各位大大,这几天我动手想破一个外挂,用脚本Aspr2.XX_unpacker_v1.15SC.osc已经脱壳了。是ASProtect 2.1x SKE -> Alexey Solodovnikov的壳。然后修复,貌似不用补区段和自校验就可以运行(有偷代码,但不知道怎么修复,汗。我是菜鸟没办法)可能脱得不完整,但可以运行。这外挂带BIN文件。由于它字符串处理得很好(查找字符串一个都没有,汗)。关键跳在004427F4 . 68 E0754C00 push 004C75E0//正常用户登录。现给出一个充过值的游戏帐号szgaoyu,助各位大侠更快找到突破口
这是一个输入游戏帐号、密码和保护码(都是游戏的),然后连接服务器判断你是不是已经充值的用户。我已经找到关键跳了,修改了。能登录了,但用没充值的帐号登录会显示"版本错误,请更新档案"。用已充值的用户登录却没事(可能这是第2层检验吧)
用已充值的用户登录会显示有效日期,用没充值的帐号登录不会显示有效时间。不管我怎么调试就是搞不懂第2层检测在哪,求各位大侠帮我一下。由于外挂容量超过论坛要求,就给出链接
http://newtth.gjcai.com/ 。
而且 我认为
004426FE . 55 push ebp
004426FF . 56 push esi
00442700 . 57 push edi
00442701 . 8BBC24 D42600>mov edi, dword ptr [esp+26D4]
00442708 . 3D DF0B0000 cmp eax, 0BDF ; Switch (cases 7E8..BF3)
0044270D . 8BE9 mov ebp, ecx
0044270F . 0F87 81110000 ja 00443896
00442715 . 3D DF0B0000 cmp eax, 0BDF
0044271A . 0F84 56110000 je 00443876
00442720 . 3D D40B0000 cmp eax, 0BD4
00442725 . 0F87 D20F0000 ja 004436FD
0044272B . 0F84 D5090000 je 00443106
00442731 . 3D D00B0000 cmp eax, 0BD0
00442736 . 0F87 04040000 ja 00442B40
0044273C . 0F84 AC030000 je 00442AEE
00442742 . 05 18F8FFFF add eax, -7E8
00442747 . 83F8 04 cmp eax, 4
0044274A . 0F87 A2200000 ja 004447F2
00442750 . FF2485 2C4844>jmp dword ptr [eax*4+44482C]
00442757 > 57 push edi ; Case 7E8 of switch 00442708
00442758 . 53 push ebx
00442759 . 51 push ecx
0044275A . 8BCC mov ecx, esp
0044275C . 896424 24 mov dword ptr [esp+24], esp
00442760 . 68 58474C00 push 004C4758 ; ASCII "MYSELF"
00442765 . E8 BDF10300 call 00481927
0044276A . E9 A5030000 jmp 00442B14
0044276F > 8BCD mov ecx, ebp ; Case 7E9 of switch 00442708
00442771 . E8 3A000100 call 004527B0
00442776 . E8 A9F70300 call 00481F24
0044277B . 85C0 test eax, eax
0044277D . 74 09 je short 00442788
0044277F . 8B10 mov edx, dword ptr [eax]
00442781 . 8BC8 mov ecx, eax
00442783 . FF52 74 call dword ptr [edx+74]
00442786 . EB 02 jmp short 0044278A
00442788 > 33C0 xor eax, eax
0044278A > 8B80 E8020000 mov eax, dword ptr [eax+2E8]
00442790 . 50 push eax
00442791 . E8 8A50FCFF call 00407820
00442796 . 8BC8 mov ecx, eax
00442798 . 81C1 E4020000 add ecx, 2E4
0044279E . E8 9D1FFFFF call 00434740
004427A3 . 50 push eax
004427A4 . 51 push ecx
004427A5 . 8BCC mov ecx, esp
004427A7 . 896424 24 mov dword ptr [esp+24], esp
004427AB . 68 F8464C00 push 004C46F8 ; ASCII "LOGIN"
004427B0 . E8 72F10300 call 00481927
004427B5 . C78424 D02600>mov dword ptr [esp+26D0], -1
004427C0 . E8 5B50FCFF call 00407820
004427C5 . 8BC8 mov ecx, eax
004427C7 . E8 1406FFFF call 00432DE0
004427CC . E9 21200000 jmp 004447F2
004427D1 > 8B0D 10A84C00 mov ecx, dword ptr [4CA810] ; ttha.004CA824; Case 7EB of switch 00442708
004427D7 . 894C24 20 mov dword ptr [esp+20], ecx
004427DB . 83FF 01 cmp edi, 1
004427DE . C78424 C42600>mov dword ptr [esp+26C4], 2
004427E9 . 0F84 67010000 jnz 00442956 //这是关键跳 ,改为JE
004427EF . 53 push ebx
004427F0 . 8D5424 24 lea edx, dword ptr [esp+24]
004427F4 . 68 E0754C00 push 004C75E0
004427F9 . 52 push edx
004427FA . E8 127C0300 call 0047A411
004427FF . A1 10A84C00 mov eax, dword ptr [4CA810]
00442804 . 83C4 0C add esp, 0C
00442807 . 894424 24 mov dword ptr [esp+24], eax
0044280B . 894424 10 mov dword ptr [esp+10], eax
0044280F . 894424 14 mov dword ptr [esp+14], eax
00442813 . C68424 C42600>mov byte ptr [esp+26C4], 5
0044281B . E8 04F70300 call 00481F24
00442820 . 85C0 test eax, eax
00442822 . 74 09 je short 0044282D
00442824 . 8B10 mov edx, dword ptr [eax]
00442826 . 8BC8 mov ecx, eax
00442828 . FF52 74 call dword ptr [edx+74]
0044282B . EB 02 jmp short 0044282F
0044282D > 33C0 xor eax, eax
0044282F > 8D4C24 14 lea ecx, dword ptr [esp+14]
00442833 . 51 push ecx
00442834 . 68 0B050000 push 50B
00442839 . 8D88 D8000000 lea ecx, dword ptr [eax+D8]
0044283F . E8 91E90300 call 004811D5
00442844 . 8BC8 mov ecx, eax
00442846 . E8 06C00300 call 0047E851
0044284B . 8D4C24 14 lea ecx, dword ptr [esp+14]
0044284F . E8 1C7C0300 call 0047A470
00442854 . 8D4C24 14 lea ecx, dword ptr [esp+14]
00442858 . E8 C77B0300 call 0047A424
0044285D . 8B5424 14 mov edx, dword ptr [esp+14]
00442861 . 8D4C24 14 lea ecx, dword ptr [esp+14]
00442865 . 8B42 F8 mov eax, dword ptr [edx-8]
00442868 . 50 push eax
00442869 . E8 7BF40300 call 00481CE9
0044286E . 50 push eax
0044286F . E8 3AFD0200 call <jmp.&tthbn.setProtectPass>
00442874 . E8 ABF60300 call 00481F24
00442879 . 85C0 test eax, eax
0044287B . 74 09 je short 00442886
0044287D . 8B10 mov edx, dword ptr [eax]
0044287F . 8BC8 mov ecx, eax
00442881 . FF52 74 call dword ptr [edx+74]
00442884 . EB 02 jmp short 00442888
00442886 > 33C0 xor eax, eax
00442888 > 8D4C24 24 lea ecx, dword ptr [esp+24]
0044288C . 51 push ecx
0044288D . 68 E9030000 push 3E9
00442892 . 8D88 D8000000 lea ecx, dword ptr [eax+D8]
00442898 . E8 38E90300 call 004811D5
0044289D . 8BC8 mov ecx, eax
0044289F . E8 ADBF0300 call 0047E851
004428A4 . 8D4C24 24 lea ecx, dword ptr [esp+24]
004428A8 . E8 C37B0300 call 0047A470
004428AD . 8D4C24 24 lea ecx, dword ptr [esp+24]
004428B1 . E8 6E7B0300 call 0047A424
004428B6 . E8 69F60300 call 00481F24
004428BB . 85C0 test eax, eax
004428BD . 74 09 je short 004428C8
004428BF . 8B10 mov edx, dword ptr [eax]
004428C1 . 8BC8 mov ecx, eax
004428C3 . FF52 74 call dword ptr [edx+74]
004428C6 . EB 02 jmp short 004428CA
004428C8 > 33C0 xor eax, eax
004428CA > 8D4C24 10 lea ecx, dword ptr [esp+10]
004428CE . 51 push ecx
004428CF . 68 EA030000 push 3EA
004428D4 . 8D88 D8000000 lea ecx, dword ptr [eax+D8]
004428DA . E8 F6E80300 call 004811D5
004428DF . 8BC8 mov ecx, eax
004428E1 . E8 6BBF0300 call 0047E851
004428E6 . 8D4C24 10 lea ecx, dword ptr [esp+10]
004428EA . E8 817B0300 call 0047A470
004428EF . 8D4C24 10 lea ecx, dword ptr [esp+10]
004428F3 . E8 2C7B0300 call 0047A424
004428F8 . 8B5424 10 mov edx, dword ptr [esp+10]
004428FC . 8B4C24 24 mov ecx, dword ptr [esp+24]
00442900 . 8B42 F8 mov eax, dword ptr [edx-8]
00442903 . 8B71 F8 mov esi, dword ptr [ecx-8]
00442906 . 50 push eax
00442907 . 8D4C24 14 lea ecx, dword ptr [esp+14]
0044290B . E8 D9F30300 call 00481CE9
00442910 . 50 push eax
00442911 . 56 push esi
00442912 . 8D4C24 2C lea ecx, dword ptr [esp+2C]
00442916 . E8 CEF30300 call 00481CE9
0044291B . 50 push eax
0044291C . E8 3BFD0200 call <jmp.&tthbn.makeUserPassWordIP>
00442921 . 8D4C24 14 lea ecx, dword ptr [esp+14]
00442925 . C68424 C42600>mov byte ptr [esp+26C4], 4
0044292D . E8 87EF0300 call 004818B9
00442932 . 8D4C24 10 lea ecx, dword ptr [esp+10]
00442936 . C68424 C42600>mov byte ptr [esp+26C4], 3
0044293E . E8 76EF0300 call 004818B9
00442943 . 8D4C24 24 lea ecx, dword ptr [esp+24]
00442947 . C68424 C42600>mov byte ptr [esp+26C4], 2
0044294F . E8 65EF0300 call 004818B9
00442954 . EB 35 jmp short 0044298B
00442956 > 68 D0754C00 push 004C75D0 // 错误就跳到这里
0044295B . 8D4C24 24 lea ecx, dword ptr [esp+24]
0044295F . E8 DEF00300 call 00481A42
00442964 . 6A 00 push 0
00442966 . 51 push ecx
00442967 . 8BCC mov ecx, esp
00442969 . 896424 20 mov dword ptr [esp+20], esp
0044296D . 68 CC474C00 push 004C47CC ; ASCII "ALL"
00442972 . E8 B0EF0300 call 00481927
00442977 . C68424 CC2600>mov byte ptr [esp+26CC], 2
0044297F . E8 9C4EFCFF call 00407820
00442984 . 8BC8 mov ecx, eax
00442986 . E8 D50DFFFF call 00433760
0044298B > 6A 00 push 0
0044298D . 51 push ecx
0044298E . 8D5424 28 lea edx, dword ptr [esp+28]
00442992 . 8BCC mov ecx, esp
00442994 . 896424 20 mov dword ptr [esp+20], esp
00442998 . 52 push edx
00442999 . E8 90EC0300 call 0048162E
0044299E . 68 FFFF0000 push 0FFFF
004429A3 . 8BCD mov ecx, ebp
004429A5 . E8 56FBFFFF call 00442500
004429AA . 8D4C24 20 lea ecx, dword ptr [esp+20]
004429AE . C78424 C42600>mov dword ptr [esp+26C4], -1
004429B9 . E8 FBEE0300 call 004818B9
004429BE . E9 2F1E0000 jmp 004447F2
004429C3 > 8BCD mov ecx, ebp ; Case 7EC of switch 00442708
004429C5 . E8 561F0000 call 00444920
004429CA . 8D8424 440E00>lea eax, dword ptr [esp+E44]
004429D1 . 50 push eax
004429D2 . E8 57FA0200 call <jmp.&tthbn.getMyJiaoShe>
004429D7 . B9 0F030000 mov ecx, 30F
004429DC . 8BF0 mov esi, eax
004429DE . 66:8B85 14010>mov ax, word ptr [ebp+114]
004429E5 . 8DBC24 080200>lea edi, dword ptr [esp+208]
004429EC . F3:A5 rep movs dword ptr es:[edi], dword p>
004429EE . 66:8B8C24 360>mov cx, word ptr [esp+236]
004429F6 . 66:3BC1 cmp ax, cx
004429F9 . 74 05 je short 00442A00
004429FB . 66:85C9 test cx, cx
004429FE . 77 0A ja short 00442A0A
00442A00 > 25 FFFF0000 and eax, 0FFFF
00442A05 . 83F8 FF cmp eax, -1
00442A08 . 75 65 jnz short 00442A6F
00442A0A > 66:898D 14010>mov word ptr [ebp+114], cx
00442A11 . 8B8C24 D42600>mov ecx, dword ptr [esp+26D4]
00442A18 . 8DB5 C4030000 lea esi, dword ptr [ebp+3C4]
00442A1E . 51 push ecx
00442A1F . 53 push ebx
00442A20 . 8BCE mov ecx, esi
00442A22 . E8 A96CFFFF call 004396D0
00442A27 . 8BCE mov ecx, esi
00442A29 . E8 4270FFFF call 00439A70
00442A2E . 8B85 38040000 mov eax, dword ptr [ebp+438]
00442A34 . 85C0 test eax, eax
00442A36 . 75 45 jnz short 00442A7D
00442A38 . 66:C785 14010>mov word ptr [ebp+114], 0FFFF
00442A41 . E8 DEF40300 call 00481F24
00442A46 . 85C0 test eax, eax
00442A48 . 74 15 je short 00442A5F
00442A4A . 8B10 mov edx, dword ptr [eax]
00442A4C . 8BC8 mov ecx, eax
00442A4E . FF52 74 call dword ptr [edx+74]
00442A51 . 8BC8 mov ecx, eax
00442A53 . E8 F808FFFF call 00433350
00442A58 . 33C0 xor eax, eax
00442A5A . E9 B21D0000 jmp 00444811
00442A5F > 33C0 xor eax, eax
00442A61 . 8BC8 mov ecx, eax
00442A63 . E8 E808FFFF call 00433350
00442A68 . 33C0 xor eax, eax
00442A6A . E9 A21D0000 jmp 00444811
00442A6F > 8B85 38040000 mov eax, dword ptr [ebp+438]
00442A75 . 85C0 test eax, eax
00442A77 . 0F84 751D0000 je 004447F2
00442A7D > 8DB5 80010000 lea esi, dword ptr [ebp+180]
00442A83 . 6A 01 push 1
00442A85 . 8BCE mov ecx, esi
00442A87 . E8 5DD70300 call 004801E9
00442A8C . 8B8424 5A0200>mov eax, dword ptr [esp+25A]
00442A93 . 66:8985 54010>mov word ptr [ebp+154], ax
00442A9A . 25 FFFF0000 and eax, 0FFFF
00442A9F . 50 push eax
00442AA0 . 8D85 5C030000 lea eax, dword ptr [ebp+35C]
00442AA6 . 68 60214C00 push 004C2160 ; ASCII "%d"
00442AAB . 50 push eax
00442AAC . E8 60790300 call 0047A411
00442AB1 . 8B8424 680200>mov eax, dword ptr [esp+268]
00442AB8 . 8B8D 3C040000 mov ecx, dword ptr [ebp+43C]
00442ABE . 66:8985 56010>mov word ptr [ebp+156], ax
00442AC5 . 25 FFFF0000 and eax, 0FFFF
00442ACA . 2BC8 sub ecx, eax
00442ACC . 83C4 0C add esp, 0C
00442ACF . 49 dec ecx
00442AD0 . 8D95 60030000 lea edx, dword ptr [ebp+360]
00442AD6 . 51 push ecx
00442AD7 . 68 60214C00 push 004C2160 ; ASCII "%d"
00442ADC . 52 push edx
00442ADD . E8 2F790300 call 0047A411
00442AE2 . 83C4 0C add esp, 0C
00442AE5 . 8BCE mov ecx, esi
00442AE7 . 6A 00 push 0
00442AE9 . E9 CB0C0000 jmp 004437B9
00442AEE > 68 20588E00 push 008E5820 ; Case BD0 of switch 00442708
00442AF3 . E8 5EFB0200 call <jmp.&tthbn.getSendIP>
00442AF8 . 50 push eax
00442AF9 . 68 20588E00 push 008E5820
00442AFE . 51 push ecx
00442AFF . 83FB 01 cmp ebx, 1
00442B02 . 8BCC mov ecx, esp
00442B04 . 75 2A jnz short 00442B30
00442B06 . 896424 24 mov dword ptr [esp+24], esp
00442B0A . 68 F8464C00 push 004C46F8 ; ASCII "LOGIN"
00442B0F . E8 13EE0300 call 00481927
00442B14 > C78424 D02600>mov dword ptr [esp+26D0], -1
00442B1F . E8 FC4CFCFF call 00407820
00442B24 . 8BC8 mov ecx, eax
00442B26 . E8 E50AFFFF call 00433610
00442B2B . E9 C21C0000 jmp 004447F2
00442B30 > 896424 24 mov dword ptr [esp+24], esp
00442B34 . 68 F0464C00 push 004C46F0 ; ASCII "GAME"
00442B39 . E8 E9ED0300 call 00481927
00442B3E .^ EB D4 jmp short 00442B14
00442B40 > 2D D10B0000 sub eax, 0BD1
00442B45 . 0F84 39020000 je 00442D84
00442B4B . 48 dec eax
00442B4C . 0F84 73010000 je 00442CC5
00442B52 . 48 dec eax
00442B53 . 0F85 991C0000 jnz 004447F2
00442B59 . 8BCD mov ecx, ebp ; Case BD3 of switch 00442708
00442B5B . E8 C01D0000 call 00444920
00442B60 . 8A85 D51C0100 mov al, byte ptr [ebp+11CD5]
00442B66 . 8B35 84464A00 mov esi, dword ptr [<&user32.KillTim>; USER32.KillTimer
00442B6C . BB 01000000 mov ebx, 1
00442B71 . 33FF xor edi, edi
00442B73 . 3AC3 cmp al, bl
00442B75 . 0F85 C4000000 jnz 00442C3F
00442B7B . 57 push edi
00442B7C . 8D8D 800A0100 lea ecx, dword ptr [ebp+10A80]
00442B82 . C685 D51C0100>mov byte ptr [ebp+11CD5], 0
00442B89 . E8 C2A0FCFF call 0040CC50
00442B8E . 57 push edi
00442B8F . 8D8D A80E0100 lea ecx, dword ptr [ebp+10EA8]
00442B95 . E8 06AAFEFF call 0042D5A0
00442B9A . 57 push edi
00442B9B . 8D8D 1C160100 lea ecx, dword ptr [ebp+1161C]
00442BA1 . E8 CADDFDFF call 00420970
00442BA6 . 57 push edi
00442BA7 . 8D8D 18130100 lea ecx, dword ptr [ebp+11318]
00442BAD . E8 9E04FCFF call 00403050
00442BB2 . 57 push edi
00442BB3 . 8D8D 6C0C0100 lea ecx, dword ptr [ebp+10C6C]
00442BB9 . E8 0213FEFF call 00423EC0
00442BBE . 57 push edi
00442BBF . 8D8D 80140100 lea ecx, dword ptr [ebp+11480]
00442BC5 . E8 76260100 call 00455240
00442BCA . 57 push edi
00442BCB . 8D8D 38180100 lea ecx, dword ptr [ebp+11838]
00442BD1 . E8 1AC5FDFF call 0041F0F0
00442BD6 . 8D8D D8E90000 lea ecx, dword ptr [ebp+E9D8]
00442BDC . E8 0F670100 call 004592F0
00442BE1 . 8D8D C0E50000 lea ecx, dword ptr [ebp+E5C0]
00442BE7 . E8 A44E0100 call 00457A90
00442BEC . 8D8D DCEC0000 lea ecx, dword ptr [ebp+ECDC]
00442BF2 . E8 698AFEFF call 0042B660
00442BF7 . 8D8D 70FC0000 lea ecx, dword ptr [ebp+FC70]
00442BFD . E8 DECEFEFF call 0042FAE0
00442C02 . E8 1DF30300 call 00481F24
00442C07 . 3BC7 cmp eax, edi
00442C09 . 74 09 je short 00442C14
00442C0B . 8B10 mov edx, dword ptr [eax]
00442C0D . 8BC8 mov ecx, eax
00442C0F . FF52 74 call dword ptr [edx+74]
00442C12 . EB 02 jmp short 00442C16
00442C14 > 33C0 xor eax, eax
00442C16 > 8B40 1C mov eax, dword ptr [eax+1C]
00442C19 . 53 push ebx
00442C1A . 50 push eax
00442C1B . FFD6 call esi
00442C1D . E8 02F30300 call 00481F24
00442C22 . 3BC7 cmp eax, edi
00442C24 . 74 09 je short 00442C2F
00442C26 . 8B10 mov edx, dword ptr [eax]
00442C28 . 8BC8 mov ecx, eax
00442C2A . FF52 74 call dword ptr [edx+74]
00442C2D . EB 02 jmp short 00442C31
00442C2F > 33C0 xor eax, eax
00442C31 > 8B40 1C mov eax, dword ptr [eax+1C]
00442C34 . 6A 02 push 2
00442C36 . 50 push eax
00442C37 . FFD6 call esi
00442C39 . 89BD DC1C0100 mov dword ptr [ebp+11CDC], edi
00442C3F > E8 E0F20300 call 00481F24
00442C44 . 3BC7 cmp eax, edi
00442C46 . 74 09 je short 00442C51
00442C48 . 8B10 mov edx, dword ptr [eax]
00442C4A . 8BC8 mov ecx, eax
00442C4C . FF52 74 call dword ptr [edx+74]
00442C4F . EB 02 jmp short 00442C53
00442C51 > 33C0 xor eax, eax
00442C53 > 8998 D0000000 mov dword ptr [eax+D0], ebx
00442C59 . E8 C6F20300 call 00481F24
00442C5E . 3BC7 cmp eax, edi
00442C60 . 74 09 je short 00442C6B
00442C62 . 8B10 mov edx, dword ptr [eax]
00442C64 . 8BC8 mov ecx, eax
00442C66 . FF52 74 call dword ptr [edx+74]
00442C69 . EB 02 jmp short 00442C6D
00442C6B > 33C0 xor eax, eax
00442C6D > 8B40 1C mov eax, dword ptr [eax+1C]
00442C70 . 6A 06 push 6
00442C72 . 50 push eax
00442C73 . FFD6 call esi
00442C75 . E8 AAF20300 call 00481F24
00442C7A . 3BC7 cmp eax, edi
00442C7C . 74 09 je short 00442C87
00442C7E . 8B10 mov edx, dword ptr [eax]
00442C80 . 8BC8 mov ecx, eax
00442C82 . FF52 74 call dword ptr [edx+74]
00442C85 . EB 02 jmp short 00442C89
00442C87 > 33C0 xor eax, eax
00442C89 > 89B8 C0000000 mov dword ptr [eax+C0], edi
00442C8F . 8B45 1C mov eax, dword ptr [ebp+1C]
00442C92 . 57 push edi ; /Timerproc
00442C93 . 68 DC050000 push 5DC ; |Timeout = 1500. ms
00442C98 . 53 push ebx ; |TimerID
00442C99 . 50 push eax ; |hWnd
00442C9A . FF15 80464A00 call dword ptr [<&user32.SetTimer>] ; \SetTimer
00442CA0 . 8B85 041A0100 mov eax, dword ptr [ebp+11A04]
00442CA6 . 899D 081A0100 mov dword ptr [ebp+11A08], ebx
00442CAC . 3BC3 cmp eax, ebx
00442CAE . 0F85 3E1B0000 jnz 004447F2
00442CB4 . 899D 001A0100 mov dword ptr [ebp+11A00], ebx
00442CBA . 89BD CC1A0100 mov dword ptr [ebp+11ACC], edi
00442CC0 . E9 2D1B0000 jmp 004447F2
00442CC5 > 8D4C24 2C lea ecx, dword ptr [esp+2C] ; Case BD2 of switch 00442708
00442CC9 . 51 push ecx
00442CCA . E8 81F90200 call <jmp.&tthbn.getIPAddressAndPort>
00442CCF . 50 push eax
00442CD0 . 8D4C24 2C lea ecx, dword ptr [esp+2C]
00442CD4 . E8 4EEC0300 call 00481927
00442CD9 . 6A 01 push 1
00442CDB . 51 push ecx
00442CDC . 8BCC mov ecx, esp
00442CDE . 896424 20 mov dword ptr [esp+20], esp
00442CE2 . 68 F0464C00 push 004C46F0 ; ASCII "GAME"
00442CE7 . C78424 D02600>mov dword ptr [esp+26D0], 0A
00442CF2 . E8 30EC0300 call 00481927
00442CF7 . C68424 CC2600>mov byte ptr [esp+26CC], 0A
00442CFF . E8 1C4BFCFF call 00407820
00442D04 . 8BC8 mov ecx, eax
00442D06 . E8 550AFFFF call 00433760
00442D0B . 8B5424 2C mov edx, dword ptr [esp+2C]
00442D0F . 8D4C24 28 lea ecx, dword ptr [esp+28]
00442D13 . 81E2 FFFF0000 and edx, 0FFFF
00442D19 . 52 push edx
00442D1A . E8 211AFFFF call 00434740
00442D1F . 50 push eax
00442D20 . 51 push ecx
00442D21 . 8BCC mov ecx, esp
00442D23 . 896424 24 mov dword ptr [esp+24], esp
00442D27 . 68 F0464C00 push 004C46F0 ; ASCII "GAME"
00442D2C . E8 F6EB0300 call 00481927
00442D31 . C68424 D02600>mov byte ptr [esp+26D0], 0A
00442D39 . E8 E24AFCFF call 00407820
00442D3E . 8BC8 mov ecx, eax
00442D40 . E8 9B00FFFF call 00432DE0
00442D45 . 8B45 1C mov eax, dword ptr [ebp+1C]
00442D48 . 6A 01 push 1 ; /TimerID = 1
00442D4A . 50 push eax ; |hWnd
00442D4B . FF15 84464A00 call dword ptr [<&user32.KillTimer>] ; \KillTimer
00442D51 . 8B8D 001A0100 mov ecx, dword ptr [ebp+11A00]
00442D57 . 33C0 xor eax, eax
00442D59 . 898D 041A0100 mov dword ptr [ebp+11A04], ecx
00442D5F . 8D4C24 28 lea ecx, dword ptr [esp+28]
00442D63 . 8985 081A0100 mov dword ptr [ebp+11A08], eax
00442D69 . 8985 001A0100 mov dword ptr [ebp+11A00], eax
00442D6F . C78424 C42600>mov dword ptr [esp+26C4], -1
00442D7A . E8 3AEB0300 call 004818B9
00442D7F . E9 6E1A0000 jmp 004447F2
00442D84 > 8B15 10A84C00 mov edx, dword ptr [4CA810] ; ttha.004CA824; Case BD1 of switch 00442708
00442D8A . 895424 10 mov dword ptr [esp+10], edx
00442D8E . C78424 C42600>mov dword ptr [esp+26C4], 9