text @ 0x2c0):\n2c0  push edi\n2c1  mov eax, dword ptr [esp+4+value]\n2c5  mov edi, [esp+4+buf]\n2c9  mov ecx, [esp+4+count]\n2cd  stosb ,\n2cf  mov eax, [esp+4+buf]\n2d3  pop edi\n2d4  retn", "code": "void *__cdecl SetMem(void *buf, unsigned int count, char value)\n{\n  memset(buf, value, count); /*0x2cd*/\n  return buf; /*0x2d3*/\n}", "xrefs": {"to": [], "from": [{"addr": "0x2c1", "type": "code"}]}}, {"addr": "0x2e0", "name": "SetMem64", "prototype": "int __cdecl(int, int, int, int)", "size": "0x1f", "comments": {}, "asm": "SetMem64 (.text @ 0x2e0):\n2e0  push edi\n2e1  mov ecx, [esp+4+arg_4]\n2e5  mov eax, [esp+4+arg_8]\n2e9  mov edx, [esp+4+arg_C]\n2ed  mov edi, [esp+4+arg_0]\n2f1  mov [edi+ecx*8-8], eax\n2f5  mov [edi+ecx*8-4], edx\n2f9  loop loc_2F1,\n2fb  mov eax, edi\n2fd  pop edi\n2fe  retn", "code": "int __cdecl SetMem64(int a1, int a2, int a3, int a4)\n{\n  do /*0x2f9*/\n  {\n    *(_DWORD *)(a1 + 8 * a2 - 8) = a3; /*0x2f1*/\n    *(_DWORD *)(a1 + 8 * a2-- - 4) = a4; /*0x2f5*/\n  }\n  while ( a2 ); /*0x2f9*/\n  return a1; /*0x2fd*/\n}", "xrefs": {"to": [], "from": [{"addr": "0x2e1", "type": "code"}]}}, {"addr": "0x300", "name": "SetMem32", "prototype": "void *__cdecl(void *buf, unsigned int count, int value)", "size": "0x15", "comments": {}, "asm": "SetMem32 (.text @ 0x300):\n300  push edi\n301  mov eax, [esp+4+value]\n305  mov edi, [esp+4+buf]\n309  mov ecx, [esp+4+count]\n30d  stosd ,\n30f  mov eax, [esp+4+buf]\n313  pop edi\n314  retn", "code": "void *__cdecl SetMem32(void *buf, unsigned int count, int value)\n{\n  memset32(buf, value, count); /*0x30d*/\n  return buf; /*0x313*/\n}", "xrefs": {"to": [], "from": [{"addr": "0x301", "type": "code"}]}}, {"addr": "0x320", "name": "_ModuleEntryPoint", "prototype": "EFI_STATUS(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable)", "size": "0x12", "comments": {}, "asm": "_ModuleEntryPoint (.text @ 0x320):\n320  mov eax, [esp+SystemTable]\n324  push offset unk_1E50\n329  push eax\n32a  mov ecx, [eax]\n32c  call dword ptr [ecx+18h]\n32f  pop ecx\n330  pop ecx\n331  retn", "code": "EFI_STATUS ModuleEntryPoint(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable)\n{\n  return (*(int (__cdecl **)(EFI_SYSTEM_TABLE *, void *))(LODWORD(SystemTable->Hdr.Signature) + 24))( /*0x331*/\n           SystemTable,\n           &unk_1E50);\n}", "xrefs": {"to": [{"addr": "0xf0", "type": "data"}], "from": [{"addr": "0x324", "type": "code"}]}}, {"addr": "0x332", "name": "RecoveryLoadCapsule", "prototype": "int __fastcall(int, int, int, unsigned int)", "size": "0x10b", "comments": {}, "asm": "RecoveryLoadCapsule (.text @ 0x332):\n332  push ecx\n333  push ebx\n334  push ebp\n335  push esi\n336  push edi\n337  mov edi, [esp+14h+arg_4]\n33b  mov ebp, edx\n33d  mov ebx, ecx\n33f  cmp edi, dword_1EE0\n345  jbe loc_36C\n347  mov esi, [ebx]\n349  mov eax, edi\n34b  shr eax, 0Ch\n34e  push offset qword_1EE8\n353  inc eax\n354  push eax\n355  push 6\n357  push ebx\n358  call dword ptr [esi+48h]\n35b  add esp, 10h\n35e  test eax, eax\n360  js loc_437\n366  mov dword_1EE0, edi\n36c  push offset aLoadingRecover\n371  push 44h\n373  call DebugPrint\n378  push dword ptr qword_1EE8\n37e  push [esp+20h+arg_0]\n382  push ebp\n383  push ebx\n384  call dword ptr [ebp+8]\n387  mov esi, eax\n389  push esi\n38a  push offset aDoneStatusR\n38f  push 44h\n391  call DebugPrint\n396  add esp, 24h\n399  test esi, esi\n39b  jns loc_3A4\n39d  mov eax, esi\n39f  jmp loc_437\n3a4  mov ecx, dword_1F6C\n3aa  mov eax, [ecx+25h]\n3ad  test eax, eax\n3af  jnz loc_3BB\n3b1  mov eax, dword_1EE0\n3b6  mov [ecx+25h], eax\n3b9  jmp loc_3D4\n3bb  cmp eax, 1004000h... [1839 chars total]", "code": "int __fastcall RecoveryLoadCapsule(int a1, int a2, int a3, unsigned int a4)\n{\n  int v4; // edi\n  int result; // eax\n  int v8; // esi\n  unsigned int n0x1004000; // eax\n  signed int v10; // ebx\n  int v11; // [esp+10h] [ebp-4h] BYREF\n\n  v4 = a4; /*0x337*/\n  if ( a4 > dword_1EE0 ) /*0x345*/\n  {\n    result = (*(int (__cdecl **)(int, int, unsigned int, __int64 *))(*(_DWORD *)a1 + 72))( /*0x358*/\n               a1,\n               6,\n               (a4 >> 12) + 1,\n               &qword_1EE8);\n    if ( result < 0 ) /*0x360*/\n      return result; /*0x360*/\n    dword_1EE0 = v4; /*0x366*/\n  }\n  sub_8D0(68, (int)\"Loading Recovery Image...\"); /*0x373*/\n  v8 = (*(int (__cdecl **)(int, int, int, _DWORD))(a2 + 8))(a1, a2, a3, qword_1EE8); /*0x387*/\n  sub_8D0(68, (int)\"done. Status: %r\\n\", v8);\n  if ( v8 < 0 ) /*0x39b*/\n    return v8; /*0x39d*/\n  n0x1004000 = *(_DWORD *)(dword_1F6C + 37); /*0x3aa*/\n  if ( n0x1004000 ) /*0x3af*/\n  {\n    if ( n0x1004000 > 0x1004000 ) /*0x3c0*/\n      qword_1EE8 += n0x10040... [1429 chars total]", "xrefs": {"to": [{"addr": "0x4bb", "type": "code"}], "from": [{"addr": "0x333", "type": "code"}]}}, {"addr": "0x43d", "name": "PeiLocateProtocol", "prototype": "int __fastcall(int, unsigned __int8 (__cdecl *sub_4DA)(_BYTE *, int), int)", "size": "0x9d", "comments": {}, "asm": "PeiLocateProtocol (.text @ 0x43d):\n43d  sub esp, 20h\n440  push ebx\n441  push ebp\n442  push esi\n443  push edi\n444  mov ebp, edx\n446  mov edi, ecx\n448  xor ebx, ebx\n44a  mov eax, [edi]\n44c  lea ecx, [esp+30h+var_20]\n450  push ecx\n451  lea ecx, [esp+34h+var_14]\n455  push ecx\n456  push ebx\n457  push offset unk_1E40\n45c  push edi\n45d  call dword ptr [eax+20h]\n460  add esp, 14h\n463  inc ebx\n464  test eax, eax\n466  js loc_4D2\n468  lea eax, [esp+30h+var_1C]\n46c  push eax\n46d  mov eax, [esp+34h+var_20]\n471  push eax\n472  push edi\n473  call dword ptr [eax]\n475  add esp, 0Ch\n478  test eax, eax\n47a  js loc_44A\n47c  xor esi, esi\n47e  cmp [esp+30h+var_1C], esi\n482  jbe loc_44A\n484  lea eax, [esp+30h+var_10]\n488  push eax\n489  lea eax, [esp+34h+var_18]\n48d  push eax\n48e  mov eax, [esp+38h+var_20]\n492  push esi\n493  push eax\n494  push edi\n495  call dword ptr [eax+4]\n498  add esp, 14h\n49b  test eax, eax\n49d  js loc_4C6\n49f  push [esp+30h+arg_0]\n4a3  lea eax, [esp+34h+var_10]\n4a7  push eax\n4a8  call ebp... [1398 chars total]", "code": "int __fastcall PeiLocateProtocol(int a1, unsigned __int8 (__cdecl *sub_4DA)(_BYTE *, int), int a3)\n{\n  int v5; // ebx\n  int result; // eax\n  int v7; // esi\n  int v8; // [esp+10h] [ebp-20h] BYREF\n  unsigned int v9; // [esp+14h] [ebp-1Ch] BYREF\n  unsigned int v10; // [esp+18h] [ebp-18h] BYREF\n  _BYTE v11[4]; // [esp+1Ch] [ebp-14h] BYREF\n  _BYTE v12[16]; // [esp+20h] [ebp-10h] BYREF\n\n  v5 = 0; /*0x448*/\nLABEL_2:\n  while ( 1 ) /*0x45d*/\n  {\n    result = (*(int (__cdecl **)(int, void *, int, _BYTE *, int *))(*(_DWORD *)a1 + 32))(a1, &unk_1E40, v5++, v11, &v8); /*0x45d*/\n    if ( result < 0 ) /*0x466*/\n      return result; /*0x4d2*/\n    if ( (*(int (__cdecl **)(int, int, unsigned int *))v8)(a1, v8, &v9) >= 0 ) /*0x47a*/\n    {\n      v7 = 0; /*0x47c*/\n      if ( v9 ) /*0x482*/\n      {\n        while ( 1 ) /*0x495*/\n        {\n          if ( (*(int (__cdecl **)(int, int, int, unsigned int *, _BYTE *))(v8 + 4))(a1, v8, v7, &v10, v12) >= 0 ) /*0x49d*/\n          {\n            if ( sub_4DA(v12, a3) )... [1309 chars total]", "xrefs": {"to": [{"addr": "0x5f5", "type": "code"}, {"addr": "0x613", "type": "code"}], "from": [{"addr": "0x440", "type": "code"}]}}, {"addr": "0x4da", "name": "GuidMatchAnyInList", "prototype": "char __cdecl(int, _DWORD *)", "size": "0x30", "comments": {}, "asm": "GuidMatchAnyInList (.text @ 0x4da):\n4da  push ebp\n4db  mov ebp, esp\n4dd  and esp, 0FFFFFFF8h\n4e0  push ecx\n4e1  push esi\n4e2  mov esi, [ebp+arg_4]\n4e5  jmp loc_4FA\n4e7  push [ebp+arg_0]\n4ea  push dword ptr [esi]\n4ec  call IsGuidEqual\n4f1  pop ecx\n4f2  pop ecx\n4f3  test al, al\n4f5  jnz loc_506\n4f7  add esi, 4\n4fa  cmp dword ptr [esi], 0\n4fd  jnz loc_4E7\n4ff  mov al, 1\n501  pop esi\n502  mov esp, ebp\n504  pop ebp\n505  retn\n506  xor al, al\n508  jmp loc_501", "code": "char __cdecl GuidMatchAnyInList(int a1, _DWORD *a2)\n{\n  while ( 1 ) /*0x4fa*/\n  {\n    if ( !*a2 ) /*0x4fa*/\n      return 1; /*0x505*/\n    if ( (unsigned __int8)sub_918(*a2, a1) ) /*0x4ec*/\n      break; /*0x4ec*/\n    ++a2; /*0x4f7*/\n  }\n  return 0; /*0x501*/\n}", "xrefs": {"to": [{"addr": "0x60c", "type": "data"}], "from": [{"addr": "0x4db", "type": "code"}]}}, {"addr": "0x50a", "name": "IsRecoveryMode", "prototype": "BOOL()", "size": "0x47", "comments": {}, "asm": "IsRecoveryMode (.text @ 0x50a):\n50a  push ebp\n50b  mov ebp, esp\n50d  push ecx\n50e  push esi\n50f  call GetPeiServices\n514  lea edx, [ebp+var_4]\n517  xor esi, esi\n519  push edx\n51a  push esi\n51b  mov ecx, [eax]\n51d  push esi\n51e  push offset unk_17B0\n523  push eax\n524  call dword ptr [ecx+20h]\n527  add esp, 14h\n52a  test eax, eax\n52c  jns loc_547\n52e  call GetPeiServices\n533  lea edx, [ebp+var_4]\n536  push edx\n537  push esi\n538  mov ecx, [eax]\n53a  push esi\n53b  push offset unk_17C0\n540  push eax\n541  call dword ptr [ecx+20h]\n544  add esp, 14h\n547  not eax\n549  shr eax, 1Fh\n54c  pop esi\n54d  mov esp, ebp\n54f  pop ebp\n550  retn", "code": "BOOL IsRecoveryMode()\n{\n  int v0; // eax\n  int v1; // eax\n  int v2; // eax\n  _BYTE v4[4]; // [esp+4h] [ebp-4h] BYREF\n\n  v0 = sub_1423(); /*0x50f*/\n  v1 = (*(int (__cdecl **)(int, void *, _DWORD, _DWORD, _BYTE *))(*(_DWORD *)v0 + 32))(v0, &unk_17B0, 0, 0, v4); /*0x524*/\n  if ( v1 < 0 ) /*0x52c*/\n  {\n    v2 = sub_1423(); /*0x52e*/\n    v1 = (*(int (__cdecl **)(int, void *, _DWORD, _DWORD, _BYTE *))(*(_DWORD *)v2 + 32))(v2, &unk_17C0, 0, 0, v4); /*0x541*/\n  }\n  return v1 >= 0; /*0x54c*/\n}", "xrefs": {"to": [{"addr": "0x5ca", "type": "code"}], "from": [{"addr": "0x50b", "type": "code"}]}}, {"addr": "0x551", "name": "RecoveryModuleEntry", "prototype": "int __cdecl(int)", "size": "0x100", "comments": {}, "asm": "RecoveryModuleEntry (.text @ 0x551):\n551  push ebp\n552  mov ebp, esp\n554  and esp, 0FFFFFFF8h\n557  sub esp, 0Ch\n55a  push ebx\n55b  mov ebx, [ebp+arg_0]\n55e  push esi\n55f  push edi\n560  push offset dword_1F6C\n565  mov eax, [ebx]\n567  push 29h\n569  push 4\n56b  push ebx\n56c  call dword ptr [eax+34h]\n56f  add esp, 10h\n572  test eax, eax\n574  js loc_64A\n57a  mov edi, dword_1F6C\n580  lea ecx, [esp+18h+var_4]\n584  mov esi, offset unk_1760\n589  push ecx\n58a  push ebx\n58b  lea edi, [edi+8]\n58e  movsd ,\n58f  movsd ,\n590  movsd ,\n591  movsd ,\n592  mov eax, dword_1F6C\n597  xor esi, esi\n599  mov [eax+18h], esi\n59c  mov [eax+1Ch], esi\n59f  mov eax, dword_1F6C\n5a4  mov [eax+21h], esi\n5a7  mov eax, dword_1F6C\n5ac  mov [eax+25h], esi\n5af  mov eax, dword_1F6C\n5b4  mov byte ptr [eax+20h], 0Eh\n5b8  mov eax, [ebx]\n5ba  call dword ptr [eax+28h]\n5bd  pop ecx\n5be  pop ecx\n5bf  test eax, eax\n5c1  js loc_5DC\n5c3  cmp [esp+18h+var_4], 12h\n5c8  jnz loc_5DC\n5ca  call IsRecoveryMode\n5cf  test al, al\n5d1  jz loc_5DC... [1888 chars total]", "code": "int __cdecl RecoveryModuleEntry(int a1)\n{\n  int result; // eax\n  _DWORD *v2; // edi\n  int v3; // eax\n  int v4; // edi\n  int *v5; // esi\n  int v6; // [esp+10h] [ebp-8h]\n  int n18; // [esp+14h] [ebp-4h] BYREF\n\n  result = (*(int (__cdecl **)(int, int, int, int *))(*(_DWORD *)a1 + 52))(a1, 4, 41, &dword_1F6C); /*0x56c*/\n  if ( result >= 0 ) /*0x574*/\n  {\n    v2 = (_DWORD *)(dword_1F6C + 8); /*0x58b*/\n    *(_DWORD *)(dword_1F6C + 8) = unk_1760; /*0x58e*/\n    *++v2 = unk_1764; /*0x58f*/\n    *++v2 = unk_1768; /*0x590*/\n    v2[1] = unk_176C; /*0x591*/\n    v3 = dword_1F6C; /*0x592*/\n    *(_DWORD *)(dword_1F6C + 24) = 0; /*0x599*/\n    *(_DWORD *)(v3 + 28) = 0; /*0x59c*/\n    *(_DWORD *)(dword_1F6C + 33) = 0; /*0x5a4*/\n    *(_DWORD *)(dword_1F6C + 37) = 0; /*0x5ac*/\n    *(_BYTE *)(dword_1F6C + 32) = 14; /*0x5b4*/\n    if ( (*(int (__cdecl **)(int, int *))(*(_DWORD *)a1 + 40))(a1, &n18) >= 0 /*0x5ca*/\n      && n18 == 18\n      && (unsigned __int8)IsRecoveryMode() )\n    {\n      return sub_73A(a1); /*0... [1966 chars total]", "xrefs": {"to": [{"addr": "0x1e68", "type": "data"}], "from": [{"addr": "0x552", "type": "code"}]}}]}, "content": [{"type": "text", "text": "{\"format\":\"json\",\"functions\":[{\"addr\":\"0x260\",\"name\":\"InternalMemCopyMem\",\"prototype\":\"char *__cdecl(char *dst, char *src, unsigned int count)\",\"size\":\"0x3f\",\"comments\":{},\"asm\":\"InternalMemCopyMem (.text @ 0x260):\\n260  push esi\\n261  push edi\\n262  mov esi, [esp+8+src]\\n266  mov edi, [esp+8+dst]\\n26a  mov edx, [esp+8+count]\\n26e  lea eax, [esi+edx-1]\\n272  cmp esi, edi\\n274  jnb loc_27A\\n276  cmp eax, edi\\n278  jnb loc_28C\\n27a  mov ecx, edx\\n27c  and edx, 3\\n282  shr ecx, 2\\n285  movsd ,\\n287  jmp loc_293\\n28c  mov esi, eax\\n28e  lea edi, [edi+edx-1]\\n292  std\\n293  mov ecx, edx\\n295  movsb ,\\n297  cld\\n298  mov eax, [esp+8+dst]\\n29c  pop edi\\n29d  pop esi\\n29e  retn\",\"code\":\"char *__cdecl InternalMemCopyMem(char *dst, char *src, unsigned int count_1)\\n{\\n  unsigned int count; // edx\\n  char *dst_1; // edi\\n  char *src_1; // esi\\n\\n  count = count_1; /*0x26a*/\\n  if ( src < dst && &src[count_1 - 1] >= dst ) /*0x278*/\\n  {\\n    src_1 = &src[count_1 - 1]; /*0x28c*/\\n    dst_1 = &dst[count_1 - 1]; /*0x28e*/\\n  }\\n  else\\n  {\\n    count = count_1 & 3; /*0x27c*/\\n    qmemcpy(dst, src, 4 * (count_1 >> 2)); /*0x285*/\\n    src_1 = &src[4 * (count_1 >> 2)]; /*0x285*/\\n    dst_1 = &dst[4 * (count_1 >> 2)]; /*0x285*/\\n  }\\n  qmemcpy(dst_1, src_1, count); /*0x295*/\\n  return dst; /*0x29c*/\\n}\",\"xrefs\":{\"to\":[{\"addr\":\"0xf4\",\"type\":\"data\"},{\"addr\":\"0x1cc\",\"type\":\"data\"}],\"from\":[{\"addr\":\"0x261\",\"type\":\"code\"}]}},{\"addr\":\"0x2c0\",\"name\":\"SetMem\",\"prototype\":\"void *__cdecl(void *buf, unsigned int count, char value)\",\"size\":\"0x15\",\"comments\":{},\"asm\":\"SetMem (.text @ 0x2c0):\\n2c0  push edi\\n2c1  mov eax, dword ptr [esp+4+value]\\n2c5  mov edi, [esp+4+buf]\\n2c9  mov ecx, [esp+4+count]\\n2cd  stosb ,\\n2cf  mov eax, [esp+4+buf]\\n2d3  pop edi\\n2d4  retn\",\"code\":\"void *__cdecl SetMem(void *buf, unsigned int count, char value)\\n{\\n  memset(buf, value, count); /*0x2cd*/\\n  return buf; /*0x2d3*/\\n}\",\"xrefs\":{\"to\":[],\"from\":[{\"addr\":\"0x2c1\",\"type\":\"code\"}]}},{\"addr\":\"0x2e0\",\"name\":\"SetMem64\",\"prototype\":\"int __cdecl(int, int, int, int)\",\"size\":\"0x1f\",\"comments\":{},\"asm\":\"SetMem64 (.text @ 0x2e0):\\n2e0  push edi\\n2e1  mov ecx, [esp+4+arg_4]\\n2e5  mov eax, [esp+4+arg_8]\\n2e9  mov edx, [esp+4+arg_C]\\n2ed  mov edi, [esp+4+arg_0]\\n2f1  mov [edi+ecx*8-8], eax\\n2f5  mov [edi+ecx*8-4], edx\\n2f9  loop loc_2F1,\\n2fb  mov eax, edi\\n2fd  pop edi\\n2fe  retn\",\"code\":\"int __cdecl SetMem64(int a1, int a2, int a3, int a4)\\n{\\n  do /*0x2f9*/\\n  {\\n    *(_DWORD *)(a1 + 8 * a2 - 8) = a3; /*0x2f1*/\\n    *(_DWORD *)(a1 + 8 * a2-- - 4) = a4; /*0x2f5*/\\n  }\\n  while ( a2 ); /*0x2f9*/\\n  return a1; /*0x2fd*/\\n}\",\"xrefs\":{\"to\":[],\"from\":[{\"addr\":\"0x2e1\",\"type\":\"code\"}]}},{\"addr\":\"0x300\",\"name\":\"SetMem32\",\"prototype\":\"void *__cdecl(void *buf, unsigned int count, int value)\",\"size\":\"0x15\",\"comments\":{},\"asm\":\"SetMem32 (.text @ 0x300):\\n300  push edi\\n301  mov eax, [esp+4+value]\\n305  mov edi, [esp+4+buf]\\n309  mov ecx, [esp+4+count]\\n30d  stosd ,\\n30f  mov eax, [esp+4+buf]\\n313  pop edi\\n314  retn\",\"code\":\"void *__cdecl SetMem32(void *buf, unsigned int count, int value)\\n{\\n  memset32(buf, value, count); /*0x30d*/\\n  return buf; /*0x313*/\\n}\",\"xrefs\":{\"to\":[],\"from\":[{\"addr\":\"0x301\",\"type\":\"code\"}]}},{\"addr\":\"0x320\",\"name\":\"_ModuleEntryPoint\",\"prototype\":\"EFI_STATUS(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable)\",\"size\":\"0x12\",\"comments\":{},\"asm\":\"_ModuleEntryPoint (.text @ 0x320):\\n320  mov eax, [esp+SystemTable]\\n324  push offset unk_1E50\\n329  push eax\\n32a  mov ecx, [eax]\\n32c  call dword ptr [ecx+18h]\\n32f  pop ecx\\n330  pop ecx\\n331  retn\",\"code\":\"EFI_STATUS ModuleEntryPoint(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable)\\n{\\n  return (*(int (__cdecl **)(EFI_SYSTEM_TABLE *, void *))(LODWORD(SystemTable->Hdr.Signature) + 24))( /*0x331*/\\n           SystemTable,\\n           &unk_1E50);\\n}\",\"xrefs\":{\"to\":[{\"addr\":\"0xf0\",\"type\":\"data\"}],\"from\":[{\"addr\":\"0x324\",\"type\":\"code\"}]}},{\"addr\":\"0x332\",\"name\":\"RecoveryLoadCapsule\",\"prototype\":\"int __fastcall(int, int, int, unsigned int)\",\"size\":\"0x10b\",\"comments\":{},\"asm\":\"RecoveryLoadCapsule (.text @ 0x332):\\n332  push ecx\\n333  push ebx\\n334  push ebp\\n335  push esi\\n336  push edi\\n337  mov edi, [esp+14h+arg_4]\\n33b  mov ebp, edx\\n33d  mov ebx, ecx\\n33f  cmp edi, dword_1EE0\\n345  jbe loc_36C\\n347  mov esi, [ebx]\\n349  mov eax, edi\\n34b  shr eax, 0Ch\\n34e  push offset qword_1EE8\\n353  inc eax\\n354  push eax\\n355  push 6\\n357  push ebx\\n358  call dword ptr [esi+48h]\\n35b  add esp, 10h\\n35e  test eax, eax\\n360  js loc_437\\n366  mov dword_1EE0, edi\\n36c  push offset aLoadingRecover\\n371  push 44h\\n373  call DebugPrint\\n378  push dword ptr qword_1EE8\\n37e  push [esp+20h+arg_0]\\n382  push ebp\\n383  push ebx\\n384  call dword ptr [ebp+8]\\n387  mov esi, eax\\n389  push esi\\n38a  push offset aDoneStatusR\\n38f  push 44h\\n391  call DebugPrint\\n396  add esp, 24h\\n399  test esi, esi\\n39b  jns loc_3A4\\n39d  mov eax, esi\\n39f  jmp loc_437\\n3a4  mov ecx, dword_1F6C\\n3aa  mov eax, [ecx+25h]\\n3ad  test eax, eax\\n3af  jnz loc_3BB\\n3b1  mov eax, dword_1EE0\\n3b6  mov [ecx+25h], eax\\n3b9  jmp loc_3D4\\n3bb  cmp eax, 1004000h... [1839 chars total]\",\"code\":\"int __fastcall RecoveryLoadCapsule(int a1, int a2, int a3, unsigned int a4)\\n{\\n  int v4; // edi\\n  int result; // eax\\n  int v8; // esi\\n  unsigned int n0x1004000; // eax\\n  signed int v10; // ebx\\n  int v11; // [esp+10h] [ebp-4h] BYREF\\n\\n  v4 = a4; /*0x337*/\\n  if ( a4 > dword_1EE0 ) /*0x345*/\\n  {\\n    result = (*(int (__cdecl **)(int, int, unsigned int, __int64 *))(*(_DWORD *)a1 + 72))( /*0x358*/\\n               a1,\\n               6,\\n               (a4 >> 12) + 1,\\n               &qword_1EE8);\\n    if ( result < 0 ) /*0x360*/\\n      return result; /*0x360*/\\n    dword_1EE0 = v4; /*0x366*/\\n  }\\n  sub_8D0(68, (int)\\\"Loading Recovery Image...\\\"); /*0x373*/\\n  v8 = (*(int (__cdecl **)(int, int, int, _DWORD))(a2 + 8))(a1, a2, a3, qword_1EE8); /*0x387*/\\n  sub_8D0(68, (int)\\\"done. Status: %r\\\\n\\\", v8);\\n  if ( v8 < 0 ) /*0x39b*/\\n    return v8; /*0x39d*/\\n  n0x1004000 = *(_DWORD *)(dword_1F6C + 37); /*0x3aa*/\\n  if ( n0x1004000 ) /*0x3af*/\\n  {\\n    if ( n0x1004000 > 0x1004000 ) /*0x3c0*/\\n      qword_1EE8 += n0x10040... [1429 chars total]\",\"xrefs\":{\"to\":[{\"addr\":\"0x4bb\",\"type\":\"code\"}],\"from\":[{\"addr\":\"0x333\",\"type\":\"code\"}]}},{\"addr\":\"0x43d\",\"name\":\"PeiLocateProtocol\",\"prototype\":\"int __fastcall(int, unsigned __int8 (__cdecl *sub_4DA)(_BYTE *, int), int)\",\"size\":\"0x9d\",\"comments\":{},\"asm\":\"PeiLocateProtocol (.text @ 0x43d):\\n43d  sub esp, 20h\\n440  push ebx\\n441  push ebp\\n442  push esi\\n443  push edi\\n444  mov ebp, edx\\n446  mov edi, ecx\\n448  xor ebx, ebx\\n44a  mov eax, [edi]\\n44c  lea ecx, [esp+30h+var_20]\\n450  push ecx\\n451  lea ecx, [esp+34h+var_14]\\n455  push ecx\\n456  push ebx\\n457  push offset unk_1E40\\n45c  push edi\\n45d  call dword ptr [eax+20h]\\n460  add esp, 14h\\n463  inc ebx\\n464  test eax, eax\\n466  js loc_4D2\\n468  lea eax, [esp+30h+var_1C]\\n46c  push eax\\n46d  mov eax, [esp+34h+var_20]\\n471  push eax\\n472  push edi\\n473  call dword ptr [eax]\\n475  add esp, 0Ch\\n478  test eax, eax\\n47a  js loc_44A\\n47c  xor esi, esi\\n47e  cmp [esp+30h+var_1C], esi\\n482  jbe loc_44A\\n484  lea eax, [esp+30h+var_10]\\n488  push eax\\n489  lea eax, [esp+34h+var_18]\\n48d  push eax\\n48e  mov eax, [esp+38h+var_20]\\n492  push esi\\n493  push eax\\n494  push edi\\n495  call dword ptr [eax+4]\\n498  add esp, 14h\\n49b  test eax, eax\\n49d  js loc_4C6\\n49f  push [esp+30h+arg_0]\\n4a3  lea eax, [esp+34h+var_10]\\n4a7  push eax\\n4a8  call ebp... [1398 chars total]\",\"code\":\"int __fastcall PeiLocateProtocol(int a1, unsigned __int8 (__cdecl *sub_4DA)(_BYTE *, int), int a3)\\n{\\n  int v5; // ebx\\n  int result; // eax\\n  int v7; // esi\\n  int v8; // [esp+10h] [ebp-20h] BYREF\\n  unsigned int v9; // [esp+14h] [ebp-1Ch] BYREF\\n  unsigned int v10; // [esp+18h] [ebp-18h] BYREF\\n  _BYTE v11[4]; // [esp+1Ch] [ebp-14h] BYREF\\n  _BYTE v12[16]; // [esp+20h] [ebp-10h] BYREF\\n\\n  v5 = 0; /*0x448*/\\nLABEL_2:\\n  while ( 1 ) /*0x45d*/\\n  {\\n    result = (*(int (__cdecl **)(int, void *, int, _BYTE *, int *))(*(_DWORD *)a1 + 32))(a1, &unk_1E40, v5++, v11, &v8); /*0x45d*/\\n    if ( result < 0 ) /*0x466*/\\n      return result; /*0x4d2*/\\n    if ( (*(int (__cdecl **)(int, int, unsigned int *))v8)(a1, v8, &v9) >= 0 ) /*0x47a*/\\n    {\\n      v7 = 0; /*0x47c*/\\n      if ( v9 ) /*0x482*/\\n      {\\n        while ( 1 ) /*0x495*/\\n        {\\n          if ( (*(int (__cdecl **)(int, int, int, unsigned int *, _BYTE *))(v8 + 4))(a1, v8, v7, &v10, v12) >= 0 ) /*0x49d*/\\n          {\\n            if ( sub_4DA(v12, a3) )... [1309 chars total]\",\"xrefs\":{\"to\":[{\"addr\":\"0x5f5\",\"type\":\"code\"},{\"addr\":\"0x613\",\"type\":\"code\"}],\"from\":[{\"addr\":\"0x440\",\"type\":\"code\"}]}},{\"addr\":\"0x4da\",\"name\":\"GuidMatchAnyInList\",\"prototype\":\"char __cdecl(int, _DWORD *)\",\"size\":\"0x30\",\"comments\":{},\"asm\":\"GuidMatchAnyInList (.text @ 0x4da):\\n4da  push ebp\\n4db  mov ebp, esp\\n4dd  and esp, 0FFFFFFF8h\\n4e0  push ecx\\n4e1  push esi\\n4e2  mov esi, [ebp+arg_4]\\n4e5  jmp loc_4FA\\n4e7  push [ebp+arg_0]\\n4ea  push dword ptr [esi]\\n4ec  call IsGuidEqual\\n4f1  pop ecx\\n4f2  pop ecx\\n4f3  test al, al\\n4f5  jnz loc_506\\n4f7  add esi, 4\\n4fa  cmp dword ptr [esi], 0\\n4fd  jnz loc_4E7\\n4ff  mov al, 1\\n501  pop esi\\n502  mov esp, ebp\\n504  pop ebp\\n505  retn\\n506  xor al, al\\n508  jmp loc_501\",\"code\":\"char __cdecl GuidMatchAnyInList(int a1, _DWORD *a2)\\n{\\n  while ( 1 ) /*0x4fa*/\\n  {\\n    if ( !*a2 ) /*0x4fa*/\\n      return 1; /*0x505*/\\n    if ( (unsigned __int8)sub_918(*a2, a1) ) /*0x4ec*/\\n      break; /*0x4ec*/\\n    ++a2; /*0x4f7*/\\n  }\\n  return 0; /*0x501*/\\n}\",\"xrefs\":{\"to\":[{\"addr\":\"0x60c\",\"type\":\"data\"}],\"from\":[{\"addr\":\"0x4db\",\"type\":\"code\"}]}},{\"addr\":\"0x50a\",\"name\":\"IsRecoveryMode\",\"prototype\":\"BOOL()\",\"size\":\"0x47\",\"comments\":{},\"asm\":\"IsRecoveryMode (.text @ 0x50a):\\n50a  push ebp\\n50b  mov ebp, esp\\n50d  push ecx\\n50e  push esi\\n50f  call GetPeiServices\\n514  lea edx, [ebp+var_4]\\n517  xor esi, esi\\n519  push edx\\n51a  push esi\\n51b  mov ecx, [eax]\\n51d  push esi\\n51e  push offset unk_17B0\\n523  push eax\\n524  call dword ptr [ecx+20h]\\n527  add esp, 14h\\n52a  test eax, eax\\n52c  jns loc_547\\n52e  call GetPeiServices\\n533  lea edx, [ebp+var_4]\\n536  push edx\\n537  push esi\\n538  mov ecx, [eax]\\n53a  push esi\\n53b  push offset unk_17C0\\n540  push eax\\n541  call dword ptr [ecx+20h]\\n544  add esp, 14h\\n547  not eax\\n549  shr eax, 1Fh\\n54c  pop esi\\n54d  mov esp, ebp\\n54f  pop ebp\\n550  retn\",\"code\":\"BOOL IsRecoveryMode()\\n{\\n  int v0; // eax\\n  int v1; // eax\\n  int v2; // eax\\n  _BYTE v4[4]; // [esp+4h] [ebp-4h] BYREF\\n\\n  v0 = sub_1423(); /*0x50f*/\\n  v1 = (*(int (__cdecl **)(int, void *, _DWORD, _DWORD, _BYTE *))(*(_DWORD *)v0 + 32))(v0, &unk_17B0, 0, 0, v4); /*0x524*/\\n  if ( v1 < 0 ) /*0x52c*/\\n  {\\n    v2 = sub_1423(); /*0x52e*/\\n    v1 = (*(int (__cdecl **)(int, void *, _DWORD, _DWORD, _BYTE *))(*(_DWORD *)v2 + 32))(v2, &unk_17C0, 0, 0, v4); /*0x541*/\\n  }\\n  return v1 >= 0; /*0x54c*/\\n}\",\"xrefs\":{\"to\":[{\"addr\":\"0x5ca\",\"type\":\"code\"}],\"from\":[{\"addr\":\"0x50b\",\"type\":\"code\"}]}},{\"addr\":\"0x551\",\"name\":\"RecoveryModuleEntry\",\"prototype\":\"int __cdecl(int)\",\"size\":\"0x100\",\"comments\":{},\"asm\":\"RecoveryModuleEntry (.text @ 0x551):\\n551  push ebp\\n552  mov ebp, esp\\n554  and esp, 0FFFFFFF8h\\n557  sub esp, 0Ch\\n55a  push ebx\\n55b  mov ebx, [ebp+arg_0]\\n55e  push esi\\n55f  push edi\\n560  push offset dword_1F6C\\n565  mov eax, [ebx]\\n567  push 29h\\n569  push 4\\n56b  push ebx\\n56c  call dword ptr [eax+34h]\\n56f  add esp, 10h\\n572  test eax, eax\\n574  js loc_64A\\n57a  mov edi, dword_1F6C\\n580  lea ecx, [esp+18h+var_4]\\n584  mov esi, offset unk_1760\\n589  push ecx\\n58a  push ebx\\n58b  lea edi, [edi+8]\\n58e  movsd ,\\n58f  movsd ,\\n590  movsd ,\\n591  movsd ,\\n592  mov eax, dword_1F6C\\n597  xor esi, esi\\n599  mov [eax+18h], esi\\n59c  mov [eax+1Ch], esi\\n59f  mov eax, dword_1F6C\\n5a4  mov [eax+21h], esi\\n5a7  mov eax, dword_1F6C\\n5ac  mov [eax+25h], esi\\n5af  mov eax, dword_1F6C\\n5b4  mov byte ptr [eax+20h], 0Eh\\n5b8  mov eax, [ebx]\\n5ba  call dword ptr [eax+28h]\\n5bd  pop ecx\\n5be  pop ecx\\n5bf  test eax, eax\\n5c1  js loc_5DC\\n5c3  cmp [esp+18h+var_4], 12h\\n5c8  jnz loc_5DC\\n5ca  call IsRecoveryMode\\n5cf  test al, al\\n5d1  jz loc_5DC... [1888 chars total]\",\"code\":\"int __cdecl RecoveryModuleEntry(int a1)\\n{\\n  int result; // eax\\n  _DWORD *v2; // edi\\n  int v3; // eax\\n  int v4; // edi\\n  int *v5; // esi\\n  int v6; // [esp+10h] [ebp-8h]\\n  int n18; // [esp+14h] [ebp-4h] BYREF\\n\\n  result = (*(int (__cdecl **)(int, int, int, int *))(*(_DWORD *)a1 + 52))(a1, 4, 41, &dword_1F6C); /*0x56c*/\\n  if ( result >= 0 ) /*0x574*/\\n  {\\n    v2 = (_DWORD *)(dword_1F6C + 8); /*0x58b*/\\n    *(_DWORD *)(dword_1F6C + 8) = unk_1760; /*0x58e*/\\n    *++v2 = unk_1764; /*0x58f*/\\n    *++v2 = unk_1768; /*0x590*/\\n    v2[1] = unk_176C; /*0x591*/\\n    v3 = dword_1F6C; /*0x592*/\\n    *(_DWORD *)(dword_1F6C + 24) = 0; /*0x599*/\\n    *(_DWORD *)(v3 + 28) = 0; /*0x59c*/\\n    *(_DWORD *)(dword_1F6C + 33) = 0; /*0x5a4*/\\n    *(_DWORD *)(dword_1F6C + 37) = 0; /*0x5ac*/\\n    *(_BYTE *)(dword_1F6C + 32) = 14; /*0x5b4*/\\n    if ( (*(int (__cdecl **)(int, int *))(*(_DWORD *)a1 + 40))(a1, &n18) >= 0 /*0x5ca*/\\n      && n18 == 18\\n      && (unsigned __int8)IsRecoveryMode() )\\n    {\\n      return sub_73A(a1); /*0... [1966 chars total]\",\"xrefs\":{\"to\":[{\"addr\":\"0x1e68\",\"type\":\"data\"}],\"from\":[{\"addr\":\"0x552\",\"type\":\"code\"}]}}]}"}, {"type": "text", "text": "Output truncated. Run: curl -o .ida-mcp/276f531a-a584-4e3a-9cbd-ff1cce43c282.json http://127.0.0.1:13402/output/276f531a-a584-4e3a-9cbd-ff1cce43c282.json"}], "isError": false, "_meta": {"ida_mcp": {"output_truncated": true, "total_chars": 94197, "output_id": "276f531a-a584-4e3a-9cbd-ff1cce43c282", "download_url": "http://127.0.0.1:13402/output/276f531a-a584-4e3a-9cbd-ff1cce43c282.json", "download_hint": "Output truncated. Run: curl -o .ida-mcp/276f531a-a584-4e3a-9cbd-ff1cce43c282.json http://127.0.0.1:13402/output/276f531a-a584-4e3a-9cbd-ff1cce43c282.json"}}}, "id": 1}