First step was a grep for INT 21s (file operations) which was quite revealing. 17EE:00004DEB int 21 ;open EAX:00003D02 EBX:000000D8 ECX:00000000 EDX:00000237 ESI:00005C80 EDI:0000023F EBP:00005242 ESP:00000FCE DS:9F7C ES:9F7C FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 17EE:00004DEB int 21 ;seek file=5 origin=SEEK_SET offset=0000552B (tuneamusic2) EAX:00004200 EBX:00000005 ECX:00000000 EDX:0000552B ESI:00005C80 EDI:00000000 EBP:00005242 ESP:00000FCE DS:0820 ES:50BC FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:0 IF:1 17EE:00004DEB int 21 ;read file=5 size=00000E13 (tuneamusic2.length) buffer=50BC:0000 EAX:00003FBC EBX:00000005 ECX:00000E13 EDX:00000000 ESI:00005C80 EDI:00000000 EBP:00005242 ESP:00000FCC DS:50BC ES:50BC FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 17EE:00004DEB int 21 ;close file=5 EAX:00003E13 EBX:00000005 ECX:00000E13 EDX:00000000 ESI:00005C80 EDI:00000000 EBP:00005242 ESP:00000FD2 DS:EA25 ES:50BC FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 17EE:00004DEB int 21 ;open EAX:00003D02 EBX:000000D8 ECX:00000000 EDX:00000237 ESI:00005C60 EDI:0000023F EBP:00005242 ESP:00000FC0 DS:9F7C ES:9F7C FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 17EE:00004DEB int 21 ;seek file=5 origin=SEEK_SET offset=0000376D (datamendstr2) EAX:00004200 EBX:00000005 ECX:00000000 EDX:0000376D ESI:00005C60 EDI:00000000 EBP:00005242 ESP:00000FC0 DS:0820 ES:50BC FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:0 IF:1 17EE:00004DEB int 21 ;read file=5 size=00000C41 buffer=50BC:0000 EAX:00003FBC EBX:00000005 ECX:00000C41 EDX:00000000 ESI:00005C60 EDI:00000000 EBP:00005242 ESP:00000FBE DS:50BC ES:50BC FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 17EE:00004DEB int 21 ;close file=5 EAX:00003E41 EBX:00000005 ECX:00000C41 EDX:00000000 ESI:00005C60 EDI:00000000 EBP:00005242 ESP:00000FC4 DS:EA25 ES:50BC FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 7ED7:00008139 int 21 ;open EAX:00003D00 EBX:00000000 
ECX:00000000 EDX:00000816 ESI:0000B2ED EDI:00000000 EBP:00000000 ESP:00000FE4 DS:7ED7 ES:E699 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 7ED7:00008154 int 21 ;seek file=5 origin=SEEK_SET offset=00000028 EAX:00004200 EBX:00000005 ECX:00000000 EDX:00000028 ESI:0000B2ED EDI:00000000 EBP:00000000 ESP:00000FE6 DS:7ED7 ES:E699 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 7ED7:00008162 int 21 ;read file=5 size=00000008 EAX:00003F28 EBX:00000005 ECX:00000008 EDX:00000820 ESI:0000B2ED EDI:00000000 EBP:00000000 ESP:00000FE6 DS:7ED7 ES:E699 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 7ED7:00008174 int 21 ;seek file=5 origin=SEEK_SET offset=0000C38E EAX:00004200 EBX:00000005 ECX:00000000 EDX:0000C38E ESI:0000B2ED EDI:00000000 EBP:00000000 ESP:00000FE6 DS:7ED7 ES:E699 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 7ED7:00008185 int 21 ;read file=5 size=0000060D EAX:00003F8E EBX:00000005 ECX:0000060D EDX:00000828 ESI:0000B2ED EDI:00000000 EBP:00000000 ESP:00000FE6 DS:7ED7 ES:E699 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 7ED7:0000819B int 21 ;close file=5 EAX:00003E29 EBX:00000005 ECX:0000060D EDX:00000828 ESI:0000B2ED EDI:00000000 EBP:00000000 ESP:00000FE6 DS:7ED7 ES:E699 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:0 IF:1 17EE:00004DEB int 21 ;open EAX:00003D02 EBX:000000C0 ECX:0000060D EDX:000005A5 ESI:000059E0 EDI:000005AE EBP:00005242 ESP:00000FC8 DS:9F7C ES:9F7C FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 17EE:00004DEB int 21 ;seek file=5 origin=SEEK_SET offset=00000299 (bmapleft_on) EAX:00004200 EBX:00000005 ECX:00000000 EDX:00000299 ESI:000059E0 EDI:00000000 EBP:00005242 ESP:00000FC8 DS:0820 ES:50BC FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:0 IF:1 17EE:00004DEB int 21 ;read file=5 size=00000294 EAX:00003FBC EBX:00000005 ECX:00000294 EDX:00000000 ESI:000059E0 EDI:00000000 EBP:00005242 ESP:00000FC6 DS:50BC ES:50BC FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 
IF:1 17EE:00004DEB int 21 ;close file=5 EAX:00003E94 EBX:00000005 ECX:00000294 EDX:00000000 ESI:000059E0 EDI:00000000 EBP:00005242 ESP:00000FCC DS:EA25 ES:50BC FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 17EE:00004DEB int 21 ;open EAX:00003D02 EBX:000000C0 ECX:00000000 EDX:000005A5 ESI:00005AE0 EDI:000005AE EBP:00005242 ESP:00000FC8 DS:9F7C ES:9F7C FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 17EE:00004DEB int 21 ;seek file=5 origin=SEEK_SET offset=0000E9C4 (bmapdeaduk.offset) EAX:00004200 EBX:00000005 ECX:00000000 EDX:0000E9C4 ESI:00005AE0 EDI:00000000 EBP:00005242 ESP:00000FC8 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 17EE:00004DEB int 21 ;read file=5 size=0000C57C (bmapdeaduk.length) buffer=86F6:0000 EAX:00003FF6 EBX:00000005 ECX:0000C57C EDX:00000000 ESI:00005AE0 EDI:00000000 EBP:00005242 ESP:00000FC6 DS:86F6 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 17EE:00004DEB int 21 ;close file=5 EAX:00003E7C EBX:00000005 ECX:0000C57C EDX:00000000 ESI:00005AE0 EDI:00000000 EBP:00005242 ESP:00000FCC DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 This was a starting point for investigation. 
Before the call to fread for bmapdeaduk, this first sets SI to 00005AE0 (this is subroutine sub_1D7DA in IDA): 200F:00005663 call 000058EA ($+284) E8 84 02 EAX:00000000 EBX:00000005 ECX:00000000 EDX:000000C7 ESI:0000A510 EDI:00000000 EBP:00000000 ESP:00000FD8 DS:0820 ES:50E7 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:0 IF:1 TF:0 VM:0 FLG:00007246 CR0:00000010 200F:000058EA mov bp,5239 BD 39 52 EAX:00000000 EBX:00000005 ECX:00000000 EDX:000000C7 ESI:0000A510 EDI:00000000 EBP:00000000 ESP:00000FD6 DS:0820 ES:50E7 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:0 IF:1 TF:0 VM:0 FLG:00007246 CR0:00000010 200F:000058ED or si,si 0B F6 EAX:00000000 EBX:00000005 ECX:00000000 EDX:000000C7 ESI:0000A510 EDI:00000000 EBP:00005239 ESP:00000FD6 DS:0820 ES:50E7 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:0 IF:1 TF:0 VM:0 FLG:00007246 CR0:00000010 200F:000058EF jns 000058F6 ($+5) (no jmp) 79 05 EAX:00000000 EBX:00000005 ECX:00000000 EDX:000000C7 ESI:0000A510 EDI:00000000 EBP:00005239 ESP:00000FD6 DS:0820 ES:50E7 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:0 IF:1 TF:0 VM:0 FLG:00007246 CR0:00000010 200F:000058F1 neg si F7 DE EAX:00000000 EBX:00000005 ECX:00000000 EDX:000000C7 ESI:0000A510 EDI:00000000 EBP:00005239 ESP:00000FD6 DS:0820 ES:50E7 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:0 IF:1 TF:0 VM:0 FLG:00007246 CR0:00000010 200F:000058F3 mov bp,5242 BD 42 52 EAX:00000000 EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00005AF0 EDI:00000000 EBP:00005239 ESP:00000FD6 DS:0820 ES:50E7 FS:0000 GS:0000 SS:4D42 CF:1 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007246 CR0:00000010 200F:000058F6 sub si,cs:[bp+04] cs:[5246]=0010 2E 2B 76 04 EAX:00000000 EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00005AF0 EDI:00000000 EBP:00005242 ESP:00000FD6 DS:0820 ES:50E7 FS:0000 GS:0000 SS:4D42 CF:1 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007246 CR0:00000010 200F:000058FA mov ds,cs:[bp] cs:[5242]=EA25 2E 8E 5E 00 EAX:00000000 EBX:00000005 ECX:00000000 
EDX:000000C7 ESI:00005AE0 EDI:00000000 EBP:00005242 ESP:00000FD6 DS:0820 ES:50E7 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:0 IF:1 TF:0 VM:0 FLG:00007246 CR0:00000010 200F:000058FE ret C3 EAX:00000000 EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00005AE0 EDI:00000000 EBP:00005242 ESP:00000FD6 DS:EA25 ES:50E7 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:0 IF:1 TF:0 VM:0 FLG:00007246 CR0:00000010 Even though this is a Code Segment, this is used as RAM by the game. This is seg003 in IDA, in IDA the seg003:510C-525A area is all zeroes. SI is pushed, before being clobbered: 200F:00005B63 call 17EE:74C6 9A C6 74 EE 17 EAX:00003FBE EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00005AE0 EDI:0000281C EBP:00005242 ESP:00000FCA DS:0820 ES:3FAA FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007A96 CR0:00000010 17EE:000074C6 push es 06 EAX:00003FBE EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00005AE0 EDI:0000281C EBP:00005242 ESP:00000FC6 DS:0820 ES:3FAA FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007206 CR0:00000010 17EE:000074C7 push bx 53 EAX:00003FBE EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00005AE0 EDI:0000281C EBP:00005242 ESP:00000FC4 DS:0820 ES:3FAA FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007206 CR0:00000010 17EE:000074C8 push cx 51 EAX:00003FBE EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00005AE0 EDI:0000281C EBP:00005242 ESP:00000FC2 DS:0820 ES:3FAA FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007206 CR0:00000010 17EE:000074C9 push si 56 EAX:00003FBE EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00005AE0 EDI:0000281C EBP:00005242 ESP:00000FC0 DS:0820 ES:3FAA FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007206 CR0:00000010 17EE:000074CA push di 57 EAX:00003FBE EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00005AE0 EDI:0000281C EBP:00005242 ESP:00000FBE DS:0820 ES:3FAA FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 
AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007206 CR0:00000010 17EE:000074CB push bp 55 EAX:00003FBE EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00005AE0 EDI:0000281C EBP:00005242 ESP:00000FBC DS:0820 ES:3FAA FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007206 CR0:00000010 then several lines later SI is restored: 17EE:00007500 pop dx 5A EAX:00003FC2 EBX:00000000 ECX:00000000 EDX:00000010 ESI:00002864 EDI:000010CF EBP:00000000 ESP:00000FB6 DS:0820 ES:9CD0 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007256 CR0:00000010 17EE:00007501 pop ax 58 EAX:00003FC2 EBX:00000000 ECX:00000000 EDX:0000E2E4 ESI:00002864 EDI:000010CF EBP:00000000 ESP:00000FB8 DS:0820 ES:9CD0 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007256 CR0:00000010 17EE:00007502 pop bp 5D EAX:00000820 EBX:00000000 ECX:00000000 EDX:0000E2E4 ESI:00002864 EDI:000010CF EBP:00000000 ESP:00000FBA DS:0820 ES:9CD0 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007256 CR0:00000010 17EE:00007503 pop di 5F EAX:00000820 EBX:00000000 ECX:00000000 EDX:0000E2E4 ESI:00002864 EDI:000010CF EBP:00005242 ESP:00000FBC DS:0820 ES:9CD0 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007256 CR0:00000010 17EE:00007504 pop si 5E EAX:00000820 EBX:00000000 ECX:00000000 EDX:0000E2E4 ESI:00002864 EDI:0000281C EBP:00005242 ESP:00000FBE DS:0820 ES:9CD0 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007256 CR0:00000010 17EE:00007505 pop cx 59 EAX:00000820 EBX:00000000 ECX:00000000 EDX:0000E2E4 ESI:00005AE0 EDI:0000281C EBP:00005242 ESP:00000FC0 DS:0820 ES:9CD0 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007256 CR0:00000010 17EE:00007506 pop bx 5B EAX:00000820 EBX:00000000 ECX:00000000 EDX:0000E2E4 ESI:00005AE0 EDI:0000281C EBP:00005242 ESP:00000FC2 DS:0820 ES:9CD0 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007256 
CR0:00000010
17EE:00007507 pop es 07 EAX:00000820 EBX:00000005 ECX:00000000 EDX:0000E2E4 ESI:00005AE0 EDI:0000281C EBP:00005242 ESP:00000FC4 DS:0820 ES:9CD0 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007256 CR0:00000010
17EE:00007508 retf CB EAX:00000820 EBX:00000005 ECX:00000000 EDX:0000E2E4 ESI:00005AE0 EDI:0000281C EBP:00005242 ESP:00000FC6 DS:0820 ES:3FAA FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007256 CR0:00000010
200F:00005B68 mov cs:[511D],ax cs:[511D]=0820 2E A3 1D 51 EAX:00000820 EBX:00000005 ECX:00000000 EDX:0000E2E4 ESI:00005AE0 EDI:0000281C EBP:00005242 ESP:00000FCA DS:0820 ES:3FAA FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007256 CR0:00000010

This leaves (E)SI set up with value 00005AE0. Later on, this sets up EAX and ECX with the values for the fread:

200F:00005AED xor di,di 33 FF EAX:00000005 EBX:00000005 ECX:00000000 EDX:000005A5 ESI:00005AE0 EDI:000005AE EBP:00005242 ESP:00000FD4 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007246 CR0:00000010
200F:00005AEF mov cx,[si+08] ds:[5AE8]=C57C 8B 4C 08 EAX:00000005 EBX:00000005 ECX:00000000 EDX:000005A5 ESI:00005AE0 EDI:00000000 EBP:00005242 ESP:00000FD4 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007246 CR0:00000010
200F:00005AF2 mov ax,[si+02] ds:[5AE2]=E9C4 8B 44 02 EAX:00000005 EBX:00000005 ECX:0000C57C EDX:000005A5 ESI:00005AE0 EDI:00000000 EBP:00005242 ESP:00000FD4 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007246 CR0:00000010
200F:00005AF5 mov dx,[si+04] ds:[5AE4]=0000 8B 54 04 EAX:0000E9C4 EBX:00000005 ECX:0000C57C EDX:000005A5 ESI:00005AE0 EDI:00000000 EBP:00005242 ESP:00000FD4 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007246 CR0:00000010

So at EA25:5AE0 there is a structure with offset at +02 (0000E9C4) and
length/word1 at +08 (0000C57C). This structure is probably read from _INDEX when the game is first loaded. Down below (200F:00005A24) we can see that word2 (FD31) is located at +0A. Note how at 200F:00005A21 "AL" is loaded with the mystery byte 03.

The values in _INDEX next to "bmapdeaduk" are:

off 00 01 02 03 04 05 06 07 08 09
val 19 03 C4 E9 00 00 7C C5 31 FD

While at EA25:5AE0 they are:

off 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
val 01 00 C4 E9 00 00 19 03 7C C5 31 FD 00 00 00 00

So at corenormal log line 1858749 follows the fread:

17EE:00004DEB int 21 CD 21 EAX:00004200 EBX:00000005 ECX:00000000 EDX:0000E9C4 ESI:00005AE0 EDI:00000000 EBP:00005242 ESP:00000FC8 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010

And later at corenormal log line 2985120, there is a memcpy of the whole fread buffer from DS=86F6 to ES=726F. The "repe movsw" is actually a "rep movsw" as rnlf said.

17EE:000057C7 repe movsw F3 A5 EAX:0000726F EBX:0000726E ECX:000062C0 EDX:000062C0 ESI:00000000 EDI:00000000 EBP:0000504A ESP:00000FA2 DS:86F6 ES:726F FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:1 PF:0 IF:1 TF:0 VM:0 FLG:00007212 CR0:00000010

So a memcpy of 000062C0 words = 50560 bytes (bmapdeaduk.length) from 86F6:0000 to 726F:0000.

Then later, this bit seems to take care of loading a few registers:

- AL = bmapdeaduk.misteryByte (AX is simply left with highbyte of 86F6)
- BX = bmapdeaduk.word2 (decompressed length?)
- CX = bmapdeaduk.length/word1
- SI = 0
- DI = 0
- DS = 726F (src?)
- ES = 86F6 (dst?)
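The two byte layouts listed above, reconciled in code (an added example, not part of the original notes or the game's own code): it parses the 10-byte _INDEX record, rebuilds the 16-byte descriptor seen at EA25:5AE0, and derives the INT 21h seek/read registers seen in the log. The field names, the reading of +02 as a 32-bit little-endian offset, and the paragraph rounding of the copy size are assumptions inferred from the values on this page.

```python
import struct
from dataclasses import dataclass

# Sample bytes constructed from the two tables on this page (entry "bmapdeaduk").
INDEX_RECORD = bytes.fromhex("1903C4E900007CC531FD")                   # _INDEX, off 00..09
MEMORY_DESCRIPTOR = bytes.fromhex("0100C4E9000019037CC531FD00000000")  # EA25:5AE0, off 00..0F


@dataclass(frozen=True)
class ResourceEntry:
    """One _INDEX record; field names are hypothetical labels."""
    byte0: int    # 0x19 in the sample, meaning unknown
    method: int   # the "mystery byte" (0x03), loaded into AL at 200F:5A21
    offset: int   # file offset (assumed 32-bit LE; its two words sit at +02/+04 in memory)
    length: int   # length/word1: number of bytes read from the file
    word2: int    # word2, possibly the decompressed length


def parse_index_record(raw: bytes) -> ResourceEntry:
    """Decode the 10 bytes that follow a resource name in _INDEX."""
    if len(raw) != 10:
        raise ValueError(f"expected 10 bytes, got {len(raw)}")
    byte0, method, offset, length, word2 = struct.unpack("<BBIHH", raw)
    return ResourceEntry(byte0, method, offset, length, word2)


def to_memory_descriptor(entry: ResourceEntry, word0: int = 1,
                         buffer_segment: int = 0) -> bytes:
    """Rebuild the 16-byte in-memory layout observed at EA25:5AE0.

    word0 (0001 in the dump) is copied as-is because its meaning is unknown.
    +0C is where 17EE:53CB later stores the buffer segment (mov [di],es with
    DI=5AEC); it is still zero in the dump shown on the page.
    """
    return struct.pack("<HIBBHHHH", word0, entry.offset, entry.byte0,
                       entry.method, entry.length, entry.word2,
                       buffer_segment, 0)


def dos_file_calls(entry: ResourceEntry) -> dict:
    """Registers the loader passes to INT 21h for this entry."""
    return {
        # AH=42h AL=00h: seek from start of file, offset in CX:DX
        "seek": {"AX": 0x4200,
                 "CX": entry.offset >> 16,
                 "DX": entry.offset & 0xFFFF},
        # AH=3Fh: read CX bytes
        "read": {"AH": 0x3F, "CX": entry.length},
    }


def copy_word_count(length: int) -> int:
    """Word count for the rep movsw copy, assuming the size is rounded up
    to a whole 16-byte paragraph (inferred from 62C0 words vs length C57C)."""
    paragraphs = (length + 15) // 16
    return paragraphs * 8


if __name__ == "__main__":
    e = parse_index_record(INDEX_RECORD)
    print(e)
    print(to_memory_descriptor(e).hex(" "))
    print(dos_file_calls(e), hex(copy_word_count(e.length)))
```
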
17EE:000053C0 mov ax,es 8C C0 EAX:0000726E EBX:00000FD5 ECX:0000C50E EDX:00000605 ESI:00005AE0 EDI:00005AEC EBP:0000504A ESP:00000FB8 DS:EA25 ES:86F5 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007206 CR0:00000010 17EE:000053C2 inc ax 40 EAX:000086F5 EBX:00000FD5 ECX:0000C50E EDX:00000605 ESI:00005AE0 EDI:00005AEC EBP:0000504A ESP:00000FB8 DS:EA25 ES:86F5 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007206 CR0:00000010 17EE:000053C3 mov es,ax 8E C0 EAX:000086F6 EBX:00000FD5 ECX:0000C50E EDX:00000605 ESI:00005AE0 EDI:00005AEC EBP:0000504A ESP:00000FB8 DS:EA25 ES:86F5 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007206 CR0:00000010 17EE:000053C5 mov ax,ds 8C D8 EAX:000086F6 EBX:00000FD5 ECX:0000C50E EDX:00000605 ESI:00005AE0 EDI:00005AEC EBP:0000504A ESP:00000FB8 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007206 CR0:00000010 17EE:000053C7 or ax,di 0B C7 EAX:0000EA25 EBX:00000FD5 ECX:0000C50E EDX:00000605 ESI:00005AE0 EDI:00005AEC EBP:0000504A ESP:00000FB8 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007206 CR0:00000010 17EE:000053C9 je 000053CD ($+2) (no jmp) 74 02 EAX:0000FAED EBX:00000FD5 ECX:0000C50E EDX:00000605 ESI:00005AE0 EDI:00005AEC EBP:0000504A ESP:00000FB8 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007206 CR0:00000010 17EE:000053CB mov [di],es ds:[5AEC]=0000 8C 05 EAX:0000FAED EBX:00000FD5 ECX:0000C50E EDX:00000605 ESI:00005AE0 EDI:00005AEC EBP:0000504A ESP:00000FB8 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007206 CR0:00000010 17EE:000053CD clc F8 EAX:0000FAED EBX:00000FD5 ECX:0000C50E EDX:00000605 ESI:00005AE0 EDI:00005AEC EBP:0000504A ESP:00000FB8 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007206 CR0:00000010 17EE:000053CE retf CB 
EAX:0000FAED EBX:00000FD5 ECX:0000C50E EDX:00000605 ESI:00005AE0 EDI:00005AEC EBP:0000504A ESP:00000FB8 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 17EE:00005120 mov ax,es 8C C0 EAX:0000FAED EBX:00000FD5 ECX:0000C50E EDX:00000605 ESI:00005AE0 EDI:00005AEC EBP:0000504A ESP:00000FBC DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 17EE:00005122 pop bp 5D EAX:000086F6 EBX:00000FD5 ECX:0000C50E EDX:00000605 ESI:00005AE0 EDI:00005AEC EBP:0000504A ESP:00000FBC DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 17EE:00005123 pop di 5F EAX:000086F6 EBX:00000FD5 ECX:0000C50E EDX:00000605 ESI:00005AE0 EDI:00005AEC EBP:00005242 ESP:00000FBE DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 17EE:00005124 pop si 5E EAX:000086F6 EBX:00000FD5 ECX:0000C50E EDX:00000605 ESI:00005AE0 EDI:00005AEC EBP:00005242 ESP:00000FC0 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 17EE:00005125 pop dx 5A EAX:000086F6 EBX:00000FD5 ECX:0000C50E EDX:00000605 ESI:00005AE0 EDI:00005AEC EBP:00005242 ESP:00000FC2 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 17EE:00005126 pop cx 59 EAX:000086F6 EBX:00000FD5 ECX:0000C50E EDX:00000000 ESI:00005AE0 EDI:00005AEC EBP:00005242 ESP:00000FC4 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 17EE:00005127 pop bx 5B EAX:000086F6 EBX:00000FD5 ECX:0000C57C EDX:00000000 ESI:00005AE0 EDI:00005AEC EBP:00005242 ESP:00000FC6 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 17EE:00005128 pop es 07 EAX:000086F6 EBX:00000FD4 ECX:0000C57C EDX:00000000 ESI:00005AE0 EDI:00005AEC 
EBP:00005242 ESP:00000FC8 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 17EE:00005129 pop ds 1F EAX:000086F6 EBX:00000FD4 ECX:0000C57C EDX:00000000 ESI:00005AE0 EDI:00005AEC EBP:00005242 ESP:00000FCA DS:EA25 ES:86F5 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 17EE:0000512A retf CB EAX:000086F6 EBX:00000FD4 ECX:0000C57C EDX:00000000 ESI:00005AE0 EDI:00005AEC EBP:00005242 ESP:00000FCC DS:EA25 ES:86F5 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 200F:00005A1B jc 00005A49 ($+2c) (no jmp) 72 2C EAX:000086F6 EBX:00000FD4 ECX:0000C57C EDX:00000000 ESI:00005AE0 EDI:00005AEC EBP:00005242 ESP:00000FD0 DS:EA25 ES:86F5 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 200F:00005A1D mov es,ax 8E C0 EAX:000086F6 EBX:00000FD4 ECX:0000C57C EDX:00000000 ESI:00005AE0 EDI:00005AEC EBP:00005242 ESP:00000FD0 DS:EA25 ES:86F5 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 200F:00005A1F xor di,di 33 FF EAX:000086F6 EBX:00000FD4 ECX:0000C57C EDX:00000000 ESI:00005AE0 EDI:00005AEC EBP:00005242 ESP:00000FD0 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 200F:00005A21 mov al,[si+07] ds:[5AE7]=7C03 8A 44 07 EAX:000086F6 EBX:00000FD4 ECX:0000C57C EDX:00000000 ESI:00005AE0 EDI:00000000 EBP:00005242 ESP:00000FD0 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 200F:00005A24 mov bx,[si+0A] ds:[5AEA]=FD31 8B 5C 0A EAX:00008603 EBX:00000FD4 ECX:0000C57C EDX:00000000 ESI:00005AE0 EDI:00000000 EBP:00005242 ESP:00000FD0 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 200F:00005A27 mov si,cs:[5259] cs:[5259]=5D90 2E 8B 36 59 52 EAX:00008603 EBX:0000FD31 
ECX:0000C57C EDX:00000000 ESI:00005AE0 EDI:00000000 EBP:00005242 ESP:00000FD0 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 200F:00005A2C mov ds,[si] ds:[5D90]=726F 8E 1C EAX:00008603 EBX:0000FD31 ECX:0000C57C EDX:00000000 ESI:00005D90 EDI:00000000 EBP:00005242 ESP:00000FD0 DS:EA25 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 200F:00005A2E xor si,si 33 F6 EAX:00008603 EBX:0000FD31 ECX:0000C57C EDX:00000000 ESI:00005D90 EDI:00000000 EBP:00005242 ESP:00000FD0 DS:726F ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 200F:00005A30 call 4F05:10B7 9A B7 10 05 4F EAX:00008603 EBX:0000FD31 ECX:0000C57C EDX:00000000 ESI:00000000 EDI:00000000 EBP:00005242 ESP:00000FD0 DS:726F ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 4F05:10B7 (IDA sub_47F07) seems to be the decompression routine. An examination of the IDA disassembly confirms that the misteryByte 03 picks the decompression algorithm. 
seg026:10B7 sub_47F07       proc far                ; CODE XREF: sub_1D8D3+4DP
seg026:10B7                 push    ds
seg026:10B8                 push    si
seg026:10B9                 dec     al
seg026:10BB                 jnz     short loc_47F13
seg026:10BD                 push    cs
seg026:10BE                 call    near ptr sub_47F32
seg026:10C1                 jmp     short loc_47F2E
seg026:10C3 ; ---------------------------------------------------------------------------
seg026:10C3
seg026:10C3 loc_47F13:                              ; CODE XREF: sub_47F07+4j
seg026:10C3                 dec     al
seg026:10C5                 jnz     short loc_47F1D
seg026:10C7                 push    cs
seg026:10C8                 call    near ptr sub_47FAC
seg026:10CB                 jmp     short loc_47F2E
seg026:10CD ; ---------------------------------------------------------------------------
seg026:10CD
seg026:10CD loc_47F1D:                              ; CODE XREF: sub_47F07+Ej
seg026:10CD                 dec     al
seg026:10CF                 jnz     short loc_47F2B
seg026:10D1                 push    cs
seg026:10D2                 call    near ptr sub_47FAC
seg026:10D5                 push    cs
seg026:10D6                 call    near ptr sub_47F32
seg026:10D9                 jmp     short loc_47F2E
seg026:10DB ; ---------------------------------------------------------------------------
seg026:10DB
seg026:10DB loc_47F2B:                              ; CODE XREF: sub_47F07+18j
seg026:10DB                 stc
seg026:10DC                 jmp     short loc_47F2F
seg026:10DE ; ---------------------------------------------------------------------------
seg026:10DE
seg026:10DE loc_47F2E:                              ; CODE XREF: sub_47F07+Aj
seg026:10DE                                         ; sub_47F07+14j ...
seg026:10DE                 clc
seg026:10DF
seg026:10DF loc_47F2F:                              ; CODE XREF: sub_47F07+25j
seg026:10DF                 pop     si
seg026:10E0                 pop     ds
seg026:10E1                 retf
seg026:10E1 sub_47F07       endp

Further in, the bytes seem to be read through LODSB instructions (Load byte at address DS:(E)SI into AL)...

4F05:00001413 lodsb
4F05:0000141F lodsb
4F05:0000119B lodsb

...and written through either one of two identical MOVs.
4F05:000011E3 mov es:[di],ch 4F05:000011B5 mov es:[di],ch Later on: 17EE:00004D29 xor si,si 33 F6 EAX:00000000 EBX:00000005 ECX:00000000 EDX:000000C7 ESI:0000A510 EDI:00000000 EBP:00000000 ESP:00000FEC DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:1 ZF:0 SF:1 OF:0 AF:1 PF:0 IF:1 TF:0 VM:0 FLG:00007293 CR0:00000010 17EE:00004D2B push cs 0E EAX:00000000 EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:00000000 ESP:00000FEC DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007293 CR0:00000010 17EE:00004D2C call 00004D12 ($-1d) E8 E3 FF EAX:00000000 EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:00000000 ESP:00000FEA DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007293 CR0:00000010 17EE:00004D12 cmp byte es:[si+09],00 es:[0009]=0081 26 80 7C 09 00 EAX:00000000 EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:00000000 ESP:00000FE8 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007293 CR0:00000010 17EE:00004D17 jns 00004D1F ($+6) (no jmp) 79 06 EAX:00000000 EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:00000000 ESP:00000FE8 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007293 CR0:00000010 17EE:00004D19 call 9CD0:1D52 9A 52 1D D0 9C EAX:00000000 EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:00000000 ESP:00000FE8 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007293 CR0:00000010 Note the call to 9CD0:1D52. The IDA disassembly is different. Note the call to "far ptr unk_0", this is a disassembly of 9A 00 00 00 00. Most likely this is some sort of self modifying code to implement a far call. 
seg001:4D12 sub_149F2 proc far ; CODE XREF: sub_149F2+1Ap seg001:4D12 cmp byte ptr es:[si+9], 0 seg001:4D17 jns short loc_149FF seg001:4D19 seg001:4D19 loc_149F9: ; DATA XREF: seg008:008Ao seg001:4D19 call far ptr unk_0 seg001:4D1E retf At any rate it calls a copy-to-VGA routine, note "rep movsb" copying from DS=86F6 to ES=A000. Note 86F6 is decompressed bmap data and A000 is VGA memory. Note at 9CD0:00001E2D the "out dx,ax" with AX=1102 and DX=03C4. This writes AL=02h to port 3C4h and AH=11h to next port 3C5h, the 11h seems to be a bitplane select plus a meaningless bit (rnlf). 9CD0:00001D52 xor bx,bx 33 DB EAX:00000000 EBX:00000005 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:00000000 ESP:00000FE4 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:1 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001D54 mov bl,es:[si+09] es:[0009]=0081 26 8A 5C 09 EAX:00000000 EBX:00000000 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:00000000 ESP:00000FE4 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001D58 shl bl,1 D0 E3 EAX:00000000 EBX:00000081 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:00000000 ESP:00000FE4 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001D5A call near word cs:[bx+1D60] cs:[1D62]=1D65 2E FF 97 60 1D EAX:00000000 EBX:00000002 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:00000000 ESP:00000FE4 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:1 ZF:0 SF:0 OF:1 AF:1 PF:0 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001D65 push ds 1E EAX:00000000 EBX:00000002 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:00000000 ESP:00000FE2 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:1 ZF:0 SF:0 OF:1 AF:1 PF:0 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001D66 sub cx,es:[si+0A] es:[000A]=0000 26 2B 4C 0A EAX:00000000 EBX:00000002 ECX:00000000 EDX:000000C7 ESI:00000000 
EDI:00000000 EBP:00000000 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:1 ZF:0 SF:0 OF:1 AF:1 PF:0 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001D6A sub dx,es:[si+0C] es:[000C]=0000 26 2B 54 0C EAX:00000000 EBX:00000002 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:00000000 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001D6E mov bx,es:[si] es:[0000]=0140 26 8B 1C EAX:00000000 EBX:00000002 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:00000000 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:0 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001D71 mov bp,es:[si+02] es:[0002]=00C8 26 8B 6C 02 EAX:00000000 EBX:00000140 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:00000000 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:0 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001D75 cmp dx,[DA66] ds:[DA66]=0000 3B 16 66 DA EAX:00000000 EBX:00000140 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:0 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001D79 jge 00001D7E ($+3) (down) 7D 03 EAX:00000000 EBX:00000140 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:0 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001D7E cmp cx,[DA64] ds:[DA64]=013F 3B 0E 64 DA EAX:00000000 EBX:00000140 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:0 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001D82 jle 00001D87 ($+3) (down) 7E 03 EAX:00000000 EBX:00000140 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:1 ZF:0 SF:1 OF:0 AF:1 PF:0 IF:1 TF:0 
VM:0 FLG:00007286 CR0:00000010 9CD0:00001D87 add si,0014 83 C6 14 EAX:00000000 EBX:00000140 ECX:00000000 EDX:000000C7 ESI:00000000 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:1 ZF:0 SF:1 OF:0 AF:1 PF:0 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001D8A cmp dx,[DA68] ds:[DA68]=00C7 3B 16 68 DA EAX:00000000 EBX:00000140 ECX:00000000 EDX:000000C7 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001D8E jle 00001DB6 ($+26) (down) 7E 26 EAX:00000000 EBX:00000140 ECX:00000000 EDX:000000C7 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DB6 mov ax,dx 8B C2 EAX:00000000 EBX:00000140 ECX:00000000 EDX:000000C7 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DB8 sub ax,[DA66] ds:[DA66]=0000 2B 06 66 DA EAX:000000C7 EBX:00000140 ECX:00000000 EDX:000000C7 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DBC inc ax 40 EAX:000000C7 EBX:00000140 ECX:00000000 EDX:000000C7 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:0 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DBD cmp ax,bp 3B C5 EAX:000000C8 EBX:00000140 ECX:00000000 EDX:000000C7 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:0 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DBF jge 00001DC3 ($+2) (down) 7D 02 EAX:000000C8 EBX:00000140 ECX:00000000 EDX:000000C7 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 
SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DC3 neg dx F7 DA EAX:000000C8 EBX:00000140 ECX:00000000 EDX:000000C7 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DC5 add dx,00C7 81 C2 C7 00 EAX:000000C8 EBX:00000140 ECX:00000000 EDX:0000FF39 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:1 ZF:0 SF:1 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DC9 xchg dl,dh 86 F2 EAX:000000C8 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:1 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DCB mov di,dx 8B FA EAX:000000C8 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:1 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DCD shr dx,1 D1 EA EAX:000000C8 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:1 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DCF shr dx,1 D1 EA EAX:000000C8 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DD1 add di,dx 03 FA EAX:000000C8 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DD3 cmp cx,[DA62] ds:[DA62]=0000 3B 0E 62 DA EAX:000000C8 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 
CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DD7 jge 00001DDC ($+3) (down) 7D 03 EAX:000000C8 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DDC add di,cx 03 F9 EAX:000000C8 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DDE mov ax,cx 8B C1 EAX:000000C8 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DE0 add ax,bx 03 C3 EAX:00000000 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DE2 dec ax 48 EAX:00000140 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DE3 sub ax,[DA64] ds:[DA64]=013F 2B 06 64 DA EAX:0000013F EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DE7 jle 00001DEC ($+3) (down) 7E 03 EAX:00000000 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DEC mov ax,es 8C C0 EAX:00000000 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 
GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DEE mov es,[DA60] ds:[DA60]=A000 8E 06 60 DA EAX:000086F6 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:86F6 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DF2 mov ds,ax 8E D8 EAX:000086F6 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:0820 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DF4 mov dx,03C4 BA C4 03 EAX:000086F6 EBX:00000140 ECX:00000000 EDX:00000000 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DF7 mov cs:[1E09],bx cs:[1E09]=0018 2E 89 1E 09 1E EAX:000086F6 EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DFC mov ax,0140 B8 40 01 EAX:000086F6 EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001DFF sub ax,bx 2B C3 EAX:00000140 EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E01 mov cs:[1E70],ax cs:[1E70]=0128 2E A3 70 1E EAX:00000000 EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E05 jmp short 00001E07 ($+0) (down) EB 00 EAX:00000000 EBX:00000140 ECX:00000000 EDX:000003C4 
ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E07 push bp 55 EAX:00000000 EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FE0 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E08 mov bp,0140 BD 40 01 EAX:00000000 EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000014 EDI:00000000 EBP:000000C8 ESP:00000FDE DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E0B xor ax,ax 33 C0 EAX:00000000 EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000014 EDI:00000000 EBP:00000140 ESP:00000FDE DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E0D lodsb AC EAX:00000000 EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000014 EDI:00000000 EBP:00000140 ESP:00000FDE DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E0E add di,ax 03 F8 EAX:00000000 EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000015 EDI:00000000 EBP:00000140 ESP:00000FDE DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E10 sub bp,ax 2B E8 EAX:00000000 EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000015 EDI:00000000 EBP:00000140 ESP:00000FDE DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E12 jle 00001E6E ($+5a) (no jmp) 7E 5A EAX:00000000 EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000015 EDI:00000000 EBP:00000140 ESP:00000FDE DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E14 lodsb AC EAX:00000000 EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000015 EDI:00000000 
EBP:00000140 ESP:00000FDE DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E15 push ax 50 EAX:000000FF EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FDE DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E16 push bp 55 EAX:000000FF EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FDC DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E17 push di 57 EAX:000000FF EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FDA DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E18 mov bx,ax 8B D8 EAX:000000FF EBX:00000140 ECX:00000000 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FD8 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E1A shl bx,1 D1 E3 EAX:000000FF EBX:000000FF ECX:00000000 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FD8 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E1C shl bx,1 D1 E3 EAX:000000FF EBX:000001FE ECX:00000000 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FD8 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E1E mov cx,di 8B CF EAX:000000FF EBX:000003FC ECX:00000000 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FD8 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E20 shr di,1 D1 EF EAX:000000FF EBX:000003FC ECX:00000000 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FD8 DS:86F6 ES:A000 FS:0000 GS:0000 
SS:4D42 CF:0 ZF:0 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E22 shr di,1 D1 EF EAX:000000FF EBX:000003FC ECX:00000000 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FD8 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E24 and cx,0003 83 E1 03 EAX:000000FF EBX:000003FC ECX:00000000 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FD8 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:1 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E27 mov ah,11 B4 11 EAX:000000FF EBX:000003FC ECX:00000000 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FD8 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E29 rol ah,cl D2 C4 EAX:000011FF EBX:000003FC ECX:00000000 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FD8 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E2B mov al,02 B0 02 EAX:000011FF EBX:000003FC ECX:00000000 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FD8 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E2D out dx,ax EF EAX:00001102 EBX:000003FC ECX:00000000 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FD8 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E2E mov cl,cs:[bx+269D] cs:[2A99]=4040 2E 8A 8F 9D 26 EAX:00001102 EBX:000003FC ECX:00000000 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FD8 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E33 mov bp,di 8B EF EAX:00001102 EBX:000003FC ECX:00000040 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000140 ESP:00000FD8 DS:86F6 ES:A000 FS:0000 GS:0000 
SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010 9CD0:00001E35 repe movsb F3 A4 EAX:00001102 EBX:000003FC ECX:00000040 EDX:000003C4 ESI:00000016 EDI:00000000 EBP:00000000 ESP:00000FD8 DS:86F6 ES:A000 FS:0000 GS:0000 SS:4D42 CF:0 ZF:1 SF:0 OF:0 AF:0 PF:1 IF:1 TF:0 VM:0 FLG:00007286 CR0:00000010

I disassembled it from a DOSBox RAM memdump as 9CD0.asm. It has some more self-modifying code, and is overall opaque.

I couldn't initially find it in B17.EXE. Then I noticed the folder DRIVERS containing MGA.DRV and WGA.DRV, and searched for 1E262B4C0A262B540C268B1C268B6C023B1666DA7D03 (the code at 9CD0:00001D65 above). WGA.DRV matched the code exactly at offset 1D65! So it is a DLL of sorts. The file starts with the string "Vektor Grafix Ltd - WGA DRIVERS". Vektor Grafix Ltd developed B17 Flying Fortress (bought by MicroProse in July 1992, during development?).

Regexp

DOS read (int 21, AH=3F) of C57C bytes with DS=86F6:

int 21 CD 21 EAX\:[0-9A-F]{4}3F[0-9A-F]{2} EBX\:[0-9A-F]{8} ECX\:[0-9A-F]{4}C57C EDX\:[0-9A-F]{8} ESI\:[0-9A-F]{8} EDI\:[0-9A-F]{8} EBP\:[0-9A-F]{8} ESP\:[0-9A-F]{8} DS\:86F6

Word copy with DS=86F6:

repe movsw F3 A5 EAX\:[0-9A-F]{8} EBX\:[0-9A-F]{8} ECX\:[0-9A-F]{8} EDX\:[0-9A-F]{8} ESI\:[0-9A-F]{8} EDI\:[0-9A-F]{8} EBP\:[0-9A-F]{8} ESP\:[0-9A-F]{8} DS\:86F6

Byte copy from DS=86F6 to ES=A000:

repe movsb F3 A4 EAX\:[0-9A-F]{8} EBX\:[0-9A-F]{8} ECX\:[0-9A-F]{8} EDX\:[0-9A-F]{8} ESI\:[0-9A-F]{8} EDI\:[0-9A-F]{8} EBP\:[0-9A-F]{8} ESP\:[0-9A-F]{8} DS\:86F6 ES:A000

{
  "name": "bmapdeaduk",
  "offset": 59844,
  "offsetHex": "0000e9c4",
  "word1": 50556,
  "word2": 64817, // hex fd31
  "length": 50556,
  "lengthHex": "0000c57c",
  "fileByte": 25,
  "misteryByte": 3,
  "fileName": "_missend"
}
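The search those regexps perform can be scripted. The following is an added example, not part of the original notes: it parses trace records, finds the DOS read whose CX equals an asset's length, and lists later `rep movs` copies from that read's buffer segment to A000. It generalizes the regexps by taking the buffer segment from the read's DS instead of hard-coding 86F6. The function names, the sample records and the `1111:`/`2222:` addresses are constructed for illustration.

```python
import re

# Asset entry taken from the page's JSON record (length 50556 == 0xC57C).
ASSET = {"name": "bmapdeaduk", "length": 50556}

# Constructed, abbreviated sample in the trace's record format (not real log data).
# Records are run together on purpose, as in the flattened log.
SAMPLE_LOG = (
    "1111:00000010 int 21 CD 21 EAX:00003FBC EBX:00000005 ECX:00000E13 DS:50BC ES:50BC "
    "1111:00000020 int 21 CD 21 EAX:00003F00 EBX:00000005 ECX:0000C57C DS:86F6 ES:86F6 "
    "9CD0:00001E35 repe movsb F3 A4 EAX:00001102 ECX:00000040 DS:86F6 ES:A000 "
    "2222:00000030 repe movsw F3 A5 EAX:00000000 ECX:00000010 DS:0820 ES:A000 "
)

RECORD_START = re.compile(r"(?=\b[0-9A-F]{4}:[0-9A-F]{8} )")  # seg:offset of each record
HEAD = re.compile(r"([0-9A-F]{4}:[0-9A-F]{8}) (.*?) EAX:")
REG = re.compile(r"\b([A-Z]{2,3}):([0-9A-F]+)")


def parse_trace(text):
    """Split a (possibly flattened) trace into records with decoded registers."""
    records = []
    for chunk in RECORD_START.split(text):
        head = HEAD.match(chunk)
        if head is None:
            continue
        regs = {n: int(v, 16) for n, v in REG.findall(chunk[head.end() - 4:])}
        records.append({"addr": head.group(1), "insn": head.group(2), **regs})
    return records


def find_asset_blits(records, length):
    """Find the DOS read (INT 21h, AH=3Fh) whose CX equals the asset length, then
    list later REP MOVS copies from that read's buffer segment (DS) to A000."""
    read_addr, buf_seg, blits = None, None, []
    for r in records:
        is_read = r["insn"].startswith("int 21") and (r["EAX"] >> 8) & 0xFF == 0x3F
        if is_read and r["ECX"] & 0xFFFF == length & 0xFFFF:
            read_addr, buf_seg = r["addr"], r.get("DS")
        elif buf_seg is not None and "movs" in r["insn"]:
            if r.get("DS") == buf_seg and r.get("ES") == 0xA000:
                blits.append((r["addr"], r["insn"].split()[1]))
    return read_addr, blits


if __name__ == "__main__":
    print(find_asset_blits(parse_trace(SAMPLE_LOG), ASSET["length"]))
```

Because records are split on the `seg:offset` prefix rather than on newlines, the same parser works on a log whose line breaks were lost.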