传神199破解笔记-软件逆向-看雪论坛-安全社区|非营利性质技术交流社区

传神199破解笔记

发表于: 2005-12-14 09:54 7062

传神199破解笔记

jskew

2005-12-14 09:54

7062

004BA876 50             PUSH EAX
004BA877 E8 9CA9FEFF    CALL 004A5218                         ; <JMP.&ws2_32.WSASend>
004BA87C 8945 F8       MOV [EBP-8],EAX
004BA87F 837D F8 FF    CMP DWORD PTR [EBP-8],-1

0152F9BC 000000B8  |Socket = B8
0152F9C0 01287B70  |pBuffers = 01287B70
0152F9C4 00000008  |nBuffers = 8
0152F9C8 00000000  |pBytesSent = NULL

01B2F9BC 000000BC
01B2F9C0 017B721C  ASCII "<mir152>"
01B2F9C4 00000008
01B2F9C8 00000000

/////////////////////////////////////////////////////////////////////
01B2F990  |000000E4
01B2F994  |01B2F9AC
01B2F998  |00000001
01B2F99C  |01B2F9C4
01B2F9A0  |00000000
01B2F9A4  |00000000
01B2F9A8  |00000000

01B2F9AC  |00000008
01B2F9B0  |017B7238  ASCII "<mir152>"
01B2F9B4  ]01B2FA14
01B2F9B8  |004BA87C  RETURN to main.004BA87C from main.004A5218
01B2F9BC  |000000E4
01B2F9C0  |017B7238  ASCII "<mir152>"

01B2F9C4  |00000008
01B2F9C8  |00000000
01B2F9CC  |01B2F9D8  Pointer to next SEH record
01B2F9D0  |004BA921  SE handler
01B2F9D4  |01B2FA14
01B2F9D8  |01B2FA28  Pointer to next SEH record
01B2F9DC  |004BA93E  SE handler
01B2F9E0  |01B2FA14
01B2F9E4  |017B7238  ASCII "<mir152>"
01B2F9E8  |017393AC
/////////////////////////////////////////////////////////////////////

WSASend  >  55             PUSH EBP
74FB1526 8BEC          MOV EBP,ESP
74FB1528 51             PUSH ECX
74FB1529 51             PUSH ECX
74FB152A 813D C417FC74 3>CMP DWORD PTR [74FC17C4],74FB1334

int WSASend(
  SOCKET s,
  LPWSABUF lpBuffers,
  DWORD dwBufferCount,
  LPDWORD lpNumberOfBytesSent,
  DWORD dwFlags,
  LPWSAOVERLAPPED lpOverlapped,
  LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);

int send(
  SOCKET s,
  const char* buf,
  int len,
  int flags
);

003544A3       83F8 16       CMP EAX,16
003544A6       75 67          JNZ SHORT 0035450F
003544A8       55             PUSH EBP
003544A9       8BEC          MOV EBP,ESP
003544AB       E8 00000000    CALL 003544B0
003544B0       59             POP ECX
003544B1       81E9 F1334100 SUB ECX,4133F1
003544B7       51             PUSH ECX
003544B8       51             PUSH ECX
003544B9       8B45 10       MOV EAX,[EBP+10]
003544BC       6A 00          PUSH 0
003544BE       8945 F8       MOV [EBP-8],EAX
003544C1       8B45 0C       MOV EAX,[EBP+C]
003544C4       6A 00          PUSH 0
003544C6       8945 FC       MOV [EBP-4],EAX
003544C9       FF75 14       PUSH DWORD PTR [EBP+14]
003544CC       8D45 10       LEA EAX,[EBP+10]
003544CF       50             PUSH EAX
003544D0       8D45 F8       LEA EAX,[EBP-8]
003544D3       6A 01          PUSH 1
003544D5       50             PUSH EAX
003544D6       FF75 08       PUSH DWORD PTR [EBP+8]
003544D9       8D89 D8474100 LEA ECX,[ECX+4147D8]
003544DF       FFD1          CALL ECX
003544E1       83F8 FF       CMP EAX,-1
003544E4       75 03          JNZ SHORT 003544E9
003544E6       0945 10       OR [EBP+10],EAX
003544E9       8B45 10       MOV EAX,[EBP+10]
003544EC       8BE5          MOV ESP,EBP
003544EE       5D             POP EBP
003544EF       83C4 14       ADD ESP,14
003544F2       FF6424 EC    JMP [ESP-14]

004BAA26 50             PUSH EAX
004BAA27 E8 DCA7FEFF    CALL 004A5208                         ; <JMP.&ws2_32.WSARecv>
004BAA2C 8945 F8       MOV [EBP-8],EAX
004BAA2F 837D F8 FF    CMP DWORD PTR [EBP-8],-1

004BBA1B 33C0          XOR EAX,EAX
004BBA1D 8907          MOV [EDI],EAX
004BBA1F C747 04 F401000>MOV DWORD PTR [EDI+4],1F4
004BBA26 57             PUSH EDI
004BBA27 6A 00          PUSH 0
004BBA29 6A 00          PUSH 0
004BBA2B 56             PUSH ESI
004BBA2C 6A 00          PUSH 0
004BBA2E E8 DD97FEFF    CALL 004A5210                         ; <JMP.&ws2_32.select>
004BBA33 85C0          TEST EAX,EAX
004BBA35 7E 24          JLE SHORT 004BBA5B                      ; 004BBA5B
004BBA37 807B 0D 00    CMP BYTE PTR [EBX+D],0
004BBA3B 75 1E          JNZ SHORT 004BBA5B                      ; 004BBA5B
004BBA3D 8BD6          MOV EDX,ESI
004BBA3F 83C9 FF       OR ECX,FFFFFFFF
004BBA42 8B43 30       MOV EAX,[EBX+30]
004BBA45 E8 5AEFFFFF    CALL 004BA9A4                         ; 004BA9A4
004BBA4A 85C0          TEST EAX,EAX
004BBA4C 74 44          JE SHORT 004BBA92                      ; 004BBA92
004BBA4E 53             PUSH EBX
004BBA4F 68 50B84B00    PUSH 4BB850
004BBA54 8BC3          MOV EAX,EBX
004BBA56 E8 8D84F6FF    CALL 00423EE8                         ; 00423EE8
004BBA5B 57             PUSH EDI
004BBA5C 6A 00          PUSH 0
004BBA5E 56             PUSH ESI
004BBA5F 6A 00          PUSH 0
004BBA61 6A 00          PUSH 0
004BBA63 E8 A897FEFF    CALL 004A5210                         ; <JMP.&ws2_32.select>
004BBA68 85C0          TEST EAX,EAX
004BBA6A 7E 13          JLE SHORT 004BBA7F                      ; 004BBA7F
004BBA6C 807B 0D 00    CMP BYTE PTR [EBX+D],0
004BBA70 75 0D          JNZ SHORT 004BBA7F                      ; 004BBA7F

004A5208  - FF25 A4DA7D00 JMP [7DDAA4]                            ; WS2_32.WSARecv
004A520E 8BC0          MOV EAX,EAX
004A5210  - FF25 A0DA7D00 JMP [7DDAA0]                            ; WS2_32.select
004A5216 8BC0          MOV EAX,EAX
004A5218  - FF25 9CDA7D00 JMP [7DDA9C]                            ; WS2_32.WSASend

0012FBBC 74FB32E2  /CALL to ntohl from WS2_32.74FB32DD
0012FBC0 D2331FC0  \NetLong = D2331FC0
0012FBC4 01274A4C  ASCII "210.51.31.192"

74FB32DA 0BCA          OR ECX,EDX
74FB32DC 51             PUSH ECX
74FB32DD E8 22000000    CALL 74FB3304                         ; ntohl
74FB32E2 8B4D F0       MOV ECX,[EBP-10]

004B9CE5 E8 5EB4F4FF    CALL 00405148                         ; 00405148
004B9CEA 50             PUSH EAX
004B9CEB E8 F8B4FEFF    CALL 004A51E8                         ; <JMP.&wsock32.inet_addr>
004B9CF0 8B55 FC       MOV EDX,[EBP-4]
004B9CF3 8942 1C       MOV [EDX+1C],EAX
004B9CF6 E9 08010000    JMP 004B9E03                            ; 004B9E03
004B9CFB C745 F8 5604000>MOV DWORD PTR [EBP-8],456

0012FD2C 0124EC3C  ASCII "219.156.123.43"

Call stack of main thread
Address Stack    Procedure / arguments                Called from                Frame
0012FB5C 005810E2 ? main_dat.004BA81C                main_dat.005810DD          0012FB58
0012FE00 005850F7 ? main_dat.00580C00                main_dat.005850F2          0012FDFC
0012FE14 004BBD95 Includes main_dat.005850F7          main_dat.004BBD92          0012FE10
0012FE1C 004BBAF2 Includes main_dat.004BBD95          main_dat.004BBAEF          0012FE24
0012FE28 004BA609 Includes main_dat.004BBAF2          main_dat.004BA606          0012FE24
0012FE34 004BAD46 main_dat.004040A4                   main_dat.004BAD41          0012FE48
0012FE3C 004B9FC3 Includes main_dat.004BAD46          main_dat.004B9FC0          0012FE48
0012FE4C 004BAB78 Includes main_dat.004B9FC3          main_dat.004BAB75          0012FE48
0012FE70 0042517E Includes main_dat.004BAB78          main_dat.0042517C          0012FE6C
0012FE88 77E1A420 Includes main_dat.0042517E          user32.77E1A41D             0012FE84
0012FEA8 77DF4605 user32.77E1A408                      user32.77DF4600             0012FEA4
0012FF34 77DF5B77 user32.77DF4321                      user32.77DF5B72             0012FF30
0012FF40 0046BE20 <JMP.&user32.DispatchMessageA>       main_dat.0046BE1B          0012FFA8
0012FF44 0012FF5C    pMsg = WM_USER+1 hw = 13E0DDA (cla
0012FF58 0046BE57 main_dat.0046BD98                   main_dat.0046BE52          0012FFA8
0012FF7C 0046C077 main_dat.0046BE48                   main_dat.0046C072          0012FFA8
0012FFAC 007E1A4F main_dat.0046BFDC                   main_dat.007E1A4A          0012FFA8

00578CF7 90             NOP
00578CF8 55             PUSH EBP
00578CF9 8BEC          MOV EBP,ESP

005790BE /75 26          JNZ SHORT 005790E6                      ; 005790E6
005790C0 |8D4D F0       LEA ECX,[EBP-10]
005790C3 |B8 78915700    MOV EAX,579178                         ; ASCII "bFIPkLJVnb0WFtoqeVrzLA=="
005790C8 |66:BA B6B8    MOV DX,0B8B6
005790CC |E8 FF89F9FF    CALL 00511AD0                         ; 00511AD0
005790D1 |8B55 F0       MOV EDX,[EBP-10]
005790D4 |A1 78C77100    MOV EAX,[71C778]
005790D9 |8B80 C4080000 MOV EAX,[EAX+8C4]

01288DC0  32 31 39 2E 31 35 36 2E 31 32 33 2E 34 33 00 00  219.156.123.43..

005790E6 8D4D EC       LEA ECX,[EBP-14]
005790E9 B8 9C915700    MOV EAX,57919C                         ; ASCII "kaAMv/9tC8I6RngZA4Pcxw=="
005790EE 66:BA B6B8    MOV DX,0B8B6
005790F2 E8 D989F9FF    CALL 00511AD0                         ; 00511AD0
005790F7 8B55 EC       MOV EDX,[EBP-14]

012CDECC  32 32 32 2E 31 33 37 2E 31 31 36 2E 36 38 00 00  222.137.116.68..

004BA876 50             PUSH EAX
004BA877 E8 9CA9FEFF    CALL 004A5218                         ; <JMP.&ws2_32.send>
004BA87C 8945 F8       MOV [EBP-8],EAX

Call stack of main thread
Address Stack    Procedure / arguments                Called from                Frame
0012FB5C 005810E2 ? main_dat.004BA81C                main_dat.005810DD          0012FB58
0012FE00 005850F7 ? main_dat.00580C00                main_dat.005850F2          0012FDFC
0012FE14 004BBD95 Includes main_dat.005850F7          main_dat.004BBD92          0012FE10
0012FE1C 004BBAF2 Includes main_dat.004BBD95          main_dat.004BBAEF          0012FE24
0012FE28 004BA609 Includes main_dat.004BBAF2          main_dat.004BA606          0012FE24
0012FE34 004BAD46 main_dat.004040A4                   main_dat.004BAD41          0012FE48
0012FE3C 004B9FC3 Includes main_dat.004BAD46          main_dat.004B9FC0          0012FE48
0012FE4C 004BAB78 Includes main_dat.004B9FC3          main_dat.004BAB75          0012FE48
0012FE70 0042517E Includes main_dat.004BAB78          main_dat.0042517C          0012FE6C
0012FE88 77E1A420 Includes main_dat.0042517E          user32.77E1A41D             0012FE84
0012FEA8 77DF4605 user32.77E1A408                      user32.77DF4600             0012FEA4
0012FF34 77DF5B77 user32.77DF4321                      user32.77DF5B72             0012FF30
0012FF40 0046BE20 <JMP.&user32.DispatchMessageA>       main_dat.0046BE1B          0012FFA8
0012FF44 0012FF5C    pMsg = WM_USER+1 hw = 164082E (cla
0012FF58 0046BE57 main_dat.0046BD98                   main_dat.0046BE52          0012FFA8
0012FF7C 0046C077 main_dat.0046BE48                   main_dat.0046C072          0012FFA8
0012FFAC 007E1A4F main_dat.0046BFDC                   main_dat.007E1A4A          0012FFA8

004BAA23 8B40 04       MOV EAX,[EAX+4]
004BAA26 50             PUSH EAX
004BAA27 E8 DCA7FEFF    CALL 004A5208                         ; <JMP.&ws2_32.recv>
004BAA2C 8945 F8       MOV [EBP-8],EAX
004BAA2F 837D F8 FF    CMP DWORD PTR [EBP-8],-1

Call stack of main thread
Address Stack    Procedure / arguments                Called from                Frame
0012FD80 004BAB49 ? main_dat.004BA9A4                main_dat.004BAB44          0012FD7C
0012FD8C 00584610 main_dat.004BAB1C                   main_dat.0058460B          0012FDFC
0012FE00 0058512F ? main_dat.005845A0                main_dat.0058512A          0012FDFC
0012FE14 004BBDF1 Includes main_dat.0058512F          main_dat.004BBDEE          0012FE10
0012FE1C 004BBAF2 Includes main_dat.004BBDF1          main_dat.004BBAEF          0012FE24
0012FE28 004BA609 Includes main_dat.004BBAF2          main_dat.004BA606          0012FE24
0012FE34 004BA9A2 main_dat.004040A4                   main_dat.004BA99D          0012FE48
0012FE3C 004B9FE3 Includes main_dat.004BA9A2          main_dat.004B9FE0          0012FE48
0012FE4C 004BAB78 Includes main_dat.004B9FE3          main_dat.004BAB75          0012FE48
0012FE70 0042517E Includes main_dat.004BAB78          main_dat.0042517C          0012FE6C
0012FE88 77E1A420 Includes main_dat.0042517E          user32.77E1A41D             0012FE84
0012FEA8 77DF4605 user32.77E1A408                      user32.77DF4600             0012FEA4
0012FF34 77DF5B77 user32.77DF4321                      user32.77DF5B72             0012FF30
0012FF40 0046BE20 <JMP.&user32.DispatchMessageA>       main_dat.0046BE1B          0012FFA8
0012FF44 0012FF5C    pMsg = WM_USER+1 hw = 1320CAC (cla
0012FF58 0046BE57 main_dat.0046BD98                   main_dat.0046BE52          0012FFA8
0012FF7C 0046C077 main_dat.0046BE48                   main_dat.0046C072          0012FFA8
0012FFAC 007E1A4F main_dat.0046BFDC                   main_dat.007E1A4A          0012FFA8

0058459C 5D             POP EBP
0058459D C2 0800       RETN 8
005845A0 55             PUSH EBP
005845A1 8BEC          MOV EBP,ESP
005845A3 B9 0B000000    MOV ECX,0B
005845A8 6A 00          PUSH 0
005845AA 6A 00          PUSH 0
005845AC 49             DEC ECX
005845AD  ^ 75 F9          JNZ SHORT 005845A8                      ; 005845A8
005845AF 51             PUSH ECX

00584663 8B80 90000000 MOV EAX,[EAX+90]
00584669 E8 2E58F3FF    CALL 004B9E9C                         ; closesocket

Run trace, selected line
Back=2.
Thread=Main
Module=main
Address=004BAA27
Command=CALL 004A5208
Modified registers=EAX=0000041C, ECX=00145678, EDX=0014F420

01A561B4  00 00 00 00 2E 04 00 00 01 00 00 00 1C 04 00 00  ................

00 00 00 00 2E 04 00 00 01 00 00 00 1C 04 00 00 00 02 01 E8 BD 6E BF B8 16 AB 7F BF 10 45 85 68
25 A5 1D DA EF 34 84 F6 8C AF EF D9 92 97 5A 3D 34 58 D5 21 61 33 5A 9E EE 35 98 76 71 EA CD A3
86 F0 79 10 59 79 1E 79 33 0E 5F 7F D7 42 9C F6 F2 C9 84 19 82 94 51 44 E4 95 30 F1 37 2C 47 3F
9A 94 49 23 AF AE FE 0A B8 18 4B 48 ED 01 00 00 B4 CF C8 A3 0D 09 05 00 1E 00 00 00 12 A9 A4 0A
B4 86 E7 96 97 0B 0D F1 39 AE 27 BE 91 C5 58 11 00 57 D9 E8 87 DA 8C D1 A4 E4 87 2B 33 72 89 09
33 EA 0E FA C1 2D 6B 92 01 00 00 00 00 7F 01 E5 54 F6 98 97 1B D6 C1 29 57 8C 93 07 7C 61 EA A1
FA A7 3C C4 73 18 83 EF BD 33 56 C1 1E F1 08 59 E2 0B 92 C4 BB E6 35 DE AF 86 3F EE EB EC C5 40
32 7A 43 A2 58 AE A4 42 57 4C FD A0 24 8F 7F A0 3D F2 1A 00 97 34 9C BB 43 52 CE 43 80 D5 AF 20
3D 05 7E 5B E3 E8 1A 17 E0 A5 0E 76 A1 44 00 00 E2 F6 33 74 EC 24 70 21 38 C3 93 61 F9 6B 50 C9
45 5B F3 B8 57 91 96 1C 3A 93 ED 8C F1 59 6C 50 F3 2C 7C F0 91 6F 92 8B 0B A7 D4 3E 82 21 61 1D
83 CC CA 17 FF ED 67 62 4C 8A 92 9B 08 74 B9 72 18 90 28 8C 8A 0B 16 D9 B1 22 F3 C3 D8 42 77 8B
E8 E7 35 EC E5 B7 D2 AD FA A6 75 FC 20 E4 D1 F2 5D A0 5B DA AD 15 1D 34 98 8E CC D2 03 6E BC FC
F2 44 B9 3C F1 4C E0 31 8D 50 F4 8B 29 C6 38 37 A3 B6 52 44 97 2E 95 65 C5 89 99 94 23 43 E7 1C
F1 68 73 FE 65 73 A6 2B F5 35 05 54 54 83 E3 4F 63 69 90 5B 5D 18 B5 D4 4E 31 30 03 39 52 AC A7
A4 A3 AC 9A A2 85 F2 62 8A 3C AB A7 7F 11 27 33 91 A4 67 4D 5D 7A 62 20 49 4F 94 5D 45 FE 44 ED
4B D8 5F 82 C0 20 09 D9 C1 8B A5 0E DF 1C B2 CA B2 20 1F 6A B0 11 50 84 15 AB 6A 0F 62 00 AA 86
AF 31 F3 08 A2 4C 8B B4 EA 09 19 54 76 94 70 C6 BF 26 A4 52 AD 06 9D 94 99 55 ED 00 90 06 5C AE
B1 98 A6 67 6F 80 4E 14 D1 0E 12 4A 2D EE 0D 9D 68 42 A6 5B 98 EB AB EC 48 90 DA BC 50 67 40 B1
61 EF 22 C6 8A 5B A9 A5 28 44 F1 33 95 AA 82 0A 67 27 C9 3C CC C2 EC 7F 95 64 32 C0 64 7F 95 B9
CC CA BA 58 22 E9 83 33 EF 8C E6 A5 56 7C 07 10 BE 42 FB EA AF 31 9B 3E 01 BC BC 34 E5 F8 38 C3
CA 69 3A EE 05 74 1E 3E 07 A6 80 20 41 B3 9B 43 67 E6 F1 4C 38 4B 49 71 77 31 E0 31 7B 42 FB 38
50 E6 16 9A 5C 89 36 7F 73 60 D8 D5 C8 6B 2B B5 78 A8 C0 C8 88 0B D4 8C EC 4E 4B A7 18 4B 1E 32
96 EB D5 5B CD EF 86 2D 06 F2 6C FA 93 78 18 AB BE 19 04 3D 9B A4 F7 62 86 3C 1C 00 78 19 45 4F
A7 C5 A0 3A DD 9E A1 0E 80 D1 BC 67 20 01 9B CC 6E 47 B1 F7 1F 7A BD 98 AF 15 59 63 21 A0 10 82
04 04 AE 0E 1D D0 8A 83 A1 D1 AD F4 9A AD A3 AF 12 64 A2 9A 43 FA 97 E0 74 0C 28 77 D7 59 D0 78
A8 54 C8 D8 21 66 09 06 B4 59 B0 66 D7 ED 41 C6 E6 60 4A D8 6F C8 51 62 60 80 7D 20 3F 40 14 32
03 2D 0F E0 FC 91 BA 45 F5 F3 18 C3 63 A7 50 F0 BD 51 1A 7B CF 77 CD DE FE 99 87 A5 BE A3 C1 BF
EC 86 3C 1C 03 C4 EC F4 E7 1B 38 6D 3D B9 6E D5 D6 C2 13 74 DA 3B 39 34 BA 3B 2E 6C A1 31 71 78
B0 E4 5F 18 B0 77 9F 57 9E 77 1C 4E D0 8B 85 4B F4 96 60 CA 01 E3 F1 B3 31 B6 8A F1 F0 C2 9C 1D
40 7D 8D 2E 30 45 CB C8 A8 57 20 9D 64 A6 B9 0A 65 B4 8B AB 8E 8D 2E 90 1F A9 2A 9A 6E 94 54 CF
8E 7F 22 BA D9 E7 86 4F 2C D0 D0 57 F7 5A 9B 6F 89 18 9F D7 94 62 6F CA AB 68 0E 04 99 C5 8E DA
58 50 22 B1 AF 54 12 78 77 B5 EA C5 45 06 6B 49 4E 81 5F 4D ED 8C 45 39 CE 2C E7 CF 9D 56 92 98
14 83 1C 5C 11 0D 4B 3F 0B 0E 35 58 09 0D 4B 3C 08 0D 4A 74 56 39 5A 34 3E 62 3A 55 6C 70 13 5B
7C 5B 00 22 6F 43 12 42 3F 1A 73 3B 00 00 00 00

00 02 01 E8 BD 6E BF B8 16 AB 7F BF 05 9C A5 62 15 8B 3A 39 77 B0 21 AB 3E EC B1 82 61 90 E0 EC
0B FB 9A F1 05 3E E9 42 DB 39 5B EE D6 9E 3F 26 6F F9 8B FD 30 BD B5 9E 54 42 4E 48 C3 1F DE 02
B4 4B 30 EA 83 EC D4 35 4E EE 32 4B 85 75 98 D9 75 11 08 8A AF F0 A7 CF 33 0A D8 91 ED 01 00 00
E0 8D 2F 2A E6 08 05 00 1E 00 00 00 04 2C 83 F9 53 77 62 77 6E F5 7F 0E C9 5C 25 16 1D 1E D7 0C
DD 7F 1E 3D 7B 33 61 F0 13 F3 60 F9 04 E4 29 91 EF 38 C9 FE F0 65 AA E7 01 00 00 00 00 16 D1 04
E4 6A 7B B6 97 01 C7 ED CD 63 38 CE 2A CF B0 A0 2A 61 F1 58 D4 7C DD 71 29 D4 97 D5 F6 15 E3 27
74 EF 11 E5 77 A6 35 73 3B 28 56 6B E0 B1 B0 C3 06 C1 CF 64 1E 97 75 F6 64 4A 6D 0F 9D 6B A0 72
42 AC 80 4F A9 5C 97 0D F8 FF 84 6F 6F 31 DE B6 A9 F9 37 84 55 E7 12 BE 1D C9 0E 2F A1 44 00 00
3C 7E B9 E2 40 A6 C5 41 48 51 B6 06 A4 5D 34 37 32 FF 41 7A AB 79 00 B9 9F 5F 66 07 7D F4 9A DA
5E 69 34 1C 7D DD 86 CD B7 7A 30 A5 00 BD 5C 01 90 38 FA 79 72 89 18 FF BD 15 9E 20 EF 8B CB 8D
E8 CE B1 77 60 0D 5C AA 96 CE 1D D4 40 4A B6 27 9D D8 4E F2 D3 14 E2 1E 61 F1 E8 C5 A7 83 2E CB
07 81 F2 27 C1 15 3B 63 FF F0 1A 60 34 7C 3D B8 1C 0B 00 10 71 3B E0 2E D1 E2 D6 98 0F 4B 4A 4E
68 7D E1 79 A3 BF 8B 1C 36 3E 90 A7 E8 74 21 A4 84 49 15 92 81 02 19 23 89 E4 37 FD DC C2 D0 D1
2F 6C 6A 8D B4 BE 50 AF 1F CA 80 42 92 F6 92 70 4A E7 D5 E3 F9 80 E0 D3 B7 FB F0 37 20 59 8D 31
41 67 E2 E8 96 A4 EE 3A 97 16 50 74 D5 6B D0 30 D3 C1 86 57 41 74 57 87 68 76 C9 0E 26 25 07 25
E2 FE AD 6C 0E 6E E5 CE 1F 34 5A 33 69 AC A2 1F E9 38 CB FC B6 26 12 49 5A 5E 5C D5 2F 25 1B 69
5D 16 6A DF D8 A7 F6 BA 71 72 ED 36 D5 7E 7D B5 D7 7A 92 F3 6D F2 22 4B DB 1B 75 BF 7F E7 17 59
C6 2B 2E C7 9F E2 30 B9 06 2C 32 FF 30 68 26 23 CA 91 3B 75 FC 04 10 EA C2 E7 A9 0D 9D 5D 8B B5
EB 79 F2 E6 20 8E 0D DB 80 8F F2 AD 4D 64 00 BD 0C 0A 59 13 69 72 4A 8D F8 84 EE 03 D9 90 5B C6
40 2F 13 72 00 9B 6C D2 DC D3 CA 52 26 DC 21 EA 9A 95 DB D4 10 70 8E 9C 53 DC 48 25 E0 28 96 BB
9F 2E CC C8 EC BF 9B 62 C9 12 62 3B 77 7E 14 EC 07 68 4B 4D 47 C6 C7 93 2B B4 E1 EC 5A 85 96 37
DA CE 47 A5 92 92 AD 1E CB D2 6D 3D 37 21 44 95 66 F8 3F CE F8 B2 7E 27 37 E4 EF CB 47 53 EE CB
6E 0A C3 28 E3 5E D9 85 A0 43 1C 00 47 5E F3 A1 EB CA 48 51 74 63 CD 0E 15 01 BC 67 20 01 9D 6D
8C 8C ED D3 49 EA A0 BB 36 1D 53 AE 2D C9 9C 46 AD F9 C2 0E 82 1E 23 7A 08 2C C1 F4 7D CB A2 02
D7 31 CB CF B6 77 99 35 37 1E 59 42 9B 25 5A 6B 79 40 FF D2 F4 D6 A4 21 B1 FE 03 01 6E 98 B3 07
77 55 C1 2F 1F E4 BC B0 AE AC D7 7E 26 9C 40 20 30 55 F6 4A 85 D3 A5 92 DC F6 B3 28 F2 B1 BF 20
0C D7 0B 29 E1 2A 29 C4 E2 88 31 6D 15 FB 80 5B 38 6A 02 42 35 FA CC 06 E3 2E 53 A8 0D 15 22 74
D3 97 CF 12 63 4C 14 37 03 4C 94 02 A6 9F 78 DB 10 C2 EC BB 10 4E F6 B3 EF BB 0B 8F 04 5F 8D AF
F9 C7 A4 F5 01 BF 32 FF D2 F5 34 72 4B AB 42 03 0C 54 DD F0 FC CF 97 2F 66 FC 83 2E F8 A7 41 88
8D F4 F2 5A 3C 43 30 06 0C 01 13 E0 E2 0D 7A B3 9E C7 69 A3 C0 03 62 9B F8 2A 78 C6 50 9F 59 DC
DD 4D D5 3F 3C 72 FA 72 6F 36 4E 15 88 D7 8E 5B 6A 83 B3 D3 F1 D7 C6 B4 3A 03 FD A2 79 4D 30 BD
AD 63 40 8E 3E 48 67 65 88 C1 03 A7 87 B5 C2 0C E5 F1 7F 50 11 0D 02 5D 0B 0E 7C 3A 09 0D 02 5E
08 0D 03 16 56 39 13 56 3E 62 73 37 6C 70 5A 39 7C 5B 49 40 6F 43 5B 20 3F 1A 3A 59 00 00 00 00

00 02 01 E8 BE 6F BF B8 17 AB 7F BF EB AC F0 EA 2C 6C D7 B7 BF C4 F5 72 7F ED E8 A2 9C 73 AF 4A
DD 4D 59 CC E9 86 F1 C9 C4 A9 A0 B9 DD F1 4D 1B EA 19 4B 82 65 A9 21 7A D7 95 53 5A D2 C3 B8 0B
11 47 0D E0 C9 29 E3 5B 57 09 CD 94 F0 55 9D 0A 03 71 4D 3A F0 8E 2E 6B D7 93 15 5C ED 01 00 00
B9 13 E1 13 DD 08 05 00 1E 00 00 00 61 D1 D3 23 C4 8A EA 7E AB C8 38 68 19 D2 EF BA EB 3A 76 F9
41 A7 2B DD 74 B7 EC 5E 5F 9F F0 D9 C6 60 7A AC 4D 48 5E 1F 18 64 2E FD 01 00 00 00 00 E1 AC FA
5A DC 16 99 1E AF 16 60 7F 39 4B 14 94 F6 35 D4 C6 94 71 DF 95 4D 74 15 68 CC 79 2F 31 4B 56 18
2E B7 31 5D 43 EB 37 9F EF FC E6 AD BE B1 AA 0D D6 43 EE 7D B2 57 27 3F 94 18 0E C0 7A 16 01 FC
69 3F 75 94 B0 8E B8 3E 1B A8 45 8C FA D1 63 0F 75 12 25 25 FE 0F 43 7A 06 D1 0E D2 A1 44 00 00
AA 72 94 02 DE EC 91 19 4C CB F6 99 FE 11 8B FA 97 20 47 81 4D 7C 28 01 C2 B0 D9 B8 2C 81 F8 F7
5E 1D 8E 3F 5E 92 4D F1 81 B7 A5 AA 90 D4 C9 4B F7 DD D0 8A F7 0D 7F 27 3F EA C0 0F D8 89 8C EB
38 68 CE 50 9E 34 61 E2 AE FD 18 E8 EF 27 48 8C A0 63 11 FE F1 2D 24 EB BB 10 44 C5 BA 5F 95 CB
FA 4A 36 3C D9 15 96 A9 DC 34 39 5A 7F A3 57 C9 C4 55 9C 31 F8 FB F6 7D C6 49 CB 74 65 89 1C 5C
BB 4E F9 CC F5 A9 62 68 29 89 72 42 F1 76 AC 8D 40 36 8F F3 19 34 BC 54 97 48 3B 77 35 EC A4 DA
77 A2 68 41 9E 74 D6 D4 DD DE D4 6B 4F 33 54 D5 29 89 F4 9F E0 1B 31 54 A5 13 AB B3 9A A0 FB 6B
BF 84 F5 B1 7D B2 8A 3A 35 F3 91 55 9D 17 60 F2 EE D1 71 A8 BE 15 AD 1A AC 6D D1 0E C6 59 EE 25
53 81 40 B8 CE F2 40 6D 14 8E 56 38 55 B4 E1 92 84 AB 5D 8E A2 41 14 4F 6C 62 53 9A 45 E7 CE F2
06 68 A4 4E E3 01 A2 18 B1 0E A0 2C 3F 50 AD 75 C7 21 21 7F 98 6C B1 CE C9 E5 EE 0B CC 1E 64 FA
4D 8F B9 BE 8A DD D0 D9 49 06 E3 EE 4F 3C 30 22 ED 1A 35 1A 70 0E F7 45 82 69 D8 4E 34 3B 22 8D
5B 97 4B 75 A9 E7 04 44 43 F2 96 AF 81 7E D0 DA 30 36 5E 84 FE 14 E0 A3 74 B9 D3 FA 76 A7 2A AC
A1 EF 43 DD 88 B0 1B E5 07 BB B3 13 DB 93 0E 30 F5 39 D2 61 A6 2C 09 8D 32 B8 80 B5 9D FD 03 BE
46 07 38 44 5E AA 54 5D A2 E5 C7 EE 2B AC DE 4E 11 4F B9 F2 48 F3 6B 56 F1 16 EB A0 F6 F1 F4 73
DF 05 F6 8A 4C 73 BB 5F 54 B9 91 5B 16 13 A2 06 62 52 3E B3 CA F4 02 38 F9 A1 98 53 A3 14 D0 B4
AE 96 9C A2 B2 0F 76 2F 59 45 1C 00 52 40 C3 B9 4E 34 FF 0E B0 78 D5 0E 69 F2 BC 67 20 01 8D 7A
72 E5 E8 C8 BD 6A A9 71 7B 11 77 58 C9 FD B9 FC 69 E2 DA 0E 06 12 6B D4 CC 37 D9 F4 70 89 82 9D
D8 9A 28 FA 52 16 1A BB BD 73 E0 40 AC 75 6B 31 E0 54 0D 89 54 1A 61 A3 9F 61 36 E3 C6 80 50 36
09 58 F4 7E 16 ED 44 5B 38 A3 58 8A 94 02 A6 B8 0E 65 85 38 B0 75 BE D3 FE 18 AB 53 93 83 4E 44
6D 61 E0 71 5D E0 83 43 51 CF 75 7B CB CF 4E 51 98 23 3A 22 1A 9A C5 51 CA A6 7B E5 B5 E5 06 E9
23 E8 5D D6 BE 42 19 EA DE 42 94 50 45 9E B7 9C D8 02 5C FC D8 F2 A3 28 CA 6C 50 99 5A 42 1B 07
E8 82 F8 65 01 BB BA A1 14 87 AD 12 81 EA 16 87 28 49 7C 11 C8 28 54 AF A2 B4 98 97 CB 3E AC 1D
C4 04 EE FB 74 10 57 ED 9C 95 EB 57 7D DC FA 59 95 78 95 CB A8 AB CA 91 F2 19 99 C8 39 4A 67 FC
73 63 46 D1 8E 78 3E 7D 59 F0 15 8D 96 0A DD 5F C7 9E 9E 2E 48 21 1F D7 18 A5 4C 87 1C DF AD D8
31 83 D3 B7 1D E1 50 E1 9B AC 79 95 7B 72 EB A2 C6 46 B2 6E 11 0D 82 99 0B 0E FC FE 09 0D 82 9A
08 0D 83 D2 56 39 93 92 3E 62 F3 F3 6C 70 DA FD 7C 5B C9 84 6F 43 DB E4 3F 1A BA 9D 00 00 00 00

00 01 01 E8 BD 6E BF B8 16 AB 7F BF C5 34 77 79 F3 15 60 A1 BA C5 B7 17 93 97 C0 7F 78 CA D5 10
28 4C AE 34 D5 9B B3 E8 0C 63 5A 96 D8 61 20 CD AC 95 33 A2 F1 92 BB F4 60 42 D4 F9 64 4A 87 FC
55 F8 59 90 96 70 84 13 80 37 E5 2B 81 9A 3C 2A DF 12 15 54 BF 9C 59 AC 4E 64 41 57 D7 00 00 00
BE EF 1A 02 18 B2 04 00 1E 00 00 00 2E 21 F1 7B 1C 54 9F 04 D6 BC F8 AD 93 02 6F A2 79 10 C3 69
D5 E7 0E 84 2A 62 DA A1 84 D9 76 D6 2D 5F EF C5 1C F2 B5 A5 58 B6 0F 84 01 00 00 00 00 F9 E9 69
33 DE 46 EA 4E 47 14 D0 85 94 25 D0 7A 8B 4F 62 D9 8A BB A2 33 DF C0 74 58 64 0E A3 03 5E A5 56
FC 78 F3 7F 00 32 F5 83 81 83 88 64 4F FF 63 3B 76 38 5E C7 60 7E 01 80 00 F0 3C B5 09 62 68 36
05 0C 19 1D C0 E5 28 B8 E6 7B E9 7D 42 62 5D 69 36 81 CA 4C E3 31 57 B8 39 69 02 BE A1 44 00 00
E4 AC B5 64 F1 93 DA 36 97 5E FC 66 FF F0 3E 5D 4B 3C 76 FD 53 0C 82 70 8E 38 8A BD 72 83 B6 D6
26 63 DE C3 FB 80 31 7E 6B 4A 75 C3 02 0D 2D D7 0F 10 73 6A 93 4E 0C A6 A5 E3 62 4D FC 26 15 77
EB 51 E5 93 3E 14 C1 F0 D1 64 EB 6D 7A DD 77 74 3A CF 8C 97 1C F1 BC 45 A2 6A E5 26 0A 48 8C 24
F0 F6 F4 03 61 19 4B 6E 6F EC 52 D8 2A C0 22 18 0E D9 F4 34 F1 3A 74 84 C0 B5 54 2E EC 08 26 15
32 B2 D0 70 13 56 DC 2B 65 6E 8B F8 9D 1A 7E D2 B2 59 21 2C 72 B8 87 47 C0 AE CD 61 CB 2F 03 A6
23 FC 44 AB 85 D0 7B 17 81 CE B8 7D F7 2D 1D 0B DB F5 80 F2 0F 04 A5 DE 5E 94 9D 16 D8 06 40 CB
0D 31 2F 40 E0 BE 7C 67 1B E8 6B 2A 6C BE 37 64 87 81 55 93 85 AE A6 18 6E 52 69 02 CF F8 D4 12
EB 9A 02 96 FA 62 6A F6 DD C1 FA A2 31 5B D4 54 D8 C7 CE 09 34 A6 4D 96 17 7F 99 0A 99 F5 A8 FC
C9 14 3A D5 D3 C9 88 A8 E8 01 85 05 08 B3 B8 E8 33 A6 A5 5E 79 F9 A7 09 D8 3A AD 64 14 01 E5 21
E2 79 7C 58 E3 67 C8 12 3C 2F F9 6F CC 76 7C 3F B8 2A 79 28 6A 14 EB CB 4C BA 13 A7 4E 2E A1 72
01 E1 E3 06 DB 78 7E E3 3F E9 AC 44 6F 10 30 36 74 7C 44 7A 48 1D BA 34 C4 71 44 8B BE 9D 6E 9E
35 73 83 25 7F 2E B4 DF 78 75 C5 94 6C 03 BA 6D 01 9A D5 3D CE AB 55 E4 89 CB 3A D3 BC DC 0A 23
70 11 08 01 FF 25 54 FD 43 96 0D 90 15 A7 CE 7C 3F D0 FA EE DE 13 A1 84 A7 24 FD 87 AF B9 61 31
74 AB 04 B4 6F F6 BD AF 88 DC 8C 08 2F 08 D2 33 D5 AE C1 34 38 FE 62 B0 91 E3 CA 12 D1 D2 93 C9
EB 7C D6 F8 67 8D 7B 9B FE 20 1F 00 C9 25 AC 07 7D 4E C6 41 72 47 6D 02 7D 64 BC 67 20 01 DB AC
AC 13 43 48 C8 EC DE AE 50 E1 6C 44 32 0F 1C 7D AB DD 62 02 78 D5 01 11 0E 08 61 F8 29 5F E4 5B
D8 0E DB 72 A2 B4 81 30 92 33 C9 6A 5F B8 2F 7A 8C 3E 55 B1 B9 39 76 1B 24 06 42 20 DA 7C D9 C0
FE BB D7 D3 9E 5D 19 FC 31 D3 25 B2 34 45 6C 08 C6 53 A8 95 C6 48 A6 BA 5F 43 D8 FA 65 4F 46 55
1F 63 54 98 B8 4D D8 9F FF ED C2 85 E6 F3 53 9A BF CA 71 92 68 EE F1 B7 47 F6 35 B4 80 5A 51 5F
35 EA 93 7F 08 3E EC A6 68 3E 04 C5 45 C8 EE 19 1C 1A 28 79 1C A5 6A AA A9 40 8B 7F 32 AB 27 64
5D 21 38 D3 01 CE 24 EF 03 AB 89 A3 36 6D 3F 82 7F 24 18 02 93 B3 15 CA E1 9A 95 82 B3 C3 22 BF
9A CC D9 16 EB C8 1A AF 02 99 F9 3B B3 E6 D2 89 72 7B 8F 2B 13 AB 9D FE C9 C9 AD 77 28 A6 3D 13
C0 F1 A3 75 AC 9C 40 30 0D 68 89 7F 02 7E A0 0F 82 37 0E F9 A7 21 CB 25 1F 49 BE BC 6B 6E FC 74
71 97 51 7A 6C 2C 24 44 B1 2D 20 45 CB B5 3C 01 C8 65 75 7D 19 0D 50 EF 0B 0E 2E 88 08 0B 50 EF
09 0A 51 EC 09 70 2B 85 43 7C 25 8C 42 67 3C 89 59 42 1B 98 6A 58 14 84 56 4B 2A B1 49 5E 23 96
53 56 1D 83

recv
00584605 8B80 90000000 MOV EAX,[EAX+90]
0058460B E8 0C65F3FF    CALL 004BAB1C                         ; 004BAB1C
00584610 8B55 C0       MOV EDX,[EBP-40]

004BAB1C 53             PUSH EBX
004BAB1D 56             PUSH ESI
004BAB1E 8BDA          MOV EBX,EDX
004BAB20 8BF0          MOV ESI,EAX
004BAB22 83C9 FF       OR ECX,FFFFFFFF
004BAB25 33D2          XOR EDX,EDX
004BAB27 8BC6          MOV EAX,ESI
004BAB29 E8 76FEFFFF    CALL 004BA9A4                         ;得出recv字节数
004BAB2E 8BD0          MOV EDX,EAX
004BAB30 8BC3          MOV EAX,EBX
004BAB32 E8 9DA7F4FF    CALL 004052D4                         ; 004052D4
004BAB37 8B03          MOV EAX,[EBX]
004BAB39 E8 12A4F4FF    CALL 00404F50                         ;取字节数到EAX
004BAB3E 8BC8          MOV ECX,EAX
004BAB40 8B13          MOV EDX,[EBX]
004BAB42 8BC6          MOV EAX,ESI
004BAB44 E8 5BFEFFFF    CALL 004BA9A4                         ;recv
004BAB49 8BD0          MOV EDX,EAX
004BAB4B 8BC3          MOV EAX,EBX
004BAB4D E8 82A7F4FF    CALL 004052D4                         ; 004052D4
004BAB52 5E             POP ESI
004BAB53 5B             POP EBX
004BAB54 C3             RETN

EAX 012ABC30
ECX 000000C0
EDX 0012FDBC
EBX 0124444C
ESP 0012FD90
EBP 0012FDFC
ESI 004BA5F4 main_dat.004BA5F4
EDI 0012FF5C
EIP 0058460B main_dat.0058460B

0012FD24 000000E4  |Socket = E4
0012FD28 0146E084  |Buffer = 0146E084
0012FD2C 0000001D  |BufSize = 1D (29.)
0012FD30 00000000  \Flags = 0

;解收的字节数

004BAB37 8B03          MOV EAX,[EBX]
004BAB39 B8 1C040000    MOV EAX,41C
004BAB3E 8BC8          MOV ECX,EAX

004BAB3E       8BC8          MOV ECX,EAX ;接收字节数
004BAB40       8B13          MOV EDX,[EBX] ;接收地址
004BAB42       8BC6          MOV EAX,ESI ;不知
004BAB44       E8 5BFEFFFF    CALL 004BA9A4

0012FD84 004BA5F4
0012FD88 0124444C
0012FD8C 00584610  RETURN to 00584610 from 004BAB1C
0012FD90 0012FE50  Pointer to next SEH record
0012FD94 00585056  SE handler

mycode
590200

00590200 B8 1C040000    MOV EAX,41C
00590205 8BC8          MOV ECX,EAX
00590207 BE 54B47D00    MOV ESI,7DB454
0059020C 8B3B          MOV EDI,[EBX]
0059020E F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI>
00590210  ^ E9 34A9F2FF    JMP 004BAB49                            ; 004BAB49

B8 1C 04 00 00 8B C8 BE 54 B4 7D 00 8B 3B F3 A4 E9 34 A9 F2 FF 00 00 00

mydata
3db454
7db454

004BAB32 E8 9DA7F4FF    CALL 004052D4                         ; 004052D4
004BAB37 E9 C4560D00    JMP 00590200                            ; 00590200
004BAB3C 0000          ADD [EAX],AL
004BAB3E 0000          ADD [EAX],AL
004BAB40 0000          ADD [EAX],AL
004BAB42 0000          ADD [EAX],AL
004BAB44 0000          ADD [EAX],AL
004BAB46 0000          ADD [EAX],AL
004BAB48 90             NOP
004BAB49 8BD0          MOV EDX,EAX
004BAB4B 8BC3          MOV EAX,EBX
004BAB4D E8 82A7F4FF    CALL 004052D4                         ; 004052D4

E9 C4 56 0D 00 00 00 00 00 00 00 00 00 00 00 00 00 90 8B D0

004BAB27 8BC6          MOV EAX,ESI
004BAB29 B8 1C040000    MOV EAX,41C
004BAB2E 8BD0          MOV EDX,EAX

;解码
0146ECF0  36 31 2E 31 35 31 2E 32 35 34 2E 33 2F 74 65 73  61.151.254.3/tes
0146ED00  74 37 34 38                                     t748

00568BBB  ^\7C 9B          JL SHORT 00568B58                                        ; 00568B58
00568BBD 33C0          XOR EAX,EAX
00568BBF 5A             POP EDX

0057AAF3 E8 C0D3E8FF    CALL 00407EB8                                           ; 00407EB8
0057AAF8 A1 64F05800    MOV EAX,[58F064]
0057AAFD C700 FFFFFFFF MOV DWORD PTR [EAX],-1
0057AB03 A1 D8FC5800    MOV EAX,[58FCD8]
0057AB08 33D2          XOR EDX,EDX
0057AB0A 8910          MOV [EAX],EDX
0057AB0C E8 737AF8FF    CALL 00502584                                           ; 00502584
0057AB11 A1 FCF15800    MOV EAX,[58F1FC]
0057AB16 C700 FFFFFFFF MOV DWORD PTR [EAX],-1
0057AB1C A1 A8F75800    MOV EAX,[58F7A8]
0057AB21 C700 FFFFFFFF MOV DWORD PTR [EAX],-1
0057AB27 E9 5C010000    JMP 0057AC88                                           ; 0057AC88
0057AB2C A1 A0015900    MOV EAX,[5901A0]
0057AB31 8338 00       CMP DWORD PTR [EAX],0
0057AB34 75 57          JNZ SHORT 0057AB8D                                     ; 0057AB8D
0057AB36 A1 A0EF5800    MOV EAX,[58EFA0]
0057AB3B 8338 00       CMP DWORD PTR [EAX],0
0057AB3E 7C 4D          JL SHORT 0057AB8D                                        ; 0057AB8D
0057AB40 6A 00          PUSH 0
0057AB42 6A 00          PUSH 0
0057AB44 6A 00          PUSH 0
0057AB46 6A 00          PUSH 0
0057AB48 6A 00          PUSH 0
0057AB4A 6A 00          PUSH 0
0057AB4C 6A 00          PUSH 0
0057AB4E 68 E8AC5700    PUSH 57ACE8                                              ; ASCII "您的"
0057AB53 A1 38F85800    MOV EAX,[58F838]
0057AB58 FF30          PUSH DWORD PTR [EAX]
0057AB5A 68 F8AC5700    PUSH 57ACF8                                              ; ASCII "剩余"
0057AB5F 8D55 F4       LEA EDX,[EBP-C]
0057AB62 A1 A0EF5800    MOV EAX,[58EFA0]
0057AB67 8B00          MOV EAX,[EAX]
0057AB69 E8 F26DF9FF    CALL 00511960                                           ; 00511960
0057AB6E FF75 F4       PUSH DWORD PTR [EBP-C]
0057AB71 8D45 F8       LEA EAX,[EBP-8]

16:42:19 您的热血传神剩余228天10小时

0057AA20 8B45 08       MOV EAX,[EBP+8]
0057AA23 8B40 FC       MOV EAX,[EAX-4]
0057AA26 E8 61490000    CALL 0057F38C                         ; eax=1正确
0057AA2B 85C0          TEST EAX,EAX
0057AA2D 0F85 F9000000 JNZ 0057AB2C                            ; 0057AB2C
0057AA33 A1 A0015900    MOV EAX,[5901A0]

0057F428 A1 64E75800    MOV EAX,[58E764]
0057F42D 8338 00       CMP DWORD PTR [EAX],0
0057F430 0F84 A5000000 JE 0057F4DB                            ; 0057F4DB

00567113 C3             RETN
00567114 55             PUSH EBP
00567115 8BEC          MOV EBP,ESP

0057F39D A1 00FE5800    MOV EAX,[58FE00]
0057F3A2 8B00          MOV EAX,[EAX]
0057F3A4 E8 A75BE8FF    CALL 00404F50                         ; 00404F50

0057F428 A1 64E75800    MOV EAX,[58E764]
0057F42D 8338 00       CMP DWORD PTR [EAX],0
0057F430 0F84 A5000000 JE 0057F4DB                            ; 0057F4DB

005674FD 8B45 FC       MOV EAX,[EBP-4]
00567500 BA 78755600    MOV EDX,567578                         ; ASCII "$data5"
00567505 E8 8ADBE9FF    CALL 00405094                         ; 00405094
0056750A 75 39          JNZ SHORT 00567545                      ; 00567545

0056752A 9E             SAHF
0056752B 75 0B          JNZ SHORT 00567538                      ; 00567538
0056752D A1 64E75800    MOV EAX,[58E764]

0056750C 8B45 F8       MOV EAX,[EBP-8]
0056750F FF70 04       PUSH DWORD PTR [EAX+4]
00567512 FF30          PUSH DWORD PTR [EAX]
00567514 6A 00          PUSH 0
00567516 6A 00          PUSH 0
00567518 B8 07000000    MOV EAX,7
0056751D E8 2E050000    CALL 00567A50                         ; 00567A50

0012F5C8 00000000  |Arg1 = 00000000
0012F5CC 00000000  |Arg2 = 00000000
0012F5D0 00000000  |Arg3 = 00000000
0012F5D4 00000000  \Arg4 = 00000000

0012F5C8 00000000  |Arg1 = 00000000
0012F5CC 00000000  |Arg2 = 00000000
0012F5D0 00000000  |Arg3 = 00000000
0012F5D4 3FF00000  \Arg4 = 3FF00000

0057F40A BA ECF45700    MOV EDX,57F4EC
0057F40F E8 CC97FEFF    CALL 00568BE0                         ; 00568BE0
0057F414 A1 14E75800    MOV EAX,[58E714]
0057F419 8B00          MOV EAX,[EAX]
0057F41B 83B8 D4000000 0>CMP DWORD PTR [EAX+D4],0
0057F422 0F84 B3000000 JE 0057F4DB                            ; 0057F4DB
0057F428 A1 64E75800    MOV EAX,[58E764]
0057F42D 8338 00       CMP DWORD PTR [EAX],0
0057F430 0F84 A5000000 JE 0057F4DB                            ; 0057F4DB
0057F436 A1 00E95800    MOV EAX,[58E900]

0057F40A BA ECF45700    MOV EDX,57F4EC
0057F40F E8 CC97FEFF    CALL 00568BE0                         ; 00568BE0
0057F414 A1 14E75800    MOV EAX,[58E714]
0057F419 8B00          MOV EAX,[EAX]
0057F41B 83B8 D4000000 0>CMP DWORD PTR [EAX+D4],0
0057F422 0F84 B3000000 JE 0057F4DB                            ; 0057F4DB
0057F428 A1 64E75800    MOV EAX,[58E764]
0057F42D 8338 00       CMP DWORD PTR [EAX],0
0057F430 0F84 A5000000 JE 0057F4DB                            ; 0057F4DB
0057F436 A1 00E95800    MOV EAX,[58E900]
0057F43B FF40 12       INC DWORD PTR [EAX+12]

0057AD2F 55             PUSH EBP
0057AD30 E8 A7FCFFFF    CALL 0057A9DC                         ; 0057A9DC

0057AA20 8B45 08       MOV EAX,[EBP+8]
0057AA23 8B40 FC       MOV EAX,[EAX-4]
0057AA26 E8 61490000    CALL 0057F38C                         ; !!!
0057AA2B 85C0          TEST EAX,EAX

00568B63 E8 74FBFFFF    CALL 005686DC                         ; 2 times
00568B68 59             POP ECX                               ; 0012F680

00568A68 E8 67EAFFFF    CALL 005674D4                         ; 005674D4
00568A6D EB 62          JMP SHORT 00568AD1                      ; 00568AD1
00568A6F 55             PUSH EBP

1
DS:[0173E668]=000000B1
EAX=00000014

DS:[0123E684]=000000B1
EAX=00000014

2
DS:[0173E668]=000000B1
EAX=00000073

DS:[0173E668]=000000B1
EAX=00000073

DS:[0123E684]=???
EAX=00000036

send
Call stack of main thread
Address Stack    Procedure / arguments                Called from                Frame
0012FB30 00568C44 ? main_dat.00568B14                main_dat.00568C3F          0012FB2C
0012FB50 0057F64A ? main_dat.00568BE0                main_dat.0057F645          0012FB4C
0012FB5C 00580F1C main_dat.0057F600                   main_dat.00580F17          0012FB58
0012FE00 005850F7 ? main_dat.00580C00                main_dat.005850F2          0012FDFC
0012FE14 004BBD95 Includes main_dat.005850F7          main_dat.004BBD92          0012FE10
0012FE1C 004BBAF2 Includes main_dat.004BBD95          main_dat.004BBAEF          0012FE24
0012FE28 004BA609 Includes main_dat.004BBAF2          main_dat.004BA606          0012FE24
0012FE34 004BAD46 main_dat.004040A4                   main_dat.004BAD41          0012FE48
0012FE3C 004B9FC3 Includes main_dat.004BAD46          main_dat.004B9FC0          0012FE48
0012FE4C 004BAB78 Includes main_dat.004B9FC3          main_dat.004BAB75          0012FE48
0012FE70 0042517E Includes main_dat.004BAB78          main_dat.0042517C          0012FE6C
0012FE88 77E1A420 Includes main_dat.0042517E          user32.77E1A41D             0012FE84
0012FEA8 77DF4605 user32.77E1A408                      user32.77DF4600             0012FEA4
0012FF34 77DF5B77 user32.77DF4321                      user32.77DF5B72             0012FF30
0012FF40 0046BE20 <JMP.&user32.DispatchMessageA>       main_dat.0046BE1B          0012FFA8
0012FF44 0012FF5C    pMsg = WM_USER+1 hw = 40077C (clas
0012FF58 0046BE57 main_dat.0046BD98                   main_dat.0046BE52          0012FFA8
0012FF7C 0046C077 main_dat.0046BE48                   main_dat.0046C072          0012FFA8
0012FFAC 007E1A4F main_dat.0046BFDC                   main_dat.007E1A4A          0012FFA8

0056785C 8D45 EC       LEA EAX,[EBP-14]
0056785F 6B55 F4 17    IMUL EDX,[EBP-C],17
00567863 8B0D 00216100 MOV ECX,[612100]
00567869 8D1451       LEA EDX,[ECX+EDX*2]
0056786C B9 29000000    MOV ECX,29
00567871 E8 8AD6E9FF    CALL 00404F00                         ;新的变量名字
00567876 8B45 EC       MOV EAX,[EBP-14]
00567879 8B55 FC       MOV EDX,[EBP-4]
0056787C E8 13D8E9FF    CALL 00405094                         ;比较是不是$data5
00567881 75 08          JNZ SHORT 0056788B                      ; 0056788B
00567883 8B45 F4       MOV EAX,[EBP-C]
00567886 8945 F8       MOV [EBP-8],EAX
00567889 EB 08          JMP SHORT 00567893                      ; 00567893
0056788B FF45 F4       INC DWORD PTR [EBP-C]
0056788E FF4D F0       DEC DWORD PTR [EBP-10]
00567891  ^ 75 C9          JNZ SHORT 0056785C                      ; 0056785C

00568A65 8B45 DC       MOV EAX,[EBP-24]
00568A68 E8 67EAFFFF    CALL 005674D4                         ; data5
00568A6D EB 62          JMP SHORT 00568AD1                      ; 00568AD1
00568A6F 55             PUSH EBP

eax=1d
00568A57 55             PUSH EBP
00568A58 E8 37F8FFFF    CALL 00568294                         ; 00568294
00568A5D 59             POP ECX
00568A5E 85C0          TEST EAX,EAX
00568A60 74 6F          JE SHORT 00568AD1                      ; 00568AD1
00568A62 8D55 F0       LEA EDX,[EBP-10]
00568A65 8B45 DC       MOV EAX,[EBP-24]
00568A68 E8 67EAFFFF    CALL 005674D4                         ; data5
00568A6D EB 62          JMP SHORT 00568AD1                      ; 00568AD1

Call stack of main thread
Address Stack    Procedure / arguments                Called from                Frame
0012FB0C 0044F968 <JMP.&user32.CreateWindowExA>       main_dat.0044F963          0012FC20
0012FB10 00000000    ExtStyle = 0
0012FB14 0012FBE0    Class = "TFlatButton"
0012FB18 012072D0    WindowName = "关闭"
0012FB1C 44000000    Style = WS_CHILD|WS_CLIPSIBLINGS
0012FB20 000000DF    X = DF (223.)
0012FB24 00000082    Y = 82 (130.)
0012FB28 00000030    Width = 30 (48.)
0012FB2C 00000014    Height = 14 (20.)
0012FB30 001D0B8A    hParent = 001D0B8A ('FrmMsg',class
0012FB34 00000000    hMenu = NULL
0012FB38 00400000    hInst = 00400000
0012FB3C 00000000    lParam = NULL
0012FB48 0044F8BF Includes main_dat.0044F968          main_dat.0044F8B9

00000028
00000073

4B

0050157C 8338 00       CMP DWORD PTR [EAX],0
0050157F  ^ 75 C4          JNZ SHORT 00501545                      ; 00501545
00501581 A1 C4F45800    MOV EAX,[58F4C4]
00501586 8338 00       CMP DWORD PTR [EAX],0
00501589 74 1F          JE SHORT 005015AA                      ; 005015AA
0050158B 6A 00          PUSH 0
0050158D 6A 00          PUSH 0
0050158F 6A 00          PUSH 0
00501591 6A 00          PUSH 0
00501593 6A 00          PUSH 0
00501595 6A 00          PUSH 0
00501597 6A 00          PUSH 0
00501599 33C9          XOR ECX,ECX
0050159B BA 01000000    MOV EDX,1
005015A0 B8 EC155000    MOV EAX,5015EC                         ; ASCII "err1"
005015A5 E8 2A050000    CALL 00501AD4                         ; 00501AD4
005015AA C705 AC7F5F00 F>MOV DWORD PTR [5F7FAC],-1
005015B4 33C0          XOR EAX,EAX
005015B6 5A             POP EDX
005015B7 59             POP ECX
005015B8 59             POP ECX
005015B9 64:8910       MOV FS:[EAX],EDX
005015BC 68 E0155000    PUSH 5015E0                            ; ASCII "Y]?
005015C1 A1 28FC5800    MOV EAX,[58FC28]
005015C6 FF00          INC DWORD PTR [EAX]
005015C8 A1 BCE55800    MOV EAX,[58E5BC]

0012FD58 00404C87  /CALL to CreateThread from main_dat.00404C82
0012FD5C 00000000  |pSecurity = NULL
0012FD60 00000000  |StackSize = 0
0012FD64 00404C14  |ThreadFunction = main_dat.00404C14
0012FD68 0122F7D8  |pThreadParm = 0122F7D8
0012FD6C 00000004  |CreationFlags = CREATE_SUSPENDED
0012FD70 0143AFC4  \pThreadId = 0143AFC4

复制1次
004029C5 F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR [E>

复制2次
004029C5 F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR [E>

0057D402 A1 00FE5800    MOV EAX,[58FE00]
0057D407 8B00          MOV EAX,[EAX]
0057D409 8A80 40010000 MOV AL,[EAX+140]
0057D40F 8B15 6CF85800 MOV EDX,[58F86C]                      ; main_dat.006FD024
0057D415 8802          MOV [EDX],AL
0057D417 A1 54015900    MOV EAX,[590154]
0057D41C 8A00          MOV AL,[EAX]
0057D41E 34 61          XOR AL,61
0057D420 8B15 94015900 MOV EDX,[590194]                      ; main_dat.006FCF4C
0057D426 3A02          CMP AL,[EDX] ;关键
0057D428 75 24          JNZ SHORT 0057D44E                      ; 0057D44E
0057D42A A1 00FE5800    MOV EAX,[58FE00]

00584ACF E8 7C04E8FF    CALL 00404F50                         ; 00404F50
00584AD4 48             DEC EAX
00584AD5 7C 11          JL SHORT 00584AE8                      ; 00584AE8
00584AD7 A1 9CED5800    MOV EAX,[58ED9C]
00584ADC 8B00          MOV EAX,[EAX]
00584ADE 8A00          MOV AL,[EAX]
00584AE0 8B15 0CFF5800 MOV EDX,[58FF0C]                      ; main_dat.006122E4

00584AE0 8B15 0CFF5800 MOV EDX,[58FF0C]                      ; main_dat.006122E4
00584B03 8B15 20005900 MOV EDX,[590020]                      ; main_dat.00612335
00584B26 8B15 84F65800 MOV EDX,[58F684]                      ; main_dat.00617D26
00584B49 8B15 2CEE5800 MOV EDX,[58EE2C]                      ; main_dat.0062CF40
00584B6C 8B15 90FB5800 MOV EDX,[58FB90]                      ; main_dat.0062D094
00584B8F 8B15 34F95800 MOV EDX,[58F934]                      ; main_dat.006F2CFC
00584BB2 8B15 C8E95800 MOV EDX,[58E9C8]                      ; main_dat.006FCB48
00584BD5 8B15 84EB5800 MOV EDX,[58EB84]                      ; main_dat.006FCB80

004EF379 A1 00FE5800    MOV EAX,[58FE00]
004EF37E 8B00          MOV EAX,[EAX]
004EF380 8A80 9C000000 MOV AL,[EAX+9C]
004EF386 8B15 94015900 MOV EDX,[590194]                      ; main_dat.006FCF4C
004EF38C 8802          MOV [EDX],AL
004EF38E A1 94015900    MOV EAX,[590194]
004EF393 8A00          MOV AL,[EAX]
004EF395 8B15 D0F45800 MOV EDX,[58F4D0]                      ; main_dat.006FD59C
004EF39B 8802          MOV [EDX],AL

0057D402 A1 00FE5800    MOV EAX,[58FE00]
0057D407 8B00          MOV EAX,[EAX]
0057D409 8A80 40010000 MOV AL,[EAX+140]
0057D40F 8B15 6CF85800 MOV EDX,[58F86C]                      ; main_dat.006FD024
0057D415 8802          MOV [EDX],AL
0057D417 A1 54015900    MOV EAX,[590154]
0057D41C 8A00          MOV AL,[EAX]
0057D41E 34 61          XOR AL,61
0057D420 8B15 94015900 MOV EDX,[590194]                      ; main_dat.006FCF4C
0057D426 3A02          CMP AL,[EDX]
0057D428 75 24          JNZ SHORT 0057D44E                      ; 0057D44E

00584C11 A1 9CED5800    MOV EAX,[58ED9C]
00584C16 8B00          MOV EAX,[EAX]
00584C18 8A40 09       MOV AL,[EAX+9]
00584C1B 8B15 94015900 MOV EDX,[590194]                      ; main_dat.006FCF4C
00584C21 8802          MOV [EDX],AL
00584C23 A1 9CED5800    MOV EAX,[58ED9C]
00584C28 8B00          MOV EAX,[EAX]
00584C2A E8 2103E8FF    CALL 00404F50                         ; 00404F50

0057D41C 8A00          MOV AL,[EAX]
0057D41E 34 61          XOR AL,61
0057D420 8B15 94015900 MOV EDX,[590194]                      ; main_dat.006FCF4C

8a 00 34 ?? 8b 15

Breakpoints
Address Module    Active                   Disassembly                         Comment
004CEA9F main_dat Always                   CALL 004CDA38
004DA9BE main_dat Always                   MOV EAX,[58F374]
004DC20A main_dat Always                   MOV EAX,[58FE00]
004E6BE2 main_dat Always                   MOV EAX,[58F7A0]
004E827D main_dat Always                   MOV EAX,[58F614]
004E8D33 main_dat Always                   MOV [EBP-4],EAX
004EAAEA main_dat Always                   MOV EAX,[58E67C]
004EF351 main_dat Always                   MOV EAX,[58FE00]
005097A9 main_dat Always                   MOV EAX,[58FE00]
0051BF1F main_dat Always                   MOV EAX,[58EBA4]
00520D90 main_dat Always                   MOV EAX,[58F870]
0057D402 main_dat Always                   MOV EAX,[58FE00]
0057D426 main_dat Always                   CMP AL,[EDX]
00584ADC main_dat Always                   MOV EAX,[EAX]

Windows, item 82
Handle=E02D60D42
Title=FrmMsg
Parent=008D02C6
Style=86000000 WS_POPUP|WS_CLIPSIBLINGS|WS_CLIPCHILDREN
ExtStyle=00010008 WS_EX_TOPMOST|WS_EX_CONTROLPARENT
Thread=Main
ClsProc=00448DF0 main_dat.00448DF0
Class=TFrmMsg

0012F824 00010000  |ExtStyle = WS_EX_CONTROLPARENT
0012F828 0012F8C8  |Class = "TFrmMsg"
0012F82C 01296204  |WindowName = "FrmMsg"
0012F830 86000000  |Style = WS_POPUP|WS_CLIPSIBLINGS|WS_CLIPCHILDREN
0012F834 0000017D  |X = 17D (381.)
0012F838 00000100  |Y = 100 (256.)
0012F83C 00000140  |Width = 140 (320.)
0012F840 000000F0  |Height = F0 (240.)
0012F844 0196027A  |hParent = 0196027A ('55555555555',class='TApplication')
0012F848 00000000  |hMenu = NULL
0012F84C 00400000  |hInst = 00400000
0012F850 00000000  \lParam = NULL

00466EEB 8BC3          MOV EAX,EBX
00466EED E8 3E8AFEFF    CALL 0044F930                                           ;死call
00466EF2 80A3 EC020000 E>AND BYTE PTR [EBX+2EC],0EF
00466EF9 8BC3          MOV EAX,EBX

0057D36D 8B80 DC030000 MOV EAX,[EAX+3DC]
0057D373 E8 6CEBECFF    CALL 0044BEE4                                           ; 0044BEE4
0057D378 A1 FCE95800    MOV EAX,[58E9FC]

0044BB72 8BD8          MOV EBX,EAX
0044BB74 8BB3 A0000000 MOV ESI,[EBX+A0]
0044BB7A 85F6          TEST ESI,ESI
0044BB7C 74 40          JE SHORT 0044BBBE                                        ; 0044BBBE
0044BB7E 833D BC1B5900 0>CMP DWORD PTR [591BBC],0
0044BB85 75 37          JNZ SHORT 0044BBBE                                     ; 0044BBBE
0044BB87 66:A1 C8BB4400  MOV AX,[44BBC8]
0044BB8D 66:2343 1C    AND AX,[EBX+1C]
0044BB91 66:8B15 CCBB440>MOV DX,[44BBCC]
0044BB98 66:3BD0       CMP DX,AX
0044BB9B 75 21          JNZ SHORT 0044BBBE                                     ; 0044BBBE
0044BB9D 897D F0       MOV [EBP-10],EDI
0044BBA0 8B45 FC       MOV EAX,[EBP-4]
0044BBA3 8945 F4       MOV [EBP-C],EAX
0044BBA6 8B45 08       MOV EAX,[EBP+8]
0044BBA9 8945 F8       MOV [EBP-8],EAX
0044BBAC 8D45 F0       LEA EAX,[EBP-10]
0044BBAF 50             PUSH EAX

/////////////////////////////////////////////////////////////////////

00584AD4 48             DEC EAX
00584AD5 7C 11          JL SHORT 00584AE8                      ; 00584AE8
00584AD7 A1 9CED5800    MOV EAX,[58ED9C]
00584ADC 8B00          MOV EAX,[EAX]
00584ADE 8A00          MOV AL,[EAX]
00584AE0 8B15 0CFF5800 MOV EDX,[58FF0C]                      ; main_dat.006122E4
00584AE6 8802          MOV [EDX],AL
00584AE8 A1 9CED5800    MOV EAX,[58ED9C]
00584AED 8B00          MOV EAX,[EAX]
00584AEF E8 5C04E8FF    CALL 00404F50                         ; 00404F50
00584AF4 83F8 02       CMP EAX,2
00584AF7 7C 12          JL SHORT 00584B0B                      ; 00584B0B
00584AF9 A1 9CED5800    MOV EAX,[58ED9C]
00584AFE 8B00          MOV EAX,[EAX]
00584B00 8A40 01       MOV AL,[EAX+1]
00584B03 8B15 20005900 MOV EDX,[590020]                      ; main_dat.00612335
00584B09 8802          MOV [EDX],AL
00584B0B A1 9CED5800    MOV EAX,[58ED9C]
00584B10 8B00          MOV EAX,[EAX]
00584B12 E8 3904E8FF    CALL 00404F50                         ; 00404F50
00584B17 83F8 03       CMP EAX,3
00584B1A 7C 12          JL SHORT 00584B2E                      ; 00584B2E
00584B1C A1 9CED5800    MOV EAX,[58ED9C]
00584B21 8B00          MOV EAX,[EAX]
00584B23 8A40 02       MOV AL,[EAX+2]
00584B26 8B15 84F65800 MOV EDX,[58F684]                      ; main_dat.00617D26
00584B2C 8802          MOV [EDX],AL
00584B2E A1 9CED5800    MOV EAX,[58ED9C]
00584B33 8B00          MOV EAX,[EAX]
00584B35 E8 1604E8FF    CALL 00404F50                         ; 00404F50
00584B3A 83F8 04       CMP EAX,4
00584B3D 7C 12          JL SHORT 00584B51                      ; 00584B51
00584B3F A1 9CED5800    MOV EAX,[58ED9C]
00584B44 8B00          MOV EAX,[EAX]
00584B46 8A40 03       MOV AL,[EAX+3]
00584B49 8B15 2CEE5800 MOV EDX,[58EE2C]                      ; main_dat.0062CF40
00584B4F 8802          MOV [EDX],AL
00584B51 A1 9CED5800    MOV EAX,[58ED9C]
00584B56 8B00          MOV EAX,[EAX]
00584B58 E8 F303E8FF    CALL 00404F50                         ; 00404F50
00584B5D 83F8 05       CMP EAX,5
00584B60 7C 12          JL SHORT 00584B74                      ; 00584B74
00584B62 A1 9CED5800    MOV EAX,[58ED9C]
00584B67 8B00          MOV EAX,[EAX]
00584B69 8A40 04       MOV AL,[EAX+4]
00584B6C 8B15 90FB5800 MOV EDX,[58FB90]                      ; main_dat.0062D094
00584B72 8802          MOV [EDX],AL
00584B74 A1 9CED5800    MOV EAX,[58ED9C]
00584B79 8B00          MOV EAX,[EAX]
00584B7B E8 D003E8FF    CALL 00404F50                         ; 00404F50
00584B80 83F8 06       CMP EAX,6
00584B83 7C 12          JL SHORT 00584B97                      ; 00584B97
00584B85 A1 9CED5800    MOV EAX,[58ED9C]
00584B8A 8B00          MOV EAX,[EAX]
00584B8C 8A40 05       MOV AL,[EAX+5]
00584B8F 8B15 34F95800 MOV EDX,[58F934]                      ; main_dat.006F2CFC
00584B95 8802          MOV [EDX],AL
00584B97 A1 9CED5800    MOV EAX,[58ED9C]
00584B9C 8B00          MOV EAX,[EAX]
00584B9E E8 AD03E8FF    CALL 00404F50                         ; 00404F50
00584BA3 83F8 07       CMP EAX,7
00584BA6 7C 12          JL SHORT 00584BBA                      ; 00584BBA
00584BA8 A1 9CED5800    MOV EAX,[58ED9C]
00584BAD 8B00          MOV EAX,[EAX]
00584BAF 8A40 06       MOV AL,[EAX+6]
00584BB2 8B15 C8E95800 MOV EDX,[58E9C8]                      ; main_dat.006FCB48
00584BB8 8802          MOV [EDX],AL
00584BBA A1 9CED5800    MOV EAX,[58ED9C]
00584BBF 8B00          MOV EAX,[EAX]
00584BC1 E8 8A03E8FF    CALL 00404F50                         ; 00404F50
00584BC6 83F8 08       CMP EAX,8
00584BC9 7C 12          JL SHORT 00584BDD                      ; 00584BDD
00584BCB A1 9CED5800    MOV EAX,[58ED9C]
00584BD0 8B00          MOV EAX,[EAX]
00584BD2 8A40 07       MOV AL,[EAX+7]
00584BD5 8B15 84EB5800 MOV EDX,[58EB84]                      ; main_dat.006FCB80
00584BDB 8802          MOV [EDX],AL
00584BDD A1 9CED5800    MOV EAX,[58ED9C]
00584BE2 8B00          MOV EAX,[EAX]
00584BE4 E8 6703E8FF    CALL 00404F50                         ; 00404F50
00584BE9 83F8 09       CMP EAX,9
00584BEC 7C 12          JL SHORT 00584C00                      ; 00584C00
00584BEE A1 9CED5800    MOV EAX,[58ED9C]
00584BF3 8B00          MOV EAX,[EAX]
00584BF5 8A40 08       MOV AL,[EAX+8]
00584BF8 8B15 F8F95800 MOV EDX,[58F9F8]                      ; main_dat.006FCD7C
00584BFE 8802          MOV [EDX],AL
00584C00 A1 9CED5800    MOV EAX,[58ED9C]
00584C05 8B00          MOV EAX,[EAX]
00584C07 E8 4403E8FF    CALL 00404F50                         ; 00404F50
00584C0C 83F8 0A       CMP EAX,0A
00584C0F 7C 12          JL SHORT 00584C23                      ; 00584C23
00584C11 A1 9CED5800    MOV EAX,[58ED9C]
00584C16 8B00          MOV EAX,[EAX]
00584C18 8A40 09       MOV AL,[EAX+9]
00584C1B 8B15 94015900 MOV EDX,[590194]                      ; main_dat.006FCF4C
00584C21 8802          MOV [EDX],AL
00584C23 A1 9CED5800    MOV EAX,[58ED9C]
00584C28 8B00          MOV EAX,[EAX]
00584C2A E8 2103E8FF    CALL 00404F50                         ; 00404F50
00584C2F 83F8 0B       CMP EAX,0B
00584C32 7C 12          JL SHORT 00584C46                      ; 00584C46
00584C34 A1 9CED5800    MOV EAX,[58ED9C]
00584C39 8B00          MOV EAX,[EAX]
00584C3B 8A40 0A       MOV AL,[EAX+A]
00584C3E 8B15 6CF85800 MOV EDX,[58F86C]                      ; main_dat.006FD024
00584C44 8802          MOV [EDX],AL
00584C46 A1 9CED5800    MOV EAX,[58ED9C]
00584C4B 8B00          MOV EAX,[EAX]
00584C4D E8 FE02E8FF    CALL 00404F50                         ; 00404F50
00584C52 83F8 0C       CMP EAX,0C
00584C55 7C 12          JL SHORT 00584C69                      ; 00584C69
00584C57 A1 9CED5800    MOV EAX,[58ED9C]
00584C5C 8B00          MOV EAX,[EAX]
00584C5E 8A40 0B       MOV AL,[EAX+B]
00584C61 8B15 A4F95800 MOV EDX,[58F9A4]                      ; main_dat.006FD011
00584C67 8802          MOV [EDX],AL
00584C69 A1 50005900    MOV EAX,[590050]
00584C6E 8B00          MOV EAX,[EAX]
00584C70 E8 DB02E8FF    CALL 00404F50                         ; 00404F50
00584C75 83F8 0D       CMP EAX,0D
00584C78 7C 12          JL SHORT 00584C8C                      ; 00584C8C
00584C7A A1 50005900    MOV EAX,[590050]
00584C7F 8B00          MOV EAX,[EAX]
00584C81 8A40 0C       MOV AL,[EAX+C]
00584C84 8B15 00EF5800 MOV EDX,[58EF00]                      ; main_dat.006FD14C
00584C8A 8802          MOV [EDX],AL
00584C8C A1 9CED5800    MOV EAX,[58ED9C]
00584C91 8B00          MOV EAX,[EAX]
00584C93 E8 B802E8FF    CALL 00404F50                         ; 00404F50
00584C98 83F8 0E       CMP EAX,0E
00584C9B 7C 12          JL SHORT 00584CAF                      ; 00584CAF
00584C9D A1 9CED5800    MOV EAX,[58ED9C]
00584CA2 8B00          MOV EAX,[EAX]
00584CA4 8A40 0D       MOV AL,[EAX+D]
00584CA7 8B15 50E75800 MOV EDX,[58E750]                      ; main_dat.006FD1A5
00584CAD 8802          MOV [EDX],AL
00584CAF A1 9CED5800    MOV EAX,[58ED9C]
00584CB4 8B00          MOV EAX,[EAX]
00584CB6 E8 9502E8FF    CALL 00404F50                         ; 00404F50
00584CBB 83F8 0F       CMP EAX,0F
00584CBE 7C 12          JL SHORT 00584CD2                      ; 00584CD2
00584CC0 A1 9CED5800    MOV EAX,[58ED9C]
00584CC5 8B00          MOV EAX,[EAX]
00584CC7 8A40 0E       MOV AL,[EAX+E]
00584CCA 8B15 D0F45800 MOV EDX,[58F4D0]                      ; main_dat.006FD59C
00584CD0 8802          MOV [EDX],AL
00584CD2 A1 9CED5800    MOV EAX,[58ED9C]
00584CD7 8B00          MOV EAX,[EAX]
00584CD9 E8 7202E8FF    CALL 00404F50                         ; 00404F50
00584CDE 83F8 10       CMP EAX,10
00584CE1 7C 12          JL SHORT 00584CF5                      ; 00584CF5
00584CE3 A1 9CED5800    MOV EAX,[58ED9C]
00584CE8 8B00          MOV EAX,[EAX]
00584CEA 8A40 0F       MOV AL,[EAX+F]
00584CED 8B15 14F25800 MOV EDX,[58F214]                      ; main_dat.006FD658
00584CF3 8802          MOV [EDX],AL
00584CF5 A1 9CED5800    MOV EAX,[58ED9C]
00584CFA 8B00          MOV EAX,[EAX]
00584CFC E8 4F02E8FF    CALL 00404F50                         ; 00404F50
00584D01 83F8 11       CMP EAX,11
00584D04 7C 12          JL SHORT 00584D18                      ; 00584D18
00584D06 A1 9CED5800    MOV EAX,[58ED9C]
00584D0B 8B00          MOV EAX,[EAX]
00584D0D 8A40 10       MOV AL,[EAX+10]
00584D10 8B15 54015900 MOV EDX,[590154]                      ; main_dat.006FD7F1
00584D16 8802          MOV [EDX],AL
00584D18 A1 9CED5800    MOV EAX,[58ED9C]
00584D1D 8B00          MOV EAX,[EAX]
00584D1F E8 2C02E8FF    CALL 00404F50                         ; 00404F50
00584D24 83F8 12       CMP EAX,12
00584D27 7C 12          JL SHORT 00584D3B                      ; 00584D3B
00584D29 A1 9CED5800    MOV EAX,[58ED9C]
00584D2E 8B00          MOV EAX,[EAX]
00584D30 8A40 11       MOV AL,[EAX+11]
00584D33 8B15 FCE45800 MOV EDX,[58E4FC]                      ; main_dat.006FD8CC
00584D39 8802          MOV [EDX],AL
00584D3B A1 9CED5800    MOV EAX,[58ED9C]
00584D40 8B00          MOV EAX,[EAX]
00584D42 E8 0902E8FF    CALL 00404F50                         ; 00404F50
00584D47 83F8 13       CMP EAX,13
00584D4A 7C 12          JL SHORT 00584D5E                      ; 00584D5E
00584D4C A1 9CED5800    MOV EAX,[58ED9C]
00584D51 8B00          MOV EAX,[EAX]
00584D53 8A40 12       MOV AL,[EAX+12]
00584D56 8B15 C8F25800 MOV EDX,[58F2C8]                      ; main_dat.006FD8FC
00584D5C 8802          MOV [EDX],AL
00584D5E A1 74F35800    MOV EAX,[58F374]
00584D63 8B00          MOV EAX,[EAX]
00584D65 E8 E601E8FF    CALL 00404F50                         ; 00404F50
00584D6A 83F8 14       CMP EAX,14
00584D6D 7C 12          JL SHORT 00584D81                      ; 00584D81
00584D6F A1 9CED5800    MOV EAX,[58ED9C]
00584D74 8B00          MOV EAX,[EAX]
00584D76 8A40 13       MOV AL,[EAX+13]
00584D79 8B15 C0E45800 MOV EDX,[58E4C0]                      ; main_dat.006FD93C
00584D7F 8802          MOV [EDX],AL
00584D81 A1 9CED5800    MOV EAX,[58ED9C]
00584D86 8B00          MOV EAX,[EAX]
00584D88 E8 C301E8FF    CALL 00404F50                         ; 00404F50
00584D8D 83F8 15       CMP EAX,15
00584D90 7C 11          JL SHORT 00584DA3                      ; 00584DA3
00584D92 A1 74F35800    MOV EAX,[58F374]
00584D97 8B00          MOV EAX,[EAX]
00584D99 8A00          MOV AL,[EAX]
00584D9B 8B15 B0F95800 MOV EDX,[58F9B0]                      ; main_dat.006FD978
00584DA1 8802          MOV [EDX],AL
00584DA3 A1 9CED5800    MOV EAX,[58ED9C]
00584DA8 8B00          MOV EAX,[EAX]
00584DAA E8 A101E8FF    CALL 00404F50                         ; 00404F50
00584DAF 83F8 16       CMP EAX,16
00584DB2 7C 12          JL SHORT 00584DC6                      ; 00584DC6
00584DB4 A1 9CED5800    MOV EAX,[58ED9C]
00584DB9 8B00          MOV EAX,[EAX]
00584DBB 8A40 01       MOV AL,[EAX+1]
00584DBE 8B15 A8FA5800 MOV EDX,[58FAA8]                      ; main_dat.006FD9AC
00584DC4 8802          MOV [EDX],AL
00584DC6 A1 9CED5800    MOV EAX,[58ED9C]
00584DCB 8B00          MOV EAX,[EAX]
00584DCD E8 7E01E8FF    CALL 00404F50                         ; 00404F50
00584DD2 83F8 17       CMP EAX,17
00584DD5 7C 12          JL SHORT 00584DE9                      ; 00584DE9
00584DD7 A1 9CED5800    MOV EAX,[58ED9C]
00584DDC 8B00          MOV EAX,[EAX]
00584DDE 8A40 02       MOV AL,[EAX+2]
00584DE1 8B15 3CF05800 MOV EDX,[58F03C]                      ; main_dat.006FD9EC
00584DE7 8802          MOV [EDX],AL
00584DE9 A1 94F15800    MOV EAX,[58F194]
00584DEE 8B00          MOV EAX,[EAX]
00584DF0 E8 5B01E8FF    CALL 00404F50                         ; 00404F50
00584DF5 83F8 18       CMP EAX,18
00584DF8 7C 12          JL SHORT 00584E0C                      ; 00584E0C
00584DFA A1 9CED5800    MOV EAX,[58ED9C]
00584DFF 8B00          MOV EAX,[EAX]
00584E01 8A40 03       MOV AL,[EAX+3]
00584E04 8B15 60E85800 MOV EDX,[58E860]                      ; main_dat.006FDA48
00584E0A 8802          MOV [EDX],AL
00584E0C A1 9CED5800    MOV EAX,[58ED9C]
00584E11 8B00          MOV EAX,[EAX]
00584E13 E8 3801E8FF    CALL 00404F50                         ; 00404F50
00584E18 83F8 19       CMP EAX,19
00584E1B 7C 12          JL SHORT 00584E2F                      ; 00584E2F
00584E1D A1 9CED5800    MOV EAX,[58ED9C]
00584E22 8B00          MOV EAX,[EAX]
00584E24 8A40 04       MOV AL,[EAX+4]
00584E27 8B15 54F65800 MOV EDX,[58F654]                      ; main_dat.006FDB7C
00584E2D 8802          MOV [EDX],AL
00584E2F A1 9CED5800    MOV EAX,[58ED9C]
00584E34 8B00          MOV EAX,[EAX]
00584E36 E8 1501E8FF    CALL 00404F50                         ; 00404F50
00584E3B 83F8 1A       CMP EAX,1A
00584E3E 7C 12          JL SHORT 00584E52                      ; 00584E52
00584E40 A1 9CED5800    MOV EAX,[58ED9C]
00584E45 8B00          MOV EAX,[EAX]
00584E47 8A40 05       MOV AL,[EAX+5]
00584E4A 8B15 2CF35800 MOV EDX,[58F32C]                      ; main_dat.006FDBC0
00584E50 8802          MOV [EDX],AL
00584E52 A1 9CED5800    MOV EAX,[58ED9C]
00584E57 8B00          MOV EAX,[EAX]
00584E59 E8 F200E8FF    CALL 00404F50                         ; 00404F50
00584E5E 83F8 1B       CMP EAX,1B
00584E61 7C 12          JL SHORT 00584E75                      ; 00584E75
00584E63 A1 70F85800    MOV EAX,[58F870]
00584E68 8B00          MOV EAX,[EAX]
00584E6A 8A40 06       MOV AL,[EAX+6]
00584E6D 8B15 94E45800 MOV EDX,[58E494]                      ; main_dat.006FDC14
00584E73 8802          MOV [EDX],AL
00584E75 A1 9CED5800    MOV EAX,[58ED9C]
00584E7A 8B00          MOV EAX,[EAX]
00584E7C E8 CF00E8FF    CALL 00404F50                         ; 00404F50
00584E81 83F8 1C       CMP EAX,1C
00584E84 7C 12          JL SHORT 00584E98                      ; 00584E98
00584E86 A1 9CED5800    MOV EAX,[58ED9C]
00584E8B 8B00          MOV EAX,[EAX]
00584E8D 8A40 07       MOV AL,[EAX+7]
00584E90 8B15 1CE65800 MOV EDX,[58E61C]                      ; main_dat.006FDC34
00584E96 8802          MOV [EDX],AL
00584E98 A1 9CED5800    MOV EAX,[58ED9C]
00584E9D 8B00          MOV EAX,[EAX]
00584E9F E8 AC00E8FF    CALL 00404F50                         ; 00404F50
00584EA4 83F8 1D       CMP EAX,1D
00584EA7 7C 12          JL SHORT 00584EBB                      ; 00584EBB
00584EA9 A1 00FE5800    MOV EAX,[58FE00]
00584EAE 8B00          MOV EAX,[EAX]
00584EB0 8A40 08       MOV AL,[EAX+8]
00584EB3 8B15 F4F35800 MOV EDX,[58F3F4]                      ; main_dat.006FDC60
00584EB9 8802          MOV [EDX],AL
00584EBB A1 9CED5800    MOV EAX,[58ED9C]
00584EC0 8B00          MOV EAX,[EAX]
00584EC2 E8 8900E8FF    CALL 00404F50                         ; 00404F50
00584EC7 83F8 1E       CMP EAX,1E
00584ECA 7C 12          JL SHORT 00584EDE                      ; 00584EDE
00584ECC A1 9CED5800    MOV EAX,[58ED9C]
00584ED1 8B00          MOV EAX,[EAX]
00584ED3 8A40 1D       MOV AL,[EAX+1D]
00584ED6 8B15 18F95800 MOV EDX,[58F918]                      ; main_dat.006FDC84
00584EDC 8802          MOV [EDX],AL
00584EDE A1 9CED5800    MOV EAX,[58ED9C]
00584EE3 8B00          MOV EAX,[EAX]
00584EE5 E8 6600E8FF    CALL 00404F50                         ; 00404F50
00584EEA 83F8 1F       CMP EAX,1F
00584EED 7C 11          JL SHORT 00584F00                      ; 00584F00
00584EEF A1 9CED5800    MOV EAX,[58ED9C]
00584EF4 8B00          MOV EAX,[EAX]
00584EF6 8A00          MOV AL,[EAX]
00584EF8 8B15 08EF5800 MOV EDX,[58EF08]                      ; main_dat.00702AF5
00584EFE 8802          MOV [EDX],AL
00584F00 A1 9CED5800    MOV EAX,[58ED9C]
00584F05 8B00          MOV EAX,[EAX]
00584F07 E8 4400E8FF    CALL 00404F50                         ; 00404F50
00584F0C 83F8 20       CMP EAX,20
00584F0F 7C 12          JL SHORT 00584F23                      ; 00584F23
00584F11 A1 9CED5800    MOV EAX,[58ED9C]
00584F16 8B00          MOV EAX,[EAX]
00584F18 8A40 01       MOV AL,[EAX+1]
00584F1B 8B15 38F05800 MOV EDX,[58F038]                      ; main_dat.00702B44
00584F21 8802          MOV [EDX],AL
00584F23 A1 9CED5800    MOV EAX,[58ED9C]
00584F28 8B00          MOV EAX,[EAX]
00584F2A E8 2100E8FF    CALL 00404F50                         ; 00404F50
00584F2F 83F8 21       CMP EAX,21
00584F32 7C 12          JL SHORT 00584F46                      ; 00584F46
00584F34 A1 94F15800    MOV EAX,[58F194]
00584F39 8B00          MOV EAX,[EAX]
00584F3B 8A40 02       MOV AL,[EAX+2]
00584F3E 8B15 44E65800 MOV EDX,[58E644]                      ; main_dat.00702BD0
00584F44 8802          MOV [EDX],AL
00584F46 A1 9CED5800    MOV EAX,[58ED9C]
00584F4B 8B00          MOV EAX,[EAX]
00584F4D E8 FEFFE7FF    CALL 00404F50                         ; 00404F50
00584F52 83F8 22       CMP EAX,22
00584F55 7C 12          JL SHORT 00584F69                      ; 00584F69
00584F57 A1 9CED5800    MOV EAX,[58ED9C]
00584F5C 8B00          MOV EAX,[EAX]
00584F5E 8A40 03       MOV AL,[EAX+3]
00584F61 8B15 E8FC5800 MOV EDX,[58FCE8]                      ; main_dat.00702C6C
00584F67 8802          MOV [EDX],AL
00584F69 A1 9CED5800    MOV EAX,[58ED9C]
00584F6E 8B00          MOV EAX,[EAX]
00584F70 E8 DBFFE7FF    CALL 00404F50                         ; 00404F50
00584F75 83F8 23       CMP EAX,23
00584F78 7C 12          JL SHORT 00584F8C                      ; 00584F8C
00584F7A A1 9CED5800    MOV EAX,[58ED9C]
00584F7F 8B00          MOV EAX,[EAX]
00584F81 8A40 04       MOV AL,[EAX+4]
00584F84 8B15 64EB5800 MOV EDX,[58EB64]                      ; main_dat.0070309C
00584F8A 8802          MOV [EDX],AL
00584F8C A1 9CED5800    MOV EAX,[58ED9C]
00584F91 8B00          MOV EAX,[EAX]
00584F93 E8 B8FFE7FF    CALL 00404F50                         ; 00404F50
00584F98 83F8 24       CMP EAX,24
00584F9B 7C 12          JL SHORT 00584FAF                      ; 00584FAF
00584F9D A1 9CED5800    MOV EAX,[58ED9C]
00584FA2 8B00          MOV EAX,[EAX]
00584FA4 8A40 05       MOV AL,[EAX+5]
00584FA7 8B15 BCE85800 MOV EDX,[58E8BC]                      ; main_dat.00714D7C
00584FAD 8802          MOV [EDX],AL
00584FAF A1 9CED5800    MOV EAX,[58ED9C]
00584FB4 8B00          MOV EAX,[EAX]
00584FB6 E8 95FFE7FF    CALL 00404F50                         ; 00404F50
00584FBB 83F8 25       CMP EAX,25
00584FBE 7C 12          JL SHORT 00584FD2                      ; 00584FD2
00584FC0 A1 9CED5800    MOV EAX,[58ED9C]
00584FC5 8B00          MOV EAX,[EAX]
00584FC7 8A40 06       MOV AL,[EAX+6]
00584FCA 8B15 ECF85800 MOV EDX,[58F8EC]                      ; main_dat.00714D8C
00584FD0 8802          MOV [EDX],AL
00584FD2 A1 74F35800    MOV EAX,[58F374]
00584FD7 8B00          MOV EAX,[EAX]
00584FD9 E8 72FFE7FF    CALL 00404F50                         ; 00404F50
00584FDE 83F8 26       CMP EAX,26
00584FE1 7C 12          JL SHORT 00584FF5                      ; 00584FF5
00584FE3 A1 70F85800    MOV EAX,[58F870]
00584FE8 8B00          MOV EAX,[EAX]
00584FEA 8A40 07       MOV AL,[EAX+7]
00584FED 8B15 70FA5800 MOV EDX,[58FA70]                      ; main_dat.00714DD8
00584FF3 8802          MOV [EDX],AL
00584FF5 A1 9CED5800    MOV EAX,[58ED9C]
00584FFA 8B00          MOV EAX,[EAX]
00584FFC E8 4FFFE7FF    CALL 00404F50                         ; 00404F50
00585001 83F8 27       CMP EAX,27
00585004 7C 12          JL SHORT 00585018                      ; 00585018
00585006 A1 9CED5800    MOV EAX,[58ED9C]
0058500B 8B00          MOV EAX,[EAX]
0058500D 8A40 08       MOV AL,[EAX+8]
00585010 8B15 68E95800 MOV EDX,[58E968]                      ; main_dat.00717198
00585016 8802          MOV [EDX],AL
00585018 A1 9CED5800    MOV EAX,[58ED9C]
0058501D 8B00          MOV EAX,[EAX]
0058501F E8 2CFFE7FF    CALL 00404F50                         ; 00404F50
00585024 83F8 28       CMP EAX,28
00585027 7C 12          JL SHORT 0058503B                      ; 0058503B
00585029 A1 9CED5800    MOV EAX,[58ED9C]
0058502E 8B00          MOV EAX,[EAX]
00585030 8A40 09       MOV AL,[EAX+9]
00585033 8B15 1CF15800 MOV EDX,[58F11C]                      ; main_dat.00717354
00585039 8802          MOV [EDX],AL
0058503B 33C0          XOR EAX,EAX
0058503D 5A             POP EDX
0058503E 59             POP ECX
0058503F 59             POP ECX
00585040 64:8910       MOV FS:[EAX],EDX
00585043 68 5D505800    PUSH 58505D
00585048 8D45 A4       LEA EAX,[EBP-5C]
0058504B BA 0B000000    MOV EDX,0B
00585050 E8 67FCE7FF    CALL 00404CBC                         ; 00404CBC
00585055 C3             RETN

Breakpoints
Address Module    Active                   Disassembly                         Comment
004DA9BE main_dat Always                   MOV EAX,[58F374]
004DC20A main_dat Always                   MOV EAX,[58FE00]
004EAAEA main_dat Always                   MOV EAX,[58E67C]
004ED1A4 main_dat Always                   MOV EAX,[58F194]
004EF351 main_dat Always                   MOV EAX,[58FE00]
005097A9 main_dat Always                   MOV EAX,[58FE00]
00520D90 main_dat Always                   MOV EAX,[58F870]
0057D402 main_dat Always                   MOV EAX,[58FE00]
0059020E main_dat Always                   REP MOVS BYTE PTR ES:[EDI],BYTE PTR

/////////////////////////////////////////////////////////////////////
0057D34C 55             PUSH EBP
0057D34D 8BEC          MOV EBP,ESP
0057D34F 83C4 F8       ADD ESP,-8
0057D352 8955 F8       MOV [EBP-8],EDX
0057D355 8945 FC       MOV [EBP-4],EAX
0057D358 33D2          XOR EDX,EDX
0057D35A 8B45 FC       MOV EAX,[EBP-4]
0057D35D 8B80 88060000 MOV EAX,[EAX+688]
0057D363 E8 6042ECFF    CALL 004415C8                         ; 004415C8
0057D368 B2 01          MOV DL,1
0057D36A 8B45 FC       MOV EAX,[EBP-4]
0057D36D 8B80 DC030000 MOV EAX,[EAX+3DC]
0057D373 E8 6CEBECFF    CALL 0044BEE4                         ; 0044BEE4
0057D378 A1 FCE95800    MOV EAX,[58E9FC]
0057D37D 8338 00       CMP DWORD PTR [EAX],0
0057D380 75 16          JNZ SHORT 0057D398                      ; 0057D398
0057D382 33C9          XOR ECX,ECX
0057D384 B2 01          MOV DL,1
0057D386 A1 8CE25400    MOV EAX,[54E28C]
0057D38B E8 0875EEFF    CALL 00464898                         ; 00464898
0057D390 8B15 FCE95800 MOV EDX,[58E9FC]                      ; main_dat.00611D94
0057D396 8902          MOV [EDX],EAX
0057D398 A1 FCE95800    MOV EAX,[58E9FC]
0057D39D 8B00          MOV EAX,[EAX]
0057D39F 8B80 04030000 MOV EAX,[EAX+304]
0057D3A5 33D2          XOR EDX,EDX
0057D3A7 E8 38EBECFF    CALL 0044BEE4                         ; 0044BEE4
0057D3AC A1 FCE95800    MOV EAX,[58E9FC]
0057D3B1 8B00          MOV EAX,[EAX]
0057D3B3 8B80 FC020000 MOV EAX,[EAX+2FC]
0057D3B9 33D2          XOR EDX,EDX
0057D3BB E8 24EBECFF    CALL 0044BEE4                         ; 0044BEE4
0057D3C0 A1 FCE95800    MOV EAX,[58E9FC]
0057D3C5 8B00          MOV EAX,[EAX]
0057D3C7 8B80 04030000 MOV EAX,[EAX+304]
0057D3CD B2 01          MOV DL,1
0057D3CF E8 10EBECFF    CALL 0044BEE4                         ; 0044BEE4
0057D3D4 A1 FCE95800    MOV EAX,[58E9FC]
0057D3D9 8B00          MOV EAX,[EAX]
0057D3DB E8 F8B6EEFF    CALL 00468AD8                         ;出现失败窗口
0057D3E0 B9 B80B0000    MOV ECX,0BB8
0057D3E5 B2 01          MOV DL,1
0057D3E7 8B45 FC       MOV EAX,[EBP-4]
0057D3EA E8 DD83FFFF    CALL 005757CC                         ; 005757CC
0057D3EF A1 00FE5800    MOV EAX,[58FE00]
0057D3F4 8B00          MOV EAX,[EAX]
0057D3F6 E8 557BE8FF    CALL 00404F50                         ; 00404F50
0057D3FB 3D F4010000    CMP EAX,1F4
0057D400 7E 4C          JLE SHORT 0057D44E                      ; 0057D44E
0057D402 A1 00FE5800    MOV EAX,[58FE00]
0057D407 8B00          MOV EAX,[EAX]
0057D409 8A80 40010000 MOV AL,[EAX+140]
0057D40F 8B15 6CF85800 MOV EDX,[58F86C]                      ; main_dat.006FD024
0057D415 8802          MOV [EDX],AL
0057D417 A1 54015900    MOV EAX,[590154]
0057D41C 8A00          MOV AL,[EAX]
0057D41E 34 61          XOR AL,61
0057D420 8B15 94015900 MOV EDX,[590194]                      ; main_dat.006FCF4C
0057D426 3A02          CMP AL,[EDX]
0057D428 75 24          JNZ SHORT 0057D44E                      ; 0057D44E
0057D42A A1 00FE5800    MOV EAX,[58FE00]
0057D42F 8B00          MOV EAX,[EAX]
0057D431 8A80 64010000 MOV AL,[EAX+164]
0057D437 8B15 00EF5800 MOV EDX,[58EF00]                      ; main_dat.006FD14C
0057D43D 8802          MOV [EDX],AL
0057D43F A1 D0F45800    MOV EAX,[58F4D0]
0057D444 8A00          MOV AL,[EAX]
0057D446 8B15 54015900 MOV EDX,[590154]                      ; main_dat.006FD7F1
0057D44C 8802          MOV [EDX],AL
0057D44E 59             POP ECX
0057D44F 59             POP ECX
0057D450 5D             POP EBP
0057D451 C3             RETN

Call stack of main thread
Address Stack    Procedure / arguments                Called from                Frame
0012FE44 00441612 Includes main_dat.0057D3E0          main_dat.0044160F          0012FE40
0012FE4C 004414F8 main_dat.004040A4                   main_dat.004414F3          0012FE6C
0012FE70 0042517E Includes main_dat.004414F8          main_dat.0042517C          0012FE6C
0012FE88 77E1A420 Includes main_dat.0042517E          user32.77E1A41D             0012FE84
0012FEA8 77DF4605 user32.77E1A408                      user32.77DF4600             0012FEA4
0012FF34 77DF5B77 user32.77DF4321                      user32.77DF5B72             0012FF30
0012FF40 0046BE20 <JMP.&user32.DispatchMessageA>       main_dat.0046BE1B          0012FFA8
0012FF44 0012FF5C    pMsg = WM_TIMER hw = 1B046C (class
0012FF58 0046BE57 main_dat.0046BD98                   main_dat.0046BE52          0012FFA8
0012FF7C 0046C077 main_dat.0046BE48                   main_dat.0046C072          0012FFA8
0012FFAC 007E1A4F main_dat.0046BFDC                   main_dat.007E1A4A          0012FFA8

Call stack of main thread
Address Stack    Procedure / arguments                                                          Called from                Frame
0012FE44 00441612 Includes main_dat.0057D373                                                       main_dat.0044160F          0012FE40
0012FE4C 004414F8 main_dat.004040A4                                                                main_dat.004414F3          0012FE6C
0012FE70 0042517E Includes main_dat.004414F8                                                       main_dat.0042517C          0012FE6C
0012FE88 77E1A420 Includes main_dat.0042517E                                                       user32.77E1A41D             0012FE84
0012FEA8 77DF4605 user32.77E1A408                                                                user32.77DF4600             0012FEA4
0012FF34 77DF5B77 user32.77DF4321                                                                user32.77DF5B72             0012FF30
0012FF40 0046BE20 <JMP.&user32.DispatchMessageA>                                                 main_dat.0046BE1B          0012FFA8
0012FF44 0012FF5C    pMsg = WM_TIMER hw = 930936 (class="TPUtilWindow") ID = 1 Callback = 0
0012FF58 0046BE57 main_dat.0046BD98                                                                main_dat.0046BE52          0012FFA8
0012FF7C 0046C077 main_dat.0046BE48                                                                main_dat.0046C072          0012FFA8
0012FFAC 007E1A4F main_dat.0046BFDC                                                                main_dat.007E1A4A          0012FFA8

004414D6 81FE 13010000 CMP ESI,113
004414DC 75 3F          JNZ SHORT 0044151D                      ; 0044151D
004414DE 33C0          XOR EAX,EAX

0057D36D 8B80 DC030000 MOV EAX,[EAX+3DC]
0057D373 E8 6CEBECFF    CALL 0044BEE4                         ; 0044BEE4
0057D378 A1 FCE95800    MOV EAX,[58E9FC]

0012FB00 000000EC  |Socket = EC
0012FB04 0012FC8F  |Data = 0012FC8F
0012FB08 000000CA  |DataSize = CA (202.)
0012FB0C 00000000  \Flags = 0

send
0012FC8F  3A                                              :

12FD59

3A 68 00 00 00 00 67 3C 00 00 89 E3 1B DC 11 35 2B 8E 0A 1C 1E 7C BB 22 6D 2A F7 DD 2E CD 2A 37
00 65 84 BF FB 89 14 EC E2 85 B2 35 B8 38 3E 62 A3 65 95 09 6B 39 5B 99 66 84 68 62 02 1C 78 FB
1F 6A 17 15 96 11 9F D1 D3 4D F7 DD 2E CD 2A 37 00 65 E5 BA BF 72 31 B7 8C AA 28 98 7F 8E 4D 82
D4 E9 75 FB 9B BE FC E9 31 CA 39 A0 27 A6 78 D0 9E E5 F7 DD 2E CD 2A 37 00 65 F7 DD 2E CD 2A 37
00 65 F7 DD 2E CD 2A 37 00 65 2B B5 46 CE EE DF 45 A0 75 90 87 66 37 0C 02 FA F7 DD 2E CD 2A 37
00 65 F7 DD 2E CD 2A 37 00 65 F7 DD 2E CD 2A 37 00 65 F7 DD 2E CD 2A 37 00 65 F7 DD 2E CD 2A 37
00 65 D0 2C A7 26 33 8F 05 53 00 00 00 00 00 00

Call stack of main thread
Address Stack    Procedure / arguments                                                          Called from                Frame
0012FB5C 005810E2 ? main_dat.004BA81C                                                             main_dat.005810DD          0012FB58
0012FE00 005850F7 ? main_dat.00580C00                                                             main_dat.005850F2          0012FDFC
0012FE14 004BBD95 Includes main_dat.005850F7                                                       main_dat.004BBD92          0012FE10
0012FE1C 004BBAF2 Includes main_dat.004BBD95                                                       main_dat.004BBAEF          0012FE24
0012FE28 004BA609 Includes main_dat.004BBAF2                                                       main_dat.004BA606          0012FE24
0012FE34 004BAD46 main_dat.004040A4                                                                main_dat.004BAD41          0012FE48
0012FE3C 004B9FC3 Includes main_dat.004BAD46                                                       main_dat.004B9FC0          0012FE48
0012FE4C 004BAB78 Includes main_dat.004B9FC3                                                       main_dat.004BAB75          0012FE48
0012FE70 0042517E Includes main_dat.004BAB78                                                       main_dat.0042517C          0012FE6C
0012FE88 77E1A420 Includes main_dat.0042517E                                                       user32.77E1A41D             0012FE84
0012FEA8 77DF4605 user32.77E1A408                                                                user32.77DF4600             0012FEA4
0012FF34 77DF5B77 user32.77DF4321                                                                user32.77DF5B72             0012FF30
0012FF40 0046BE20 <JMP.&user32.DispatchMessageA>                                                 main_dat.0046BE1B          0012FFA8
0012FF44 0012FF5C    pMsg = WM_USER+1 hw = 4708DE (class="TPUtilWindow") wParam = EC lParam = 10
0012FF58 0046BE57 main_dat.0046BD98                                                                main_dat.0046BE52          0012FFA8
0012FF7C 0046C077 main_dat.0046BE48                                                                main_dat.0046C072          0012FFA8
0012FFAC 007E1A4F main_dat.0046BFDC                                                                main_dat.007E1A4A          0012FFA8

005810DA 8B4D EC       MOV ECX,[EBP-14]
005810DD E8 3A97F3FF    CALL 004BA81C                         ; 004BA81C
005810E2 A1 00E95800    MOV EAX,[58E900]

name,pass
25867758

00580EF4 8B45 FC       MOV EAX,[EBP-4]
00580EF7 E8 0CE6FFFF    CALL 0057F508                         ; last user
00580EFC E8 C71CE8FF    CALL 00402BC8                         ; GetSystemTime

0041EAD7 E8 0889FEFF    CALL 004073E4                         ; <JMP.&kernel32.FindResourceA>

0012F998 00400000  |hModule = 00400000 (main_dat)
0012F99C 0052FC34  |ResourceName = "BIN3"
0012F9A0 0052FC3C  \ResourceType = "BIN"

EAX 014E3FC0 ;MOV EAX,[EAX+4] Socket
ECX 000000CA ;DataSiz
EDX 0012FC8F ;Data
EBX 000000C0
ESP 0012FB60
EBP 0012FDFC
ESI 004BA5F4 main_dat.004BA5F4
EDI 0012FF5C
EIP 005810DD main_dat.005810DD

0012FB00 000000E4  |Socket = E4
0012FB04 0012FC8F  |Data = 0012FC8F
0012FB08 000000CA  |DataSize = CA (202.)
0012FB0C 00000000  \Flags = 0

004BAB1C 53             PUSH EBX

53 56 8B DA 8B F0 83 C9 FF 33 D2 8B C6 E8 76 FE FF FF 8B D0 8B C3 E8 9D A7 F4 FF 8B 03 E8 12 A4
F4 FF 8B C8 8B 13 8B C6 E8 5B FE FF FF 8B D0 8B C3 E8 82 A7 F4 FF 5E 5B C3 8D 40 00 55 8B EC 51

00574DCD 64:8920       MOV FS:[EAX],ESP
00574DD0 90             NOP
00574DD1 90             NOP
00574DD2 90             NOP
00574DD3 90             NOP
00574DD4 90             NOP
00574DD5 8945 F8       MOV [EBP-8],EAX

005849A4 E8 8F5AF2FF    CALL 004AA438                         ; <JMP.&winmm.timeGetTime>
005849A9 8B15 70E75800 MOV EDX,[58E770]                      ; main_dat.0071BFE0
005849AF 8902          MOV [EDX],EAX
005849B1 A1 00FE5800    MOV EAX,[58FE00]

004F5438 3B45 EC       CMP EAX,[EBP-14]
004F543B EB 0D          JMP SHORT 004F544A                      ; 004F544A
004F543D 33C0          XOR EAX,EAX

424
01489E38  00                                              .
0148A258  53                                              S

148A25C

00 01 01 E8 BD 6E BF B8 16 AB 7F BF|C5 34 77 79 F3 15 60 A1 BA C5 B7 17 93 97 C0 7F 78 CA D5 10

00 01 01 E8 BD 6E BF B8 16 AB 7F BF AB 0B 2C 6E DB EC D9 C0 36 F7 CF 58 6C 35 97 4B 6C E9 D6 28
82 4E 61 0F 93 27 BC DF 0C 2D 4B F1 82 CF 3E 43 B2 03 D5 34 E8 C5 D3 9A 44 BE F1 1F 95 19 FF 2A
FD 0E F7 50 DC 0B 80 25 AC 96 80 5C 8E DF 01 B3 94 32 7B 3E BD 57 4A 42 22 DA 73 0C 89 00 00 00
3C 25 9E FE 4B AF 04 00 1E 00 00 00 2E C8 64 64 26 2C 56 F9 A1 72 C7 C0 E5 76 79 34 FC 4E C8 3E
F4 66 03 25 0B 51 01 3F E2 A8 F3 DC B7 BB 47 51 D9 A5 3B 85 C5 68 84 D4 01 00 00 00 00 C1 EE 22
42 8E 2C B0 34 A3 53 DB AE 99 06 DC 8B 53 E7 84 A6 4C 9B 4D C7 AA 38 64 49 AC 3B 04 57 50 B2 4C
85 80 0D 93 3A 13 FA 32 D2 EB F2 95 CB 13 C9 77 E2 FD 1D 82 BD B3 DB CC E0 90 FF 8A 53 23 58 61
BA E5 B7 4D F6 0E 41 54 11 67 F4 9F 7F 08 6B 6E 22 74 4D 7C 4B 4B 79 90 1F F9 04 A9 A1 44 00 00
66 5F A0 53 32 7F CC 8B C8 81 F3 77 35 FB 56 E7 9C 43 62 51 95 B9 06 0D 31 F0 80 B7 42 E9 DC C3
02 4C 4A 0D 35 B0 71 E0 EF 85 D9 D8 76 E2 90 D2 FF BB 9E 25 75 7E BB E3 C3 95 58 8D 66 FB 2A 1A
9D 34 39 05 6F 74 D1 83 F3 62 B7 18 0A AB 33 AF FA 94 83 D0 B7 BB FB 5E 8D F8 DD 4D BF 8C 2A 49
E2 1A DC 25 F1 1F A2 14 AA 39 46 13 18 B8 43 C1 8A 6B 83 55 FA A7 75 02 8F BD 9E DF F4 75 F7 E5
08 27 23 99 C7 7F F5 9B 3C FE 4B DA C3 18 A8 79 22 F8 7A 52 B4 85 DE B3 BF 79 A4 2B F6 B8 42 25
7A 90 CA B5 EE 01 62 FF 5A 91 51 82 FA 6B 5A C1 DA D1 30 88 A3 4A 97 C0 51 27 D3 9B 06 07 BB 2F
A2 8D 89 1C AC 15 B3 A5 E2 E3 4D 78 5C EE E1 A0 13 CE FC 22 C2 61 20 04 46 74 F9 04 6D 35 9D FB
59 05 52 0C EE 6C 65 25 71 71 AE E1 90 45 3E 52 78 FB E1 E9 30 88 40 C1 F4 98 DD 1B 7C 41 0D 54
13 59 EC AC AC BC D8 97 4F 68 1D B8 D8 A8 1E F2 90 7C 88 A2 8C A6 08 3B 88 3D B9 6B 82 81 BF A1
04 75 54 93 15 DD 68 89 93 56 6D B5 49 DF 04 05 AD F5 26 1E C2 1A 1C AF FB 3A C3 63 F7 72 A9 B9
7D 6C D9 84 FC 46 83 FE 9C 55 71 BC 18 47 33 99 56 5E E1 F6 C4 68 51 9A E7 8D B8 0B A4 54 C0 D3
55 E8 98 9A A5 31 61 16 5C CE 1C 9F 99 B5 72 5C 6E 8C 70 3A 96 6C 74 18 46 2E 43 40 A8 10 61 88
BF DA B8 71 82 50 43 D8 11 62 CC 0A AD 67 C9 02 6E E6 C7 ED F0 B9 B0 86 6B 5A 8B F7 C7 D3 14 34
7E 00 29 C7 C0 E1 24 FB 26 6C F6 6B 56 7D 91 3F 92 90 1C CC 58 2A AE F8 CB F5 84 32 72 27 E1 3F
99 68 F8 29 B7 B4 A4 16 EE 64 1F 00 F2 18 97 4B 1C 39 0A 58 5A 61 FD 04 AF 25 BC 67 20 01 D5 57
39 41 16 C3 31 88 13 25 9C 63 B9 77 62 9C 1B 49 83 FB F2 04 33 81 12 54 26 2E F1 FE 74 DF FF 0C
0A 68 58 1C 1E 11 EC E1 C9 50 39 F5 23 F5 6C 68 6B 14 DA 4A BD 8D 09 78 C8 3E 4F AD 7F 3E 41 4E
A2 37 78 0F FA C8 3E D4 17 43 9C 4A C8 89 CC 11 E3 C2 F8 9E C2 5A F1 79 7F 1A 81 9F 14 EB 9C 2F
05 A6 87 4B 76 9B 14 49 56 C1 0E 7F DC E5 F6 3E 04 1B B9 9C EA 94 AE 17 64 E7 B5 94 D5 90 E0 A3
E1 79 13 11 6F 5E 49 BE 0F 5E CD AD 87 D3 A4 78 34 73 CF 18 34 64 32 62 DE 94 1C CF EC 75 83 AE
7A 1F A0 21 01 5F 25 DF 94 2D 20 B3 D2 CB 7E 23 CE F4 AB 27 12 06 E0 B5 4C 8A 2C 54 5E EF 54 FF
E5 29 BA C9 AF 3C 70 4F 5A E8 5B ED FF 4F A5 EC 2C CB 2E EB D3 64 52 F0 C7 FA A6 BF 1E 48 06 9A
3A C8 05 3D 24 3D 96 68 64 14 78 61 C5 05 23 66 62 81 43 83 44 2D DF BC DC 07 E5 67 5B A7 E1 0C
9F CC 14 80 BC 4A 91 30 6B E5 F0 44 54 3C D5 DA 8E 16 8B 95 19 0D F9 D7 0B 0E 87 B0 08 0B F9 D7
09 0A F8 D4 09 70 82 BD 43 7C 8C B4 42 67 95 B1 59 42 B2 A0 6A 58 BD BC 56 4B 83 89 49 5E 8A AE
53 56 B4 BB 00 00 00 00 00 00 00 00 00 00 00 00

005849A4 E8 8F5AF2FF    CALL 004AA438                         ; <JMP.&winmm.timeGetTime>
005849A9 8B15 70E75800 MOV EDX,[58E770]                      ; main_dat.0071BFE0
005849AF 8902          MOV [EDX],EAX

00584AB5 8B45 FC       MOV EAX,[EBP-4]
00584AB8 8B80 70060000 MOV EAX,[EAX+670]
00584ABE BA 58020000    MOV EDX,258
00584AC3 E8 10CBEBFF    CALL 004415D8                         ; time

005849EB A1 9CED5800    MOV EAX,[58ED9C]
005849F0 8B15 00FE5800 MOV EDX,[58FE00]                      ; main_dat.006FCB94
005849F6 8B12          MOV EDX,[EDX]
005849F8 E8 EF02E8FF    CALL 00404CEC                         ; 00404CEC

00584AD7 A1 9CED5800    MOV EAX,[58ED9C]
00584ADC 8B00          MOV EAX,[EAX]

418
0148A5FC  35                                              5

148AA14

35 53 96 8C D2 00 62 86 96 15 1A 9D B3 75 56 C3 BD 19 AD 2B B6 A6 F8 74 9A 1E C4 28 8F CF 6E 4B
A0 FF 68 B4 F3 D1 D8 E3 14 E2 BD C3 0E 59 DA D3 81 4A B4 6C 95 ED 2C 37 C6 E9 7E A2 61 02 9D 98
23 9A CD EB 64 77 22 3E 94 17 66 7A B0 EB E3 EA 50 02 00 00 9E BE 54 B1 8E AE 04 00 1E 00 00 00
6D A4 EA 71 87 70 86 01 BD D0 2B 51 2E EB 28 D2 11 4B BC A6 18 F9 F9 5E 88 C3 BC 8D BA 51 97 C9
8E 0E 3D BA 21 A4 67 99 DD FC 5B 08 01 00 00 00 00 32 BE DD 0A C6 2E BB BA 87 11 AD CA 71 FF 44
85 65 8F 1F 2F 3A BB 9F 51 B9 70 DC F4 03 6D DD 6C C0 50 AB E0 B0 39 6B 83 5C 7E 20 BA D3 F5 2A
49 D6 55 6C 5C 45 CE B9 9F 46 10 BD 18 52 2D 91 63 79 05 C2 7D AE 44 5E 39 CF DF 70 F4 AC 3C 9C
6D D2 FF F1 E2 48 0F 21 C1 A9 E2 5F B5 A7 05 B7 A1 44 00 00 AF 2E D4 B3 72 E4 00 8B 40 FA 45 43
47 F6 8D 4D 55 79 F5 D0 DF D2 01 A2 C8 35 58 6F CE 96 A3 B7 73 97 0A CE F6 66 21 CC 28 7B 39 CE
3E 00 46 04 20 E7 5D C7 16 D4 53 22 50 F5 39 4B B1 5E C6 8B 56 16 40 71 72 0C 65 CB 07 C7 01 08
FE 3B 8B 78 14 E4 46 E5 2E D7 62 E1 FD 59 6D CA 12 C1 C9 CF CF 56 13 8F AF 1E DB CE 1F 41 3F 21
13 0F A7 FC 55 7F AB 45 70 14 D2 10 08 F6 F9 D6 77 A4 C4 A5 F6 09 76 A7 CF BE 1E 71 4F CE 34 2F
2C 88 1E 6F 8D 0F E1 CA 9C C2 06 05 97 78 1F C9 A6 98 4E 13 D7 1B 4B 38 14 06 4B 26 81 84 1D 33
32 28 27 65 2D BF 13 03 5B DC EB 75 AC 2B 43 4C 4F C4 B9 18 7B AA AC C1 25 DC 3D 16 B6 48 23 48
7C 94 40 D7 F8 A4 9E 01 78 54 2C E6 89 DE A7 05 88 34 16 18 09 05 E2 10 D1 E7 4B 71 95 21 59 13
87 EF 72 0B 69 A7 9B F4 BB 4E 8B 4A F6 35 43 50 54 51 CF 0A B0 DC 31 B6 10 80 D6 1F E1 64 C0 FB
C6 61 2F DD 14 DF B2 28 1C D0 C1 85 FC 49 35 CC 1C 83 4C 99 D9 61 EB F8 5A 30 D9 C3 0F 87 68 81
F6 D6 A3 FF 6F AA E1 92 6A 63 69 47 96 CD C6 D5 DF 3D A1 B2 52 B9 ED D2 19 EF 7B 39 8A 73 EA 26
0E 7E 5F A1 BA B2 58 A3 91 FC 9A 0C 86 AF 9A E5 AA 11 D1 A4 8C 74 FB 5D 39 E6 2C 53 01 20 26 3D
70 0D B7 DA 81 FC DC 09 09 7C 99 DF 73 86 DE B0 D7 E1 D7 36 84 44 0A E7 3F 51 D0 B7 47 85 BF 08
AF 2F 44 A7 BF 28 BF 2F 05 EB 45 B7 B2 FF F3 27 68 7D 38 0C 11 F4 80 A2 7D F1 FA A0 5C E4 19 24
19 BF 55 8A 21 A9 29 26 4E E7 A6 21 AF 91 F4 D7 AF 00 0E F5 06 71 1B D6 9A 7B 27 60 6F 7A 1F 00
4D 3F A2 CF 19 31 3E 0E 95 CB A3 05 73 AE BC 67 20 01 1E 74 FF 8E D3 BA 64 09 25 F8 1B 6B 69 D9
B9 47 7F 4F 4C 51 AC 05 2B 70 4F 4B E9 84 AF FF C8 43 FC 5A 2F 2D DE 90 12 0F 22 76 30 B8 C7 B7
26 15 10 FD 3C 6D 3E 26 74 72 88 EE AB 65 43 4D CE 86 47 3E 8F 24 85 2C B3 97 02 B9 3B 8C EA B1
4C 7F 7B 66 A1 C0 11 AC EF 66 1A DD F3 18 B7 91 81 F1 FB BC 47 47 C6 B6 D8 AF 01 DE 5E 6D 51 59
1B 54 77 82 46 F6 98 F3 60 5D 2E 7C 8B CC CA E1 E2 B6 1F 55 44 70 E9 3B 9D EA 27 DB FD EA 87 A6
26 7F 28 48 B4 43 36 28 B4 79 34 72 46 70 E1 D5 34 FF 0B ED 59 BE 6E BF 01 F1 AB 8E 09 23 7A B6
2D 45 66 ED 31 B5 4E 69 3C E5 AC 38 79 D8 D9 E3 F1 BE 59 23 35 5A B7 38 21 61 9C 8D FB D8 81 1A
CF 1B 37 14 3C 8C 7D AA 92 43 75 4A 7D 4F DE 07 7B 32 13 9C BD 31 B5 7D 50 FB 18 4F 99 2B E4 1E
C5 F0 2F 18 89 DC 06 40 D2 C1 A4 FB 9E D3 EC C4 D7 7E 49 A5 F0 71 2F 38 21 51 1A 4E 54 F6 DF EB
38 A0 DF 0A C6 B0 AA 5A 19 0D FD C9 0B 0E 83 AE 08 0B FD C9 09 0A FC CA 09 70 86 A3 43 7C 88 AA
42 67 91 AF 59 42 B6 BE 6A 58 B9 A2 56 4B 87 97 49 5E 8E B0 53 56 B0 A5

005849C3 8BC8          MOV ECX,EAX
005849C5 83E9 0C       SUB ECX,0C
005849C8 A1 00FE5800    MOV EAX,[58FE00]
005849CD 8B00          MOV EAX,[EAX]
005849CF BA 0D000000    MOV EDX,0D
005849D4 E8 CF07E8FF    CALL 004051A8                         ;变
005849D9 A1 70F85800    MOV EAX,[58F870]
005849DE 8B15 00FE5800 MOV EDX,[58FE00]                      ; main_dat.006FCB94
005849E4 8B12          MOV EDX,[EDX]
005849E6 E8 0103E8FF    CALL 00404CEC                         ; 00404CEC

00000418
0148A26C  08                                              .
148A684

08 E2 1F 55 90 45 A3 7A 1D E1 24 D7 72 25 4B 34 10 DF E5 D1 81 18 F4 56 8B 68 0E AD 2F 66 4F 2E
37 0F 4E 99 36 0F 49 33 36 E9 F6 ED 4B E7 A2 92 BF DA 37 1A 23 56 38 7B 16 4C 80 04 AC 5C C8 7F
64 F3 F9 47 B3 17 D8 B3 19 1E 35 21 82 16 D0 C4 50 02 00 00 3B 08 01 0F 72 AE 04 00 1E 00 00 00
16 37 A6 2D 62 E3 F0 AC C2 77 83 50 F3 64 1C 41 F4 E2 C7 00 C3 C9 62 61 4D 4F 24 CC 01 E6 02 C3
A1 43 FC 9B A1 6E D6 AC 0E 45 ED 71 01 00 00 00 00 FC 23 A1 56 93 BA 47 99 CD F8 47 72 75 2F D5
22 9B 23 42 CC 2C 8A 82 17 D2 64 96 38 F0 DF 1D 20 07 B7 CC 0A AF 93 40 FB A4 E4 F7 6A AA 60 4F
15 77 4C 37 CD 8E 6F 16 99 3E 96 91 CE D8 F2 C9 BA 72 9A 43 0D B2 1E 38 5B F3 2A 2D 0C 45 C5 38
74 63 91 3D D7 79 04 BE C7 72 00 6F A2 BE 05 C0 A1 44 00 00 68 C7 4D F3 DB B9 7A C1 B4 D7 7C 42
F8 45 E6 3C CE FF 72 74 78 FC D5 DB 6F 36 AA 9D FD F8 CD 2E 46 DF 88 79 41 9A 1D 06 9D F7 74 BD
3C 43 D6 35 9E 18 0C 69 E1 E0 71 B7 A3 43 F1 A2 2A F9 6E 8A 8B 9E B4 6A 13 33 22 B5 3D 6B FA FD
C1 42 78 F8 FB A5 6A D8 FF 92 D2 61 21 48 5D F9 04 F6 E2 FC 33 C8 23 98 B6 1E 5C 5E E0 DA 98 00
E4 32 B0 C7 B8 C3 21 57 19 A8 54 27 D1 BB 78 8B CC 24 30 D6 BD 7E 13 3A 93 45 29 52 45 E8 63 73
C0 6D 0B 84 A2 B7 CA BC 83 81 82 36 C2 7C 69 24 FB F8 83 82 99 37 EB 6B A0 37 B1 FC 0E 6D 88 87
B9 A9 CF 0A 6F C5 D3 1B 3A DD 6B 77 7A 43 74 9F 03 F9 F6 39 22 0C FF 0A FA BD CA EF B3 31 89 01
14 E4 B2 3D D9 33 57 5F C7 53 C7 1A B9 C9 BE 05 E1 7F D6 BF 58 86 92 93 2E 3C A1 28 D6 97 5C E8
A4 29 DE 0F 16 FC 54 60 6D 31 E4 9F D6 55 F9 77 A5 93 CB EC C4 0B 60 AD 25 58 F3 DA C3 75 49 9C
60 CC C1 E9 51 AB E6 71 81 F0 A7 93 B8 3B A0 52 EE 38 80 B6 CF AD 18 1E E1 D4 A2 18 90 E6 11 0B
2A 8B 96 E7 02 9F 23 D3 F8 43 DD D5 B0 B0 9E 7E 93 09 C1 95 B5 B9 48 5E 17 21 D6 E6 A8 D7 B1 23
F9 A4 93 3A E5 ED 88 C7 F5 28 18 80 20 4C 79 96 8C 6F 68 09 0C 8F 82 1D 26 B7 C3 2D 39 3E 8A 0A
8A A2 63 14 EC BD F9 4D 25 E5 22 B1 74 C4 58 C5 EE 0F 74 73 53 C0 4D F7 D0 5C 0A 51 78 C4 C3 C0
18 8A 00 4E 2B 1C 92 42 2E 2E 2B 1A 7B 16 CE 44 FC 39 3B B9 41 4D A3 C4 B6 53 86 87 87 CC D6 88
2E A4 7B 57 DA 93 08 B6 82 46 9F 3F 17 8E D5 19 79 FE 99 51 93 CF 63 80 4D A6 D9 25 8F 7D 1F 00
94 EA 2B 3D 0C 94 67 1D A5 DC BA 05 38 8C BC 67 20 01 C1 91 6B 5B 4E 25 EF 25 A4 64 91 44 23 B5
BF A8 5C 90 7C 46 B5 05 0D 20 6C DC D9 93 B6 FF 1E 56 DA 03 1B C8 4D 52 81 07 E5 61 28 47 11 83
00 F2 9D C8 E8 F1 3E BB 1D 97 14 72 0D E7 8F 13 72 C8 CF FC B4 6B 87 EC 6C 91 44 34 69 08 D8 4E
6F 17 3F 91 0B 12 E0 C6 DA E1 ED 97 D6 57 70 E2 2C 1A D1 46 B2 84 A3 9C A5 9E 9F F5 74 11 BD DD
A5 02 ED 01 2D C3 23 3C 02 15 7E 26 EA 59 64 49 0E E5 8C 62 D5 FD E8 E1 6F 13 A5 65 0F 13 C2 CF
47 A5 F5 4F E0 AF 1E 2F E0 10 6C 71 E3 F3 A5 07 67 1F 36 50 70 23 46 27 01 E6 A3 49 83 D9 FA 85
EF 13 FB 6A A2 E8 15 95 21 FB 49 33 60 00 F6 39 96 B6 A4 30 45 E2 48 A6 2D 59 0B 0C 3B 7B 92 BC
CF 5D BC 5B AD EE 64 4C 74 45 73 BA 8D 82 CE F7 D5 5A 0E BE 16 04 3E C0 02 A4 57 84 F4 B4 79 6A
35 80 6D B7 68 7F FE 5C 1D 6E 8C 50 CF F8 01 DE 05 4A 2A B0 82 21 CE E4 50 5D C6 FE 01 D1 DC D5
A9 D8 1E 5B CE 74 D7 51 19 0D C9 82 0B 0E B7 E5 08 0B C9 82 09 0A C8 81 09 70 B2 E8 43 7C BC E1
42 67 A5 E4 59 42 82 F5 6A 58 8D E9 56 4B B3 DC 49 5E BA FB 53 56 84 EE

0148A264  EB AC F0 EA 2C 6C D7 B7 BF C4 F5 72 7F ED E8 A2  ?痍,l..磕躜.龛.
0148A274  9C 73 AF 4A DD 4D 59 CC E9 86 F1 C9 C4 A9 A0 B9  ??萃Y涕.裆末.

01489E38  00 02 01 E8 BE 6F BF B8 17 AB 7F BF|EB AC F0 EA  ...杈o?...侩.痍
01489E48  2C 6C D7 B7 BF C4 F5 72 7F ED E8 A2 9C 73 AF 4A  ,l..磕躜.龛.??

0148A5FC

0148A5FC  7B 1C B6 C9 42 25 D9 30 BA BE 08 39 BD ED 08 AE  {..陕%?壕.9.?
0148A60C  26 46 C1 D7 96 FC 58 29 4E 49 98 45 EE D1 CD BD  &F?.?)NI.E钛?

0148A1C8

0148A1C8  00 01 01 E8 BE 6F BF B8 17 AB 7F BF|7B 1C B6 C9  ...杈o?...葵..
0148A1D8  42 25 D9 30 BA BE 08 39 BD ED 08 AE 26 46 C1 D7  B%?壕.9.??F?

1
004029C5 F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR [E>

004029AB F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR [E>

eax+1

2
004029C5 F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR [E>

ECX=00000106 (decimal 262.)
DS:[ESI]=[012E28E0]=EAF0ACEB
ES:[EDI]=[00718650]=00000000

Call stack of main thread, item 11
Address=0012FF44
Stack=0012FF5C
Procedure / arguments=  pMsg = WM_USER+1 hw = 6008C4 (class="TPUtilWindow") wParam = F4 lParam = 1

Call stack of main thread, item 12
Address=0012FF44
Stack=0012FF5C
Procedure / arguments=  pMsg = WM_USER+1 hw = DA04BE (class="TPUtilWindow") wParam = E4 lParam = 1

0041BAE0 50             PUSH EAX
0041BAE1 53             PUSH EBX
0041BAE2 E8 FDB8FEFF    CALL 004073E4                         ; <JMP.&kernel32.FindResourceA>

Call stack of main thread
Address Stack    Procedure / arguments                Called from                Frame
0012F754 0044F8BF Includes main_dat.00466F18          main_dat.0044F8B9          0012F750
0012F830 00464032 ? main_dat.0044F798                main_dat.0046402D          0012F82C
0012F838 00466CBE main_dat.00464028                   main_dat.00466CB9          0012F8EC
0012F84C 0044FC68 Includes main_dat.00466CBE          main_dat.0044FC62          0012F8EC
0012F85C 00452686 Includes main_dat.0044FC68          main_dat.00452680          0012F8EC

0012F864 0045267C main_dat.00452664                   main_dat.00452677          0012F8EC
0012F86C 0045267C ? main_dat.00452664                main_dat.00452677
0012F874 0045267C ? main_dat.00452664                main_dat.00452677
0012F87C 00452692 ? main_dat.00452664                main_dat.0045268D
0012F884 00479665 main_dat.00452688                   main_dat.00479660
0012F89C 004186F0 Includes main_dat.00479665          main_dat.004186EE
0012F8AC 0042078F main_dat.004186B4                   main_dat.0042078A

Call stack of main thread
Address Stack    Procedure / arguments                Called from                Frame
0012F930 0044F8BF Includes main_dat.00466F18          main_dat.0044F8B9          0012F92C
0012FA0C 00464032 ? main_dat.0044F798                main_dat.0046402D          0012FA08
0012FA14 00466CBE main_dat.00464028                   main_dat.00466CB9          0012FA6C
0012FA28 0044FC68 Includes main_dat.00466CBE          main_dat.0044FC62          0012FA6C
0012FA38 00452686 Includes main_dat.0044FC68          main_dat.00452680          0012FA6C

0012FA40 00452692 main_dat.00452664                   main_dat.0045268D          0012FA6C
0012FA48 004524CE main_dat.00452688                   main_dat.004524C9          0012FA6C
0012FA54 0044AB21 Includes main_dat.004524CE          main_dat.0044AB1E          0012FA6C

Call stack of main thread, item 3
Address=0012FF44
Stack=0012FF5C
Procedure / arguments=  pMsg = WM_LBUTTONUP hw = FC097E ("登录") Keys = 0 X = 29. Y = 14.

77E429A0 3E:817C24 0C 8702>CMP DWORD PTR DS:[ESP+C],287

SendMessageA 77DF6880                   55             PUSH EBP
77DF6881                               8BEC             MOV EBP,ESP
77DF6883                               56             PUSH ESI
77DF6884                               8B75 0C          MOV ESI,[EBP+C]

77DF6887                               F7C6 0000FEFF    TEST ESI,FFFE0000
77DF688D                               74 09          JE SHORT 77DF6898                      ; 77DF6898
77DF688F                               6A 57          PUSH 57
77DF6891                               E8 CC6D0100    CALL 77E0D662                         ; 77E0D662

SendMessageA 77DF6880                   /E9 1BC10400    JMP 77E429A0                            ; 77E429A0
77DF6885                               |90             NOP
77DF6886                               |90             NOP
77DF6887                               |F7C6 0000FEFF    TEST ESI,FFFE0000
77DF688D                               |74 09          JE SHORT 77DF6898                      ; 77DF6898

55 8B EC 56 8B 75 0C F7 C6 00 00 FE FF 74 09 6A

77E429A0    3E:817C24 08 8702>CMP DWORD PTR DS:[ESP+8],287
77E429A9    74 0C          JE SHORT 77E429B7                      ; 77E429B7
77E429AB    55             PUSH EBP
77E429AC    8BEC             MOV EBP,ESP
77E429AE    56             PUSH ESI
77E429AF    8B75 0C          MOV ESI,[EBP+C]
77E429B2 ^ E9 D03EFBFF    JMP 77DF6887                            ; 77DF6887

3E 81 7C 24 08 87 02 00 00 74 0C 55 8B EC 56 8B 75 0C E9 D0 3E FB FF 90 90 90 90 90 90 90 90 90

post
77DFA049    55             PUSH EBP
77DFA04A    8BEC          MOV EBP,ESP
77DFA04C    56             PUSH ESI
77DFA04D    57             PUSH EDI

77DFA04E    8B7D 0C       MOV EDI,[EBP+C]
77DFA051    8BC7          MOV EAX,EDI

PostMessageA> /E9 52890400    JMP 77E429A0                            ; 77E429A0
77DFA04E    |8B7D 0C       MOV EDI,[EBP+C]
77DFA051    |8BC7          MOV EAX,EDI

55 8B EC 56 57 8B 7D 0C 8B C7 2D 45 01 00 00 74

77E429A0 0000          ADD [EAX],AL

3E 81 7C 24 08 87 02 00 00 74 0C 55 8B EC 56 57 E9 99 76 FB FF 90 90 90 90 90 00 00 00 00 00 00

77E429A0    3E:817C24 08 87>CMP DWORD PTR DS:[ESP+8],287
77E429A9    74 0C          JE SHORT 77E429B7                      ; 77E429B7
77E429AB    55             PUSH EBP
77E429AC    8BEC          MOV EBP,ESP
77E429AE    56             PUSH ESI
77E429AF    57             PUSH EDI
77E429B0    ^ E9 9976FBFF    JMP 77DFA04E                            ; 77DFA04E

0057F428    A1 64E75800    MOV EAX,[58E764]
0057F42D    8338 00       CMP DWORD PTR [EAX],0
0057F430    0F84 A5000000 JE 0057F4DB                            ; 0057F4DB

00567876    8B45 EC       MOV EAX,[EBP-14]
00567879    8B55 FC       MOV EDX,[EBP-4]
0056787C    E8 13D8E9FF    CALL 00405094                         ; 00405094
00567881    75 08          JNZ SHORT 0056788B                      ; 0056788B

00568760    8B40 FC       MOV EAX,[EAX-4]
00568763    8B40 7D       MOV EAX,[EAX+7D]
00568766    83F8 25       CMP EAX,25
00568769    0F87 62030000 JA 00568AD1                            ; 00568AD1

00567516    6A 00          PUSH 0
00567518    B8 07000000    MOV EAX,7
0056751D    E8 2E050000    CALL 00567A50                         ; 00567A50
00567522    D81D 80755600 FCOMP DWORD PTR [567580]
00567528    DFE0          FSTSW AX

00568B58 A1 E4FA5800       MOV EAX,[58FAE4]

00568709 64:8920       MOV FS:[EAX],ESP
0056870C 8B45 08       MOV EAX,[EBP+8]
0056870F 8B40 FC       MOV EAX,[EAX-4]
00568712 8B40 48       MOV EAX,[EAX+48]                      ; eax=012DC008
00568715 8B55 08       MOV EDX,[EBP+8]
00568718 8B52 FC       MOV EDX,[EDX-4]
0056871B 0342 04       ADD EAX,[EDX+4]                         ; 012DC008+35
0056871E 8B55 08       MOV EDX,[EBP+8]
00568721 8B52 FC       MOV EDX,[EDX-4]
00568724 8B52 0C       MOV EDX,[EDX+C]                         ; 9a++
00568727 8B4D 08       MOV ECX,[EBP+8]
0056872A 8B49 FC       MOV ECX,[ECX-4]
0056872D 0FAF51 08    IMUL EDX,[ECX+8]                      ; edx=94++,83
00568731 03C2          ADD EAX,EDX                            ; +edx=4f51
00568733 8B55 08       MOV EDX,[EBP+8]
00568736 8B52 FC       MOV EDX,[EDX-4]
00568739 8BF0          MOV ESI,EAX
0056873B 8D7A 50       LEA EDI,[EDX+50]                      ; edi=0123E88C
0056873E B9 20000000    MOV ECX,20
00568743 F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR [E>

0057F625 8B15 5CF15800 MOV EDX,[58F15C]                      ; main_dat.007183E0
0057F62B 8B12          MOV EDX,[EDX]
0057F62D A1 14E75800    MOV EAX,[58E714] ;保存了EAX-4，重要地方
0057F632 8B00          MOV EAX,[EAX]
0057F634 E8 8797FEFF    CALL 00568DC0                         ; 00568DC0
0057F639 A1 14E75800    MOV EAX,[58E714]
0057F63E 8B00          MOV EAX,[EAX]
0057F640 BA 58F65700    MOV EDX,57F658
0057F645 E8 9695FEFF    CALL 00568BE0                         ; 00568BE0

;固定83和35
00568DD4 8942 48       MOV [EDX+48],EAX
00568DD7 8B45 FC       MOV EAX,[EBP-4]
00568DDA C740 08 8300000>MOV DWORD PTR [EAX+8],83
00568DE1 8B45 FC       MOV EAX,[EBP-4]
00568DE4 C740 04 3500000>MOV DWORD PTR [EAX+4],35
00568DEB 8D45 C3       LEA EAX,[EBP-3D]

[EAX+10]
00568E09 F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR [E>

88 82 56 00 35 00 00 00 83 00 00 00 98 00 00 00
C8 5A 00 00 B2 03 00 00 B1 00 00 00 6E 70 63 64
6C 67 2E 64 6C 74 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 08 C0 2D 01 00 00 00 00
E6 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00

88 82 56 00 35 00 00 00 83 00 00 00 01 00 00 00
C8 5A 00 00 B2 03 00 00 B1 00 00 00 6E 70 63 64
6C 67 2E 64 6C 74 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 B4 B9 2D 01 00 00 00 00
00 00 00 00 2E 00 00 00 00 00 00 00 00 00 00 00

88 82 56 00 35 00 00 00 83 00 00 00 98 00 00 00
C8 5A 00 00 B2 03 00 00 B1 00 00 00 6E 70 63 64
6C 67 2E 64 6C 74 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 F8 3F 48 01 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

88 82 56 00 35 00 00 00 83 00 00 00 B1 00 00 00
C8 5A 00 00 B2 03 00 00 B1 00 00 00 6E 70 63 64
6C 67 2E 64 6C 74 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 F8 3F 48 01 00 00 00 00
04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0057F40F E8 CC97FEFF    CALL 00568BE0                         ; 处理数据
0057F414 A1 14E75800    MOV EAX,[58E714]
0057F419 8B00          MOV EAX,[EAX]
0057F41B 83B8 D4000000 0>CMP DWORD PTR [EAX+D4],0
0057F422 0F84 B3000000 JE 0057F4DB                            ; 0057F4DB
0057F428 A1 64E75800    MOV EAX,[58E764]
0057F42D 8338 00       CMP DWORD PTR [EAX],0
0057F430 0F84 A5000000 JE 0057F4DB                            ;不能跳
0057F436 A1 00E95800    MOV EAX,[58E900]
0057F43B FF40 12       INC DWORD PTR [EAX+12]

0057A9DB C3             RETN
0057A9DC 55             PUSH EBP                               ; 处理数据，并打印剩余时间
0057A9DD 8BEC          MOV EBP,ESP

0057AB4E 68 E8AC5700    PUSH 57ACE8                            ; ASCII "您的"
0057AB53 A1 38F85800    MOV EAX,[58F838]
0057AB58 FF30          PUSH DWORD PTR [EAX]
0057AB5A 68 F8AC5700    PUSH 57ACF8                            ; ASCII "剩余"
0057AB5F 8D55 F4       LEA EDX,[EBP-C]
0057AB62 A1 A0EF5800    MOV EAX,[58EFA0]
0057AB67 8B00          MOV EAX,[EAX]
0057AB69 E8 F26DF9FF    CALL 00511960                         ; 计算天数放edx

5a0 x 0x270F(9999) = DBB460

012E22CC  DD 08 05 00 1E 00 00 00 61 D1 D3 23 C4 8A EA 7E  ?......a延#?掰

4
01483c68

5
012DB9b4

00568C1E E8 45000000    CALL 00568C68                         ; 构造循环次数存eax
00568C23 8945 F4       MOV [EBP-C],EAX
00568C26 837D F4 00    CMP DWORD PTR [EBP-C],0
00568C2A 7D 0D          JGE SHORT 00568C39                      ; 00568C39
00568C2C 8B45 FC       MOV EAX,[EBP-4]
00568C2F 33D2          XOR EDX,EDX
00568C31 8990 D4000000 MOV [EAX+D4],EDX
00568C37 EB 0B          JMP SHORT 00568C44                      ; 00568C44
00568C39 8B55 F4       MOV EDX,[EBP-C]                         ; 开始循环数字
00568C3C 8B45 FC       MOV EAX,[EBP-4]
00568C3F E8 D0FEFFFF    CALL 00568B14                         ; 真正循环处理

97出来

97 1 r

36 1 x

005688F4 A1 98F75800    MOV EAX,[58F798] ;eax=3 半路检查
005688F9 8338 00       CMP DWORD PTR [EAX],0
005688FC 0F85 CF010000 JNZ 00568AD1                            ; 00568AD1
00568902 8B45 08       MOV EAX,[EBP+8]
00568905 8B40 FC       MOV EAX,[EAX-4]
00568908 8B80 CF000000 MOV EAX,[EAX+CF]
0056890E 48             DEC EAX
0056890F 8B55 08       MOV EDX,[EBP+8]
00568912 8B52 FC       MOV EDX,[EDX-4]
00568915 8942 0C       MOV [EDX+C],EAX ;跳过出错地方
00568918 E9 B4010000    JMP 00568AD1                            ; 00568AD1

005685C5 8B45 F8       MOV EAX,[EBP-8]
005685C8 BA 28865600    MOV EDX,568628                         ; ASCII "$dr_if"
005685CD E8 C2CAE9FF    CALL 00405094                         ; 00405094
005685D2 75 12          JNZ SHORT 005685E6                      ; 005685E6
005685D4 DD45 08       FLD QWORD PTR [EBP+8]
005685D7 E8 54A6E9FF    CALL 00402C30                         ; 正确eax=0
005685DC 8B15 98F75800 MOV EDX,[58F798]                      ; main_dat.00612118
005685E2 8902          MOV [EDX],EAX
005685E4 EB 11          JMP SHORT 005685F7                      ; 005685F7
005685E6 FF75 0C       PUSH DWORD PTR [EBP+C]

d 检查$dr_if

00612118  01                                              .

18 设置暗桩

0148B708  24 64 72 5F 69 66 00 00 1A 00 00 00 01 00 00 00  $dr_if..........
0148B718  08 00 00 00 32 35 38 36 37 37 35 38 00 00 00 00  ....25867758....

34    39
8 a 4 4 5

005685D2 /75 12          JNZ SHORT 005685E6                      ; 005685E6
005685D4 |DD45 08       FLD QWORD PTR [EBP+8] ;eip
005685D7 |E8 54A6E9FF    CALL 00402C30                         ; 00402C30
005685DC |8B15 98F75800 MOV EDX,[58F798]                      ; main_dat.00612118
005685E2 |8902          MOV [EDX],EAX
005685E4 |EB 11          JMP SHORT 005685F7                      ; 005685F7

Stack SS:[0012F5EC]=1.000000000000000

0012F5D0 0012F5F8  Pointer to next SEH record
0012F5D4 0056860D  SE handler
0012F5D8 0012F5E4
0012F5DC 012E38FC  ASCII "$dr_if"
0012F5E0 00000000
0012F5E4  /0012F65C
0012F5E8  |005688D3  RETURN to main_dat.005688D3 from main_dat.00568560
0012F5EC  |00000000
0012F5F0  |3FF00000
0012F5F4  |0012F65C
0012F5F8  |0012F668  Pointer to next SEH record
0012F5FC  |00568B06  SE handler
0012F600  |0012F65C
0012F604  |0012FF5C
0012F608  |00441600  main_dat.00441600

004A583B 9B             WAIT
004A583C DD45 E8       FLD QWORD PTR [EBP-18]
004A583F D805 98584A00 FADD DWORD PTR [4A5898]
004A5845 DD5D E8       FSTP QWORD PTR [EBP-18]
004A5848 9B             WAIT

///////////////////////////////////////////////////////////
005688AE FF75 F4       PUSH DWORD PTR [EBP-C]
005688B1 FF75 F0       PUSH DWORD PTR [EBP-10]
005688B4 FF75 EC       PUSH DWORD PTR [EBP-14]
005688B7 FF75 E8       PUSH DWORD PTR [EBP-18]

0012F5F4  |0012F65C
0012F5F8  |0012F668  Pointer to next SEH record
0012F5FC  |00568B06  SE handler
0012F600  |0012F65C
0012F604  |0012FF5C

0012F63C  |00441600  main_dat.00441600
0012F640  |0123E83C
0012F644  |00000000 18
0012F648  |405D4000 14
0012F64C  |00000000 10
0012F650  |405F0000 c
0012F654  |00000000 8
0012F658  |40200000 4
0012F65C  ]0012F680 ebp

0012F5E4 00000000
0012F5E8 4068E000
0012F5EC 00000000
0012F5F0 00000000
0012F5F4 0012F65C

0012F63C 00441600  main_dat.00441600
0012F640 0123E83C
0012F644 00000000 18
0012F648 4068E000 14
0012F64C 00000000 10
0012F650 4068E000 c
0012F654 00000000 8
0012F658 40200000 ebp-4
0012F65C  /0012F680 ebp

199
4068E000
00000000

FLD src
装入实数到st(0)
st(0) <- src (mem32/mem64/mem80)

FILD src
装入整数到st(0)
st(0) <- src (mem16/mem32/mem64)

FST dest
保存实数st(0)到dest
dest <- st(0) (mem32/mem64)

FSTP dest

dest <- st(0) (mem32/mem64/mem80)；然后再执行一次出栈操作

FIST dest
将st(0)以整数保存到dest
dest <- st(0) (mem32/mem64)

FISTP dest

dest <- st(0) (mem16/mem32/mem64)；然后再执行一次出栈操作

FLDCW src
从src装入FPU的控制字
FPU CW <-src (mem16)

FSTCW dest
将FPU的控制字保存到dest
dest<- FPU CW

FSUB
减去一个实数
st(0) <- st(0) - st(1)

FSUB src

st(0) <-st(0) - src (reg/mem)

FSUB st(i),st

st(i) <-st(i) - st(0)

FMUL
乘上一个实数
st(0) <- st(0) * st(1)

FMUL st(i)

st(0) <- st(0) * st(i)

FMUL st(i),st

st(i) <- st(0) * st(i)

0056889E 55             PUSH EBP                               ; 88888888888
0056889F E8 F0F9FFFF    CALL 00568294                         ; 循环
005688A4 59             POP ECX
005688A5 85C0          TEST EAX,EAX
005688A7 0F84 24020000 JE 00568AD1                            ; 00568AD1
005688AD 55             PUSH EBP
005688AE FF75 F4       PUSH DWORD PTR [EBP-C]
005688B1 FF75 F0       PUSH DWORD PTR [EBP-10]
005688B4 FF75 EC       PUSH DWORD PTR [EBP-14]
005688B7 FF75 E8       PUSH DWORD PTR [EBP-18]
005688BA DD45 F8       FLD QWORD PTR [EBP-8]
005688BD E8 7AA3E9FF    CALL 00402C3C                         ; 00402C3C
005688C2 E8 89F1FFFF    CALL 00567A50                         ; call ebx
005688C7 83C4 F8       ADD ESP,-8
005688CA DD1C24       FSTP QWORD PTR [ESP]
005688CD 9B             WAIT
005688CE E8 8DFCFFFF    CALL 00568560                         ; 检查并设置出暗桩
005688D3 59             POP ECX
005688D4 E9 F8010000    JMP 00568AD1                            ; 00568AD1

4020000000000000

0012F654 00000000
0012F658 40200000

Stack SS:[0012F654]=8.000000000000000

0012F654  00 00 00 00 00 00 20 40 80 F6 12 00 68 8B 56 00  ...... @.?.h.V.

005683D1 8B45 08       MOV EAX,[EBP+8]
005683D4 8B55 F0       MOV EDX,[EBP-10]
005683D7 8950 F0       MOV [EAX-10],EDX
005683DA 8B55 F4       MOV EDX,[EBP-C]
005683DD 8950 F4       MOV [EAX-C],EDX
005683E0 E9 3E010000    JMP 00568523                            ; 00568523

0012F5DC 00000000
0012F5E0 402C0000

0012F5DC 00000000
0012F5E0 40200000

f puah

1b 开始处理recv

2c 开始处理recv
0056897E 55             PUSH EBP                               ; ddddddddd
0056897F E8 10F9FFFF    CALL 00568294                         ; 00568294
00568984 59             POP ECX
00568985 85C0          TEST EAX,EAX
00568987 0F84 44010000 JE 00568AD1                            ; 00568AD1
0056898D 55             PUSH EBP
0056898E FF75 F4       PUSH DWORD PTR [EBP-C]
00568991 FF75 F0       PUSH DWORD PTR [EBP-10]
00568994 8B45 DC       MOV EAX,[EBP-24]
00568997 E8 44F3FFFF    CALL 00567CE0                         ; 处理recv内容
0056899C 83C4 F8       ADD ESP,-8
0056899F DD1C24       FSTP QWORD PTR [ESP]
005689A2 9B             WAIT
005689A3 E8 B8FBFFFF    CALL 00568560                         ;$dr_if之后杀出来
005689A8 59             POP ECX                               ; 0012F65C
005689A9 E9 23010000    JMP 00568AD1                            ; 00568AD1

0123E83C  88 82 56 00 35 00 00 00 83 00 00 00 2C 00 00 00  ..V.5.......,...
0123E84C  C8 5A 00 00 B2 03 00 00 B1 00 00 00 6E 70 63 64  融......?..npcd

0012F5F4 0012F65C
0012F5F8 0012F668  Pointer to next SEH record
0012F5FC 00568B06  SE handler
0012F600 0012F65C
0012F604 0012FF5C
0012F608 00441600  main_dat.00441600
0012F60C 00000000
0012F610 00000000
0012F614 0012F62C
0012F618 00000001
0012F61C 00000000
0012F620 00000000
0012F624 00000010
0012F628 00402495  RETURN to main_dat.00402495 from main_dat.00401EBC
0012F62C 00000000
0012F630 00000000
0012F634 00000000
0012F638 00000000
0012F63C 00441600  main_dat.00441600
0012F640 0123E83C
0012F644 00000000
0012F648 4062C000
0012F64C 00000000
0012F650 4062C000
0012F654 00000000
0012F658 40200000
0012F65C  /0012F680

0012F5F4 0012F65C
0012F5F8 0012F668  Pointer to next SEH record
0012F5FC 00568B06  SE handler
0012F600 0012F65C
0012F604 0012FF5C
0012F608 00441600  main_dat.00441600
0012F60C 00000000
0012F610 00000000
0012F614 0012F62C
0012F618 00000001
0012F61C 00000000
0012F620 00000000
0012F624 00000010
0012F628 00402495  RETURN to main_dat.00402495 from main_dat.00401EBC
0012F62C 00000000
0012F630 00000000
0012F634 00000000
0012F638 00000000
0012F63C 00441600  main_dat.00441600
0012F640 0123E83C
0012F644 00000000
0012F648 405D4000
0012F64C 00000000
0012F650 405F0000
0012F654 00000000
0012F658 40200000
0012F65C  /0012F680

012E20B0  B0 20 2E 01 B0 20 2E 01 18 00 00 00 34 37 32 38  . ... ......4728
012E20C0  36 00 00 00 38 00 00 00 1F 00 00 00 01 00 00 00  6...8...........
012E20D0  0E 00 00 00 32 32 32 2E 31 33 37 2E 31 31 36 2E  ....222.137.116.
012E20E0  36 38 00 00 1A 00 00 00 00 00 00 00 09 00 00 00  68..............
012E20F0  31 33 36 38 36 32 30 39 33 00 2E 31 35 36 2E 00  136862093..156..

012E20B0  B0 20 2E 01 B0 20 2E 01 18 00 00 00 34 37 32 38  . ... ......4728
012E20C0  36 00 00 00 68 00 00 00 1F 00 00 00 01 00 00 00  6...h...........
012E20D0  0E 00 00 00 32 32 32 2E 31 33 37 2E 31 31 36 2E  ....222.137.116.
012E20E0  36 38 00 00 1A 00 00 00 01 00 00 00 08 00 00 00  68..............
012E20F0  73 6F 6C 61 72 69 73 35 00 00 2E 31 1A 00 00 00  solaris5...1....

25867758

33

0012F63C 00441600  main_dat.00441600
0012F640 0123E83C
0012F644 00000000
0012F648 405D4000
0012F64C 00000000
0012F650 405F0000
0012F654 00000000
0012F658 40200000
0012F65C  /0012F680

0012F63C 00441600  main_dat.00441600
0012F640 0123E83C
0012F644 00000000
0012F648 405D4000
0012F64C 00000000
0012F650 405F0000
0012F654 00000000
0012F658 40200000
0012F65C  /0012F680

0012F63C 00441600  main_dat.00441600
0012F640 0123E95C
0012F644 00000000
0012F648 405D4000
0012F64C 00000000
0012F650 405F0000
0012F654 00000000
0012F658 40200000
0012F65C  /0012F680
/////////////////////////////////////////////////////////////////////
0012F63C 00441600  main_dat.00441600
0012F640 0123E83C
0012F644 00000000
0012F648 406BC000
0012F64C 00000000
0012F650 406BC000
0012F654 00000000
0012F658 40200000
0012F65C  /0012F680

0012F63C 00441600  main_dat.00441600
0012F640 0123E95C
0012F644 00000000
0012F648 4054C000
0012F64C 00000000
0012F650 4054C000
0012F654 00000000
0012F658 40200000
0012F65C  /0012F680

0012F63C 00441600  main_dat.00441600
0012F640 0123E95C
0012F644 00000000
0012F648 401C0000
0012F64C 00000000
0012F650 401C0000
0012F654 00000000
0012F658 40200000
0012F65C  /0012F680

/////////////////////////////////////////////////////////////////////

00567FA8 A1 ECF35800    MOV EAX,[58F3EC]
00567FAD 33D2          XOR EDX,EDX
00567FAF 8910          MOV [EAX],EDX
00567FB1 A1 84EC5800    MOV EAX,[58EC84]

3

0056838A 8B40 08       MOV EAX,[EAX+8]
0056838D 8B40 FC       MOV EAX,[EAX-4]
00568390 E8 8B090000    CALL 00568D20                         ; 00568D20

0012F5BC 00000000  |Arg1 = 00000000
0012F5C0 406F6000  \Arg2 = 406F6000

;开始处理recv内容
00567076 6B45 F0 17    IMUL EAX,[EBP-10],17 ;!!!
0056707A 8B15 00216100 MOV EDX,[612100]
00567080 8B4442 2A    MOV EAX,[EDX+EAX*2+2A]
00567084 8945 EC       MOV [EBP-14],EAX
00567087 837D EC 00    CMP DWORD PTR [EBP-14],0
0056708B 7C 62          JL SHORT 005670EF                      ; 005670EF
0056708D 8B45 EC       MOV EAX,[EBP-14]
00567090 3B05 0C216100 CMP EAX,[61210C]
00567096 7D 57          JGE SHORT 005670EF                      ; 005670EF
00567098 A1 08216100    MOV EAX,[612108]
0056709D 8B55 EC       MOV EDX,[EBP-14]
005670A0 8B4D F8       MOV ECX,[EBP-8]
005670A3 8B1CD0       MOV EBX,[EAX+EDX*8] ;复制push内容
005670A6 8919          MOV [ECX],EBX
005670A8 8B5CD0 04    MOV EBX,[EAX+EDX*8+4] ;复制push内容
005670AC 8959 04       MOV [ECX+4],EBX
005670AF C745 F4 FFFFFFF>MOV DWORD PTR [EBP-C],-1
005670B6 EB 37          JMP SHORT 005670EF                      ; 005670EF
005670B8 8B55 F8       MOV EDX,[EBP-8]

0012F5EC  |00000000
0012F5F0  |40360000

取 0-4
012E1EA4  00 00 00 00 00 00 2C 40 00 00 00 00 00 00 20 40  ......,@...... @
012E1EB4  00 00 00 00 00 00 37 40 00 00 00 00 00 00 08 40  ......7@.......@
012E1EC4  00 00 00 00 00 80 48 40 CC 1E 2E 01 CC 1E 2E 01  ......H@?..?..

User-defined comments
Address Disassembly                            Comment
00402998 PUSH ESI                               复制到其他地方
00404D5C TEST EAX,EAX                            没用
00404D93 CALL 00404D5C                            没用
00404DA4 CALL 00402998                            复制到其他地方
00404DAB CALL 00404C98                            没用
00404F50 TEST EAX,EAX                            取字节数
00405094 PUSH EBX                               比较
00405175 CALL 00402998                            复制到其他地方
00466EED CALL 0044F930                            dead
00567057 CALL 0056781C                            大循环
005670A3 MOV EBX,[EAX+EDX*8]                      取出push内容
0056781C PUSH EBP                               大循环，没什么用处
0056787C CALL 00405094                            比较
00567B19 MOV [EAX+EDX*8],ECX                      保存push
00567B56 JMP SHORT 00567B48                      (Initial CPU selection)
00567CEC CALL 00405138                            null
00567D10 CALL 00404F50                            取字节数
00567D30 CALL 004051A0                            复制
00567D3F CALL 004051A0                            复制
00567D50 CALL 00402C30                            null
00567D5E MOVZX EAX,BYTE PTR [EDX+EAX-1]          处理recv
00568294 PUSH EBP                               构造push内容
005683A2 JE 00568536                            取push
00568471 CALL 00568D20                            没用
005684BF CALL 00568D20                            解码
005685A5 LEA ECX,[EBP-8]                         保存在[epb-8]
005685B1 MOV EDX,[EAX+8B]                         [eax+8d]
005685BD MOV EAX,[EAX-4]                         eax
005685C0 CALL 00568D20                            解码成明文,有浮点运算
005685CD CALL 00405094                            比较
005685EF CALL 00567A84                            保存push
00568712 MOV EAX,[EAX+48]                         eax=012DC008
0056871B ADD EAX,[EDX+4]                         012DC008+35
00568724 MOV EDX,[EDX+C]                         9a++
0056872D IMUL EDX,[ECX+8]                         edx=94++,83
00568731 ADD EAX,EDX                            +edx=4f51
0056873B LEA EDI,[EDX+50]                         edi=0123E88C
00568757 MOV [EDX+1D8],EAX                      保存头
00568763 MOV EAX,[EAX+7D]                         功能n
00568825 PUSH EBP                               44444444444取n8,n9,b4,i8
00568826 CALL 00568294                            取k1。。k9
00568837 CALL 005676A4                            出现
00568841 PUSH EBP                               555555555555
00568842 CALL 00568294                            取s1，s2，s3
0056885D PUSH EBP                               66666666666
0056885E CALL 00568294                            取data1。。。9
00568884 CALL 00567E50                            i8
00568894 CALL 00567940                            data9,s9
0056889E PUSH EBP                               88888888888
0056889F CALL 00568294                            取push内容
005688CE CALL 00568560                            检查并设置出暗桩
005688D9 MOV EAX,[EBP+8]                         9999999999
005688F4 MOV EAX,[58F798]                         aaaaaaaaaaaa
0056897E PUSH EBP                               ddddddddd
00568984 POP ECX                                  取ip
00568997 CALL 00567CE0                            id solaris5
005689A3 CALL 00568560                            保存push and 检查dr-if，设置暗桩
005689AE PUSH EBP                               eeeeeeeeeee
005689E3 PUSH EBP                               ffffffffffff
005689E4 CALL 00568294                            取ip和id
005689F6 CALL 00567F50                            id solaris9
00568A68 CALL 005674D4                            data5
00568AD1 XOR EAX,EAX                            结束
00568B1F MOV [EBP-8],EDX                         开始循环数字
00568BA3 INC DWORD PTR [EAX+C]                   [eax+c]++
00568C1E CALL 00568C68                            构造循环次数存eax
00568C39 MOV EDX,[EBP-C]                         开始循环数字
00568C3F CALL 00568B14                            真正循环处理
00568CB3 MOV EDX,[EDX+48]                         edx=012DC008
00568CB9 ADD EDX,[ECX+4]                         edx+35
00568CC2 IMUL ECX,[EBX+8]                         ecx=5++,83
00568CC6 ADD EDX,ECX                            ecx=28f
00568CE0 JNZ SHORT 00568CEA                      特别情况，决定循环开始数字
00568D20 PUSH EBP                               没用
00568D76 CALL 00407EB0                            复制ecx个，eax。edx
0057A9DC PUSH EBP                               处理数据，并打印剩余时间
0057AA2D JNZ 0057AB2C                            成功跳
0057AB69 CALL 00511960                            计算天数放edx
0057F3AC CMP DWORD PTR [EBP-C],0                检查收到字节数
0057F3CB MOV [EDX],EAX                            保存天数
0057F3FE CALL 00568DC0                            构造b1次循环
0057F40F CALL 00568BE0                            处理数据
00580EF7 CALL 0057F508                            last user
00580EFC CALL 00402BC8                            GetSystemTime
0058460B CALL 004BAB1C                            接收数据
00584618 CALL 00404CEC                            保存接收地址到[58F870]
00584638 CALL 00404CEC                            edx保存到eax
00584669 CALL 004B9E9C                            closesocket
0058495C CALL 00404F50                            取字节数
00584AC3 CALL 004415D8                            time

30
取id，保存，取出，push

005688AE FF75 F4       PUSH DWORD PTR [EBP-C]

0012F5E4 00000000
0012F5E8 40180000
0012F5EC 00000000405CC000
0012F5F0 405CC00000000000

0012F5E4 00000000  |Arg1 = 00000000
0012F5E8 40180000  |Arg2 = 40180000
0012F5EC 00000000  |Arg3 = 00000000
0012F5F0 405CC000  \Arg4 = 405CC000

ip,id,x,y,id[0]

x
00000206
0012F5D0 00000021
0012F5D4 00000000
0012F5D8 40408000

y
000001F5
0012F5D0 00000006
0012F5D4 00000000
0012F5D8 40180000

id[0]
0012F5D0 00000073
0012F5D4 00000000
0012F5D8 405CC000

0012F644 00000000
0012F648 40180000
0012F64C 00000000
0012F650 405CC000
0012F654 00000000
0012F658 402E0000

405D4000

0012F644 00000000
0012F648 405D4000
0012F64C 00000000
0012F650 405F0000
0012F654 00000000
0012F658 40200000

检查2次

404A800000000000
id[end]
53
0012F5C8 00000000
0012F5CC 404A8000

x2
0000012E
0012F5D0 000000EA
0012F5D4 00000000
0012F5D8 406D4000

y2
00000066
0012F5D0 0000008A
0012F5D4 00000000
0012F5D8 40614000

0012F5E4 00000000  |Arg1 = 00000000
0012F5E8 40614000  |Arg2 = 40614000
0012F5EC 00000000  |Arg3 = 00000000
0012F5F0 406D4000  \Arg4 = 406D4000

96

0012F5C8 00000000
0012F5CC 40580000

0012F5E4 00000000  |Arg1 = 00000000
0012F5E8 404A8000  |Arg2 = 404A8000
0012F5EC 00000000  |Arg3 = 00000000
0012F5F0 40580000  \Arg4 = 40580000

/////////////////////////////////////////////////////////////////////
x
00000206
0012F5D0 0000002B
0012F5D4 00000000
0012F5D8 40458000

y
000001F5
0012F5D0 00000044
0012F5D4 00000000
0012F5D8 40510000

id[0]
0012F5D0 00000032
0012F5D4 00000000
0012F5D8 40490000

0012F5E4 00000000  |Arg1 = 00000000
0012F5E8 40510000  |Arg2 = 40510000
0012F5EC 00000000  |Arg3 = 00000000
0012F5F0 40490000  \Arg4 = 40490000

0012F5C8 00000000
0012F5CC 405D8000

0012F5E4 00000000  |Arg1 = 00000000
0012F5E8 405D8000  |Arg2 = 405D8000
0012F5EC 00000000  |Arg3 = 00000000
0012F5F0 405D8000  \Arg4 = 405D8000

x2
0000012E
0012F5D0 0000003E
0012F5D4 00000000
0012F5D8 404F0000

y2
00000066
0012F5D0 000000EC
0012F5D4 00000000
0012F5D8 406D8000

0012F5E4 00000000  |Arg1 = 00000000
0012F5E8 406D8000  |Arg2 = 406D8000
0012F5EC 00000000  |Arg3 = 00000000
0012F5F0 404F0000  \Arg4 = 404F0000

210

0012F5EC 00000000
0012F5F0 40554000

0012F5C8 00000000
0012F5CC 40554000

0012F5C8 00000000
0012F5CC 406A4000

0012F5E4 00000000  |Arg1 = 00000000
0012F5E8 404C0000  |Arg2 = 404C0000
0012F5EC 00000000  |Arg3 = 00000000
0012F5F0 406A4000  \Arg4 = 406A4000

0012F5C8 00000000
0012F5CC 406D4000

3e

49

00702BF4  3C 3C 3C 3C 3C 42 58 3C 3C 3C 3C 3C 3C 3C 3C 3C  <<<<<BX<<<<<<<<<
00702C04  48 5F 50 74 49 5F 58 73 49 4F 5C 6B 6C 6B 4E 5D  H_PtI_XsIO\klkN]
00702C14  76 67 53 60 64 5A 66 71 68 56 43 66 6E 69 50 00  vgS`dZfqhVCfniP.

<<<<<BX<<<<<<<<<H_PtI_XsIO\klkN]vgS`dZfqhVCfniP

25867758/卖￡典￡当￡收

00702BF4  3C 3C 3C 3C 3C 42 58 3C 3C 3C 3C 3C 3C 3C 3C 3C  <<<<<BX<<<<<<<<<
00702C04  48 5F 50 74 49 5F 58 73 49 4F 5C 6B 6C 6B 4E 5D  H_PtI_XsIO\klkN]
00702C14  76 67 53 60 64 5A 66 71 68 56 43 66 6E 69 50 00  vgS`dZfqhVCfniP.

00612100  88 BB 4F 01 1D 00 00 00 94 9E 4F 01 0E 00 00 00  ..O......?.....
00612110  34 A0 4F 01 07 00 00 00 01 00 00 00 FF FF FF FF  4.O.............

005915B0  D0 20 00 00 D0 2B 09 00 FF FF FF FF 01 00 00 00  ?..?..........
005915C0  00 00 00 00 00 63 13 00 FF FF FF FF 00 00 00 00  .....c..........
005915D0  00 00 00 00 00 00 00 00 00 00 00 00 70 8D 13 00  ............p?.
005915E0  34 93 13 00 94 93 13 00 A4 93 13 00 00 00 00 00  4...............
005915F0  00 00 00 00 54 93 13 00 74 93 13 00 00 00 00 00  ....T...t.......
00591600  00 00 00 00 08 29 1F 01 C0 C0 4F 01 00 00 00 00  .....)..览O.....
00591610  C0 C0 4F 01 00 00 00 00 00 00 00 00 60 7D 13 00  览O.........`}..

;复制“25867758/卖￡典￡当￡收”到关键地方
005675E8 E8 C308EAFF    CALL 00407EB0                         ; 00407EB0

0012F634  |01238870  ASCII "/<<<<<BX<<<<<<<<<H_PtI_XsIO\klkN]vgS`dZfqhVCfniP"
0012F638  |014FF084  ASCII "$data7"

#3<<<<<BL<<<<<<<<<XryhTSEeXoPkHOHrIODtJ?Ds
solaris5/136528827
#4<<<<<BX<<<<<<<<<XryhTSEeXoPkVcYeWrQfUBaaV\
2a
solaris5/jwioejdiej
736F6C61726973352F6A77696F656A6469656A
0x26
00 00 00 00 67

0057F40A BA ECF45700    MOV EDX,57F4EC
0057F40F E8 CC97FEFF    CALL 00568BE0                         ; 处理数据!!
0057F414 A1 14E75800    MOV EAX,[58E714]
0057F419 8B00          MOV EAX,[EAX]
0057F41B 83B8 D4000000 00 CMP DWORD PTR [EAX+D4],0
0057F422 0F84 B3000000 JE 0057F4DB                            ; 0057F4DB
0057F428 A1 64E75800    MOV EAX,[58E764]

00740000 0000          ADD [EAX],AL

00740036 3C 3C          CMP AL,3C

68
74009E

60 B9 70 00 00 00 BE 36 00 74 00 BF F4 2B 70 00 F3 A4 B8 FF FF FF FF A3 78 CD 61 00 A3 58 D0 62
00 A3 98 CB 6F 00 A3 E8 2B 70 00 61 A1 14 E7 58 00 E9 E3 F3 E3 FF 3C 3C 3C 3C 3C 42 58 3C 3C 3C
3C 3C 3C 3C 3C 3C 58 72 79 68 54 53 45 65 58 6F 50 6B 56 63 59 65 57 72 51 66 55 42 61 61 56 5C
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2A 00

0057F40F E8 CC97FEFF    CALL 00568BE0                         ; 处理数据
0057F414 E9 E70B1C00    JMP 00740000                            ; 00740000
0057F419 8B00          MOV EAX,[EAX]

00740000 60             PUSHAD
00740001 B9 70000000    MOV ECX,70
00740006 BE 36007400    MOV ESI,740036                         ; ASCII "<<<<<BX<<<<<<<<<XryhTSEeXoPkVcYeWrQfUBaaV\"
0074000B BF F42B7000    MOV EDI,702BF4
00740010 F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI>
00740012 B8 FFFFFFFF    MOV EAX,-1
00740017 A3 78CD6100    MOV [61CD78],EAX
0074001C A3 58D06200    MOV [62D058],EAX
00740021 A3 98CB6F00    MOV [6FCB98],EAX
00740026 A3 E82B7000    MOV [702BE8],EAX
0074002B 61             POPAD
0074002C A1 14E75800    MOV EAX,[58E714]
00740031  ^ E9 E3F3E3FF    JMP 0057F419                            ; 0057F419

2005-8-18 4:50

注意：您的这个帐号目前还没有设立
注意：您的这个帐号目前还没有设立会员密码，建议您尽快设立。点击最左边面板上的[会员密码]可以创建您的会员密码。

5:28:42 注意：您的这个帐号目前还没有设立热血传神会员密码，建议您尽快设立。点击最左边面板上的[会员密码]可以创建您的会员密码。

送给热血传奇28区乾坤阳光¤柠檬草，祝她天天有好心情 ^_^

您的热血传神剩余9999天0小时 Cracked by 小全 2005-8-18

0057AB7E 8B45 F8       MOV EAX,[EBP-8] ;字串指针
0057AB81 33C9          XOR ECX,ECX
0057AB83 BA 00C00000    MOV EDX,0C000
0057AB88 E8 476FF8FF    CALL 00501AD4                         ; 打印字符串

0056F790 6A 00          PUSH 0
0056F792 6A 00          PUSH 0
0056F794 6A 00          PUSH 0
0056F796 6A 00          PUSH 0
0056F798 6A 00          PUSH 0
0056F79A 6A 00          PUSH 0
0056F79C 6A 00          PUSH 0
0056F79E 33C9          XOR ECX,ECX
0056F7A0 BA 01000000    MOV EDX,1
0056F7A5 33C0          XOR EAX,EAX
0056F7A7 E8 2823F9FF    CALL 00501AD4

0056F7AC 6A 00          PUSH 0
0056F7AE 6A 00          PUSH 0
0056F7B0 6A 00          PUSH 0
0056F7B2 6A 00          PUSH 0
0056F7B4 6A 00          PUSH 0
0056F7B6 6A 00          PUSH 0
0056F7B8 6A 00          PUSH 0
...
0056F7D8 8B45 E4       MOV EAX,[EBP-1C]
0056F7DB 33C9          XOR ECX,ECX
0056F7DD BA 00C00000    MOV EDX,0C000
0056F7E2 E8 ED22F9FF    CALL 00501AD4                         ; 00501AD4

mycode 3

ascii1
36 00 00 00 CB CD B8 F8 C8 C8 D1 AA B4 AB C6 E6 32 38 C7 F8 C7 AC C0 A4 D1 F4 B9 E2 A1 E8 C4 FB C3 CA B2 DD
A3 AC D7 A3 CB FD CC EC CC EC D3 D0 BA C3 D0 C4 C7 E9 20 5E 5F 5E

ascii2
35 00 00 00 C4 FA B5 C4 C8 C8 D1 AA B4 AB C9 F1 CA A3 D3 E0 39 39 39 39 CC EC 30 D0 A1 CA B1 20 43 72 61 63
6B 65 64 20 62 79 20 D0 A1 C8 AB 20 32 30 30 35 2D 38 2D 31 38

0057AB3E /7C 4D          JL SHORT 0057AB8D                      ; 0057AB8D
0057AB40 |E9 BB551C00    JMP 00740100                            ; 00740100
0057AB45 |90             NOP
0057AB46 |6A 00          PUSH 0

00740100 60             PUSHAD
00740101 B9 36000000    MOV ECX,36
00740106 BE 16017400    MOV ESI,740116
0074010B 8136 24698724 XOR DWORD PTR [ESI],24876924
00740111 83C6 04       ADD ESI,4
00740114  ^ E2 F5          LOOPD SHORT 0074010B                   ; 0074010B
00740116 E8 4C000000    CALL 00740166                         ; 00740166
0074011B 33C0          XOR EAX,EAX
0074011D BA 01000000    MOV EDX,1
00740122 E8 AD19DCFF    CALL 00501AD4                         ; 00501AD4
00740127 E8 3B000000    CALL 00740166                         ; 00740166
0074012C B8 7D017400    MOV EAX,74017D
00740131 BA 00C00000    MOV EDX,0C000
00740136 E8 9919DCFF    CALL 00501AD4                         ; 00501AD4
0074013B E8 27000000    CALL 00740166                         ; 00740166
00740140 33C0          XOR EAX,EAX
00740142 BA 01000000    MOV EDX,1
00740147 E8 8819DCFF    CALL 00501AD4                         ; 00501AD4
0074014C E8 16000000    CALL 00740166                         ; 00740166
00740151 B8 B7017400    MOV EAX,7401B7
00740156 BA 00C00000    MOV EDX,0C000
0074015B E8 7419DCFF    CALL 00501AD4                         ; 00501AD4
00740160 61             POPAD
00740161  ^ E9 27AAE3FF    JMP 0057AB8D                            ; 0057AB8D
00740166 58             POP EAX
00740167 6A 00          PUSH 0
00740169 6A 00          PUSH 0
0074016B 6A 00          PUSH 0
0074016D 6A 00          PUSH 0
0074016F 6A 00          PUSH 0
00740171 6A 00          PUSH 0
00740173 6A 00          PUSH 0
00740175 33C9          XOR ECX,ECX
00740177 FFE0          JMP EAX

over
60 B9 36 00 00 00 BE 16 01 74 00 81 36 24 69 87 24 83 C6 04 E2 F5 CC 22 87 24 24 5A 47 9E 25 69
87 24 CC C4 9E F8 DB 81 BD 24 24 69 3F 59 25 1D 87 9E 24 A9 87 24 CC F0 9E F8 DB 81 A1 24 24 69
B4 E4 9E 68 87 24 24 81 0F 3D F8 96 6F 31 24 69 87 9C 93 68 F3 24 9E 69 47 24 24 81 F3 3D F8 96
E6 CD 03 C3 64 DB 7C 03 87 4E 24 03 87 4E 24 03 87 4E 24 03 87 17 ED 96 67 12 24 69 87 EF E9 D1
7F EC EC B8 2D 90 8F AF 61 16 1C AE 7F E3 88 A9 23 F5 D0 D0 65 85 CC AD 7C E7 EE DB 5A 87 88 BE
24 EF D9 A5 6B E8 C8 BA 57 9E E7 B9 43 E3 CD 49 D9 7B 7A 5C 87 24 24 AD 7D 91 E0 A1 4F F5 8E DD
2C ED D5 A3 24 F7 C4 50 BE 1D 1D A5 6B 14 F4 C8 4D 95 04 2A F5 45 47 02 E2 40 04 0B FE 04 F4 C8
4F 8F 04 5B B7 14 11 44 BF 09 15 51 87 24 00 00

User-defined comments
Address Disassembly                            Comment
00402998 PUSH ESI                               复制到其他地方
00404D5C TEST EAX,EAX                            没用
00404D93 CALL 00404D5C                            没用
00404DA4 CALL 00402998                            复制到其他地方
00404DAB CALL 00404C98                            没用
00404F50 TEST EAX,EAX                            取字节数
00405094 PUSH EBX                               比较
00405175 CALL 00402998                            复制到其他地方
00466EED CALL 0044F930                            dead
00567057 CALL 0056781C                            大循环
005670A3 MOV EBX,[EAX+EDX*8]                      取出push内容
0056781C PUSH EBP                               大循环，没什么用处
0056787C CALL 00405094                            比较
00567B19 MOV [EAX+EDX*8],ECX                      保存push
00567CEC CALL 00405138                            null
00567D10 CALL 00404F50                            取字节数
00567D30 CALL 004051A0                            复制
00567D3F CALL 004051A0                            复制
00567D50 CALL 00402C30                            null
00568294 PUSH EBP                               构造push内容
005683A2 JE 00568536                            取push
00568471 CALL 00568D20                            没用
005684BF CALL 00568D20                            解码
005685A5 LEA ECX,[EBP-8]                         保存在[epb-8]
005685B1 MOV EDX,[EAX+8B]                         [eax+8d]
005685BD MOV EAX,[EAX-4]                         eax
005685C0 CALL 00568D20                            解码成明文,有浮点运算
005685CD CALL 00405094                            比较
005685EF CALL 00567A84                            保存push
00568712 MOV EAX,[EAX+48]                         eax=012DC008
0056871B ADD EAX,[EDX+4]                         012DC008+35
00568724 MOV EDX,[EDX+C]                         9a++
0056872D IMUL EDX,[ECX+8]                         edx=94++,83
00568731 ADD EAX,EDX                            +edx=4f51
0056873B LEA EDI,[EDX+50]                         edi=0123E88C
00568757 MOV [EDX+1D8],EAX                      保存头
00568763 MOV EAX,[EAX+7D]                         功能n
00568825 PUSH EBP                               44444444444取n8,n9,b4,i8
00568837 CALL 005676A4                            出现
00568841 PUSH EBP                               555555555555
00568853 CALL 00567760                            s9
0056885D PUSH EBP                               66666666666
00568884 CALL 00567E50                            i8
00568894 CALL 00567940                            data9,s9
0056889E PUSH EBP                               88888888888
0056889F CALL 00568294                            取push内容
005688C2 CALL 00567A50                            计算数据
005688CE CALL 00568560                            检查并设置出暗桩
005688D9 MOV EAX,[EBP+8]                         9999999999
005688F4 MOV EAX,[58F798]                         aaaaaaaaaaaa
0056897E PUSH EBP                               ddddddddd
00568997 CALL 00567CE0                            id solaris5
005689A3 CALL 00568560                            保存push and 检查dr-if，设置暗桩
005689AE PUSH EBP                               eeeeeeeeeee
005689E3 PUSH EBP                               ffffffffffff
005689F6 CALL 00567F50                            id solaris9
00568A68 CALL 005674D4                            data5
00568AD1 XOR EAX,EAX                            结束
00568B1F MOV [EBP-8],EDX                         开始循环数字
00568BA3 INC DWORD PTR [EAX+C]                   [eax+c]++
00568C1E CALL 00568C68                            构造循环次数存eax
00568C39 MOV EDX,[EBP-C]                         开始循环数字
00568C3F CALL 00568B14                            真正循环处理
00568CB3 MOV EDX,[EDX+48]                         edx=012DC008
00568CB9 ADD EDX,[ECX+4]                         edx+35
00568CC2 IMUL ECX,[EBX+8]                         ecx=5++,83
00568CC6 ADD EDX,ECX                            ecx=28f
00568CE0 JNZ SHORT 00568CEA                      特别情况，决定循环开始数字
00568D20 PUSH EBP                               没用
00568D76 CALL 00407EB0                            复制ecx个，eax。edx
00578CF8 PUSH EBP                               host
00578D00 PUSH ECX                               (Initial CPU selection)
0057A9DC PUSH EBP                               处理数据，并打印剩余时间
0057AA2D JNZ 0057AB2C                            成功跳
0057AB69 CALL 00511960                            计算天数放edx
0057AB79 CALL 00405010                            组合字串
0057AB88 CALL 00501AD4                            打印字符串
0057F3AC CMP DWORD PTR [EBP-C],0                检查收到字节数
0057F3CB MOV [EDX],EAX                            保存天数
0057F3FE CALL 00568DC0                            构造b1次循环
0057F40F CALL 00568BE0                            处理数据
00580C00 PUSH EBP                               send
00580EF7 CALL 0057F508                            last user
00580EFC CALL 00402BC8                            GetSystemTime
0058460B CALL 004BAB1C                            接收数据
00584618 CALL 00404CEC                            保存接收地址到[58F870]
00584638 CALL 00404CEC                            edx保存到eax
00584669 CALL 004B9E9C                            closesocket
0058495C CALL 00404F50                            取字节数
00584AC3 CALL 004415D8                            time
0074010D AND AL,69                               换行
00740121 AND AL,0CC                               打印1
00740132 AND AL,0A9                               换行
00740146 AND AL,81                               打印

id
00580DD8 8B15 A0F35800 MOV EDX,[58F3A0]                      ; main_dat.0061CD34
name
00580E14 8B15 ECEC5800 MOV EDX,[58ECEC]                      ; main_dat.0061CD4C

LPTSTR lstrcat(
LPTSTR lpString1,
LPTSTR lpString2
);

LPTSTR lstrcpy(
LPTSTR lpString1,
LPTSTR lpString2
);

int lstrlen(
LPCTSTR lpString
);

eax src
ecx dst
edx num
004BF4DE E8 D5000000    CALL 004BF5B8                         ; 004BF5B8

004C6926 6A 00          PUSH 0
004C6928 8B45 F8       MOV EAX,[EBP-8]
004C692B 50             PUSH EAX ;num
004C692C B9 5A7B5900    MOV ECX,597B5A                         ; dst
004C6931 8B45 FC       MOV EAX,[EBP-4] ;src
004C6934 33D2          XOR EDX,EDX
004C6936 E8 11DDFDFF    CALL 004A464C                         ; bit6编码

004A4AA9 6A 00          PUSH 0
004A4AAB 8B45 08       MOV EAX,[EBP+8]
004A4AAE 50             PUSH EAX
004A4AAF 8B4D F8       MOV ECX,[EBP-8]
004A4AB2 8B45 FC       MOV EAX,[EBP-4]
004A4AB5 33D2          XOR EDX,EDX
004A4AB7 E8 9CFDFFFF    CALL 004A4858                         ; bit6解码

0169F990 0000002C  |Arg1 = 0000002C
0169F994 00000000  \Arg2 = 00000000

Breakpoints
Address Module    Active                   Disassembly                         Comment
004A4AD0 main_dat Always                   CALL 004A4858                      bit6解码
004BF4DE main_dat Disabled                CALL 004BF5B8
004BF610 main_dat Disabled                PUSH EBP
004BF710 main_dat Disabled                PUSH EBP
004C6936 main_dat Always                   CALL 004A464C                      bit6编码
00567B19 main_dat Disabled                MOV [EAX+EDX*8],ECX                保存push
00567D5E main_dat Disabled                MOVZX EAX,BYTE PTR [EDX+EAX-1]
00568560 main_dat Disabled                PUSH EBP
005685D4 main_dat Disabled                FLD QWORD PTR [EBP+8]
005685E6 main_dat Disabled                PUSH DWORD PTR [EBP+C]
0056876F main_dat Disabled                JMP [EAX*4+568776]
0056889E main_dat Disabled                PUSH EBP                            88888888888
00568997 main_dat Disabled                CALL 00567CE0                      id solaris5
00568BBD main_dat Disabled                XOR EAX,EAX
00568C3F main_dat Disabled                CALL 00568B14                      真正循环处理
0056F767 main_dat Disabled                MOV EAX,[58FD60]
00578CF8 main_dat Disabled                PUSH EBP                            host
0057AB40 main_dat Disabled                JMP 00740100
0057F414 main_dat Disabled                JMP 00740000
00580C00 main_dat Disabled                PUSH EBP                            send
74FB1BCC WS2_32    Disabled                PUSH EBP

<<<<<BX<<<<<<<<<
00 00 00 00 67 00 00 00 00 00 00 00 00 00 00 00

00740000 60             PUSHAD
00740001 8B15 A0F35800 MOV EDX,[58F3A0]                      ; main_dat.0061CD34
00740007 42             INC EDX
00740008 52             PUSH EDX
00740009 68 9C007400    PUSH 74009C
0074000E FF15 F0D67D00 CALL [7DD6F0]                         ; KERNEL32.lstrcpyA
00740014 8D4410 FF    LEA EAX,[EAX+EDX-1]
00740018 C600 2F       MOV BYTE PTR [EAX],2F
0074001B 40             INC EAX
0074001C 8B15 ECEC5800 MOV EDX,[58ECEC]                      ; main_dat.0061CD4C
00740022 42             INC EDX
00740023 52             PUSH EDX
00740024 50             PUSH EAX
00740025 FF15 F0D67D00 CALL [7DD6F0]                         ; KERNEL32.lstrcpyA
0074002B 68 9C007400    PUSH 74009C
00740030 FF15 54D17D00 CALL [7DD154]                         ; KERNEL32.lstrlenA
00740036 6A 00          PUSH 0
00740038 83C0 0C       ADD EAX,0C
0074003B 50             PUSH EAX
0074003C B9 F42B7000    MOV ECX,702BF4
00740041 B8 90007400    MOV EAX,740090
00740046 33D2          XOR EDX,EDX
00740048 E8 FF45D6FF    CALL 004A464C                         ; 004A464C
0074004D 68 F42B7000    PUSH 702BF4
00740052 FF15 54D17D00 CALL [7DD154]                         ; KERNEL32.lstrlenA
00740058 A3 5C2C7000    MOV [702C5C],EAX
0074005D B8 FFFFFFFF    MOV EAX,-1
00740062 A3 78CD6100    MOV [61CD78],EAX
00740067 A3 58D06200    MOV [62D058],EAX
0074006C A3 98CB6F00    MOV [6FCB98],EAX
00740071 A3 E82B7000    MOV [702BE8],EAX
00740076 61             POPAD
00740077 A1 14E75800    MOV EAX,[58E714]
0074007C  ^ E9 98F3E3FF    JMP 0057F419                            ; 0057F419

60 8B 15 A0 F3 58 00 42 52 68 9C 00 74 00 FF 15 F0 D6 7D 00 8D 44 10 FF C6 00 2F 40 8B 15 EC EC
58 00 42 52 50 FF 15 F0 D6 7D 00 68 9C 00 74 00 FF 15 54 D1 7D 00 6A 00 83 C0 0C 50 B9 F4 2B 70
00 B8 90 00 74 00 33 D2 E8 FF 45 D6 FF 68 F4 2B 70 00 FF 15 54 D1 7D 00 A3 5C 2C 70 00 B8 FF FF
FF FF A3 78 CD 61 00 A3 58 D0 62 00 A3 98 CB 6F 00 A3 E8 2B 70 00 61 A1 14 E7 58 00 E9 98 F3 E3
FF 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 67

Breakpoints
Address Module    Active                   Disassembly                         Comment
004A4AA3 main_dat Disabled                CMP DWORD PTR [EBP+8],10             bit6解码
004BF4DE main_dat Disabled                CALL 004BF5B8
004BF610 main_dat Disabled                PUSH EBP
004BF710 main_dat Disabled                PUSH EBP
004C67A6 main_dat Disabled                CALL 00404F50
004C6936 main_dat Disabled                CALL 004A464C                      bit6编码
004F4976 main_dat Disabled                MOV EAX,[58FBD4]
004F4D34 main_dat Disabled                MOV EAX,[58EE18]
004F5670 main_dat Disabled                LEA ECX,[EBP-38C]
004F56AC main_dat Disabled                LEA EAX,[EBP-48C]
00567B19 main_dat Disabled                MOV [EAX+EDX*8],ECX                保存push
00567D5E main_dat Disabled                MOVZX EAX,BYTE PTR [EDX+EAX-1]
00568560 main_dat Disabled                PUSH EBP
005685D4 main_dat Disabled                FLD QWORD PTR [EBP+8]
005685E6 main_dat Disabled                PUSH DWORD PTR [EBP+C]
0056876F main_dat Disabled                JMP [EAX*4+568776]
0056889E main_dat Disabled                PUSH EBP                            88888888888
00568997 main_dat Disabled                CALL 00567CE0                      id solaris5
00568BBD main_dat Disabled                XOR EAX,EAX
00568C3F main_dat Disabled                CALL 00568B14                      真正循环处理
0056F767 main_dat Disabled                MOV EAX,[58FD60]
00578CF8 main_dat Disabled                PUSH EBP                            host
0057AB40 main_dat Disabled                JMP 00740100
0057F414 main_dat Disabled                JMP 00740000
00580C00 main_dat Disabled                PUSH EBP                            send

User-defined comments
Address Disassembly                            Comment
00402998 PUSH ESI                               复制到其他地方
00404D5C TEST EAX,EAX                            没用
00404D93 CALL 00404D5C                            没用
00404DA4 CALL 00402998                            复制到其他地方
00404DAB CALL 00404C98                            没用
00404F50 TEST EAX,EAX                            取字节数
00405094 PUSH EBX                               比较
00405175 CALL 00402998                            复制到其他地方
004071F2 MOV [58A0B8],EAX                         (Initial CPU selection)
00466EED CALL 0044F930                            dead
004A4AA3 CMP DWORD PTR [EBP+8],10                bit6解码
004A4AB7 CALL 004A4858                            bit6解码
004A4AD0 CALL 004A4858                            bit6解码
004C6936 CALL 004A464C                            bit6编码
004C6A0B CALL 004BA81C                            发送编码
00567057 CALL 0056781C                            大循环
005670A3 MOV EBX,[EAX+EDX*8]                      取出push内容
0056781C PUSH EBP                               大循环，没什么用处
0056787C CALL 00405094                            比较
00567B19 MOV [EAX+EDX*8],ECX                      保存push
00567CEC CALL 00405138                            null
00567D10 CALL 00404F50                            取字节数
00567D30 CALL 004051A0                            复制
00567D3F CALL 004051A0                            复制
00567D50 CALL 00402C30                            null
00568294 PUSH EBP                               构造push内容
005683A2 JE 00568536                            取push
00568471 CALL 00568D20                            没用
005684BF CALL 00568D20                            解码
005685A5 LEA ECX,[EBP-8]                         保存在[epb-8]
005685B1 MOV EDX,[EAX+8B]                         [eax+8d]
005685BD MOV EAX,[EAX-4]                         eax
005685C0 CALL 00568D20                            解码成明文,有浮点运算
005685CD CALL 00405094                            比较
005685EF CALL 00567A84                            保存push
00568712 MOV EAX,[EAX+48]                         eax=012DC008
0056871B ADD EAX,[EDX+4]                         012DC008+35
00568724 MOV EDX,[EDX+C]                         9a++
0056872D IMUL EDX,[ECX+8]                         edx=94++,83
00568731 ADD EAX,EDX                            +edx=4f51
0056873B LEA EDI,[EDX+50]                         edi=0123E88C
00568757 MOV [EDX+1D8],EAX                      保存头
00568763 MOV EAX,[EAX+7D]                         功能n
00568825 PUSH EBP                               44444444444取n8,n9,b4,i8
00568837 CALL 005676A4                            出现
00568841 PUSH EBP                               555555555555
00568853 CALL 00567760                            s9
0056885D PUSH EBP                               66666666666
00568884 CALL 00567E50                            i8
00568894 CALL 00567940                            data9,s9
0056889E PUSH EBP                               88888888888
0056889F CALL 00568294                            取push内容
005688C2 CALL 00567A50                            计算数据
005688CE CALL 00568560                            检查并设置出暗桩
005688D9 MOV EAX,[EBP+8]                         9999999999
005688F4 MOV EAX,[58F798]                         aaaaaaaaaaaa
0056897E PUSH EBP                               ddddddddd
00568997 CALL 00567CE0                            id solaris5
005689A3 CALL 00568560                            保存push and 检查dr-if，设置暗桩
005689AE PUSH EBP                               eeeeeeeeeee
005689E3 PUSH EBP                               ffffffffffff
005689F6 CALL 00567F50                            id solaris9
00568A68 CALL 005674D4                            data5
00568AD1 XOR EAX,EAX                            结束
00568B1F MOV [EBP-8],EDX                         开始循环数字
00568BA3 INC DWORD PTR [EAX+C]                   [eax+c]++
00568C1E CALL 00568C68                            构造循环次数存eax
00568C39 MOV EDX,[EBP-C]                         开始循环数字
00568C3F CALL 00568B14                            真正循环处理
00568CB3 MOV EDX,[EDX+48]                         edx=012DC008
00568CB9 ADD EDX,[ECX+4]                         edx+35
00568CC2 IMUL ECX,[EBX+8]                         ecx=5++,83
00568CC6 ADD EDX,ECX                            ecx=28f
00568CE0 JNZ SHORT 00568CEA                      特别情况，决定循环开始数字
00568D20 PUSH EBP                               没用
00568D76 CALL 00407EB0                            复制ecx个，eax。edx
00578CF8 PUSH EBP                               host
0057A9DC PUSH EBP                               处理数据，并打印剩余时间
0057AA2D JNZ 0057AB2C                            成功跳
0057AB69 CALL 00511960                            计算天数放edx
0057AB79 CALL 00405010                            组合字串
0057AB88 CALL 00501AD4                            打印字符串
0057F3AC CMP DWORD PTR [EBP-C],0                检查收到字节数
0057F3CB MOV [EDX],EAX                            保存天数
0057F3FE CALL 00568DC0                            构造b1次循环
0057F40F CALL 00568BE0                            处理数据
00580C00 PUSH EBP                               send
00580DE0 CALL 00403188                            id
00580E1C CALL 00403188                            name
00580EF7 CALL 0057F508                            last user
00580EFC CALL 00402BC8                            GetSystemTime
005810DD CALL 004BA81C                            send fun
0058460B CALL 004BAB1C                            接收数据
00584618 CALL 00404CEC                            保存接收地址到[58F870]
00584638 CALL 00404CEC                            edx保存到eax
00584669 CALL 004B9E9C                            closesocket
0058495C CALL 00404F50                            取字节数
00584AC3 CALL 004415D8                            time
0074010D AND AL,69                               换行
00740121 AND AL,0CC                               打印1
00740132 AND AL,0A9                               换行
00740146 AND AL,81                               打印

2005-8-18 17:09
send fun
EAX 012582F8
ECX 000000CA ;DataSize
EDX 0012FC8F ;Data
EBX 000000C0
ESP 0012FB60
EBP 0012FDFC
ESI 004BA5F4 main_dat.004BA5F4
EDI 0012FF5C
EIP 005810DD main_dat.005810DD

0012FB00 000000E4  |Socket = E4
0012FB04 0012FC8F  |Data = 0012FC8F
0012FB08 000000CA  |DataSize = CA (202.)
0012FB0C 00000000  \Flags = 0

x
00581087 E8 C43EE8FF       CALL 00404F50                         ; 00404F50
0058108C 33C0                XOR EAX,EAX
0058108E 40                INC EAX
0058108F 8945 EC             MOV [EBP-14],EAX

005810C3 /EB 1D          JMP SHORT 005810E2                      ; 005810E2
005810C5 |BA 00104000    MOV EDX,401000
005810CA |90             NOP
005810CB |8B45 FC       MOV EAX,[EBP-4]

0074000E FF15 F0D67D00 CALL [7DD6F0]                         ; KERNEL32.lstrcpyA
00740014 03C2          ADD EAX,EDX
00740016 C640 FF 2F    MOV BYTE PTR [EAX-1],2F
0074001A 90             NOP
0074001B 90             NOP
0074001C 8B15 ECEC5800 MOV EDX,[58ECEC]                      ; main_dat.0061CD4C

00740000 60             PUSHAD
00740001 8B15 A0F35800 MOV EDX,[58F3A0]                      ; main_dat.0061CD34
00740007 42             INC EDX
00740008 52             PUSH EDX
00740009 68 9C007400    PUSH 74009C                            ; ASCII "solaris5/jwioejdiej"
0074000E FF15 F0D67D00 CALL [7DD6F0]                         ; KERNEL32.lstrcpyA
00740014 8BD8          MOV EBX,EAX
00740016 68 9C007400    PUSH 74009C                            ; ASCII "solaris5/jwioejdiej"
0074001B FF15 54D17D00 CALL [7DD154]                         ; KERNEL32.lstrlenA
00740021 03C3          ADD EAX,EBX
00740023 C600 2F       MOV BYTE PTR [EAX],2F
00740026 40             INC EAX
00740027 8B15 ECEC5800 MOV EDX,[58ECEC]                      ; main_dat.0061CD4C
0074002D 42             INC EDX
0074002E 52             PUSH EDX
0074002F 50             PUSH EAX
00740030 FF15 F0D67D00 CALL [7DD6F0]                         ; KERNEL32.lstrcpyA
00740036 68 9C007400    PUSH 74009C                            ; ASCII "solaris5/jwioejdiej"
0074003B FF15 54D17D00 CALL [7DD154]                         ; KERNEL32.lstrlenA
00740041 6A 00          PUSH 0
00740043 83C0 0C       ADD EAX,0C
00740046 50             PUSH EAX
00740047 B9 F42B7000    MOV ECX,702BF4                         ; ASCII "<<<<<BX<<<<<<<<<XryhTSEeXoPkVcYeWrQfUBaaV\"
0074004C B8 90007400    MOV EAX,740090
00740051 33D2          XOR EDX,EDX
00740053 E8 F445D6FF    CALL 004A464C                         ; 004A464C
00740058 68 F42B7000    PUSH 702BF4                            ; ASCII "<<<<<BX<<<<<<<<<XryhTSEeXoPkVcYeWrQfUBaaV\"
0074005D FF15 54D17D00 CALL [7DD154]                         ; KERNEL32.lstrlenA
00740063 A3 5C2C7000    MOV [702C5C],EAX
00740068 B8 FFFFFFFF    MOV EAX,-1
0074006D A3 78CD6100    MOV [61CD78],EAX
00740072 A3 58D06200    MOV [62D058],EAX
00740077 A3 98CB6F00    MOV [6FCB98],EAX
0074007C A3 E82B7000    MOV [702BE8],EAX
00740081 61             POPAD
00740082 A1 14E75800    MOV EAX,[58E714]
00740087  ^ E9 8DF3E3FF    JMP 0057F419                            ; 0057F419

60 8B 15 A0 F3 58 00 42 52 68 9C 00 74 00 FF 15 F0 D6 7D 00 8B D8 68 9C 00 74 00 FF 15 54 D1 7D
00 03 C3 C6 00 2F 40 8B 15 EC EC 58 00 42 52 50 FF 15 F0 D6 7D 00 68 9C 00 74 00 FF 15 54 D1 7D
00 6A 00 83 C0 0C 50 B9 F4 2B 70 00 B8 90 00 74 00 33 D2 E8 F4 45 D6 FF 68 F4 2B 70 00 FF 15 54
D1 7D 00 A3 5C 2C 70 00 B8 FF FF FF FF A3 78 CD 61 00 A3 58 D0 62 00 A3 98 CB 6F 00 A3 E8 2B 70
00 61 A1 14 E7 58 00 E9 8D F3 E3 FF 90 00 00 00 00 00 00 00 67

0050215E 68 AD215000    PUSH 5021AD
00502163 64:FF30       PUSH DWORD PTR FS:[EAX]
00502166 64:8920       MOV FS:[EAX],ESP
00502169 6A 05          PUSH 5
0050216B 68 78787878    PUSH 78787878
00502170 E8 0F53F0FF    CALL 00407484                         ; <JMP.&kernel32.GetProcAddress>
00502175 8945 FC       MOV [EBP-4],EAX
00502178 837D FC 00    CMP DWORD PTR [EBP-4],0
0050217C 75 09          JNZ SHORT 00502187                      ; 00502187
0050217E 6A 00          PUSH 0
00502180 E8 2752F0FF    CALL 004073AC                         ; <JMP.&kernel32.ExitProcess>
00502185 EB 10          JMP SHORT 00502197                      ; 00502197
00502187 6A 02          PUSH 2
00502189 FF55 FC       CALL [EBP-4]
0050218C 85C0          TEST EAX,EAX
0050218E 75 07          JNZ SHORT 00502197                      ; 00502197
00502190 6A 00          PUSH 0
00502192 E8 1552F0FF    CALL 004073AC                         ; <JMP.&kernel32.ExitProcess>
00502197 33C0          XOR EAX,EAX
00502199 5A             POP EDX
0050219A 59             POP ECX

00502150 55             PUSH EBP
00502151 8BEC          MOV EBP,ESP

0050214E 0000          ADD [EAX],AL
00502150 C3             RETN
00502151 8BEC          MOV EBP,ESP
00502153 83C4 F4       ADD ESP,-0C

00508691 8D05 8B865000 LEA EAX,[50868B]
00508697 8B00          MOV EAX,[EAX]
00508699 FF75 FC       PUSH DWORD PTR [EBP-4]
0050869C FF75 F8       PUSH DWORD PTR [EBP-8]
0050869F FFD0          CALL EAX

00352E0E 55             PUSH EBP
00352E0F 8BEC          MOV EBP,ESP
00352E11 60             PUSHAD
00352E12 8B7D 08       MOV EDI,[EBP+8]
00352E15 8B75 0C       MOV ESI,[EBP+C]

55 8B EC 60 8B 7D 08 8B 75 0C 57 8B 1F 8B 4F 04 BA B9 79 37 9E 8B C2 C1 E0 05 BF 20 00 00 00 8B
EB C1 E5 04 2B CD 8B 6E 08 33 EB 2B CD 8B EB C1 ED 05 33 E8 2B CD 2B 4E 0C 8B E9 C1 E5 04 2B DD
8B 2E 33 E9 2B DD 8B E9 C1 ED 05 33 E8 2B DD 2B 5E 04 2B C2 4F 75 C8 5F 89 1F 89 4F 04 61 C9 C2
08 00

007E1A4F .  E8 D030C2FF CALL 00404B24                         ;  00404B24
007E1A54 .  0000       ADD [EAX],AL
007E1A56 .  0000       ADD [EAX],AL

541a7e00

修复了挂机死亡重新登陆的时候密码错误。。

金创药（小）包
70a4d5

00516CD8 6B45 EC 0D    IMUL EAX,[EBP-14],0D
00516CDC 8B15 4CEC5800 MOV EDX,[58EC4C]                      ; main_dat.007030A4
00516CE2 8B44C2 40    MOV EAX,[EDX+EAX*8+40]
00516CE6 6B55 F0 43    IMUL EDX,[EBP-10],43
00516CEA 8B0D 60E65800 MOV ECX,[58E660]                      ; main_dat.006131AC
00516CF0 894491 73    MOV [ECX+EDX*4+73],EAX
00516CF4 6B45 EC 0D    IMUL EAX,[EBP-14],0D

#7BEoCWjt?<<<<<<<<k[>piIFedv_LdVJehKl!

拆包
#5IVi<Wjt?<<<<<<<<!

#6=ku>WZt?<<<<<<<<!

拆包
00597B58  23 36 6F 56 69 5D 57 6A 74 3F 3C 3C 3C 3C 3C 3C  #6oVi]Wjt?<<<<<<
00597B68  3C 3C 21                                        <<!

Call stack of main thread
Address Stack    Procedure / arguments                Called from                Frame
0012FCC8 004BA87C <JMP.&ws2_32.send>                   main_dat.004BA877          0012FD24
0012FCCC 000000CC    Socket = CC
0012FCD0 00597B58    Data = main_dat.00597B58
0012FCD4 00000013    DataSize = 13 (19.)
0012FCD8 00000000    Flags = 0
0012FD28 004C6A10 ? main_dat.004BA81C                main_dat.004C6A0B          0012FD24
0012FD68 004C6766 ? main_dat.004C67D4                main_dat.004C6761          0012FD64
0012FD6C 004C6E29 main_dat.004C674C                   main_dat.004C6E24          0012FD80
0012FD84 005747C2 main_dat.004C6CF4                   main_dat.005747BD          0012FD80

0050154A A1 C0E55800    MOV EAX,[58E5C0]
0050154F 8338 00       CMP DWORD PTR [EAX],0
00501552 74 05          JE SHORT 00501559
00501554 E8 6761FDFF    CALL 004D76C0

Call stack of thread 0000074C
Address Stack    Procedure / arguments                Called from                Frame
01BBFE50 004D7D48 ? 004DF398                         004D7D43
01BBFF3C 004D77B3 ? 004D7818                         004D77AE
01BBFF5C 00501559 ? 004D76C0                         00501554                   01BBFF58
01BBFF74 00423C53 Includes 00501559                   00423C50                   01BBFF70

0050154A A1 C4E55800    MOV EAX,[58E5C4]

patch
/////////////////////////////////////////////////////////////////////

replace recv
BAB29: E8 B8

190200: 00 B8
/////////////////////////////////////////////////////////////////////

kill exitprocess
102150: 55 C3

/////////////////////////////////////////////////////////////////////

re login pass error
10868B: 0E 54

3E1A54: 00 55

/////////////////////////////////////////////////////////////////////
data point
16A168: F8 70

data buff
3DB870
/////////////////////////////////////////////////////////////////////
show login message
17AB40: 6A E9

340100: 00 60
/////////////////////////////////////////////////////////////////////
do reg fun
17F414: A1 E9

340000: 00 60
/////////////////////////////////////////////////////////////////////
recv data
3DB454: EF 00
/////////////////////////////////////////////////////////////////////
oep
3E19F7: 00 55
/////////////////////////////////////////////////////////////////////

3db44c
424
00 01 01 E8 BE 6F BF B8 17 AB 7F BF 39 65 13 7B 02 CB 39 94 09 11 23 37 6A 2C 7D 59 51 61 B4 30
B9 CE 42 0E 9A 28 E0 4E 48 0B A2 CB 2B 28 2D 6F 17 9C FA BC DB BA EB B7 5F E2 7F 73 55 6A 5E 77
7F DA 1E 48 32 FA 2C 84 63 E0 9B CB C7 31 C1 99 80 7D D0 BD 97 4E B4 54 0C 0C 4C F9 5C 01 00 00
7B 50 BD CF 4F 74 04 00 1E 00 00 00 63 D4 C6 9F 3D BD E3 0A BE 8E 86 54 0D CF D2 06 8B 55 6E 18
CB CB 39 8E 6B F1 8A 77 C5 5D D0 83 D8 42 34 E6 EC 5F 6A 42 91 64 77 AA 01 00 00 00 00 A0 C9 EA
3F B1 2E 29 9C 45 10 C1 79 A7 6A F3 4D B0 96 3E 08 B2 04 35 9D 59 39 D2 24 48 53 6A FB 21 0F FB
01 64 55 73 DF 77 67 87 91 08 32 7B 0F D4 54 66 36 39 AE D0 98 D1 F7 9E D9 4B D3 87 74 61 38 DD
96 5B 0B 75 87 A1 23 11 55 74 DB A6 45 9E 23 36 4A 7B 5D 1C 22 32 72 DB 33 A5 03 29 A1 44 00 00
C5 9A CE 83 46 92 8C 13 63 24 87 09 B3 06 AA 6A 67 E4 B7 16 A3 80 84 CD B3 87 D5 E2 F7 AA 9F AD
11 8F C6 22 1A B7 30 13 5D FC 97 C6 39 B0 1D 34 86 D8 49 31 BF E1 DC D0 52 D2 B7 2E 0E B7 69 8E
75 4C EE 61 A3 AA 3F 82 35 56 83 E0 12 32 F8 6E 46 DE B1 30 B8 A3 E7 3E 85 40 3F 31 CD BA 9F 32
4A 5C 97 09 AD 18 26 D0 B8 EB BC 76 A8 52 7C F2 9F 5F CB BC 85 CF E3 94 61 F0 42 70 BE CC 9E EB
CC 6C 54 9D 65 D6 7E C7 38 BD 41 26 CC 31 45 5B 7A 65 1F D7 16 DA 2F DE 37 F6 DF 57 69 31 92 EB
FA 85 A3 0C BC B7 57 8B 25 36 7B 8E D0 FE 35 90 F0 C8 E4 92 E7 DF C8 6D 17 97 3B EF A8 98 36 88
D8 4F 8B 0B FC ED 69 54 E1 84 14 A3 2A B1 AB 7E A4 2C 0B 8B FF 10 50 1C 0D 58 A5 03 2F 35 7A 20
6F 7E 6E AC 9B E7 F7 72 DA 10 D8 33 50 BD 75 D6 60 A4 5F AD C2 0C 84 97 B1 C3 EF 00 77 B7 4B 82
A7 2A 98 80 3F 8C 09 C3 1A D7 35 67 19 E3 8F 7F 60 C8 3C D0 32 36 22 5F C5 02 87 B8 94 9C E4 F2
DE 7F 40 09 F2 91 B2 7E 2C FF AF CA 4E F2 FD F8 30 78 90 21 BD 25 6E EA AD 9B 09 2C CF 52 B2 B0
3A 65 02 D8 95 D7 70 D3 EB 81 16 7E 4E F2 83 61 0F 07 AB F9 CB FC 41 08 6F 6D 58 AA 4A 23 9D 76
F1 F1 05 51 2F FC 04 61 38 E9 DE B8 5F 57 54 13 67 71 4F C6 02 5D 70 38 37 B2 F7 33 6F 9B D5 5E
3F F6 6D 6B 8D E5 EC C7 07 0D 0A 78 19 B3 38 91 4B A5 09 34 7D A6 90 5C 42 C9 2A B5 79 0E EE D1
65 A6 5D DD 1C 2A 4F C1 73 E9 28 C5 50 36 AE F5 D7 A5 5D ED 8A C3 8D FA C9 9A 4B AE F1 73 1A D9
51 44 58 85 03 3D D8 82 87 16 27 00 A6 B9 A4 5E 52 72 53 A1 11 4D A1 03 DD EB BC 67 20 01 92 AA
C0 DC 88 41 58 BA DB E4 9D E8 8C 7F 40 D7 A9 85 C8 D7 AE 03 5C 41 78 99 6D 02 AD F9 FE 70 54 E9
F9 22 73 8D 40 3E 00 9A 71 50 84 3E 97 38 47 7B A0 E5 66 F7 F2 89 8B 3D 4C 16 F4 7E B6 AB F7 46
E8 3A 9D 43 25 EF A7 CE 7C 2F 51 4A E0 80 C4 7A FA 5C A1 64 94 07 3B 11 9F 0F AC EC CE 85 87 45
48 57 9B C2 4E 43 08 8D 78 D3 A3 CB 6B E0 88 5D 45 E7 65 60 E3 03 5C 99 B6 C4 80 6B 47 D3 62 72
8A C8 EA 96 4F 37 8F 54 2F 37 B5 CA 60 E7 05 9F A9 E1 25 FF A9 41 70 18 6C 27 3D 08 3B 64 7B 86
92 1B 4D 36 01 2A DA 15 F5 7F C4 DA 53 43 37 E3 4C 5E 80 24 42 9C 1F 09 E9 32 89 A7 3D 16 39 BA
2C D0 9D 17 82 76 B1 3C 31 F5 A4 6B 14 54 77 5C DC 0F D8 BE 86 5C 6A DF E8 F0 78 77 9D 8D BA 05
8C 98 3E C4 6B A4 C6 74 50 F1 F8 68 6C F6 B2 37 B1 58 A1 E3 BF 0E FE A2 E7 62 2E 65 75 E3 2C F8
2D FC 47 7A C0 99 28 1D 02 C8 86 13 CC 0F 51 D4 CB D4 BC EB 19 0D EB 65 0B 0E 95 02 08 0B EB 65
09 0A EA 66 09 70 90 0F 43 7C 9E 06 42 67 87 03 59 42 A0 12 6A 58 AF 0E 56 4B 91 3B 49 5E 98 1C
53 56 A6 09 00 00 00 00 00 00 00 00 00 00 00 00

复制3次

取中间部分的数据到程序数据段中

再复制1次

005825EE E8 1127F8FF    CALL 00504D04                         ; 00504D04

红药包，共x个

1 2 可绕不吃
  2 可绕不吃

004EF351 main_dat Disabled                MOV EAX,[58FE00]                   22
005097A7 main_dat Always                   JLE SHORT 005097EF                   1
00520D90 main_dat Always                   MOV EAX,[58F870]                   2

00520DF9 DD00          FLD QWORD PTR [EAX]
00520DFB D81D 240E5200 FCOMP DWORD PTR [520E24]
00520E01 DFE0          FSTSW AX
00520E03 9E             SAHF
00520E04 75 0D          JNZ SHORT 00520E13                      ; 00520E13
00520E06 E8 DDA3EEFF    CALL 0040B1E8                         ; 0040B1E8
00520E0B A1 0CF65800    MOV EAX,[58F60C]
00520E10 DD18          FSTP QWORD PTR [EAX]
00520E12 9B             WAIT

IVi<Wjt?<<<<<<<<!

35 AB 40 6E EE 03 00 00 00 00 00 00 00 00 00 00

06 FE 42 6D EE 03 00 00 00 00 00 00 00 00 00 00

#2cIvuNjt?<<<<<<<<!
#J=tyAx\<<<<<<<@<?GsliGONfN_LdXB{F[pN<<<=<<<<KDt=<L<P<<<<<<<<<<<<<<=E<A<<<<?mEWiF<L<=<<!
#J=tyAx\<<<<<<<@<?GsliGONfN_LdXB{F[pN<<<=<<<<KDt=<L<P<<<<<<<<<<<<<<=E<A<<<<?nEWiF<L<=<<!
#J=tyAx\<<<<<<<@<?GsliGONfN_LdXB{F[pN<<<=<<<<KDt=<L<P<<<<<<<<<<<<<<=E<A<<<<?oEWiF<L<=<<!
#J=tyAx\<<<<<<<@<?GsliGONfN_LdXB{F[pN<<<=<<<<KDt=<L<P<<<<<<<<<<<<<<=E<A<<<<?pEWiF<L<=<<!
#J=tyAx\<<<<<<<@<?GsliGONfN_LdXB{F[pN<<<=<<<<KDt=<L<P<<<<<<<<<<<<<<=E<A<<<<?qEWiF<L<=<<!
#J=tyAx\<<<<<<<@<?GsliGONfN_LdXB{F[pN<<<=<<<<KDt=<L<P<<<<<<<<<<<<<<=E<A<<<<?rEWiF<L<=<<!
*
#<<<<<Ch><<<<<<<<!
#gl<<<Bt>B<<x<<<<!
*

?GsliGONfN_LdXB{F[pN

金创药(小量)?

#s@MGA<d<>L<G<<D>H\<A<<<<<<<!
#4IFi<Wjt?<<<<<<<<k[>piIFedv_LdVJehKl!
#hB@iAX\<<<<<<<@<?GsliGONfN_LdXB{F[pN<<<=<<<<KDt=<L<P<<<<<<<<<<<<<<=E<A<<<<<cN]uP<L<=<<!
*
#hB@iAX\<<<<<<<@<?GsliGONfN_LdXB{F[pN<<<=<<<<KDt=<L<P<<<<<<<<<<<<<<=E<A<<<<<dN]uP<L<=<<!
#hB@iAX\<<<<<<<@<?GsliGONfN_LdXB{F[pN<<<=<<<<KDt=<L<P<<<<<<<<<<<<<<=E<A<<<<<eN]uP<L<=<<!
#hB@iAX\<<<<<<<@<?GsliGONfN_LdXB{F[pN<<<=<<<<KDt=<L<P<<<<<<<<<<<<<<=E<A<<<<<fN]uP<L<=<<!
#hB@iAX\<<<<<<<@<?GsliGONfN_LdXB{F[pN<<<=<<<<KDt=<L<P<<<<<<<<<<<<<<=E<A<<<<<gN]uP<L<=<<!
#hB@iAX\<<<<<<<@<?GsliGONfN_LdXB{F[pN<<<=<<<<KDt=<L<P<<<<<<<<<<<<<<=E<A<<<<<hN]uP<L<=<<!
#<<<<<Ch><<<<<<<<!
#PL<<<Bt>=L<D<<<<!
*

004F14D6 8B15 60E65800 MOV EDX,[58E660]                      ; main_dat.006131AC
004F14DC 833C82 00    CMP DWORD PTR [EDX+EAX*4],0
004F14E0 74 5A          JE SHORT 004F153C                      ; 004F153C

吃蓝
004F1BCF A1 A0EA5800    MOV EAX,[58EAA0]
004F1BD4 8338 00       CMP DWORD PTR [EAX],0

吃红
004F1947 A1 F0015900    MOV EAX,[5901F0]
004F194C 8338 00       CMP DWORD PTR [EAX],0
004F194F 0F84 24010000 JE 004F1A79

004F1BCF A1 A0EA5800    MOV EAX,[58EAA0]
004F1BD4 8338 00       CMP DWORD PTR [EAX],0
004F1BD7 0F84 24010000 JE 004F1D01
004F1BDD 8B15 04E55800 MOV EDX,[58E504]                      ; main_dat.0058E2C8
004F1BE3 8B12          MOV EDX,[EDX]
004F1BE5 A1 6CE95800    MOV EAX,[58E96C]
004F1BEA 8B00          MOV EAX,[EAX]
004F1BEC 8B4D D8       MOV ECX,[EBP-28]
004F1BEF E8 6C010100    CALL 00501D60
004F1BF4 85C0          TEST EAX,EAX
004F1BF6 0F84 05010000 JE 004F1D01
004F1BFC 33C0          XOR EAX,EAX

004F19E3 837D E0 00    CMP DWORD PTR [EBP-20],0                ; 检查红药
004F19E7 0F8F 8C000000 JG 004F1A79
004F19ED A1 3CFD5800    MOV EAX,[58FD3C]
004F19F2 8B00          MOV EAX,[EAX]
004F19F4 48             DEC EAX
004F19F5 85C0          TEST EAX,EAX
004F19F7 7C 76          JL SHORT 004F1A6F
004F19F9 40             INC EAX
004F19FA 8945 B4       MOV [EBP-4C],EAX
004F19FD C745 DC 0000000>MOV DWORD PTR [EBP-24],0
004F1A04 6B45 DC 43    IMUL EAX,[EBP-24],43
004F1A08 8B15 60E65800 MOV EDX,[58E660]                      ; main_dat.006131AC
004F1A0E 833C82 00    CMP DWORD PTR [EDX+EAX*4],0
004F1A12 74 53          JE SHORT 004F1A67
004F1A14 6B45 DC 43    IMUL EAX,[EBP-24],43
004F1A18 8B15 60E65800 MOV EDX,[58E660]                      ; main_dat.006131AC
004F1A1E 8D0482       LEA EAX,[EDX+EAX*4]
004F1A21 E8 4AF70100    CALL 00511170
004F1A26 85C0          TEST EAX,EAX
004F1A28 75 3D          JNZ SHORT 004F1A67
004F1A2A 6B45 DC 43    IMUL EAX,[EBP-24],43
004F1A2E 8B15 60E65800 MOV EDX,[58E660]                      ; main_dat.006131AC
004F1A34 807C82 2C 00 CMP BYTE PTR [EDX+EAX*4+2C],0
004F1A39 76 2C          JBE SHORT 004F1A67
004F1A3B 55             PUSH EBP
004F1A3C E8 2BF9FFFF    CALL 004F136C
004F1A41 59             POP ECX
004F1A42 85C0          TEST EAX,EAX
004F1A44 74 21          JE SHORT 004F1A67
004F1A46 A1 CC005900    MOV EAX,[5900CC]
004F1A4B 8B55 D8       MOV EDX,[EBP-28]
004F1A4E 8910          MOV [EAX],EDX
004F1A50 6B45 DC 43    IMUL EAX,[EBP-24],43
004F1A54 8B15 60E65800 MOV EDX,[58E660]                      ; main_dat.006131AC
004F1A5A 8B0482       MOV EAX,[EDX+EAX*4]
004F1A5D E8 9252FDFF    CALL 004C6CF4                         ; 解包
004F1A62 E9 E5030000    JMP 004F1E4C
004F1A67 FF45 DC       INC DWORD PTR [EBP-24]
004F1A6A FF4D B4       DEC DWORD PTR [EBP-4C]
004F1A6D  ^ 75 95          JNZ SHORT 004F1A04
004F1A6F B8 FC1E4F00    MOV EAX,004F1EFC                      ; 没有红药了..

物品存放
006131AC  D1                                              言

00522168 E8 872DEEFF    CALL 00404EF4                         ; 复制包里的物品名字准备比较
0052216D 8B45 D0       MOV EAX,[EBP-30]
00522170 E8 F733FEFF    CALL 0050556C                         ; 比较物品是否是红药
00522175 40             INC EAX
00522176 8B55 FC       MOV EDX,[EBP-4]
00522179 8842 2A       MOV [EDX+2A],AL
0052217C 8D45 CC       LEA EAX,[EBP-34]
0052217F 8B55 FC       MOV EDX,[EBP-4]
00522182 83C2 04       ADD EDX,4
00522185 E8 6A2DEEFF    CALL 00404EF4
0052218A 8B45 CC       MOV EAX,[EBP-34]
0052218D E8 8234FEFF    CALL 00505614                         ; 蓝药
00522192 40             INC EAX
00522193 8B55 FC       MOV EDX,[EBP-4]
00522196 8842 2B       MOV [EDX+2B],AL
00522199 8D45 C8       LEA EAX,[EBP-38]
0052219C 8B55 FC       MOV EDX,[EBP-4]
0052219F 83C2 04       ADD EDX,4
005221A2 E8 4D2DEEFF    CALL 00404EF4
005221A7 8B45 C8       MOV EAX,[EBP-38]
005221AA E8 F5140000    CALL 005236A4                         ; 随即传送卷

005056F7 A1 84EC5800    MOV EAX,[58EC84]
005056FC 8B00          MOV EAX,[EAX]
005056FE 48             DEC EAX
005056FF 85C0          TEST EAX,EAX

00568A37 /E9 95000000    JMP 00568AD1
00568A3C |90             NOP                                     ; 不喝红
00568A3D |90             NOP
00568A3E |90             NOP
00568A3F |90             NOP
00568A40 |90             NOP
00568A41 |E9 8B000000    JMP 00568AD1
00568A46 |90             NOP                                     ; 估计绕障碍物
00568A47 |90             NOP
00568A48 |90             NOP
00568A49 |90             NOP
00568A4A |90             NOP
00568A4B |E9 81000000    JMP 00568AD1
00568A50 |E8 EFF3FFFF    CALL 00567E44                         ; -1
00568A55 |EB 7A          JMP SHORT 00568AD1

2005-8-21 1:52

CPU 100%,服务器满员，乱pk

612100
00216100
0?216100
1?216100

[培训]传播安全知识、拓宽行业人脉——看雪讲师团队等你加入！

收藏・0

免费・0

支持