.text:00420A66 sub_420A66      proc near               ; CODE XREF: KeBugCheck+Bp
.text:00420A66                                         ; KeBugCheckEx+14p
.text:00420A66 ; Common bug-check worker reached from KeBugCheck and KeBugCheckEx (32-bit x86, ebp frame); the listing shows only part of its body.
.text:00420A66 var_3B4         = byte ptr -3B4h        ; 2CCh-byte buffer (0B3h dwords); receives the copy of [fs:20h]+1Ch made at 00420AE6
.text:00420A66 var_328         = dword ptr -328h       ; var_328..var_2EC lie inside the var_3B4 buffer; none is referenced in the part shown
.text:00420A66 var_324         = dword ptr -324h
.text:00420A66 var_320         = dword ptr -320h
.text:00420A66 var_31C         = dword ptr -31Ch
.text:00420A66 var_318         = dword ptr -318h
.text:00420A66 var_314         = dword ptr -314h
.text:00420A66 var_310         = dword ptr -310h
.text:00420A66 var_30C         = dword ptr -30Ch
.text:00420A66 var_308         = dword ptr -308h
.text:00420A66 var_304         = dword ptr -304h
.text:00420A66 var_300         = dword ptr -300h
.text:00420A66 var_2FC         = dword ptr -2FCh
.text:00420A66 var_2F8         = dword ptr -2F8h
.text:00420A66 var_2F4         = dword ptr -2F4h
.text:00420A66 var_2F0         = dword ptr -2F0h
.text:00420A66 var_2EC         = dword ptr -2ECh
.text:00420A66 var_E8          = byte ptr -0E8h        ; 68h-byte text buffer (ends at var_80); written by sub_4203FA (length 67h) and by sprintf
.text:00420A66 var_80          = byte ptr -80h         ; 64h-byte text buffer (ends at var_1C); written by sub_4203FA (length 64h) and sub_420581
.text:00420A66 var_1C          = dword ptr -1Ch        ; dword read from fs:124h at entry
.text:00420A66 var_18          = dword ptr -18h        ; out dword for sub_4204C4; later holds the code handed to HeadlessDispatch
.text:00420A66 var_14          = dword ptr -14h        ; arg_10, saved only on the 4Ch path; later passed to DbgPrint
.text:00420A66 var_10          = dword ptr -10h        ; arg_C, saved only on the 4Ch path; later passed to DbgPrint
.text:00420A66 var_C           = dword ptr -0Ch        ; message selector, pushed to sub_420314 by the display code
.text:00420A66 var_8           = dword ptr -8          ; address handed to sub_420581 for the "*** Address ... base at ..." text
.text:00420A66 var_3           = byte ptr -3           ; set to 1 only on the 4Ch path
.text:00420A66 var_2           = byte ptr -2           ; out byte for sub_4204C4; later a 1-byte buffer for HeadlessDispatch
.text:00420A66 var_1           = byte ptr -1           ; cleared at entry; not used again in the part shown
.text:00420A66 arg_0           = dword ptr  8          ; bug check code
.text:00420A66 arg_4           = dword ptr  0Ch        ; bug check parameter 1
.text:00420A66 arg_8           = dword ptr  10h        ; bug check parameter 2
.text:00420A66 arg_C           = dword ptr  14h        ; bug check parameter 3
.text:00420A66 arg_10          = dword ptr  18h        ; bug check parameter 4
.text:00420A66 arg_14          = dword ptr  1Ch        ; not referenced in the part shown
.text:00420A66 ; Prologue: build the frame, zero the locals, load the code into ebx and handle code 0E5h separately.
.text:00420A66                 push    ebp
.text:00420A67                 mov     ebp, esp
.text:00420A69                 sub     esp, 3B4h
.text:00420A6F                 xor     ecx, ecx        ; ecx = 0, used as the zero source for the stores below
.text:00420A71                 push    ebx
.text:00420A72                 mov     [ebp+var_10], ecx
.text:00420A75                 mov     [ebp+var_14], ecx
.text:00420A78                 mov     [ebp+var_8], ecx
.text:00420A7B                 mov     eax, large fs:124h ; presumably the current thread pointer (KPCR.PrcbData.CurrentThread) -- confirm for this build
.text:00420A81                 mov     ebx, [ebp+arg_0]
.text:00420A84                 and     [ebp+var_3], cl ; cl = 0, so this clears var_3
.text:00420A87                 and     [ebp+var_1], cl ; cl = 0, so this clears var_1
.text:00420A8A                 cmp     ebx, 0E5h       ; ebx = bug check code (arg_0); 0E5h is POWER_FAILURE_SIMULATE in the public bugcodes.h
.text:00420A90                 mov     [ebp+var_1C], eax
.text:00420A93                 mov     dword_475C40, ecx ; clear the global later tested as the "driver at fault" pointer; mov leaves the cmp flags intact
.text:00420A99                 jnz     short loc_420AA8 ; every code other than 0E5h takes the normal path
.text:00420A9B                 call    sub_420778      ; reached only when code == 0E5h. NOTE(review): presumably the bug-check callback scan -- confirm
.text:00420AA0                 push    3               ; NOTE(review): 3 looks like HalRebootRoutine in FIRMWARE_REENTRY -- confirm
.text:00420AA2                 call    ds:HalReturnToFirmware ; nothing branches around loc_420AA8 after this call, so it is evidently not expected to return
.text:00420AA8 ; Normal path: snapshot CPU state into [fs:20h]+1Ch, copy it to the stack, then choose the message selector (var_C) from the code in ebx.
.text:00420AA8 loc_420AA8:                             ; CODE XREF: sub_420A66+33j
.text:00420AA8                 push    esi
.text:00420AA9                 push    edi
.text:00420AAA                 call    sub_45FBB4      ; NOTE(review): takes no stack arguments; purpose not visible in this listing
.text:00420AAF                 mov     eax, large fs:20h ; presumably the per-processor KPRCB pointer -- confirm
.text:00420AB5                 add     eax, 1Ch
.text:00420AB8                 push    eax
.text:00420AB9                 call    RtlCaptureContext ; capture the current register context into [fs:20h]+1Ch
.text:00420ABE                 mov     eax, large fs:20h
.text:00420AC4                 add     eax, 1Ch
.text:00420AC7                 push    eax
.text:00420AC8                 call    sub_427F54      ; save cr0-cr4, dr0-dr3, dr6, dr7, gdt, idt, tr, ldt  -- to fs:20h + 1ch
.text:00420ACD                 mov     eax, large fs:20h
.text:00420AD3                 cmp     ebx, 7Fh        ; UNEXPECTED_KERNEL_MODE_TRAP; flags are consumed by ja/jz below (lea, mov, push, rep movsd and pop leave EFLAGS alone)
.text:00420AD6                 lea     esi, [eax+1Ch]  ; esi = fs:20h + 1ch
.text:00420AD9                 mov     ecx, 0B3h       ; 0B3h dwords = 2CCh bytes
.text:00420ADE                 lea     edi, [ebp+var_3B4]
.text:00420AE4                 push    1Eh
.text:00420AE6                 repe movsd              ; copy 2CCh bytes from fs:20h+1ch to [ebp+var_3b4] (stack copy of the captured state)
.text:00420AE8                 mov     eax, 0C5h       ; constant reused by "cmp ebx, eax" and by loc_420BFF
.text:00420AED                 pop     ecx             ; ecx = 1eh
.text:00420AEE                 ja      loc_420BAF      ; cmp ebx, 7fh -- codes above 7fh (unsigned)
.text:00420AF4                 jz      loc_420C07      ; if BUG code == 7fh
.text:00420AFA                 mov     eax, ebx        ; BUG code < 7fh; eax becomes a running remainder, each sub adds to the code being tested
.text:00420AFC                 sub     eax, ecx        ; eax = BUG code - 1eh
.text:00420AFE                 jz      short loc_420B34 ; if BUG code == 1eh (KMODE_EXCEPTION_NOT_HANDLED)
.text:00420B00                 sub     eax, 5
.text:00420B03                 jz      loc_420C07      ; if BUG code == 23h (FAT_FILE_SYSTEM)
.text:00420B09                 dec     eax
.text:00420B0A                 jz      loc_420BA6      ; if BUG code == 24h (NTFS_FILE_SYSTEM)
.text:00420B10                 sub     eax, 0Ah
.text:00420B13                 jz      loc_420C07      ; if BUG code == 2eh (24h + 0Ah; DATA_BUS_ERROR)
.text:00420B19                 sub     eax, 11h
.text:00420B1C                 jz      loc_420C07      ; if BUG code == 3fh (2eh + 11h; NO_MORE_SYSTEM_PTES)
.text:00420B22                 sub     eax, 3Ch
.text:00420B25                 jz      loc_420C07      ; if BUG code == 7bh (3fh + 3Ch; INACCESSIBLE_BOOT_DEVICE)
.text:00420B2B                 sub     eax, 3
.text:00420B2E                 jnz     loc_420BE7      ; if BUG code != 7eh (7bh + 3; SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) -> default selector
.text:00420B34 ; Codes 1Eh, 7Eh and 8Eh share selector 1Eh (ecx still holds 1Eh from the pop at 00420AED).
.text:00420B34 loc_420B34:                             ; CODE XREF: sub_420A66+98j
.text:00420B34                                         ; sub_420A66+14Fj
.text:00420B34                 mov     [ebp+var_C], ecx
.text:00420B37 ; Common join: publish the code and its four parameters to the KiBugCheckData area, then dispatch on the code a second time.
.text:00420B37 loc_420B37:                             ; CODE XREF: sub_420A66+147j
.text:00420B37                                         ; sub_420A66+188j ...
.text:00420B37                 mov     esi, [ebp+arg_4] ; BugCheck parameters
.text:00420B3A                 mov     eax, [ebp+arg_8]
.text:00420B3D                 mov     ecx, [ebp+arg_C]
.text:00420B40                 mov     edx, [ebp+arg_10]
.text:00420B43                 mov     KiBugCheckData, ebx
.text:00420B49                 sub     ebx, 0Ah        ; flags are consumed by the jz at 00420B63 (the mov stores between leave EFLAGS alone); ebx is a running remainder from here on
.text:00420B4C                 mov     dword_475C64, esi ; Save parameters to BugCheck struct (.data:00475C60)
.text:00420B52                 mov     dword_475C68, eax
.text:00420B57                 mov     dword_475C6C, ecx
.text:00420B5D                 mov     dword_475C70, edx
.text:00420B63                 jz      loc_420D3C      ; if BUG code == 0ah (IRQL_NOT_LESS_OR_EQUAL)
.text:00420B69                 sub     ebx, 42h
.text:00420B6C                 jz      loc_420D05      ; if BUG code == 4ch (FATAL_UNHANDLED_HARD_ERROR)
.text:00420B72                 sub     ebx, 4
.text:00420B75                 jz      loc_420C38      ; if BUG code == 50h (PAGE_FAULT_IN_NONPAGED_AREA)
.text:00420B7B                 sub     ebx, 6Eh
.text:00420B7E                 jz      loc_420C25      ; if BUG code == beh (ATTEMPTED_WRITE_TO_READONLY_MEMORY)
.text:00420B84                 sub     ebx, 0Dh
.text:00420B87                 jz      loc_420C1D      ; if BUG code == cbh (DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS)
.text:00420B8D                 sub     ebx, 0Dh
.text:00420B90                 jz      short loc_420C0F ; if BUG code == d8h (DRIVER_USED_EXCESSIVE_PTES)
.text:00420B92                 sub     ebx, 12h
.text:00420B95                 jnz     loc_420E00      ; if BUG code != 0eah
.text:00420B9B                 mov     dword_475C40, ecx ; code 0eah (THREAD_STUCK_IN_DEVICE_DRIVER): parameter 3 (ecx = arg_C) becomes the "driver at fault" pointer
.text:00420BA1                 jmp     loc_420E00
.text:00420BA6 ; ---------------------------------------------------------------------------
.text:00420BA6 ; Message-selector (var_C) assignments; every one of these stubs rejoins loc_420B37.
.text:00420BA6 loc_420BA6:                             ; CODE XREF: sub_420A66+A4j
.text:00420BA6                 mov     [ebp+var_C], 23h ; code 24h reuses selector 23h
.text:00420BAD                 jmp     short loc_420B37 ; BugCheck parameters
.text:00420BAF ; ---------------------------------------------------------------------------
.text:00420BAF 
.text:00420BAF loc_420BAF:                             ; CODE XREF: sub_420A66+88j
.text:00420BAF                 cmp     ebx, 8Eh        ; BUG code > 7fh
.text:00420BB5                 jz      loc_420B34      ; if BUG code == 8eh (KERNEL_MODE_EXCEPTION_NOT_HANDLED) -> selector 1eh
.text:00420BBB                 cmp     ebx, 0A5h
.text:00420BC1                 jz      short loc_420C07 ; if BUG code == 0a5h (ACPI_BIOS_ERROR)
.text:00420BC3                 cmp     ebx, eax        ; eax == 0c5h
.text:00420BC5                 jz      short loc_420C07 ; if BUG code == 0c5h (DRIVER_CORRUPTED_EXPOOL)
.text:00420BC7                 cmp     ebx, 0D0h
.text:00420BCD                 jz      short loc_420BFF ; if BUG code == 0d0h (DRIVER_CORRUPTED_MMPOOL) -> selector 0c5h
.text:00420BCF                 cmp     ebx, 0E0h
.text:00420BD5                 jz      short loc_420C07 ; if BUG code == 0e0h (ACPI_BIOS_FATAL_ERROR)
.text:00420BD7                 cmp     ebx, 0EAh
.text:00420BDD                 jz      short loc_420C07 ; if BUG code == 0eah (THREAD_STUCK_IN_DEVICE_DRIVER)
.text:00420BDF                 cmp     ebx, 0C00002D1h
.text:00420BE5                 jz      short loc_420BF3 ; if BUG code == 0c00002d1h -- ?? (meaning of this value is not established by the listing); selector 0c3h
.text:00420BE7 
.text:00420BE7 loc_420BE7:                             ; CODE XREF: sub_420A66+C8j
.text:00420BE7                 mov     [ebp+var_C], 40000082h ; default selector for every code not matched above; the display code tests for this value at 00421005
.text:00420BEE                 jmp     loc_420B37      ; BugCheck parameters
.text:00420BF3 ; ---------------------------------------------------------------------------
.text:00420BF3 
.text:00420BF3 loc_420BF3:                             ; CODE XREF: sub_420A66+17Fj
.text:00420BF3                 mov     [ebp+var_C], 0C3h
.text:00420BFA                 jmp     loc_420B37      ; BugCheck parameters
.text:00420BFF ; ---------------------------------------------------------------------------
.text:00420BFF 
.text:00420BFF loc_420BFF:                             ; CODE XREF: sub_420A66+167j
.text:00420BFF                 mov     [ebp+var_C], eax ; eax == 0c5h (set at 00420AE8)
.text:00420C02                 jmp     loc_420B37      ; BugCheck parameters
.text:00420C07 ; ---------------------------------------------------------------------------
.text:00420C07 
.text:00420C07 loc_420C07:                             ; CODE XREF: sub_420A66+8Ej
.text:00420C07                                         ; sub_420A66+9Dj ...
.text:00420C07                 mov     [ebp+var_C], ebx ; selector = the bug check code itself
.text:00420C0A                 jmp     loc_420B37      ; BugCheck parameters
.text:00420C0F ; ---------------------------------------------------------------------------
.text:00420C0F ; Per-code handlers for d8h, cbh and beh: each records either a name pointer (dword_475C40) or an address (var_8) used later to name a module.
.text:00420C0F loc_420C0F:                             ; CODE XREF: sub_420A66+12Aj
.text:00420C0F                 add     esi, 2Ch        ; esi = arg_4 (parameter 1). NOTE(review): +2Ch matches LDR_DATA_TABLE_ENTRY.BaseDllName -- confirm
.text:00420C12                 mov     dword_475C40, esi
.text:00420C18                 jmp     loc_420E00
.text:00420C1D ; ---------------------------------------------------------------------------
.text:00420C1D 
.text:00420C1D loc_420C1D:                             ; CODE XREF: sub_420A66+121j
.text:00420C1D                 mov     [ebp+var_8], esi ; code cbh: var_8 = parameter 1
.text:00420C20                 jmp     loc_420E00
.text:00420C25 ; ---------------------------------------------------------------------------
.text:00420C25 
.text:00420C25 loc_420C25:                             ; CODE XREF: sub_420A66+118j
.text:00420C25                 test    ecx, ecx        ; ecx = arg_C (parameter 3); skip the dereference when it is NULL
.text:00420C27                 jz      loc_420E00
.text:00420C2D                 mov     eax, [ecx+68h]  ; dword at offset 68h of the structure parameter 3 points to (presumably KTRAP_FRAME.Eip -- confirm)
.text:00420C30                 mov     [ebp+var_8], eax
.text:00420C33                 jmp     loc_420E00
.text:00420C38 ; ---------------------------------------------------------------------------
.text:00420C38 ; Code 50h: refine KiBugCheckData into a more specific code (cch/cdh/d5h/d6h, cfh or ceh) based on what parameter 1 (arg_4) turns out to be.
.text:00420C38 loc_420C38:                             ; CODE XREF: sub_420A66+10Fj
.text:00420C38                 xor     edi, edi        ; edi = result of the sub_4204C4 lookup, 0 when no lookup is made
.text:00420C3A                 test    ecx, ecx        ; ecx = [ebp+arg_C]
.text:00420C3C                 jz      short loc_420C62
.text:00420C3E                 mov     eax, [ebp+arg_C]
.text:00420C41                 mov     eax, [eax+68h]  ; dword at offset 68h of the structure parameter 3 points to (presumably KTRAP_FRAME.Eip -- confirm)
.text:00420C44                 lea     ecx, [ebp+var_2]
.text:00420C47                 push    ecx             ; arg 4: &var_2 (out byte)
.text:00420C48                 push    edi             ; arg 3: 0
.text:00420C49                 lea     ecx, [ebp+var_18]
.text:00420C4C                 push    ecx             ; arg 2: &var_18 (out dword)
.text:00420C4D                 push    eax             ; arg 1: the address read above
.text:00420C4E                 mov     [ebp+var_8], eax
.text:00420C51                 mov     dword_475C6C, eax ; the saved parameter 3 is replaced by the address read from it
.text:00420C56                 call    sub_4204C4      ; NOTE(review): looks like an address-to-module lookup (KiPcToFileHeader-style) -- confirm
.text:00420C5B                 mov     bl, [ebp+var_2]
.text:00420C5E                 mov     edi, eax
.text:00420C60                 jmp     short loc_420C64
.text:00420C62 ; ---------------------------------------------------------------------------
.text:00420C62 
.text:00420C62 loc_420C62:                             ; CODE XREF: sub_420A66+1D6j
.text:00420C62                 mov     bl, 1           ; no parameter 3: behave as if the lookup had set var_2 = 1
.text:00420C64 
.text:00420C64 loc_420C64:                             ; CODE XREF: sub_420A66+1FAj
.text:00420C64                 mov     esi, [ebp+arg_4]
.text:00420C67                 push    esi
.text:00420C68                 call    sub_43F364      ; predicate on parameter 1; the refinement below runs only when it returns 1
.text:00420C6D                 cmp     eax, 1
.text:00420C70                 jnz     short loc_420CA6
.text:00420C72                 push    esi
.text:00420C73                 call    sub_43F382      ; second predicate on parameter 1; selects the cch/d5h pair (returns 1) or the cdh/d6h pair
.text:00420C78                 dec     bl              ; bl becomes 0 exactly when the flag byte was 1; the cmp below overwrites the flags, bl keeps the value
.text:00420C7A                 cmp     eax, 1
.text:00420C7D                 jnz     short loc_420C8E
.text:00420C7F                 neg     bl              ; CF = (bl != 0)
.text:00420C81                 sbb     ebx, ebx        ; ebx = 0 or 0FFFFFFFFh
.text:00420C83                 and     ebx, 9
.text:00420C86                 add     ebx, 0CCh       ; ebx = 0cch when the flag byte was 1, else 0d5h
.text:00420C8C                 jmp     short loc_420C9B
.text:00420C8E ; ---------------------------------------------------------------------------
.text:00420C8E 
.text:00420C8E loc_420C8E:                             ; CODE XREF: sub_420A66+217j
.text:00420C8E                 neg     bl              ; same branch-free select as above
.text:00420C90                 sbb     ebx, ebx
.text:00420C92                 and     ebx, 9
.text:00420C95                 add     ebx, 0CDh       ; ebx = 0cdh when the flag byte was 1, else 0d6h
.text:00420C9B 
.text:00420C9B loc_420C9B:                             ; CODE XREF: sub_420A66+226j
.text:00420C9B                 mov     KiBugCheckData, ebx ; the reported code is replaced by the refined one
.text:00420CA1                 jmp     loc_420E00
.text:00420CA6 ; ---------------------------------------------------------------------------
.text:00420CA6 
.text:00420CA6 loc_420CA6:                             ; CODE XREF: sub_420A66+20Aj
.text:00420CA6                 cmp     [ebp+var_8], esi ; is the address taken from parameter 3 the same as parameter 1?
.text:00420CA9                 jnz     short loc_420CD9
.text:00420CAB                 push    esi
.text:00420CAC                 call    sub_43EAA8      ; NOTE(review): predicate on parameter 1; meaning not visible here
.text:00420CB1                 xor     ebx, ebx
.text:00420CB3                 cmp     eax, 1
.text:00420CB6                 jnz     short loc_420CDB
.text:00420CB8                 mov     eax, [ebp+var_1C] ; value read from fs:124h at entry
.text:00420CBB                 mov     eax, [eax+20h]  ; dword at offset 20h of that structure. NOTE(review): field identity not visible here
.text:00420CBE                 cmp     eax, ebx
.text:00420CC0                 jz      short loc_420CCA ; field is 0
.text:00420CC2                 cmp     eax, MmSystemRangeStart
.text:00420CC8                 jb      short loc_420CDB ; unsigned compare: field is below the system range
.text:00420CCA 
.text:00420CCA loc_420CCA:                             ; CODE XREF: sub_420A66+25Aj
.text:00420CCA                 mov     KiBugCheckData, 0CFh ; TERMINAL_SERVER_DRIVER_MADE_INCORRECT_MEMORY_REFERENCE
.text:00420CD4                 jmp     loc_420E02      ; ebx is already 0 here, so the "xor ebx, ebx" at loc_420E00 is skipped
.text:00420CD9 ; ---------------------------------------------------------------------------
.text:00420CD9 
.text:00420CD9 loc_420CD9:                             ; CODE XREF: sub_420A66+243j
.text:00420CD9                 xor     ebx, ebx
.text:00420CDB 
.text:00420CDB loc_420CDB:                             ; CODE XREF: sub_420A66+250j
.text:00420CDB                                         ; sub_420A66+262j
.text:00420CDB                 cmp     edi, ebx        ; did the sub_4204C4 lookup return non-zero?
.text:00420CDD                 jnz     loc_420E02
.text:00420CE3                 push    esi
.text:00420CE4                 call    sub_433A22      ; NOTE(review): lookup on parameter 1 whose non-zero result is used as a name pointer -- presumably an unloaded-driver search; confirm
.text:00420CE9                 cmp     eax, ebx
.text:00420CEB                 mov     dword_475C40, eax ; mov leaves the cmp flags intact for the jz below
.text:00420CF0                 jz      loc_420E19
.text:00420CF6                 mov     KiBugCheckData, 0CEh ; DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
.text:00420D00                 jmp     loc_420E02
.text:00420D05 ; ---------------------------------------------------------------------------
.text:00420D05 ; Code 4ch: report parameter 1 as the code, reload the four saved parameters from the array parameter 2 points to, keep parameters 3 and 4 for DbgPrint.
.text:00420D05 loc_420D05:                             ; CODE XREF: sub_420A66+106j
.text:00420D05                 mov     KiBugCheckData, esi ; esi = [ebp+arg_4]
.text:00420D0B                 mov     [ebp+var_10], ecx ; ecx = [ebp+arg_C]
.text:00420D0E                 mov     ecx, [eax]      ; eax =  [ebp+arg_8]; NOTE(review): dereferenced with no NULL or range check visible -- the pointer is trusted from the bug-check caller
.text:00420D10                 mov     dword_475C64, ecx
.text:00420D16                 mov     ecx, [eax+4]
.text:00420D19                 mov     dword_475C68, ecx
.text:00420D1F                 mov     ecx, [eax+8]
.text:00420D22                 mov     dword_475C6C, ecx
.text:00420D28                 mov     eax, [eax+0Ch]
.text:00420D2B                 mov     [ebp+var_3], 1  ; marks the hard-error path for the debugger-output and display code
.text:00420D2F                 mov     [ebp+var_14], edx ; edx = [ebp+arg_10]
.text:00420D32                 mov     dword_475C70, eax
.text:00420D37                 jmp     loc_420E00
.text:00420D3C ; ---------------------------------------------------------------------------
.text:00420D3C ; Code 0ah: classify parameter 4 (edx) against three address ranges, then by module lookup, and replace KiBugCheckData with a more specific code.
.text:00420D3C loc_420D3C:                             ; CODE XREF: sub_420A66+FDj
.text:00420D3C                 cmp     edx, dword_47628C ; edx = [ebp+arg_10]; range 1 is [dword_47628C, dword_476288), compared unsigned
.text:00420D42                 jb      short loc_420D5B
.text:00420D44                 cmp     edx, dword_476288
.text:00420D4A                 jnb     short loc_420D5B
.text:00420D4C                 mov     KiBugCheckData, 0C5h ; DRIVER_CORRUPTED_EXPOOL
.text:00420D56                 jmp     loc_420DFC
.text:00420D5B ; ---------------------------------------------------------------------------
.text:00420D5B 
.text:00420D5B loc_420D5B:                             ; CODE XREF: sub_420A66+2DCj
.text:00420D5B                                         ; sub_420A66+2E4j
.text:00420D5B                 cmp     edx, dword_476284 ; range 2 is [dword_476284, dword_476280)
.text:00420D61                 jb      short loc_420D7A
.text:00420D63                 cmp     edx, dword_476280
.text:00420D69                 jnb     short loc_420D7A
.text:00420D6B                 mov     KiBugCheckData, 0D0h ; DRIVER_CORRUPTED_MMPOOL
.text:00420D75                 jmp     loc_420DFC
.text:00420D7A ; ---------------------------------------------------------------------------
.text:00420D7A 
.text:00420D7A loc_420D7A:                             ; CODE XREF: sub_420A66+2FBj
.text:00420D7A                                         ; sub_420A66+303j
.text:00420D7A                 cmp     edx, dword_47627C ; range 3 is [dword_47627C, dword_476278)
.text:00420D80                 jb      short loc_420D96
.text:00420D82                 cmp     edx, dword_476278
.text:00420D88                 jnb     short loc_420D96
.text:00420D8A                 mov     KiBugCheckData, 0DBh ; DRIVER_CORRUPTED_SYSPTES
.text:00420D94                 jmp     short loc_420DFC
.text:00420D96 ; ---------------------------------------------------------------------------
.text:00420D96 
.text:00420D96 loc_420D96:                             ; CODE XREF: sub_420A66+31Aj
.text:00420D96                                         ; sub_420A66+322j
.text:00420D96                 lea     eax, [ebp+var_2]
.text:00420D99                 push    eax             ; arg 4: &var_2 (out byte)
.text:00420D9A                 push    0               ; arg 3: 0
.text:00420D9C                 lea     eax, [ebp+var_18]
.text:00420D9F                 push    eax             ; arg 2: &var_18 (out dword)
.text:00420DA0                 push    edx             ; arg 1: parameter 4
.text:00420DA1                 call    sub_4204C4      ; NOTE(review): looks like an address-to-module lookup (KiPcToFileHeader-style) -- confirm
.text:00420DA6                 cmp     [ebp+var_2], 1
.text:00420DAA                 jnz     short loc_420DF2 ; out byte != 1 -> report 0d1h
.text:00420DAC                 lea     eax, [ebp+var_2]
.text:00420DAF                 push    eax
.text:00420DB0                 push    1               ; arg 3 is 1 on this second lookup
.text:00420DB2                 lea     eax, [ebp+var_18]
.text:00420DB5                 push    eax
.text:00420DB6                 push    esi             ; arg 1: parameter 1 (esi = arg_4, loaded at loc_420B37)
.text:00420DB7                 call    sub_4204C4
.text:00420DBC                 test    eax, eax
.text:00420DBE                 jz      short loc_420DD7
.text:00420DC0                 mov     eax, [ebp+var_18]
.text:00420DC3                 add     eax, 2Ch        ; NOTE(review): +2Ch matches LDR_DATA_TABLE_ENTRY.BaseDllName -- confirm
.text:00420DC6                 mov     dword_475C40, eax
.text:00420DCB                 mov     KiBugCheckData, 0D3h ; DRIVER_PORTION_MUST_BE_NONPAGED
.text:00420DD5                 jmp     short loc_420DFC
.text:00420DD7 ; ---------------------------------------------------------------------------
.text:00420DD7 
.text:00420DD7 loc_420DD7:                             ; CODE XREF: sub_420A66+358j
.text:00420DD7                 push    esi
.text:00420DD8                 call    sub_433A22      ; NOTE(review): lookup on parameter 1 whose non-zero result is used as a name pointer -- presumably an unloaded-driver search; confirm
.text:00420DDD                 test    eax, eax
.text:00420DDF                 mov     dword_475C40, eax ; mov leaves the test flags intact for the jz below
.text:00420DE4                 jz      short loc_420DFC
.text:00420DE6                 mov     KiBugCheckData, 0D4h ; SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD
.text:00420DF0                 jmp     short loc_420DFC
.text:00420DF2 ; ---------------------------------------------------------------------------
.text:00420DF2 
.text:00420DF2 loc_420DF2:                             ; CODE XREF: sub_420A66+344j
.text:00420DF2                 mov     KiBugCheckData, 0D1h ; DRIVER_IRQL_NOT_LESS_OR_EQUAL
.text:00420DFC 
.text:00420DFC loc_420DFC:                             ; CODE XREF: sub_420A66+2F0j
.text:00420DFC                                         ; sub_420A66+30Fj ...
.text:00420DFC                 and     [ebp+var_8], 0  ; the 0ah path never asks for the address-based text
.text:00420E00 ; All handlers rejoin here: build the module text in var_80, expose the saved state to the debugger, print to an attached debugger if one is enabled.
.text:00420E00 loc_420E00:                             ; CODE XREF: sub_420A66+12Fj
.text:00420E00                                         ; sub_420A66+13Bj ...
.text:00420E00                 xor     ebx, ebx        ; ebx = 0 and is used as the zero constant through the display code
.text:00420E02 
.text:00420E02 loc_420E02:                             ; CODE XREF: sub_420A66+26Ej
.text:00420E02                                         ; sub_420A66+277j ...
.text:00420E02                 mov     eax, dword_475C40
.text:00420E07                 cmp     eax, ebx
.text:00420E09                 jz      short loc_420E19 ; no name pointer recorded -> try the address in var_8
.text:00420E0B                 push    64h             ; length argument; equals the size of var_80 (80h - 1Ch)
.text:00420E0D                 lea     ecx, [ebp+var_80]
.text:00420E10                 push    ecx
.text:00420E11                 push    eax
.text:00420E12                 call    sub_4203FA      ; fills var_80 from the name at dword_475C40; the result is printed with %s below. NOTE(review): presumably a counted-string conversion -- confirm
.text:00420E17                 jmp     short loc_420E32
.text:00420E19 ; ---------------------------------------------------------------------------
.text:00420E19 
.text:00420E19 loc_420E19:                             ; CODE XREF: sub_420A66+28Aj
.text:00420E19                                         ; sub_420A66+3A3j
.text:00420E19                 cmp     [ebp+var_8], ebx
.text:00420E1C                 jz      short loc_420E32
.text:00420E1E                 push    offset sub_4203FA ; arg 4: the conversion routine, passed as a callback
.text:00420E23                 push    1               ; arg 3: one address
.text:00420E25                 lea     eax, [ebp+var_8]
.text:00420E28                 push    eax             ; arg 2: &var_8
.text:00420E29                 lea     eax, [ebp+var_80]
.text:00420E2C                 push    eax             ; arg 1: output buffer; no length is passed here, so the bound is up to sub_420581
.text:00420E2D                 call    sub_420581      ; Create string "*** Address ... base at ... "
.text:00420E32 
.text:00420E32 loc_420E32:                             ; CODE XREF: sub_420A66+3B1j
.text:00420E32                                         ; sub_420A66+3B6j
.text:00420E32                 cmp     byte_4666FC, 0
.text:00420E39                 jnz     short loc_420E4C
.text:00420E3B                 lea     eax, [ebp+var_3B4]
.text:00420E41                 mov     dword_466308, eax ; publish the address of the stack copy of the captured state. NOTE(review): presumably the debugger data block's SavedContext (64-bit field, high half zeroed next) -- confirm
.text:00420E46                 mov     dword_46630C, ebx
.text:00420E4C 
.text:00420E4C loc_420E4C:                             ; CODE XREF: sub_420A66+3D3j
.text:00420E4C                 cmp     [ebp+arg_0], 0E2h ; the original code, not the refined KiBugCheckData; 0e2h is MANUALLY_INITIATED_CRASH
.text:00420E53                 jz      short loc_420ED3 ; pushf, ... , cli
.text:00420E55                 cmp     KdDebuggerEnabled, 0
.text:00420E5C                 jz      short loc_420ED3 ; If no debuggers enabled
.text:00420E5E                 push    dword_475C70
.text:00420E64                 push    dword_475C6C
.text:00420E6A                 push    dword_475C68
.text:00420E70                 push    dword_475C64
.text:00420E76                 push    KiBugCheckData
.text:00420E7C                 push    offset aFatalSystemErr ; "\n*** Fatal System Error: 0x%08lx\n      "...
.text:00420E81                 call    DbgPrint
.text:00420E86                 add     esp, 18h        ; cdecl cleanup: six dwords
.text:00420E89                 cmp     KdDebuggerNotPresent, 0
.text:00420E90                 jnz     short loc_420ED3 ; pushf, ... , cli
.text:00420E92                 cmp     dword_475C40, ebx
.text:00420E98                 jz      short loc_420EAA
.text:00420E9A                 lea     eax, [ebp+var_80]
.text:00420E9D                 push    eax
.text:00420E9E                 push    offset aDriverAtFaultS ; "Driver at fault: %s.\n"
.text:00420EA3                 call    DbgPrint
.text:00420EA8                 pop     ecx             ; two pops = cdecl cleanup of two dwords
.text:00420EA9                 pop     ecx
.text:00420EAA 
.text:00420EAA loc_420EAA:                             ; CODE XREF: sub_420A66+432j
.text:00420EAA                 cmp     [ebp+var_3], 0  ; hard-error (4ch) path only
.text:00420EAE                 jz      short loc_420ECC
.text:00420EB0                 cmp     [ebp+var_10], ebx
.text:00420EB3                 jz      short loc_420EBE
.text:00420EB5                 push    [ebp+var_10]    ; NOTE(review): parameter 3 is DbgPrint's format string, with no variadic arguments; the text is trusted from the bug-check caller
.text:00420EB8                 call    DbgPrint
.text:00420EBD                 pop     ecx
.text:00420EBE 
.text:00420EBE loc_420EBE:                             ; CODE XREF: sub_420A66+44Dj
.text:00420EBE                 cmp     [ebp+var_14], ebx
.text:00420EC1                 jz      short loc_420ECC
.text:00420EC3                 push    [ebp+var_14]    ; NOTE(review): same pattern for parameter 4 -- used directly as the format string
.text:00420EC6                 call    DbgPrint
.text:00420ECB                 pop     ecx
.text:00420ECC 
.text:00420ECC loc_420ECC:                             ; CODE XREF: sub_420A66+448j
.text:00420ECC                                         ; sub_420A66+45Bj
.text:00420ECC                 push    3
.text:00420ECE                 call    sub_420435      ; NOTE(review): presumably the break into the attached debugger (status 3) -- confirm
.text:00420ED3 ; Take ownership of the machine: interrupts off, IRQL raised to 1Fh, recursion/concurrency guard, then signal the other processors.
.text:00420ED3 loc_420ED3:                             ; CODE XREF: sub_420A66+3EDj
.text:00420ED3                                         ; sub_420A66+3F6j ...
.text:00420ED3                 call    sub_427F04      ; pushf, ... , cli
.text:00420ED8                 mov     cl, 1Fh         ; new IRQL passed in cl
.text:00420EDA                 call    ds:KfRaiseIrql
.text:00420EE0                 mov     eax, offset unk_46A7F8
.text:00420EE5                 or      ecx, 0FFFFFFFFh ; ecx = -1
.text:00420EE8                 lock xadd    [eax], ecx ; atomic decrement of the dword at unk_46A7F8; ZF reflects the new value
.text:00420EEC                 jnz     loc_42141A      ; counter did not reach 0. NOTE(review): presumably a second/recursive bug check -- the target lies outside this listing
.text:00420EF2                 mov     eax, large fs:20h
.text:00420EF8                 mov     ecx, [eax+14h]  ; NOTE(review): presumably this processor's bit in the affinity mask (SetMember) -- confirm
.text:00420EFB                 not     ecx
.text:00420EFD                 and     ecx, dword_46EA50 ; ecx = bits of dword_46EA50 other than the ones read from [fs:20h]+14h
.text:00420F03                 jz      short loc_420F18 ; Create and display text
.text:00420F05                 push    4
.text:00420F07                 pop     edx             ; edx = 4
.text:00420F08                 call    sub_425F74      ; called with ecx = remaining mask, edx = 4. NOTE(review): presumably an IPI that freezes the other processors -- confirm
.text:00420F0D                 push    0F4240h         ; 1,000,000 decimal
.text:00420F12                 call    ds:KeStallExecutionProcessor
.text:00420F18 ; Notify the headless (out-of-band console) layer, then prepare the boot video driver for text output if one is installed.
.text:00420F18 loc_420F18:                             ; CODE XREF: sub_420A66+49Dj
.text:00420F18                 mov     eax, KiBugCheckData ; Create and display text
.text:00420F1D                 push    ebx
.text:00420F1E                 push    ebx
.text:00420F1F                 push    ebx
.text:00420F20                 push    ebx
.text:00420F21                 push    0Eh             ; command 0Eh with all four remaining arguments 0
.text:00420F23                 mov     [ebp+var_18], eax ; var_18 = the (possibly refined) bug check code
.text:00420F26                 mov     [ebp+var_2], 1
.text:00420F2A                 call    HeadlessDispatch
.text:00420F2F                 push    ebx
.text:00420F30                 push    ebx
.text:00420F31                 push    1               ; input size: 1 byte
.text:00420F33                 lea     eax, [ebp+var_2]
.text:00420F36                 push    eax             ; input buffer: &var_2 (value 1)
.text:00420F37                 push    1               ; command 1
.text:00420F39                 call    HeadlessDispatch
.text:00420F3E                 push    ebx
.text:00420F3F                 push    ebx
.text:00420F40                 push    4               ; input size: 4 bytes
.text:00420F42                 lea     eax, [ebp+var_18]
.text:00420F45                 push    eax             ; input buffer: &var_18 (the bug check code)
.text:00420F46                 push    14h             ; command 14h
.text:00420F48                 call    HeadlessDispatch
.text:00420F4D                 call    InbvIsBootDriverInstalled
.text:00420F52                 test    al, al
.text:00420F54                 jz      short loc_420F95 ; no boot video driver: skip the screen setup
.text:00420F56                 call    InbvAcquireDisplayOwnership
.text:00420F5B                 call    InbvResetDisplay
.text:00420F60                 push    4               ; fill color index 4
.text:00420F62                 push    1DFh            ; 479
.text:00420F67                 mov     esi, 27Fh       ; 639, reused for the scroll region below
.text:00420F6C                 push    esi
.text:00420F6D                 push    ebx
.text:00420F6E                 push    ebx
.text:00420F6F                 call    InbvSolidColorFill ; fill the rectangle (0,0)-(639,479)
.text:00420F74                 push    0Fh             ; text color index 0Fh
.text:00420F76                 call    InbvSetTextColor
.text:00420F7B                 push    ebx
.text:00420F7C                 call    InbvInstallDisplayStringFilter ; argument 0
.text:00420F81                 push    1
.text:00420F83                 call    InbvEnableDisplayString
.text:00420F88                 push    1DBh            ; 475
.text:00420F8D                 push    esi
.text:00420F8E                 push    ebx
.text:00420F8F                 push    ebx
.text:00420F90                 call    InbvSetScrollRegion ; scroll region (0,0)-(639,475)
.text:00420F95 ; Ordinary (non-4ch) stop screen: fixed messages, optional driver name, the selector's message, then the "*** STOP:" line and the module text.
.text:00420F95 loc_420F95:                             ; CODE XREF: sub_420A66+4EEj
.text:00420F95                 cmp     [ebp+var_3], 0
.text:00420F99                 jnz     loc_4210C5      ; hard-error (4ch) path has its own display code
.text:00420F9F                 push    offset asc_420A1C ; "\n"
.text:00420FA4                 call    InbvDisplayString
.text:00420FA9                 push    ebx
.text:00420FAA                 push    4000007Fh
.text:00420FAF                 call    sub_420314      ; sub_420314(id, 0). NOTE(review): presumably looks up and displays message text for the id -- confirm
.text:00420FB4                 push    offset asc_420A20 ; "\n\n"
.text:00420FB9                 call    InbvDisplayString
.text:00420FBE                 cmp     dword_475C40, ebx
.text:00420FC4                 jz      short loc_421005 ; no driver name recorded
.text:00420FC6                 push    ebx
.text:00420FC7                 push    40000080h
.text:00420FCC                 call    sub_420314
.text:00420FD1                 push    67h             ; length argument, one less than the 68h bytes between var_E8 and var_80
.text:00420FD3                 lea     eax, [ebp+var_E8]
.text:00420FD9                 push    eax
.text:00420FDA                 push    dword_475C40
.text:00420FE0                 call    sub_4203FA      ; driver name -> var_E8
.text:00420FE5                 push    offset asc_420A24 ; " "
.text:00420FEA                 call    InbvDisplayString
.text:00420FEF                 lea     eax, [ebp+var_E8]
.text:00420FF5                 push    eax
.text:00420FF6                 call    InbvDisplayString
.text:00420FFB                 push    offset asc_420A28 ; "\n\n"
.text:00421000                 call    InbvDisplayString
.text:00421005 
.text:00421005 loc_421005:                             ; CODE XREF: sub_420A66+55Ej
.text:00421005                 cmp     [ebp+var_C], 40000082h ; default selector: the code matched none of the special cases
.text:0042100C                 jnz     short loc_421024
.text:0042100E                 push    ebx
.text:0042100F                 push    KiBugCheckData  ; for the default selector the bug check code itself is used as the message id first
.text:00421015                 call    sub_420314
.text:0042101A                 push    offset asc_420A2C ; "\n\n"
.text:0042101F                 call    InbvDisplayString
.text:00421024 
.text:00421024 loc_421024:                             ; CODE XREF: sub_420A66+5A6j
.text:00421024                 push    ebx
.text:00421025                 push    40000081h
.text:0042102A                 call    sub_420314
.text:0042102F                 push    offset asc_420A30 ; "\n\n"
.text:00421034                 call    InbvDisplayString
.text:00421039                 push    ebx
.text:0042103A                 push    [ebp+var_C]     ; the selector chosen by the first dispatch
.text:0042103D                 call    sub_420314
.text:00421042                 push    offset asc_420A34 ; "\n\n"
.text:00421047                 call    InbvDisplayString
.text:0042104C                 push    ebx
.text:0042104D                 push    40000083h
.text:00421052                 call    sub_420314
.text:00421057                 push    dword_475C70
.text:0042105D                 lea     eax, [ebp+var_E8]
.text:00421063                 push    dword_475C6C
.text:00421069                 push    dword_475C68
.text:0042106F                 push    dword_475C64
.text:00421075                 push    KiBugCheckData
.text:0042107B                 push    offset aStop0x08lx0xP0 ; "\n\n*** STOP: 0x%08lX (0x%p,0x%p,0x%p,0x%"...
.text:00421080                 push    eax
.text:00421081                 call    sprintf         ; unbounded write into the 68h-byte var_E8; NOTE(review): only fixed-width numeric conversions are visible, but the string is truncated in the listing -- check the full format against 68h
.text:00421086                 add     esp, 1Ch        ; cdecl cleanup: seven dwords
.text:00421089                 lea     eax, [ebp+var_E8]
.text:0042108F                 push    eax
.text:00421090                 call    InbvDisplayString
.text:00421095                 cmp     dword_475C40, ebx
.text:0042109B                 jz      short loc_4210AE
.text:0042109D                 lea     eax, [ebp+var_80]
.text:004210A0                 push    eax
.text:004210A1                 call    InbvDisplayString ; driver text prepared at loc_420E02
.text:004210A6                 cmp     dword_475C40, ebx ; same test as at 00421095, repeated after the call
.text:004210AC                 jnz     short loc_4210DF
.text:004210AE 
.text:004210AE loc_4210AE:                             ; CODE XREF: sub_420A66+635j
.text:004210AE                 push    offset sub_4203FA ; arg 4: the conversion routine, passed as a callback
.text:004210B3                 push    4               ; arg 3: four values
.text:004210B5                 push    offset dword_475C64 ; arg 2: the four saved bug check parameters
.text:004210BA                 lea     eax, [ebp+var_80]
.text:004210BD                 push    eax             ; arg 1: output buffer; no length is passed here, so the bound is up to sub_420581
.text:004210BE                 call    sub_420581      ; Create string "*** Address ... base at ... "
.text:004210C3                 jmp     short loc_4210DF
.text:004210C5 ; ---------------------------------------------------------------------------
.text:004210C5 
.text:004210C5 loc_4210C5:                             ; CODE XREF: sub_420A66+533j
.text:004210C5                 cmp     [ebp+var_10], ebx
.text:004210C8                 jz      short loc_4210D2
.text:004210CA                 push    [ebp+var_10]
.text:004210CD                 call    InbvDisplayString
.text:004210D2 
.text:004210D2 loc_4210D2:                             ; CODE XREF: sub_420A66+662j
.text:004210D2                 cmp     [ebp+var_14], ebx
.text:004210D5                 jz      short loc_4210DF
.text:004210D7                 push    [ebp+var_14]
.text:004210DA                 call    InbvDisplayString
.text:004210DF 
.text:004210DF loc_4210DF:                             ; CODE XREF: sub_420A66+646j
.text:004210DF                                         ; sub_420A66+65Dj ...
.text:004210DF                 call    sub_4208E2
.text:004210E4                 cmp     KdDebuggerEnabled, 0
.text:004210EB                 jnz     short loc_4210FF
.text:004210ED                 cmp     byte_4666FC, 0
.text:004210F4                 jnz     short loc_4210FF
.text:004210F6                 push    ebx
.text:004210F7                 push    ebx
.text:004210F8                 call    sub_5710D3      			; some work with debugger
.text:004210FD                 jmp     short loc_421109
.text:004210FF ; ---------------------------------------------------------------------------
.text:004210FF 
.text:004210FF loc_4210FF:                             ; CODE XREF: sub_420A66+685j
.text:004210FF                                         ; sub_420A66+68Ej
.text:004210FF                 push    offset asc_420A64 ; "\n"
.text:00421104                 call    InbvDisplayString
.text:00421109 
.text:00421109 loc_421109:                             ; CODE XREF: sub_420A66+697j
.text:00421109                 mov     eax, large fs:20h
.text:0042110F                 mov     ebx, 0B3h
.text:00421114                 lea     edi, [eax+1Ch]
.text:00421117                 mov     ecx, ebx
.text:00421119                 lea     esi, [ebp+var_3B4]
.text:0042111F                 repe movsd
.text:00421121                 call    sub_419EE4
.text:00421126                 test    al, al
.text:00421128                 jz      loc_4213E7
.text:0042112E                 mov     eax, [ebp+arg_0]
.text:00421131                 sub     eax, 50h
.text:00421134                 jz      loc_42128C
.text:0042113A                 sub     eax, 2Eh
.text:0042113D                 jz      loc_421272
.text:00421143                 dec     eax
.text:00421144                 jz      short loc_4211A5
.text:00421146                 sub     eax, 0Fh
.text:00421149                 jz      loc_42128C
.text:0042114F                 sub     eax, 30h
.text:00421152                 jz      loc_42128C
.text:00421158                 sub     eax, 2Ch
.text:0042115B                 jnz     loc_421375
.text:00421161                 mov     eax, [ebp+arg_4]
.text:00421164                 cmp     byte ptr [eax+2Dh], 2
.text:00421168                 mov     [ebp+var_1C], eax
.text:0042116B                 jnz     short loc_421183
.text:0042116D                 movzx   eax, byte ptr [eax+12Bh]
.text:00421174                 mov     esi, dword_475180[eax*4]
.text:0042117B                 add     esi, 1Ch
.text:0042117E                 jmp     loc_42127D
.text:00421183 ; ---------------------------------------------------------------------------
.text:00421183 
.text:00421183 loc_421183:                             ; CODE XREF: sub_420A66+705j
.text:00421183                 mov     eax, [eax+28h]
.text:00421186                 lea     ecx, [eax+0Ch]
.text:00421189                 mov     [ebp+var_2F0], ecx
.text:0042118F                 mov     ecx, [ecx]
.text:00421191                 mov     [ebp+var_300], ecx
.text:00421197                 mov     eax, [eax+8]
.text:0042119A                 mov     [ebp+var_2FC], eax
.text:004211A0                 jmp     loc_42136E
.text:004211A5 ; ---------------------------------------------------------------------------
.text:004211A5 
.text:004211A5 loc_4211A5:                             ; CODE XREF: sub_420A66+6DEj
.text:004211A5                 cmp     [ebp+arg_4], 8
.text:004211A9                 jnz     loc_421375
.text:004211AF                 mov     eax, [ebp+arg_8]
.text:004211B2                 test    eax, eax
.text:004211B4                 jz      loc_42136E
.text:004211BA                 mov     ecx, [eax+24h]
.text:004211BD                 test    ecx, 20000h
.text:004211C3                 jz      short loc_4211D1
.text:004211C5                 movzx   edx, word ptr [eax+50h]
.text:004211C9 
.text:004211C9 loc_4211C9:                             ; CODE XREF: sub_420A66+778j
.text:004211C9                 mov     [ebp+var_2EC], edx
.text:004211CF                 jmp     short loc_4211EA
.text:004211D1 ; ---------------------------------------------------------------------------
.text:004211D1 
.text:004211D1 loc_4211D1:                             ; CODE XREF: sub_420A66+75Dj
.text:004211D1                 test    byte ptr [eax+4Ch], 1
.text:004211D5                 jz      short loc_4211E0
.text:004211D7                 movzx   edx, word ptr [eax+50h]
.text:004211DB                 or      edx, 3
.text:004211DE                 jmp     short loc_4211C9
.text:004211E0 ; ---------------------------------------------------------------------------
.text:004211E0 
.text:004211E0 loc_4211E0:                             ; CODE XREF: sub_420A66+76Fj
.text:004211E0                 mov     [ebp+var_2EC], 10h
.text:004211EA 
.text:004211EA loc_4211EA:                             ; CODE XREF: sub_420A66+769j
.text:004211EA                 movzx   edx, word ptr [eax+5Ch]
.text:004211EE                 mov     [ebp+var_328], edx
.text:004211F4                 movzx   edx, word ptr [eax+58h]
.text:004211F8                 mov     [ebp+var_324], edx
.text:004211FE                 movzx   edx, word ptr [eax+48h]
.text:00421202                 mov     [ebp+var_320], edx
.text:00421208                 movzx   edx, word ptr [eax+54h]
.text:0042120C                 mov     [ebp+var_31C], edx
.text:00421212                 movzx   edx, word ptr [eax+4Ch]
.text:00421216                 mov     [ebp+var_2F8], edx
.text:0042121C                 mov     edx, [eax+38h]
.text:0042121F                 mov     [ebp+var_2F0], edx
.text:00421225                 mov     edx, [eax+20h]
.text:00421228                 mov     [ebp+var_2FC], edx
.text:0042122E                 mov     edx, [eax+3Ch]
.text:00421231                 mov     [ebp+var_300], edx
.text:00421237                 mov     edx, [eax+28h]
.text:0042123A                 mov     [ebp+var_304], edx
.text:00421240                 mov     edx, [eax+34h]
.text:00421243                 mov     [ebp+var_310], edx
.text:00421249                 mov     edx, [eax+2Ch]
.text:0042124C                 mov     [ebp+var_308], edx
.text:00421252                 mov     edx, [eax+30h]
.text:00421255                 mov     [ebp+var_30C], edx
.text:0042125B                 mov     edx, [eax+44h]
.text:0042125E                 mov     eax, [eax+40h]
.text:00421261                 mov     [ebp+var_318], edx
.text:00421267                 mov     [ebp+var_2F4], ecx
.text:0042126D                 jmp     loc_421368
.text:00421272 ; ---------------------------------------------------------------------------
.text:00421272 
.text:00421272 loc_421272:                             ; CODE XREF: sub_420A66+6D7j
.text:00421272                 mov     esi, [ebp+arg_10]
.text:00421275                 test    esi, esi
.text:00421277                 jz      loc_421375
.text:0042127D 
.text:0042127D loc_42127D:                             ; CODE XREF: sub_420A66+718j
.text:0042127D                 mov     ecx, ebx
.text:0042127F                 lea     edi, [ebp+var_3B4]
.text:00421285                 repe movsd
.text:00421287                 jmp     loc_42136E
.text:0042128C ; ---------------------------------------------------------------------------
.text:0042128C 
.text:0042128C loc_42128C:                             ; CODE XREF: sub_420A66+6CEj
.text:0042128C                                         ; sub_420A66+6E3j ...
.text:0042128C                 mov     eax, [ebp+arg_C]
.text:0042128F                 test    eax, eax
.text:00421291                 jz      loc_421375
.text:00421297                 mov     edx, [eax+6Ch]
.text:0042129A                 mov     ebx, edx
.text:0042129C                 and     ebx, 1
.text:0042129F                 mov     edi, 20000h
.text:004212A4                 jnz     short loc_4212AE
.text:004212A6                 test    [eax+70h], edi
.text:004212A9                 lea     ecx, [eax+74h]
.text:004212AC                 jz      short loc_4212B1
.text:004212AE 
.text:004212AE loc_4212AE:                             ; CODE XREF: sub_420A66+83Ej
.text:004212AE                 mov     ecx, [eax+74h]
.text:004212B1 
.text:004212B1 loc_4212B1:                             ; CODE XREF: sub_420A66+846j
.text:004212B1                 mov     esi, [eax+70h]
.text:004212B4                 test    edi, esi
.text:004212B6                 mov     [ebp+var_2F0], ecx
.text:004212BC                 mov     ecx, 0FFFFh
.text:004212C1                 jz      short loc_4212D0
.text:004212C3                 mov     edi, [eax+78h]
.text:004212C6                 and     edi, ecx
.text:004212C8 
.text:004212C8 loc_4212C8:                             ; CODE XREF: sub_420A66+87Aj
.text:004212C8                 mov     [ebp+var_2EC], edi
.text:004212CE                 jmp     short loc_4212EC
.text:004212D0 ; ---------------------------------------------------------------------------
.text:004212D0 
.text:004212D0 loc_4212D0:                             ; CODE XREF: sub_420A66+85Bj
.text:004212D0                 test    ebx, ebx
.text:004212D2                 jz      short loc_4212E2
.text:004212D4                 mov     edi, [eax+78h]
.text:004212D7                 and     edi, 0FFFCh
.text:004212DD                 or      edi, 3
.text:004212E0                 jmp     short loc_4212C8
.text:004212E2 ; ---------------------------------------------------------------------------
.text:004212E2 
.text:004212E2 loc_4212E2:                             ; CODE XREF: sub_420A66+86Cj
.text:004212E2                 mov     [ebp+var_2EC], 10h
.text:004212EC 
.text:004212EC loc_4212EC:                             ; CODE XREF: sub_420A66+868j
.text:004212EC                 mov     edi, [eax+30h]
.text:004212EF                 and     edi, ecx
.text:004212F1                 mov     [ebp+var_328], edi
.text:004212F7                 mov     edi, [eax+50h]
.text:004212FA                 and     edi, ecx
.text:004212FC                 mov     [ebp+var_324], edi
.text:00421302                 mov     edi, [eax+34h]
.text:00421305                 and     edi, ecx
.text:00421307                 mov     [ebp+var_320], edi
.text:0042130D                 mov     edi, [eax+38h]
.text:00421310                 and     edi, ecx
.text:00421312                 and     edx, ecx
.text:00421314                 mov     ecx, [eax+68h]
.text:00421317                 mov     [ebp+var_2FC], ecx
.text:0042131D                 mov     ecx, [eax+60h]
.text:00421320                 mov     [ebp+var_300], ecx
.text:00421326                 mov     ecx, [eax+44h]
.text:00421329                 mov     [ebp+var_304], ecx
.text:0042132F                 mov     ecx, [eax+5Ch]
.text:00421332                 mov     [ebp+var_310], ecx
.text:00421338                 mov     ecx, [eax+40h]
.text:0042133B                 mov     [ebp+var_308], ecx
.text:00421341                 mov     ecx, [eax+3Ch]
.text:00421344                 mov     [ebp+var_30C], ecx
.text:0042134A                 mov     ecx, [eax+54h]
.text:0042134D                 mov     eax, [eax+58h]
.text:00421350                 mov     [ebp+var_31C], edi
.text:00421356                 mov     [ebp+var_2F8], edx
.text:0042135C                 mov     [ebp+var_318], ecx
.text:00421362                 mov     [ebp+var_2F4], esi
.text:00421368 
.text:00421368 loc_421368:                             ; CODE XREF: sub_420A66+807j
.text:00421368                 mov     [ebp+var_314], eax
.text:0042136E 
.text:0042136E loc_42136E:                             ; CODE XREF: sub_420A66+73Aj
.text:0042136E                                         ; sub_420A66+74Ej ...
.text:0042136E                 or      byte ptr KiBugCheckData+3, 10h
.text:00421375 
.text:00421375 loc_421375:                             ; CODE XREF: sub_420A66+6F5j
.text:00421375                                         ; sub_420A66+743j ...
.text:00421375                 mov     eax, dword_475C64
.text:0042137A                 mov     edi, 1000h
.text:0042137F                 mov     esi, 0FFFFF000h
.text:00421384                 push    edi
.text:00421385                 and     eax, esi
.text:00421387                 push    eax
.text:00421388                 call    sub_419E10
.text:0042138D                 mov     eax, dword_475C68
.text:00421392                 push    edi
.text:00421393                 and     eax, esi
.text:00421395                 push    eax
.text:00421396                 call    sub_419E10
.text:0042139B                 mov     eax, dword_475C6C
.text:004213A0                 push    edi
.text:004213A1                 and     eax, esi
.text:004213A3                 push    eax
.text:004213A4                 call    sub_419E10
.text:004213A9                 mov     eax, dword_475C70
.text:004213AE                 push    edi
.text:004213AF                 and     eax, esi
.text:004213B1                 push    eax
.text:004213B2                 call    sub_419E10
.text:004213B7                 mov     eax, [ebp+arg_14]
.text:004213BA                 push    edi
.text:004213BB                 and     eax, esi
.text:004213BD                 push    eax
.text:004213BE                 call    sub_419E10
.text:004213C3                 mov     eax, large fs:20h
.text:004213C9                 cmp     dword ptr [eax+874h], 0
.text:004213D0                 jz      short loc_4213E7
.text:004213D2                 mov     eax, large fs:20h
.text:004213D8                 mov     eax, [eax+874h]
.text:004213DE                 push    edi
.text:004213DF                 and     eax, esi
.text:004213E1                 push    eax
.text:004213E2                 call    sub_419E10
.text:004213E7 
.text:004213E7 loc_4213E7:                             ; CODE XREF: sub_420A66+6C2j
.text:004213E7                                         ; sub_420A66+96Aj
.text:004213E7                 lea     eax, [ebp+var_1]
.text:004213EA                 push    eax
.text:004213EB                 push    [ebp+var_1C]
.text:004213EE                 lea     eax, [ebp+var_3B4]
.text:004213F4                 push    eax
.text:004213F5                 push    dword_475C70
.text:004213FB                 push    dword_475C6C
.text:00421401                 push    dword_475C68
.text:00421407                 push    dword_475C64
.text:0042140D                 push    KiBugCheckData
.text:00421413                 call    sub_41B70D
.text:00421418                 xor     ebx, ebx
.text:0042141A 
.text:0042141A loc_42141A:                             ; CODE XREF: sub_420A66+486j
.text:0042141A                 call    sub_420778
.text:0042141F                 cmp     [ebp+var_1], 0
.text:00421423                 pop     edi
.text:00421424                 pop     esi
.text:00421425                 jz      short loc_421438
.text:00421427                 push    ebx
.text:00421428                 push    0FFFFFFFFh
.text:0042142A                 push    ebx
.text:0042142B                 call    sub_449940      			; some stuff with int 2d / int 3
.text:00421430                 push    3
.text:00421432                 call    ds:HalReturnToFirmware
.text:00421438 
.text:00421438 loc_421438:                             ; CODE XREF: sub_420A66+9BFj
.text:00421438                 push    4
.text:0042143A                 call    sub_420435      			; debugger
.text:0042143F                 pop     ebx
.text:00421440                 leave
.text:00421441                 retn    18h
.text:00421441 sub_420A66      endp
.text:00421441 
.text:00421444 ; Exported entry 509. KeBugCheck
.text:00421444 
