[原创]我的第九个CrackMe-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

最新回复 (21)
jxanu 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 22 粉丝 0 关注私信	jxanu 2006-2-16 20:32 2 楼 0 好像挺厉害的CrackMe!~~
happytown 雪币： 721 活跃值： (350) 能力值： ( LV9，RANK：1250 ) 在线值：发帖 131 回帖 1014 粉丝 1 关注私信	happytown 31 2006-2-16 20:40 3 楼 0 欢迎你试试看！
mirrormask 雪币： 242 活跃值： (135) 能力值： ( LV8，RANK：130 ) 在线值：发帖 8 回帖 64 粉丝 1 关注私信	mirrormask 3 2006-2-17 14:05 4 楼 0 爆了.... 查了一下有blowfish 不会
busheler 雪币： 236 活跃值： (160) 能力值： ( LV8，RANK：130 ) 在线值：发帖 9 回帖 46 粉丝 0 关注私信	busheler 3 2006-2-17 14:18 5 楼 0 确实有些变态的说！夹克很容易脱去的；反汇编，反调试，还有校验里！前面分析放上来：一、脱壳免。。。二、去反调试、去掉校验： 004596EC /. 55 push ebp 004596ED \|. 8BEC mov ebp, esp 004596EF \|. 83C4 F0 add esp, -10 004596F2 \|. 8955 F0 mov [ebp-10], edx 004596F5 \|. 8945 FC mov [ebp-4], eax 004596F8 \|. 8B45 FC mov eax, [ebp-4] 004596FB \|. E8 C420FEFF call 0043B7C4 00459700 \|. A3 F4DF4500 mov [45DFF4], eax 00459705 \|. E8 DAEFFFFF call 004586E4 ; 监测调试、反汇编等... 0045970A \|. E8 51F8FFFF call 00458F60 0045970F \|. E8 5CE9FFFF call 00458070 ; 取文件属性，未仔细跟踪，有文件名、文件大小等等。并进行运算！ 00459714 \|. 8945 F4 mov [ebp-C], eax 00459717 \|. A1 E0DF4500 mov eax, [45DFE0] 0045971C \|. 3B45 F4 cmp eax, [ebp-C] 0045971F 74 05 je short 00459726 ; 相等，跳去继续；不等，退出！改为jmp 00459721 \|. E8 CEA7FAFF call 00403EF4 00459726 \|> 68 7C974500 push 0045977C ; /ResourceType = "WAV" 0045972B \|. 68 80974500 push 00459780 ; \|ResourceName = "BackSound" 00459730 \|. A1 F0DF4500 mov eax, [45DFF0] ; \| 00459735 \|. 50 push eax ; \|hModule => NULL 00459736 \|. E8 3DC9FAFF call <jmp.&kernel32.FindResourceA> ; \FindResourceA 0045973B \|. 8945 F8 mov [ebp-8], eax 0045973E \|. 8B45 F8 mov eax, [ebp-8] 00459741 \|. 50 push eax ; /hResource 00459742 \|. A1 F0DF4500 mov eax, [45DFF0] ; \| 00459747 \|. 50 push eax ; \|hModule => NULL 00459748 \|. E8 5BCAFAFF call <jmp.&kernel32.LoadResource> ; \LoadResource 0045974D \|. A3 FCDF4500 mov [45DFFC], eax 00459752 \|. 833D FCDF4500 20 cmp dword ptr [45DFFC], 20 00459759 \|. 76 10 jbe short 0045976B 0045975B \|. A1 FCDF4500 mov eax, [45DFFC] 00459760 \|. 50 push eax ; /hResource => NULL 00459761 \|. E8 4ACAFAFF call <jmp.&kernel32.LockResource> ; \LockResource 00459766 \|. A3 F8DF4500 mov [45DFF8], eax 0045976B \|> 6A 0D push 0D 0045976D \|. A1 F8DF4500 mov eax, [45DFF8] 00459772 \|. 50 push eax 00459773 \|. E8 10CAFFFF call <jmp.&winmm.sndPlaySoundA> 00459778 \|. 8BE5 mov esp, ebp 0045977A \|. 5D pop ebp 0045977B \. C3 retn
busheler 雪币： 236 活跃值： (160) 能力值： ( LV8，RANK：130 ) 在线值：发帖 9 回帖 46 粉丝 0 关注私信	busheler 3 2006-2-17 14:19 6 楼 0 跟进call 004586E4 进取看看： 004586E4 /$ 55 push ebp 004586E5 \|. 8BEC mov ebp, esp 004586E7 \|. B9 29000000 mov ecx, 29 004586EC \|> 6A 00 /push 0 004586EE \|. 6A 00 \|push 0 004586F0 \|. 49 \|dec ecx 004586F1 \|.^ 75 F9 \jnz short 004586EC 004586F3 \|. 51 push ecx 004586F4 \|. 33C0 xor eax, eax 004586F6 \|. 55 push ebp 004586F7 \|. 68 118A4500 push 00458A11 004586FC \|. 64:FF30 push dword ptr fs:[eax] 004586FF \|. 64:8920 mov fs:[eax], esp 00458702 \|. 8D45 D0 lea eax, [ebp-30] 00458705 \|. BA 248A4500 mov edx, 00458A24 0045870A \|. E8 6DB9FAFF call 0040407C 0045870F \|. 8D45 F4 lea eax, [ebp-C] 00458712 \|. BA 348A4500 mov edx, 00458A34 00458717 \|. E8 60B9FAFF call 0040407C 0045871C \|. 8D4D CC lea ecx, [ebp-34] 0045871F \|. 8B55 F4 mov edx, [ebp-C] 00458722 \|. 8B45 D0 mov eax, [ebp-30] 00458725 \|. E8 D6FEFFFF call 00458600 0045872A \|. 8D45 F4 lea eax, [ebp-C] 0045872D \|. 8B55 CC mov edx, [ebp-34] 00458730 \|. E8 47B9FAFF call 0040407C ; OLLYDBG 00458735 \|. 8D45 CC lea eax, [ebp-34] 00458738 \|. E8 A7B8FAFF call 00403FE4 0045873D \|. 8D45 D0 lea eax, [ebp-30] 00458740 \|. BA 448A4500 mov edx, 00458A44 00458745 \|. E8 32B9FAFF call 0040407C 0045874A \|. 8D45 F0 lea eax, [ebp-10] 0045874D \|. BA 548A4500 mov edx, 00458A54 00458752 \|. E8 25B9FAFF call 0040407C 00458757 \|. 8D4D CC lea ecx, [ebp-34] 0045875A \|. 8B55 F0 mov edx, [ebp-10] 0045875D \|. 8B45 D0 mov eax, [ebp-30] 00458760 \|. E8 9BFEFFFF call 00458600 00458765 \|. 8D45 F0 lea eax, [ebp-10] 00458768 \|. 8B55 CC mov edx, [ebp-34] ; fly0DBG 0045876B \|. E8 0CB9FAFF call 0040407C 00458770 \|. 8D45 CC lea eax, [ebp-34] 00458773 \|. E8 6CB8FAFF call 00403FE4 00458778 \|. 8D45 D0 lea eax, [ebp-30] 0045877B \|. BA 648A4500 mov edx, 00458A64 00458780 \|. E8 F7B8FAFF call 0040407C 00458785 \|. 8D45 E8 lea eax, [ebp-18] 00458788 \|. BA 748A4500 mov edx, 00458A74 0045878D \|. E8 EAB8FAFF call 0040407C 00458792 \|. 8D4D CC lea ecx, [ebp-34] 00458795 \|. 8B55 E8 mov edx, [ebp-18] 00458798 \|. 8B45 D0 mov eax, [ebp-30] 0045879B \|. E8 60FEFFFF call 00458600 004587A0 \|. 8D45 E8 lea eax, [ebp-18] 004587A3 \|. 8B55 CC mov edx, [ebp-34] ; W32DASM 004587A6 \|. E8 D1B8FAFF call 0040407C 004587AB \|. 8D45 CC lea eax, [ebp-34] 004587AE \|. E8 31B8FAFF call 00403FE4 004587B3 \|. 8D45 D0 lea eax, [ebp-30] 004587B6 \|. BA 848A4500 mov edx, 00458A84 ; ASCII "u掊? 004587BB \|. E8 BCB8FAFF call 0040407C 004587C0 \|. 8D45 E0 lea eax, [ebp-20] 004587C3 \|. BA 948A4500 mov edx, 00458A94 004587C8 \|. E8 AFB8FAFF call 0040407C 004587CD \|. 8D4D CC lea ecx, [ebp-34] 004587D0 \|. 8B55 E0 mov edx, [ebp-20] 004587D3 \|. 8B45 D0 mov eax, [ebp-30] 004587D6 \|. E8 25FEFFFF call 00458600 004587DB \|. 8D45 E0 lea eax, [ebp-20] 004587DE \|. 8B55 CC mov edx, [ebp-34] ; DeDe 004587E1 \|. E8 96B8FAFF call 0040407C 004587E6 \|. 8D45 CC lea eax, [ebp-34] 004587E9 \|. E8 F6B7FAFF call 00403FE4 004587EE \|. 8D45 D0 lea eax, [ebp-30] 004587F1 \|. BA A48A4500 mov edx, 00458AA4 004587F6 \|. E8 81B8FAFF call 0040407C 004587FB \|. 8D45 DC lea eax, [ebp-24] 004587FE \|. BA B48A4500 mov edx, 00458AB4 00458803 \|. E8 74B8FAFF call 0040407C 00458808 \|. 8D4D CC lea ecx, [ebp-34] 0045880B \|. 8B55 DC mov edx, [ebp-24] 0045880E \|. 8B45 D0 mov eax, [ebp-30] 00458811 \|. E8 EAFDFFFF call 00458600 00458816 \|. 8D45 DC lea eax, [ebp-24] 00458819 \|. 8B55 CC mov edx, [ebp-34] ; DARK 0045881C \|. E8 5BB8FAFF call 0040407C 00458821 \|. 8D45 CC lea eax, [ebp-34] 00458824 \|. E8 BBB7FAFF call 00403FE4 00458829 \|. 8D45 D0 lea eax, [ebp-30] 0045882C \|. BA C48A4500 mov edx, 00458AC4 ; ASCII "user32.dll" 00458831 \|. E8 46B8FAFF call 0040407C 00458836 \|. 8D45 D4 lea eax, [ebp-2C] 00458839 \|. BA D88A4500 mov edx, 00458AD8 0045883E \|. E8 39B8FAFF call 0040407C 00458843 \|. 8D4D CC lea ecx, [ebp-34] 00458846 \|. 8B55 D4 mov edx, [ebp-2C] 00458849 \|. 8B45 D0 mov eax, [ebp-30] 0045884C \|. E8 AFFDFFFF call 00458600 00458851 \|. 8D45 D4 lea eax, [ebp-2C] 00458854 \|. 8B55 CC mov edx, [ebp-34] ; SmartCheck 00458857 \|. E8 20B8FAFF call 0040407C 0045885C \|. 8D45 CC lea eax, [ebp-34] 0045885F \|. E8 80B7FAFF call 00403FE4 00458864 \|. 6A 00 push 0 ; /Relation = GW_HWNDFIRST 00458866 \|. A1 F4DF4500 mov eax, [45DFF4] ; \| 0045886B \|. 50 push eax ; \|hWnd => 003103AC ('CrackMe_0009',class='TfrmMain',parent=005603BC) 0045886C \|. E8 7FDEFAFF call <jmp.&user32.GetWindow> ; \GetWindow 00458871 \|. 8945 FC mov [ebp-4], eax 00458874 \|. 837D FC 00 cmp dword ptr [ebp-4], 0 00458878 \|. 0F84 68010000 je 004589E6 0045887E \|> 68 FF000000 /push 0FF ; /Count = FF (255.) 00458883 \|. 8D85 C9FEFFFF \|lea eax, [ebp-137] ; \| 00458889 \|. 50 \|push eax ; \|Buffer 0045888A \|. 8B45 FC \|mov eax, [ebp-4] ; \| 0045888D \|. 50 \|push eax ; \|hWnd 0045888E \|. E8 85DEFAFF \|call <jmp.&user32.GetWindowTextA> ; \GetWindowTextA 00458893 \|. 85C0 \|test eax, eax 00458895 \|. 0F8E 33010000 \|jle 004589CE 0045889B \|. 8D55 F8 \|lea edx, [ebp-8] 0045889E \|. 8D85 C9FEFFFF \|lea eax, [ebp-137] 004588A4 \|. E8 ABFEFAFF \|call 00408754 004588A9 \|. 8D55 EC \|lea edx, [ebp-14] 004588AC \|. 8D85 C9FEFFFF \|lea eax, [ebp-137] 004588B2 \|. E8 9DFEFAFF \|call 00408754 004588B7 \|. 8D55 E4 \|lea edx, [ebp-1C] 004588BA \|. 8D85 C9FEFFFF \|lea eax, [ebp-137] 004588C0 \|. E8 8FFEFAFF \|call 00408754 004588C5 \|. 8D55 D8 \|lea edx, [ebp-28] 004588C8 \|. 8D85 C9FEFFFF \|lea eax, [ebp-137] 004588CE \|. E8 81FEFAFF \|call 00408754 004588D3 \|. 8D85 C0FEFFFF \|lea eax, [ebp-140] 004588D9 \|. 50 \|push eax 004588DA \|. B9 07000000 \|mov ecx, 7 004588DF \|. BA 01000000 \|mov edx, 1 004588E4 \|. 8B45 F8 \|mov eax, [ebp-8] 004588E7 \|. E8 18BCFAFF \|call 00404504 004588EC \|. 8B85 C0FEFFFF \|mov eax, [ebp-140] 004588F2 \|. 8D95 C4FEFFFF \|lea edx, [ebp-13C] 004588F8 \|. E8 BBF2FAFF \|call 00407BB8 004588FD \|. 8B85 C4FEFFFF \|mov eax, [ebp-13C] 00458903 \|. 8B55 F4 \|mov edx, [ebp-C] ; OLLYDBG 00458906 \|. E8 E5BAFAFF \|call 004043F0 0045890B \|. 0F84 90000000 \|je 004589A1 ; nop掉 00458911 \|. 8D85 BCFEFFFF \|lea eax, [ebp-144] 00458917 \|. 50 \|push eax 00458918 \|. B9 07000000 \|mov ecx, 7 0045891D \|. BA 01000000 \|mov edx, 1 00458922 \|. 8B45 F8 \|mov eax, [ebp-8] 00458925 \|. E8 DABBFAFF \|call 00404504 0045892A \|. 8B85 BCFEFFFF \|mov eax, [ebp-144] 00458930 \|. 8B55 F0 \|mov edx, [ebp-10] 00458933 \|. E8 B8BAFAFF \|call 004043F0 ; fly0DBG 00458938 \|. 74 67 \|je short 004589A1 ; nop掉 0045893A \|. 8B55 E8 \|mov edx, [ebp-18] 0045893D \|. 8B45 EC \|mov eax, [ebp-14] 00458940 \|. E8 A7F4FCFF \|call 00427DEC ; W32DASM 00458945 \|. 3C 01 \|cmp al, 1 00458947 \|. 74 58 \|je short 004589A1 ; nop掉 00458949 \|. 8B55 E0 \|mov edx, [ebp-20] 0045894C \|. 8B45 E4 \|mov eax, [ebp-1C] 0045894F \|. E8 98F4FCFF \|call 00427DEC ; DeDe 00458954 \|. 3C 01 \|cmp al, 1 00458956 \|. 74 49 \|je short 004589A1 ; nop掉 00458958 \|. 8D85 B4FEFFFF \|lea eax, [ebp-14C] 0045895E \|. 50 \|push eax 0045895F \|. B9 04000000 \|mov ecx, 4 00458964 \|. BA 01000000 \|mov edx, 1 00458969 \|. 8B45 E4 \|mov eax, [ebp-1C] 0045896C \|. E8 93BBFAFF \|call 00404504 00458971 \|. 8B85 B4FEFFFF \|mov eax, [ebp-14C] 00458977 \|. 8D95 B8FEFFFF \|lea edx, [ebp-148] 0045897D \|. E8 36F2FAFF \|call 00407BB8 00458982 \|. 8B85 B8FEFFFF \|mov eax, [ebp-148] 00458988 \|. 8B55 DC \|mov edx, [ebp-24] 0045898B \|. E8 60BAFAFF \|call 004043F0 ; DARK 00458990 \|. 74 0F \|je short 004589A1 ; nop掉 00458992 \|. 8B55 D4 \|mov edx, [ebp-2C] 00458995 \|. 8B45 D8 \|mov eax, [ebp-28] 00458998 \|. E8 4FF4FCFF \|call 00427DEC ; SmartCheck 0045899D \|. 3C 01 \|cmp al, 1 0045899F \|. 75 2D \|jnz short 004589CE ; 改为jmp 004589A1 \|> 8D45 C8 \|lea eax, [ebp-38] 004589A4 \|. 50 \|push eax ; /pProcessID 004589A5 \|. 8B45 FC \|mov eax, [ebp-4] ; \| 004589A8 \|. 50 \|push eax ; \|hWnd 004589A9 \|. E8 72DDFAFF \|call <jmp.&user32.GetWindowThreadPro>; \GetWindowThreadProcessId 004589AE \|. 837D C8 00 \|cmp dword ptr [ebp-38], 0 004589B2 \|. 74 15 \|je short 004589C9 004589B4 \|. 6A FF \|push -1 ; /ExitCode = FFFFFFFF (-1.) 004589B6 \|. 8B45 C8 \|mov eax, [ebp-38] ; \| 004589B9 \|. 50 \|push eax ; \|/ProcessId 004589BA \|. 6A 00 \|push 0 ; \|\|Inheritable = FALSE 004589BC \|. 6A 01 \|push 1 ; \|\|Access = TERMINATE 004589BE \|. E8 FDD7FAFF \|call <jmp.&kernel32.OpenProcess> ; \|\OpenProcess 004589C3 \|. 50 \|push eax ; \|hProcess 004589C4 \|. E8 47D8FAFF \|call <jmp.&kernel32.TerminateProcess>; \TerminateProcess 004589C9 \|> E8 26B5FAFF \|call 00403EF4 004589CE \|> 6A 02 \|push 2 ; /Relation = GW_HWNDNEXT 004589D0 \|. 8B45 FC \|mov eax, [ebp-4] ; \| 004589D3 \|. 50 \|push eax ; \|hWnd 004589D4 \|. E8 17DDFAFF \|call <jmp.&user32.GetWindow> ; \GetWindow 004589D9 \|. 8945 FC \|mov [ebp-4], eax 004589DC \|. 837D FC 00 \|cmp dword ptr [ebp-4], 0 004589E0 \|.^ 0F85 98FEFFFF \jnz 0045887E 004589E6 \|> 33C0 xor eax, eax 004589E8 \|. 5A pop edx 004589E9 \|. 59 pop ecx 004589EA \|. 59 pop ecx 004589EB \|. 64:8910 mov fs:[eax], edx 004589EE \|. 68 188A4500 push 00458A18 004589F3 \|> 8D85 B4FEFFFF lea eax, [ebp-14C] 004589F9 \|. BA 05000000 mov edx, 5 004589FE \|. E8 05B6FAFF call 00404008 00458A03 \|. 8D45 CC lea eax, [ebp-34] 00458A06 \|. BA 0C000000 mov edx, 0C 00458A0B \|. E8 F8B5FAFF call 00404008 00458A10 \. C3 retn
busheler 雪币： 236 活跃值： (160) 能力值： ( LV8，RANK：130 ) 在线值：发帖 9 回帖 46 粉丝 0 关注私信	busheler 3 2006-2-17 14:19 7 楼 0 跟进call 00458070去看看： 00458070 /$ 55 push ebp 00458071 \|. 8BEC mov ebp, esp 00458073 \|. 83C4 CC add esp, -34 00458076 \|. 33C0 xor eax, eax 00458078 \|. 8945 E4 mov [ebp-1C], eax 0045807B \|. 33C0 xor eax, eax 0045807D \|. 55 push ebp 0045807E \|. 68 BB814500 push 004581BB 00458083 \|. 64:FF30 push dword ptr fs:[eax] 00458086 \|. 64:8920 mov fs:[eax], esp 00458089 \|. 8D55 E4 lea edx, [ebp-1C] 0045808C \|. 33C0 xor eax, eax 0045808E \|. E8 51A9FAFF call 004029E4 00458093 \|. 8B45 E4 mov eax, [ebp-1C] 00458096 \|. E8 09C4FAFF call 004044A4 0045809B \|. 8945 E0 mov [ebp-20], eax ; 取文件路径及名称 0045809E \|. 6A 00 push 0 ; /hTemplateFile = NULL 004580A0 \|. 6A 20 push 20 ; \|Attributes = ARCHIVE 004580A2 \|. 6A 03 push 3 ; \|Mode = OPEN_EXISTING 004580A4 \|. 6A 00 push 0 ; \|pSecurity = NULL 004580A6 \|. 6A 01 push 1 ; \|ShareMode = FILE_SHARE_READ 004580A8 \|. 68 00000080 push 80000000 ; \|Access = GENERIC_READ 004580AD \|. 8B45 E0 mov eax, [ebp-20] ; \| 004580B0 \|. 50 push eax ; \|FileName 004580B1 \|. E8 92DFFAFF call <jmp.&kernel32.CreateFileA> ; \CreateFileA 004580B6 \|. 8945 EC mov [ebp-14], eax 004580B9 \|. 6A 00 push 0 ; /pFileSizeHigh = NULL 004580BB \|. 8B45 EC mov eax, [ebp-14] ; \| 004580BE \|. 50 push eax ; \|hFile 004580BF \|. E8 0CE0FAFF call <jmp.&kernel32.GetFileSize> ; \取文件大小 004580C4 \|. 8945 DC mov [ebp-24], eax ; eax为文件大小 004580C7 \|. 8B45 DC mov eax, [ebp-24] 004580CA \|. 50 push eax ; /MemSize 004580CB \|. 6A 42 push 42 ; \|Flags = GHND 004580CD \|. E8 7EE0FAFF call <jmp.&kernel32.GlobalAlloc> ; \GlobalAlloc 004580D2 \|. 8945 E8 mov [ebp-18], eax 004580D5 \|. 8B45 E8 mov eax, [ebp-18] 004580D8 \|. 50 push eax ; /hMem 004580D9 \|. E8 92E0FAFF call <jmp.&kernel32.GlobalLock> ; \GlobalLock 004580DE \|. 8945 FC mov [ebp-4], eax 004580E1 \|. 6A 00 push 0 ; /pOverlapped = NULL 004580E3 \|. 8D45 D8 lea eax, [ebp-28] ; \| 004580E6 \|. 50 push eax ; \|pBytesRead 004580E7 \|. 8B45 DC mov eax, [ebp-24] ; \| 004580EA \|. 50 push eax ; \|BytesToRead 004580EB \|. 8B45 FC mov eax, [ebp-4] ; \| 004580EE \|. 50 push eax ; \|Buffer 004580EF \|. 8B45 EC mov eax, [ebp-14] ; \| 004580F2 \|. 50 push eax ; \|hFile 004580F3 \|. E8 D0E0FAFF call <jmp.&kernel32.ReadFile> ; \ReadFile 004580F8 \|. 8B45 EC mov eax, [ebp-14] 004580FB \|. 50 push eax ; /hObject 004580FC \|. E8 2FDFFAFF call <jmp.&kernel32.CloseHandle> ; \CloseHandle 00458101 \|. B9 3C000000 mov ecx, 3C 00458106 \|. 034D FC add ecx, [ebp-4] 00458109 \|. 8B09 mov ecx, [ecx] 0045810B \|. 83C1 44 add ecx, 44 0045810E \|. 034D FC add ecx, [ebp-4] 00458111 \|. 8B01 mov eax, [ecx] 00458113 \|. A3 E0DF4500 mov [45DFE0], eax ; EAX中的值入[45DFE0],用来和后面计算结果进行对比！ 00458118 \|. C701 00000000 mov dword ptr [ecx], 0 0045811E \|. E8 EDFEFFFF call 00458010 00458123 \|. 8B55 FC mov edx, [ebp-4] 00458126 \|. 8955 F8 mov [ebp-8], edx 00458129 \|. 837D DC 00 cmp dword ptr [ebp-24], 0 0045812D \|. 76 64 jbe short 00458193 0045812F \|. 8B45 DC mov eax, [ebp-24] 00458132 \|. 85C0 test eax, eax 00458134 \|. 76 4D jbe short 00458183 00458136 \|. 8945 CC mov [ebp-34], eax 00458139 \|. C745 D0 01000000 mov dword ptr [ebp-30], 1 00458140 \|> 8B55 F8 /mov edx, [ebp-8] 00458143 \|. 8A02 \|mov al, [edx] 00458145 \|. 0FB6C0 \|movzx eax, al 00458148 \|. 8945 F4 \|mov [ebp-C], eax 0045814B \|. 42 \|inc edx 0045814C \|. 8955 F8 \|mov [ebp-8], edx 0045814F \|. A1 2CBE4500 \|mov eax, [45BE2C] 00458154 \|. 3345 F4 \|xor eax, [ebp-C] 00458157 \|. 25 FF000000 \|and eax, 0FF 0045815C \|. 8945 D4 \|mov [ebp-2C], eax 0045815F \|. A1 2CBE4500 \|mov eax, [45BE2C] 00458164 \|. C1E8 08 \|shr eax, 8 00458167 \|. 25 FFFFFF00 \|and eax, 0FFFFFF 0045816C \|. 8B55 D4 \|mov edx, [ebp-2C] 0045816F \|. 330495 E0DB4500 \|xor eax, [edx*4+45DBE0] 00458176 \|. A3 2CBE4500 \|mov [45BE2C], eax 0045817B \|. FF45 D0 \|inc dword ptr [ebp-30] ; 每循环一次，+1 0045817E \|. FF4D CC \|dec dword ptr [ebp-34] ; 每循环一次，-1 00458181 \|.^ 75 BD \jnz short 00458140 ; 没晚没了的的运算，循环次数与文件大小相同！晕倒：（ 00458183 \|> F715 2CBE4500 not dword ptr [45BE2C] ; 前面结果 not，运算结束！ 00458189 \|. A1 2CBE4500 mov eax, [45BE2C] ; 运算结果入EAX 0045818E \|. 8945 F0 mov [ebp-10], eax 00458191 \|. EB 12 jmp short 004581A5 00458193 \|> C705 2CBE4500 FFFFFFF>mov dword ptr [45BE2C], -1 0045819D \|. A1 2CBE4500 mov eax, [45BE2C] 004581A2 \|. 8945 F0 mov [ebp-10], eax 004581A5 \|> 33C0 xor eax, eax 004581A7 \|. 5A pop edx 004581A8 \|. 59 pop ecx 004581A9 \|. 59 pop ecx 004581AA \|. 64:8910 mov fs:[eax], edx 004581AD \|. 68 C2814500 push 004581C2 004581B2 \|> 8D45 E4 lea eax, [ebp-1C] 004581B5 \|. E8 2ABEFAFF call 00403FE4 004581BA \. C3 retn 004581BB .^ E9 28B8FAFF jmp 004039E8 004581C0 .^ EB F0 jmp short 004581B2 004581C2 . 8B45 F0 mov eax, [ebp-10] 004581C5 . 8BE5 mov esp, ebp 004581C7 . 5D pop ebp 004581C8 . C3 retn
laomms 雪币： 560 活跃值： (309) 能力值： ( LV13，RANK：1370 ) 在线值：发帖 83 回帖 384 粉丝 7 关注私信	laomms 34 2006-2-17 14:31 8 楼 0 强！领教了。
busheler 雪币： 236 活跃值： (160) 能力值： ( LV8，RANK：130 ) 在线值：发帖 9 回帖 46 粉丝 0 关注私信	busheler 3 2006-2-17 14:31 9 楼 0 因为未监测OllyICE，脱壳后文件可以用OllyICE载入，在0045971F处下断点，F9运行,直接被断下,je改为jmp就可运行. 我用UltraEdit把"7405"改为"EB05"，运行有出错，但可以到主界面！好奇怪：这个壳比较软，我脱壳水平奇丑，学习中......
mirrormask 雪币： 242 活跃值： (135) 能力值： ( LV8，RANK：130 ) 在线值：发帖 8 回帖 64 粉丝 1 关注私信	mirrormask 3 2006-2-17 14:34 10 楼 0 antidbg我都没发现....
busheler 雪币： 236 活跃值： (160) 能力值： ( LV8，RANK：130 ) 在线值：发帖 9 回帖 46 粉丝 0 关注私信	busheler 3 2006-2-18 00:07 11 楼 0 图好漂亮：）可惜注册算法还没有出来里！
Ryosuke 雪币： 370 活跃值： (78) 能力值： ( LV9，RANK：970 ) 在线值：发帖 26 回帖 196 粉丝 2 关注私信	Ryosuke 24 2006-2-18 17:47 12 楼 0 我来说说我的分析：跟了2个多小时，说说我的理解。目前还只对name就行了分析，剩下的部分等有时间再做。目前分析用到的算法有md5,sha。 004597EC /. 55 push ebp 004597ED \|. 8BEC mov ebp, esp 004597EF \|. B9 0B000000 mov ecx, 0B 004597F4 \|> 6A 00 /push 0 004597F6 \|. 6A 00 \|push 0 004597F8 \|. 49 \|dec ecx 004597F9 \|.^ 75 F9 \jnz short 004597F4 004597FB \|. 53 push ebx 004597FC \|. 56 push esi 004597FD \|. 8955 C4 mov [ebp-3C], edx 00459800 \|. 8945 FC mov [ebp-4], eax 00459803 \|. 33C0 xor eax, eax 00459805 \|. 55 push ebp 00459806 \|. 68 6E9A4500 push 00459A6E 0045980B \|. 64:FF30 push dword ptr fs:[eax] 0045980E \|. 64:8920 mov fs:[eax], esp 00459811 \|. 8D55 C0 lea edx, [ebp-40] 00459814 \|. 8B45 FC mov eax, [ebp-4] 00459817 \|. 8B80 04030000 mov eax, [eax+304] 0045981D \|. E8 C6B7FDFF call 00434FE8 ; get serail 00459822 \|. 8B45 C0 mov eax, [ebp-40] ; serail string 00459825 \|. E8 7AAAFAFF call 004042A4 0045982A \|. 83F8 10 cmp eax, 10 0045982D \|. 0F85 E1010000 jnz 00459A14 00459833 \|. 8D55 F8 lea edx, [ebp-8] 00459836 \|. 8B45 FC mov eax, [ebp-4] 00459839 \|. 8B80 F8020000 mov eax, [eax+2F8] 0045983F \|. E8 A4B7FDFF call 00434FE8 ; get name 00459844 \|. 8B45 F8 mov eax, [ebp-8] ; name string 00459847 \|. E8 80E9FFFF call 004581CC ; 加密name 0045984C \|. 8945 F4 mov [ebp-C], eax 0045984F \|. 8D45 F8 lea eax, [ebp-8] 00459852 \|. E8 2DF7FFFF call 00458F84 ; getproductid 00459857 \|. 8B45 F8 mov eax, [ebp-8] 0045985A \|. E8 6DE9FFFF call 004581CC ; 加密productid 0045985F \|. 3145 F4 xor [ebp-C], eax ; xor 加密name 和加密productid 为important 00459862 \|. 8D45 F8 lea eax, [ebp-8] 00459865 \|. E8 7AA7FAFF call 00403FE4 0045986A \|. 8B45 F4 mov eax, [ebp-C] 0045986D \|. 33D2 xor edx, edx 0045986F \|. 52 push edx ; /Arg2 => 00000000 00459870 \|. 50 push eax ; \|Arg1 00459871 \|. 8D55 D4 lea edx, [ebp-2C] ; \| 00459874 \|. B8 08000000 mov eax, 8 ; \| 00459879 \|. E8 C6E7FAFF call 00408044 ; \dumped_1.00408044 将important变成16进制的字符串形式strimportant 0045987E \|. 8D55 BC lea edx, [ebp-44] 00459881 8B45 D4 mov eax, [ebp-2C] ; 上面的结果转换成的字符strimportant 00459884 \|. E8 2BE7FFFF call 00457FB4 ; md5变换上面的strimportant 00459889 8B45 BC mov eax, [ebp-44];变换结果string1 0045988C \|. 8D55 D0 lea edx, [ebp-30] 0045988F \|. E8 24E3FAFF call 00407BB8 ; 大写变换string1 00459894 \|. 8D55 B4 lea edx, [ebp-4C] 00459897 \|. 8B45 D0 mov eax, [ebp-30] 0045989A \|. E8 29C9FFFF call 004561C8 ; sha变换string1 0045989F \|. 8B45 B4 mov eax, [ebp-4C] ; 变换结果String2 004598A2 \|. 8D55 B8 lea edx, [ebp-48] 004598A5 \|. E8 0EE3FAFF call 00407BB8 ; 大写变换String2 004598AA \|. 8B55 B8 mov edx, [ebp-48] ; String2的大写字符串 004598AD \|. 8D45 D0 lea eax, [ebp-30] 004598B0 \|. E8 C7A7FAFF call 0040407C 004598B5 \|. 8B45 D0 mov eax, [ebp-30] 004598B8 \|. E8 E3EBFFFF call 004584A0 ; 目前分析到这里 004598BD \|. 8B45 F4 mov eax, [ebp-C] 004598C0 \|. 33D2 xor edx, edx 004598C2 \|. 8945 D8 mov [ebp-28], eax 004598C5 \|. 8955 DC mov [ebp-24], edx 004598C8 \|. FF75 DC push dword ptr [ebp-24] ; /Arg2 004598CB \|. FF75 D8 push dword ptr [ebp-28] ; \|Arg1 004598CE \|. E8 6DEAFFFF call 00458340 ; \dumped_1.00458340 004598D3 \|. 52 push edx ; /Arg2 004598D4 \|. 50 push eax ; \|Arg1 004598D5 \|. 8D55 CC lea edx, [ebp-34] ; \| 004598D8 \|. 33C0 xor eax, eax ; \| 004598DA \|. E8 65E7FAFF call 00408044 ; \dumped_1.00408044 004598DF \|. B8 849A4500 mov eax, 00459A84 ; ASCII "kernel32.dll" 004598E4 \|. E8 B7EBFFFF call 004584A0 004598E9 \|. 8D55 B0 lea edx, [ebp-50] 004598EC \|. 8B45 FC mov eax, [ebp-4] 004598EF \|. 8B80 04030000 mov eax, [eax+304] 004598F5 \|. E8 EEB6FDFF call 00434FE8 004598FA \|. 8B45 B0 mov eax, [ebp-50] 004598FD \|. E8 F6CFFFFF call 004568F8 00459902 \|. 8945 D8 mov [ebp-28], eax 00459905 \|. 8955 DC mov [ebp-24], edx 00459908 \|. FF75 DC push dword ptr [ebp-24] ; /Arg2 0045990B \|. FF75 D8 push dword ptr [ebp-28] ; \|Arg1 0045990E \|. E8 7DE9FFFF call 00458290 ; \dumped_1.00458290 00459913 \|. 52 push edx ; /Arg2 00459914 \|. 50 push eax ; \|Arg1 00459915 \|. 8D55 C8 lea edx, [ebp-38] ; \| 00459918 \|. 33C0 xor eax, eax ; \| 0045991A \|. E8 25E7FAFF call 00408044 ; \dumped_1.00408044 0045991F \|. 8B45 F4 mov eax, [ebp-C] 00459922 \|. 33D2 xor edx, edx 00459924 \|. 52 push edx ; /Arg2 => 00000000 00459925 \|. 50 push eax ; \|Arg1 00459926 \|. 8D55 A8 lea edx, [ebp-58] ; \| 00459929 \|. 33C0 xor eax, eax ; \| 0045992B \|. E8 14E7FAFF call 00408044 ; \dumped_1.00408044 00459930 \|. 8B45 A8 mov eax, [ebp-58] 00459933 \|. 8D55 AC lea edx, [ebp-54] 00459936 \|. E8 7DE2FAFF call 00407BB8 0045993B \|. 8B55 AC mov edx, [ebp-54] ;strimportant 0045993E \|. 8B45 C8 mov eax, [ebp-38] ;serail解密成的字符串 00459941 \|. E8 AAAAFAFF call 004043F0 ; 比较函数 00459946 0F85 C8000000 jnz 00459A14 ;关键跳 jz掉就爆破了 0045994C \|. 8D45 F0 lea eax, [ebp-10] 0045994F \|. BA 9C9A4500 mov edx, 00459A9C 00459954 \|. E8 23A7FAFF call 0040407C 00459959 \|. 8D45 EC lea eax, [ebp-14] 0045995C \|. BA B49A4500 mov edx, 00459AB4 00459961 \|. E8 16A7FAFF call 0040407C 00459966 \|. C745 E4 01000>mov dword ptr [ebp-1C], 1 0045996D \|> 8D45 F0 /lea eax, [ebp-10] 00459970 \|. E8 87ABFAFF \|call 004044FC 00459975 \|. 8B55 E4 \|mov edx, [ebp-1C] 00459978 \|. 8B4D F0 \|mov ecx, [ebp-10] 0045997B \|. 8B5D E4 \|mov ebx, [ebp-1C] 0045997E \|. 8A4C19 FF \|mov cl, [ecx+ebx-1] 00459982 \|. 8B5D EC \|mov ebx, [ebp-14] 00459985 \|. 8B75 E4 \|mov esi, [ebp-1C] 00459988 \|. 8A5C33 FF \|mov bl, [ebx+esi-1] 0045998C \|. 32CB \|xor cl, bl 0045998E \|. 884C10 FF \|mov [eax+edx-1], cl 00459992 \|. FF45 E4 \|inc dword ptr [ebp-1C] 00459995 \|. 837D E4 10 \|cmp dword ptr [ebp-1C], 10 00459999 \|.^ 75 D2 \jnz short 0045996D 0045999B \|. 8D45 E8 lea eax, [ebp-18] 0045999E \|. 8B55 F0 mov edx, [ebp-10] 004599A1 \|. E8 D6A6FAFF call 0040407C 004599A6 \|. 8B45 FC mov eax, [ebp-4] 004599A9 \|. 8B80 14030000 mov eax, [eax+314] 004599AF \|. 8B40 68 mov eax, [eax+68] 004599B2 \|. BA FF000000 mov edx, 0FF 004599B7 \|. E8 F82DFCFF call 0041C7B4 004599BC \|. 8B45 FC mov eax, [ebp-4] 004599BF \|. 8B80 14030000 mov eax, [eax+314] 004599C5 \|. 8B40 68 mov eax, [eax+68] 004599C8 \|. 8A15 C49A4500 mov dl, [459AC4] 004599CE \|. E8 AD30FCFF call 0041CA80 004599D3 \|. 8B55 E8 mov edx, [ebp-18] 004599D6 \|. 8B45 FC mov eax, [ebp-4] 004599D9 \|. 8B80 14030000 mov eax, [eax+314] 004599DF \|. E8 34B6FDFF call 00435018 004599E4 \|. 33D2 xor edx, edx 004599E6 \|. 8B45 FC mov eax, [ebp-4] 004599E9 \|. 8B80 F8020000 mov eax, [eax+2F8] 004599EF \|. 8B08 mov ecx, [eax] 004599F1 \|. FF51 64 call [ecx+64] 004599F4 \|. 33D2 xor edx, edx 004599F6 \|. 8B45 FC mov eax, [ebp-4] 004599F9 \|. 8B80 04030000 mov eax, [eax+304] 004599FF \|. 8B08 mov ecx, [eax] 00459A01 \|. FF51 64 call [ecx+64] 00459A04 \|. 33D2 xor edx, edx 00459A06 \|. 8B45 FC mov eax, [ebp-4] 00459A09 \|. 8B80 0C030000 mov eax, [eax+30C] 00459A0F \|. 8B08 mov ecx, [eax] 00459A11 \|. FF51 64 call [ecx+64] 00459A14 \|> 33C0 xor eax, eax 00459A16 \|. 5A pop edx 00459A17 \|. 59 pop ecx 00459A18 \|. 59 pop ecx 00459A19 \|. 64:8910 mov fs:[eax], edx 00459A1C \|. 68 759A4500 push 00459A75 00459A21 \|> 8D45 A8 lea eax, [ebp-58] 00459A24 \|. BA 02000000 mov edx, 2 00459A29 \|. E8 DAA5FAFF call 00404008 00459A2E \|. 8D45 B0 lea eax, [ebp-50] 00459A31 \|. E8 AEA5FAFF call 00403FE4 00459A36 \|. 8D45 B4 lea eax, [ebp-4C] 00459A39 \|. BA 03000000 mov edx, 3 00459A3E \|. E8 C5A5FAFF call 00404008 00459A43 \|. 8D45 C0 lea eax, [ebp-40] 00459A46 \|. E8 99A5FAFF call 00403FE4 00459A4B \|. 8D45 C8 lea eax, [ebp-38] 00459A4E \|. BA 04000000 mov edx, 4 00459A53 \|. E8 B0A5FAFF call 00404008 00459A58 \|. 8D45 E8 lea eax, [ebp-18] 00459A5B \|. BA 03000000 mov edx, 3 00459A60 \|. E8 A3A5FAFF call 00404008 00459A65 \|. 8D45 F8 lea eax, [ebp-8] 00459A68 \|. E8 77A5FAFF call 00403FE4 00459A6D \. C3 retn 关于serail如何解密成important变成的字符串，还没来得及分析。会尽快贴?的。
Ryosuke 雪币： 370 活跃值： (78) 能力值： ( LV9，RANK：970 ) 在线值：发帖 26 回帖 196 粉丝 2 关注私信	Ryosuke 24 2006-2-18 17:50 13 楼 0 加密name和productid的过程 004581CC /$ 55 push ebp 004581CD \|. 8BEC mov ebp, esp 004581CF \|. 83C4 E4 add esp, -1C 004581D2 \|. 8945 FC mov [ebp-4], eax 004581D5 \|. 8B45 FC mov eax, [ebp-4] 004581D8 \|. E8 B7C2FAFF call 00404494 004581DD \|. 33C0 xor eax, eax 004581DF \|. 55 push ebp 004581E0 \|. 68 82824500 push 00458282 004581E5 \|. 64:FF30 push dword ptr fs:[eax] 004581E8 \|. 64:8920 mov fs:[eax], esp 004581EB \|. E8 20FEFFFF call 00458010 ; 初始化加密SBox 004581F0 \|. 8B45 FC mov eax, [ebp-4] 004581F3 \|. E8 ACC0FAFF call 004042A4 ; 获得String的长度 004581F8 \|. 8945 E8 mov [ebp-18], eax ; string len 004581FB \|. C705 2CBE4500>mov dword ptr [45BE2C], -1 ; 加密结果初始位0xffffffff 00458205 \|. 837D E8 00 cmp dword ptr [ebp-18], 0 00458209 \|. 76 61 jbe short 0045826C 0045820B \|. 8B45 E8 mov eax, [ebp-18] 0045820E \|. 85C0 test eax, eax 00458210 \|. 76 4C jbe short 0045825E 00458212 \|. 8945 E4 mov [ebp-1C], eax 00458215 \|. C745 F0 01000>mov dword ptr [ebp-10], 1 0045821C \|> 8B45 FC /mov eax, [ebp-4] 0045821F \|. 8B55 F0 \|mov edx, [ebp-10] 00458222 \|. 0FB64410 FF \|movzx eax, byte ptr [eax+edx-1] ; 对于每个字符 00458227 \|. 8945 EC \|mov [ebp-14], eax 0045822A \|. A1 2CBE4500 \|mov eax, [45BE2C] 0045822F \|. 3345 EC \|xor eax, [ebp-14] ; xor每个字符 00458232 \|. 25 FF000000 \|and eax, 0FF 00458237 \|. 8945 F4 \|mov [ebp-C], eax ; 保存到[ebp-c]中 0045823A \|. A1 2CBE4500 \|mov eax, [45BE2C] 0045823F \|. C1E8 08 \|shr eax, 8 ; 右移8bits 00458242 \|. 25 FFFFFF00 \|and eax, 0FFFFFF 00458247 \|. 8B55 F4 \|mov edx, [ebp-C] 0045824A \|. 330495 E0DB45>\|xor eax, [edx*4+45DBE0] ; 和SBox进行xor,SBox是不变的 00458251 \|. A3 2CBE4500 \|mov [45BE2C], eax ; 保存加密结果 00458256 \|. FF45 F0 \|inc dword ptr [ebp-10] 00458259 \|. FF4D E4 \|dec dword ptr [ebp-1C] 0045825C \|.^ 75 BE \jnz short 0045821C 0045825E \|> F715 2CBE4500 not dword ptr [45BE2C] ; 取反 00458264 \|. A1 2CBE4500 mov eax, [45BE2C] 00458269 \|. 8945 F8 mov [ebp-8], eax 0045826C \|> 33C0 xor eax, eax 0045826E \|. 5A pop edx 0045826F \|. 59 pop ecx 00458270 \|. 59 pop ecx 00458271 \|. 64:8910 mov fs:[eax], edx 00458274 \|. 68 89824500 push 00458289 00458279 \|> 8D45 FC lea eax, [ebp-4] 0045827C \|. E8 63BDFAFF call 00403FE4 00458281 \. C3 retn 由于SBox具有不变性，这里就写具体算法，写注册机时直接用就可以了。
Ryosuke 雪币： 370 活跃值： (78) 能力值： ( LV9，RANK：970 ) 在线值：发帖 26 回帖 196 粉丝 2 关注私信	Ryosuke 24 2006-2-18 18:11 14 楼 0 md5和sha的变换过程，楼主怕可以通过sha和md5的标志数据，分析?采用什么算法，故进行了异或和函数处理。 md5变换过程 004571B4 /$ 55 push ebp 004571B5 \|. 8BEC mov ebp, esp 004571B7 \|. 83C4 A0 add esp, -60 004571BA \|. 8955 F8 mov [ebp-8], edx 004571BD \|. 8945 FC mov [ebp-4], eax 004571C0 \|. 8D55 A0 lea edx, [ebp-60] 004571C3 \|. B9 40000000 mov ecx, 40 004571C8 \|. 8B45 FC mov eax, [ebp-4] 004571CB \|. E8 E0FEFFFF call 004570B0 ; 初始化数据 004571D0 \|. 8B45 F8 mov eax, [ebp-8] 004571D3 \|. 8B00 mov eax, [eax] 004571D5 \|. 8945 F4 mov [ebp-C], eax 004571D8 \|. 8B45 F8 mov eax, [ebp-8] 004571DB \|. 8B40 04 mov eax, [eax+4] 004571DE \|. 8945 F0 mov [ebp-10], eax 004571E1 \|. 8B45 F8 mov eax, [ebp-8] 004571E4 \|. 8B40 08 mov eax, [eax+8] 004571E7 \|. 8945 EC mov [ebp-14], eax 004571EA \|. 8B45 F8 mov eax, [ebp-8] 004571ED \|. 8B40 0C mov eax, [eax+C] 004571F0 \|. 8945 E8 mov [ebp-18], eax 004571F3 \|. C745 E4 01000>mov dword ptr [ebp-1C], 1 004571FA \|. 8B45 E4 mov eax, [ebp-1C] 004571FD \|. E8 BAFCFFFF call 00456EBC ;通过正弦函数构造T表 //下面是md5的4轮循环，每轮16步 00457202 \|. 8945 E0 mov [ebp-20], eax 00457205 \|. 8B45 E8 mov eax, [ebp-18] 00457208 \|. 50 push eax ; /Arg4 00457209 \|. 8B45 A0 mov eax, [ebp-60] ; \| 0045720C \|. 50 push eax ; \|Arg3 0045720D \|. 6A 07 push 7 ; \|Arg2 = 00000007 0045720F \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457212 \|. 50 push eax ; \|Arg1 00457213 \|. 8D45 F4 lea eax, [ebp-C] ; \| 00457216 \|. 8B4D EC mov ecx, [ebp-14] ; \| 00457219 \|. 8B55 F0 mov edx, [ebp-10] ; \| 0045721C \|. E8 7FFDFFFF call 00456FA0 ; \dumped_1.00456FA0 00457221 \|. FF45 E4 inc dword ptr [ebp-1C] 00457224 \|. 8B45 E4 mov eax, [ebp-1C] 00457227 \|. E8 90FCFFFF call 00456EBC 0045722C \|. 8945 E0 mov [ebp-20], eax 0045722F \|. 8B45 EC mov eax, [ebp-14] 00457232 \|. 50 push eax ; /Arg4 00457233 \|. 8B45 A4 mov eax, [ebp-5C] ; \| 00457236 \|. 50 push eax ; \|Arg3 00457237 \|. 6A 0C push 0C ; \|Arg2 = 0000000C 00457239 \|. 8B45 E0 mov eax, [ebp-20] ; \| 0045723C \|. 50 push eax ; \|Arg1 0045723D \|. 8D45 E8 lea eax, [ebp-18] ; \| 00457240 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 00457243 \|. 8B55 F4 mov edx, [ebp-C] ; \| 00457246 \|. E8 55FDFFFF call 00456FA0 ; \dumped_1.00456FA0 0045724B \|. FF45 E4 inc dword ptr [ebp-1C] 0045724E \|. 8B45 E4 mov eax, [ebp-1C] 00457251 \|. E8 66FCFFFF call 00456EBC 00457256 \|. 8945 E0 mov [ebp-20], eax 00457259 \|. 8B45 F0 mov eax, [ebp-10] 0045725C \|. 50 push eax ; /Arg4 0045725D \|. 8B45 A8 mov eax, [ebp-58] ; \| 00457260 \|. 50 push eax ; \|Arg3 00457261 \|. 6A 11 push 11 ; \|Arg2 = 00000011 00457263 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457266 \|. 50 push eax ; \|Arg1 00457267 \|. 8D45 EC lea eax, [ebp-14] ; \| 0045726A \|. 8B4D F4 mov ecx, [ebp-C] ; \| 0045726D \|. 8B55 E8 mov edx, [ebp-18] ; \| 00457270 \|. E8 2BFDFFFF call 00456FA0 ; \dumped_1.00456FA0 00457275 \|. FF45 E4 inc dword ptr [ebp-1C] 00457278 \|. 8B45 E4 mov eax, [ebp-1C] 0045727B \|. E8 3CFCFFFF call 00456EBC 00457280 \|. 8945 E0 mov [ebp-20], eax 00457283 \|. 8B45 F4 mov eax, [ebp-C] 00457286 \|. 50 push eax ; /Arg4 00457287 \|. 8B45 AC mov eax, [ebp-54] ; \| 0045728A \|. 50 push eax ; \|Arg3 0045728B \|. 6A 16 push 16 ; \|Arg2 = 00000016 0045728D \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457290 \|. 50 push eax ; \|Arg1 00457291 \|. 8D45 F0 lea eax, [ebp-10] ; \| 00457294 \|. 8B4D E8 mov ecx, [ebp-18] ; \| 00457297 \|. 8B55 EC mov edx, [ebp-14] ; \| 0045729A \|. E8 01FDFFFF call 00456FA0 ; \dumped_1.00456FA0 0045729F \|. FF45 E4 inc dword ptr [ebp-1C] 004572A2 \|. 8B45 E4 mov eax, [ebp-1C] 004572A5 \|. E8 12FCFFFF call 00456EBC 004572AA \|. 8945 E0 mov [ebp-20], eax 004572AD \|. 8B45 E8 mov eax, [ebp-18] 004572B0 \|. 50 push eax ; /Arg4 004572B1 \|. 8B45 B0 mov eax, [ebp-50] ; \| 004572B4 \|. 50 push eax ; \|Arg3 004572B5 \|. 6A 07 push 7 ; \|Arg2 = 00000007 004572B7 \|. 8B45 E0 mov eax, [ebp-20] ; \| 004572BA \|. 50 push eax ; \|Arg1 004572BB \|. 8D45 F4 lea eax, [ebp-C] ; \| 004572BE \|. 8B4D EC mov ecx, [ebp-14] ; \| 004572C1 \|. 8B55 F0 mov edx, [ebp-10] ; \| 004572C4 \|. E8 D7FCFFFF call 00456FA0 ; \dumped_1.00456FA0 004572C9 \|. FF45 E4 inc dword ptr [ebp-1C] 004572CC \|. 8B45 E4 mov eax, [ebp-1C] 004572CF \|. E8 E8FBFFFF call 00456EBC 004572D4 \|. 8945 E0 mov [ebp-20], eax 004572D7 \|. 8B45 EC mov eax, [ebp-14] 004572DA \|. 50 push eax ; /Arg4 004572DB \|. 8B45 B4 mov eax, [ebp-4C] ; \| 004572DE \|. 50 push eax ; \|Arg3 004572DF \|. 6A 0C push 0C ; \|Arg2 = 0000000C 004572E1 \|. 8B45 E0 mov eax, [ebp-20] ; \| 004572E4 \|. 50 push eax ; \|Arg1 004572E5 \|. 8D45 E8 lea eax, [ebp-18] ; \| 004572E8 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 004572EB \|. 8B55 F4 mov edx, [ebp-C] ; \| 004572EE \|. E8 ADFCFFFF call 00456FA0 ; \dumped_1.00456FA0 004572F3 \|. FF45 E4 inc dword ptr [ebp-1C] 004572F6 \|. 8B45 E4 mov eax, [ebp-1C] 004572F9 \|. E8 BEFBFFFF call 00456EBC 004572FE \|. 8945 E0 mov [ebp-20], eax 00457301 \|. 8B45 F0 mov eax, [ebp-10] 00457304 \|. 50 push eax ; /Arg4 00457305 \|. 8B45 B8 mov eax, [ebp-48] ; \| 00457308 \|. 50 push eax ; \|Arg3 00457309 \|. 6A 11 push 11 ; \|Arg2 = 00000011 0045730B \|. 8B45 E0 mov eax, [ebp-20] ; \| 0045730E \|. 50 push eax ; \|Arg1 0045730F \|. 8D45 EC lea eax, [ebp-14] ; \| 00457312 \|. 8B4D F4 mov ecx, [ebp-C] ; \| 00457315 \|. 8B55 E8 mov edx, [ebp-18] ; \| 00457318 \|. E8 83FCFFFF call 00456FA0 ; \dumped_1.00456FA0 0045731D \|. FF45 E4 inc dword ptr [ebp-1C] 00457320 \|. 8B45 E4 mov eax, [ebp-1C] 00457323 \|. E8 94FBFFFF call 00456EBC 00457328 \|. 8945 E0 mov [ebp-20], eax 0045732B \|. 8B45 F4 mov eax, [ebp-C] 0045732E \|. 50 push eax ; /Arg4 0045732F \|. 8B45 BC mov eax, [ebp-44] ; \| 00457332 \|. 50 push eax ; \|Arg3 00457333 \|. 6A 16 push 16 ; \|Arg2 = 00000016 00457335 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457338 \|. 50 push eax ; \|Arg1 00457339 \|. 8D45 F0 lea eax, [ebp-10] ; \| 0045733C \|. 8B4D E8 mov ecx, [ebp-18] ; \| 0045733F \|. 8B55 EC mov edx, [ebp-14] ; \| 00457342 \|. E8 59FCFFFF call 00456FA0 ; \dumped_1.00456FA0 00457347 \|. FF45 E4 inc dword ptr [ebp-1C] 0045734A \|. 8B45 E4 mov eax, [ebp-1C] 0045734D \|. E8 6AFBFFFF call 00456EBC 00457352 \|. 8945 E0 mov [ebp-20], eax 00457355 \|. 8B45 E8 mov eax, [ebp-18] 00457358 \|. 50 push eax ; /Arg4 00457359 \|. 8B45 C0 mov eax, [ebp-40] ; \| 0045735C \|. 50 push eax ; \|Arg3 0045735D \|. 6A 07 push 7 ; \|Arg2 = 00000007 0045735F \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457362 \|. 50 push eax ; \|Arg1 00457363 \|. 8D45 F4 lea eax, [ebp-C] ; \| 00457366 \|. 8B4D EC mov ecx, [ebp-14] ; \| 00457369 \|. 8B55 F0 mov edx, [ebp-10] ; \| 0045736C \|. E8 2FFCFFFF call 00456FA0 ; \dumped_1.00456FA0 00457371 \|. FF45 E4 inc dword ptr [ebp-1C] 00457374 \|. 8B45 E4 mov eax, [ebp-1C] 00457377 \|. E8 40FBFFFF call 00456EBC 0045737C \|. 8945 E0 mov [ebp-20], eax 0045737F \|. 8B45 EC mov eax, [ebp-14] 00457382 \|. 50 push eax ; /Arg4 00457383 \|. 8B45 C4 mov eax, [ebp-3C] ; \| 00457386 \|. 50 push eax ; \|Arg3 00457387 \|. 6A 0C push 0C ; \|Arg2 = 0000000C 00457389 \|. 8B45 E0 mov eax, [ebp-20] ; \| 0045738C \|. 50 push eax ; \|Arg1 0045738D \|. 8D45 E8 lea eax, [ebp-18] ; \| 00457390 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 00457393 \|. 8B55 F4 mov edx, [ebp-C] ; \| 00457396 \|. E8 05FCFFFF call 00456FA0 ; \dumped_1.00456FA0 0045739B \|. FF45 E4 inc dword ptr [ebp-1C] 0045739E \|. 8B45 E4 mov eax, [ebp-1C] 004573A1 \|. E8 16FBFFFF call 00456EBC 004573A6 \|. 8945 E0 mov [ebp-20], eax 004573A9 \|. 8B45 F0 mov eax, [ebp-10] 004573AC \|. 50 push eax ; /Arg4 004573AD \|. 8B45 C8 mov eax, [ebp-38] ; \| 004573B0 \|. 50 push eax ; \|Arg3 004573B1 \|. 6A 11 push 11 ; \|Arg2 = 00000011 004573B3 \|. 8B45 E0 mov eax, [ebp-20] ; \| 004573B6 \|. 50 push eax ; \|Arg1 004573B7 \|. 8D45 EC lea eax, [ebp-14] ; \| 004573BA \|. 8B4D F4 mov ecx, [ebp-C] ; \| 004573BD \|. 8B55 E8 mov edx, [ebp-18] ; \| 004573C0 \|. E8 DBFBFFFF call 00456FA0 ; \dumped_1.00456FA0 004573C5 \|. FF45 E4 inc dword ptr [ebp-1C] 004573C8 \|. 8B45 E4 mov eax, [ebp-1C] 004573CB \|. E8 ECFAFFFF call 00456EBC 004573D0 \|. 8945 E0 mov [ebp-20], eax 004573D3 \|. 8B45 F4 mov eax, [ebp-C] 004573D6 \|. 50 push eax ; /Arg4 004573D7 \|. 8B45 CC mov eax, [ebp-34] ; \| 004573DA \|. 50 push eax ; \|Arg3 004573DB \|. 6A 16 push 16 ; \|Arg2 = 00000016 004573DD \|. 8B45 E0 mov eax, [ebp-20] ; \| 004573E0 \|. 50 push eax ; \|Arg1 004573E1 \|. 8D45 F0 lea eax, [ebp-10] ; \| 004573E4 \|. 8B4D E8 mov ecx, [ebp-18] ; \| 004573E7 \|. 8B55 EC mov edx, [ebp-14] ; \| 004573EA \|. E8 B1FBFFFF call 00456FA0 ; \dumped_1.00456FA0 004573EF \|. FF45 E4 inc dword ptr [ebp-1C] 004573F2 \|. 8B45 E4 mov eax, [ebp-1C] 004573F5 \|. E8 C2FAFFFF call 00456EBC 004573FA \|. 8945 E0 mov [ebp-20], eax 004573FD \|. 8B45 E8 mov eax, [ebp-18] 00457400 \|. 50 push eax ; /Arg4 00457401 \|. 8B45 D0 mov eax, [ebp-30] ; \| 00457404 \|. 50 push eax ; \|Arg3 00457405 \|. 6A 07 push 7 ; \|Arg2 = 00000007 00457407 \|. 8B45 E0 mov eax, [ebp-20] ; \| 0045740A \|. 50 push eax ; \|Arg1 0045740B \|. 8D45 F4 lea eax, [ebp-C] ; \| 0045740E \|. 8B4D EC mov ecx, [ebp-14] ; \| 00457411 \|. 8B55 F0 mov edx, [ebp-10] ; \| 00457414 \|. E8 87FBFFFF call 00456FA0 ; \dumped_1.00456FA0 00457419 \|. FF45 E4 inc dword ptr [ebp-1C] 0045741C \|. 8B45 E4 mov eax, [ebp-1C] 0045741F \|. E8 98FAFFFF call 00456EBC 00457424 \|. 8945 E0 mov [ebp-20], eax 00457427 \|. 8B45 EC mov eax, [ebp-14] 0045742A \|. 50 push eax ; /Arg4 0045742B \|. 8B45 D4 mov eax, [ebp-2C] ; \| 0045742E \|. 50 push eax ; \|Arg3 0045742F \|. 6A 0C push 0C ; \|Arg2 = 0000000C 00457431 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457434 \|. 50 push eax ; \|Arg1 00457435 \|. 8D45 E8 lea eax, [ebp-18] ; \| 00457438 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 0045743B \|. 8B55 F4 mov edx, [ebp-C] ; \| 0045743E \|. E8 5DFBFFFF call 00456FA0 ; \dumped_1.00456FA0 00457443 \|. FF45 E4 inc dword ptr [ebp-1C] 00457446 \|. 8B45 E4 mov eax, [ebp-1C] 00457449 \|. E8 6EFAFFFF call 00456EBC 0045744E \|. 8945 E0 mov [ebp-20], eax 00457451 \|. 8B45 F0 mov eax, [ebp-10] 00457454 \|. 50 push eax ; /Arg4 00457455 \|. 8B45 D8 mov eax, [ebp-28] ; \| 00457458 \|. 50 push eax ; \|Arg3 00457459 \|. 6A 11 push 11 ; \|Arg2 = 00000011 0045745B \|. 8B45 E0 mov eax, [ebp-20] ; \| 0045745E \|. 50 push eax ; \|Arg1 0045745F \|. 8D45 EC lea eax, [ebp-14] ; \| 00457462 \|. 8B4D F4 mov ecx, [ebp-C] ; \| 00457465 \|. 8B55 E8 mov edx, [ebp-18] ; \| 00457468 \|. E8 33FBFFFF call 00456FA0 ; \dumped_1.00456FA0 0045746D \|. FF45 E4 inc dword ptr [ebp-1C] 00457470 \|. 8B45 E4 mov eax, [ebp-1C] 00457473 \|. E8 44FAFFFF call 00456EBC 00457478 \|. 8945 E0 mov [ebp-20], eax 0045747B \|. 8B45 F4 mov eax, [ebp-C] 0045747E \|. 50 push eax ; /Arg4 0045747F \|. 8B45 DC mov eax, [ebp-24] ; \| 00457482 \|. 50 push eax ; \|Arg3 00457483 \|. 6A 16 push 16 ; \|Arg2 = 00000016 00457485 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457488 \|. 50 push eax ; \|Arg1 00457489 \|. 8D45 F0 lea eax, [ebp-10] ; \| 0045748C \|. 8B4D E8 mov ecx, [ebp-18] ; \| 0045748F \|. 8B55 EC mov edx, [ebp-14] ; \| 00457492 \|. E8 09FBFFFF call 00456FA0 ; \dumped_1.00456FA0 00457497 \|. FF45 E4 inc dword ptr [ebp-1C] 0045749A \|. 8B45 E4 mov eax, [ebp-1C] 0045749D \|. E8 1AFAFFFF call 00456EBC 004574A2 \|. 8945 E0 mov [ebp-20], eax 004574A5 \|. 8B45 E8 mov eax, [ebp-18] 004574A8 \|. 50 push eax ; /Arg4 004574A9 \|. 8B45 A4 mov eax, [ebp-5C] ; \| 004574AC \|. 50 push eax ; \|Arg3 004574AD \|. 6A 05 push 5 ; \|Arg2 = 00000005 004574AF \|. 8B45 E0 mov eax, [ebp-20] ; \| 004574B2 \|. 50 push eax ; \|Arg1 004574B3 \|. 8D45 F4 lea eax, [ebp-C] ; \| 004574B6 \|. 8B4D EC mov ecx, [ebp-14] ; \| 004574B9 \|. 8B55 F0 mov edx, [ebp-10] ; \| 004574BC \|. E8 23FBFFFF call 00456FE4 ; \dumped_1.00456FE4 004574C1 \|. FF45 E4 inc dword ptr [ebp-1C] 004574C4 \|. 8B45 E4 mov eax, [ebp-1C] 004574C7 \|. E8 F0F9FFFF call 00456EBC 004574CC \|. 8945 E0 mov [ebp-20], eax 004574CF \|. 8B45 EC mov eax, [ebp-14] 004574D2 \|. 50 push eax ; /Arg4 004574D3 \|. 8B45 B8 mov eax, [ebp-48] ; \| 004574D6 \|. 50 push eax ; \|Arg3 004574D7 \|. 6A 09 push 9 ; \|Arg2 = 00000009 004574D9 \|. 8B45 E0 mov eax, [ebp-20] ; \| 004574DC \|. 50 push eax ; \|Arg1 004574DD \|. 8D45 E8 lea eax, [ebp-18] ; \| 004574E0 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 004574E3 \|. 8B55 F4 mov edx, [ebp-C] ; \| 004574E6 \|. E8 F9FAFFFF call 00456FE4 ; \dumped_1.00456FE4 004574EB \|. FF45 E4 inc dword ptr [ebp-1C] 004574EE \|. 8B45 E4 mov eax, [ebp-1C] 004574F1 \|. E8 C6F9FFFF call 00456EBC 004574F6 \|. 8945 E0 mov [ebp-20], eax 004574F9 \|. 8B45 F0 mov eax, [ebp-10] 004574FC \|. 50 push eax ; /Arg4 004574FD \|. 8B45 CC mov eax, [ebp-34] ; \| 00457500 \|. 50 push eax ; \|Arg3 00457501 \|. 6A 0E push 0E ; \|Arg2 = 0000000E 00457503 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457506 \|. 50 push eax ; \|Arg1 00457507 \|. 8D45 EC lea eax, [ebp-14] ; \| 0045750A \|. 8B4D F4 mov ecx, [ebp-C] ; \| 0045750D \|. 8B55 E8 mov edx, [ebp-18] ; \| 00457510 \|. E8 CFFAFFFF call 00456FE4 ; \dumped_1.00456FE4 00457515 \|. FF45 E4 inc dword ptr [ebp-1C] 00457518 \|. 8B45 E4 mov eax, [ebp-1C] 0045751B \|. E8 9CF9FFFF call 00456EBC 00457520 \|. 8945 E0 mov [ebp-20], eax 00457523 \|. 8B45 F4 mov eax, [ebp-C] 00457526 \|. 50 push eax ; /Arg4 00457527 \|. 8B45 A0 mov eax, [ebp-60] ; \| 0045752A \|. 50 push eax ; \|Arg3 0045752B \|. 6A 14 push 14 ; \|Arg2 = 00000014 0045752D \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457530 \|. 50 push eax ; \|Arg1 00457531 \|. 8D45 F0 lea eax, [ebp-10] ; \| 00457534 \|. 8B4D E8 mov ecx, [ebp-18] ; \| 00457537 \|. 8B55 EC mov edx, [ebp-14] ; \| 0045753A \|. E8 A5FAFFFF call 00456FE4 ; \dumped_1.00456FE4 0045753F \|. FF45 E4 inc dword ptr [ebp-1C] 00457542 \|. 8B45 E4 mov eax, [ebp-1C] 00457545 \|. E8 72F9FFFF call 00456EBC 0045754A \|. 8945 E0 mov [ebp-20], eax 0045754D \|. 8B45 E8 mov eax, [ebp-18] 00457550 \|. 50 push eax ; /Arg4 00457551 \|. 8B45 B4 mov eax, [ebp-4C] ; \| 00457554 \|. 50 push eax ; \|Arg3 00457555 \|. 6A 05 push 5 ; \|Arg2 = 00000005 00457557 \|. 8B45 E0 mov eax, [ebp-20] ; \| 0045755A \|. 50 push eax ; \|Arg1 0045755B \|. 8D45 F4 lea eax, [ebp-C] ; \| 0045755E \|. 8B4D EC mov ecx, [ebp-14] ; \| 00457561 \|. 8B55 F0 mov edx, [ebp-10] ; \| 00457564 \|. E8 7BFAFFFF call 00456FE4 ; \dumped_1.00456FE4 00457569 \|. FF45 E4 inc dword ptr [ebp-1C] 0045756C \|. 8B45 E4 mov eax, [ebp-1C] 0045756F \|. E8 48F9FFFF call 00456EBC 00457574 \|. 8945 E0 mov [ebp-20], eax 00457577 \|. 8B45 EC mov eax, [ebp-14] 0045757A \|. 50 push eax ; /Arg4 0045757B \|. 8B45 C8 mov eax, [ebp-38] ; \| 0045757E \|. 50 push eax ; \|Arg3 0045757F \|. 6A 09 push 9 ; \|Arg2 = 00000009 00457581 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457584 \|. 50 push eax ; \|Arg1 00457585 \|. 8D45 E8 lea eax, [ebp-18] ; \| 00457588 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 0045758B \|. 8B55 F4 mov edx, [ebp-C] ; \| 0045758E \|. E8 51FAFFFF call 00456FE4 ; \dumped_1.00456FE4 00457593 \|. FF45 E4 inc dword ptr [ebp-1C] 00457596 \|. 8B45 E4 mov eax, [ebp-1C] 00457599 \|. E8 1EF9FFFF call 00456EBC 0045759E \|. 8945 E0 mov [ebp-20], eax 004575A1 \|. 8B45 F0 mov eax, [ebp-10] 004575A4 \|. 50 push eax ; /Arg4 004575A5 \|. 8B45 DC mov eax, [ebp-24] ; \| 004575A8 \|. 50 push eax ; \|Arg3 004575A9 \|. 6A 0E push 0E ; \|Arg2 = 0000000E 004575AB \|. 8B45 E0 mov eax, [ebp-20] ; \| 004575AE \|. 50 push eax ; \|Arg1 004575AF \|. 8D45 EC lea eax, [ebp-14] ; \| 004575B2 \|. 8B4D F4 mov ecx, [ebp-C] ; \| 004575B5 \|. 8B55 E8 mov edx, [ebp-18] ; \| 004575B8 \|. E8 27FAFFFF call 00456FE4 ; \dumped_1.00456FE4 004575BD \|. FF45 E4 inc dword ptr [ebp-1C] 004575C0 \|. 8B45 E4 mov eax, [ebp-1C] 004575C3 \|. E8 F4F8FFFF call 00456EBC 004575C8 \|. 8945 E0 mov [ebp-20], eax 004575CB \|. 8B45 F4 mov eax, [ebp-C] 004575CE \|. 50 push eax ; /Arg4 004575CF \|. 8B45 B0 mov eax, [ebp-50] ; \| 004575D2 \|. 50 push eax ; \|Arg3 004575D3 \|. 6A 14 push 14 ; \|Arg2 = 00000014 004575D5 \|. 8B45 E0 mov eax, [ebp-20] ; \| 004575D8 \|. 50 push eax ; \|Arg1 004575D9 \|. 8D45 F0 lea eax, [ebp-10] ; \| 004575DC \|. 8B4D E8 mov ecx, [ebp-18] ; \| 004575DF \|. 8B55 EC mov edx, [ebp-14] ; \| 004575E2 \|. E8 FDF9FFFF call 00456FE4 ; \dumped_1.00456FE4 004575E7 \|. FF45 E4 inc dword ptr [ebp-1C] 004575EA \|. 8B45 E4 mov eax, [ebp-1C] 004575ED \|. E8 CAF8FFFF call 00456EBC 004575F2 \|. 8945 E0 mov [ebp-20], eax 004575F5 \|. 8B45 E8 mov eax, [ebp-18] 004575F8 \|. 50 push eax ; /Arg4 004575F9 \|. 8B45 C4 mov eax, [ebp-3C] ; \| 004575FC \|. 50 push eax ; \|Arg3 004575FD \|. 6A 05 push 5 ; \|Arg2 = 00000005 004575FF \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457602 \|. 50 push eax ; \|Arg1 00457603 \|. 8D45 F4 lea eax, [ebp-C] ; \| 00457606 \|. 8B4D EC mov ecx, [ebp-14] ; \| 00457609 \|. 8B55 F0 mov edx, [ebp-10] ; \| 0045760C \|. E8 D3F9FFFF call 00456FE4 ; \dumped_1.00456FE4 00457611 \|. FF45 E4 inc dword ptr [ebp-1C] 00457614 \|. 8B45 E4 mov eax, [ebp-1C] 00457617 \|. E8 A0F8FFFF call 00456EBC 0045761C \|. 8945 E0 mov [ebp-20], eax 0045761F \|. 8B45 EC mov eax, [ebp-14] 00457622 \|. 50 push eax ; /Arg4 00457623 \|. 8B45 D8 mov eax, [ebp-28] ; \| 00457626 \|. 50 push eax ; \|Arg3 00457627 \|. 6A 09 push 9 ; \|Arg2 = 00000009 00457629 \|. 8B45 E0 mov eax, [ebp-20] ; \| 0045762C \|. 50 push eax ; \|Arg1 0045762D \|. 8D45 E8 lea eax, [ebp-18] ; \| 00457630 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 00457633 \|. 8B55 F4 mov edx, [ebp-C] ; \| 00457636 \|. E8 A9F9FFFF call 00456FE4 ; \dumped_1.00456FE4 0045763B \|. FF45 E4 inc dword ptr [ebp-1C] 0045763E \|. 8B45 E4 mov eax, [ebp-1C] 00457641 \|. E8 76F8FFFF call 00456EBC 00457646 \|. 8945 E0 mov [ebp-20], eax 00457649 \|. 8B45 F0 mov eax, [ebp-10] 0045764C \|. 50 push eax ; /Arg4 0045764D \|. 8B45 AC mov eax, [ebp-54] ; \| 00457650 \|. 50 push eax ; \|Arg3 00457651 \|. 6A 0E push 0E ; \|Arg2 = 0000000E 00457653 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457656 \|. 50 push eax ; \|Arg1 00457657 \|. 8D45 EC lea eax, [ebp-14] ; \| 0045765A \|. 8B4D F4 mov ecx, [ebp-C] ; \| 0045765D \|. 8B55 E8 mov edx, [ebp-18] ; \| 00457660 \|. E8 7FF9FFFF call 00456FE4 ; \dumped_1.00456FE4 00457665 \|. FF45 E4 inc dword ptr [ebp-1C] 00457668 \|. 8B45 E4 mov eax, [ebp-1C] 0045766B \|. E8 4CF8FFFF call 00456EBC 00457670 \|. 8945 E0 mov [ebp-20], eax 00457673 \|. 8B45 F4 mov eax, [ebp-C] 00457676 \|. 50 push eax ; /Arg4 00457677 \|. 8B45 C0 mov eax, [ebp-40] ; \| 0045767A \|. 50 push eax ; \|Arg3 0045767B \|. 6A 14 push 14 ; \|Arg2 = 00000014 0045767D \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457680 \|. 50 push eax ; \|Arg1 00457681 \|. 8D45 F0 lea eax, [ebp-10] ; \| 00457684 \|. 8B4D E8 mov ecx, [ebp-18] ; \| 00457687 \|. 8B55 EC mov edx, [ebp-14] ; \| 0045768A \|. E8 55F9FFFF call 00456FE4 ; \dumped_1.00456FE4 0045768F \|. FF45 E4 inc dword ptr [ebp-1C] 00457692 \|. 8B45 E4 mov eax, [ebp-1C] 00457695 \|. E8 22F8FFFF call 00456EBC 0045769A \|. 8945 E0 mov [ebp-20], eax 0045769D \|. 8B45 E8 mov eax, [ebp-18] 004576A0 \|. 50 push eax ; /Arg4 004576A1 \|. 8B45 D4 mov eax, [ebp-2C] ; \| 004576A4 \|. 50 push eax ; \|Arg3 004576A5 \|. 6A 05 push 5 ; \|Arg2 = 00000005 004576A7 \|. 8B45 E0 mov eax, [ebp-20] ; \| 004576AA \|. 50 push eax ; \|Arg1 004576AB \|. 8D45 F4 lea eax, [ebp-C] ; \| 004576AE \|. 8B4D EC mov ecx, [ebp-14] ; \| 004576B1 \|. 8B55 F0 mov edx, [ebp-10] ; \| 004576B4 \|. E8 2BF9FFFF call 00456FE4 ; \dumped_1.00456FE4 004576B9 \|. FF45 E4 inc dword ptr [ebp-1C] 004576BC \|. 8B45 E4 mov eax, [ebp-1C] 004576BF \|. E8 F8F7FFFF call 00456EBC 004576C4 \|. 8945 E0 mov [ebp-20], eax 004576C7 \|. 8B45 EC mov eax, [ebp-14] 004576CA \|. 50 push eax ; /Arg4 004576CB \|. 8B45 A8 mov eax, [ebp-58] ; \| 004576CE \|. 50 push eax ; \|Arg3 004576CF \|. 6A 09 push 9 ; \|Arg2 = 00000009 004576D1 \|. 8B45 E0 mov eax, [ebp-20] ; \| 004576D4 \|. 50 push eax ; \|Arg1 004576D5 \|. 8D45 E8 lea eax, [ebp-18] ; \| 004576D8 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 004576DB \|. 8B55 F4 mov edx, [ebp-C] ; \| 004576DE \|. E8 01F9FFFF call 00456FE4 ; \dumped_1.00456FE4 004576E3 \|. FF45 E4 inc dword ptr [ebp-1C] 004576E6 \|. 8B45 E4 mov eax, [ebp-1C] 004576E9 \|. E8 CEF7FFFF call 00456EBC 004576EE \|. 8945 E0 mov [ebp-20], eax 004576F1 \|. 8B45 F0 mov eax, [ebp-10] 004576F4 \|. 50 push eax ; /Arg4 004576F5 \|. 8B45 BC mov eax, [ebp-44] ; \| 004576F8 \|. 50 push eax ; \|Arg3 004576F9 \|. 6A 0E push 0E ; \|Arg2 = 0000000E 004576FB \|. 8B45 E0 mov eax, [ebp-20] ; \| 004576FE \|. 50 push eax ; \|Arg1 004576FF \|. 8D45 EC lea eax, [ebp-14] ; \| 00457702 \|. 8B4D F4 mov ecx, [ebp-C] ; \| 00457705 \|. 8B55 E8 mov edx, [ebp-18] ; \| 00457708 \|. E8 D7F8FFFF call 00456FE4 ; \dumped_1.00456FE4 0045770D \|. FF45 E4 inc dword ptr [ebp-1C] 00457710 \|. 8B45 E4 mov eax, [ebp-1C] 00457713 \|. E8 A4F7FFFF call 00456EBC 00457718 \|. 8945 E0 mov [ebp-20], eax 0045771B \|. 8B45 F4 mov eax, [ebp-C] 0045771E \|. 50 push eax ; /Arg4 0045771F \|. 8B45 D0 mov eax, [ebp-30] ; \| 00457722 \|. 50 push eax ; \|Arg3 00457723 \|. 6A 14 push 14 ; \|Arg2 = 00000014 00457725 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457728 \|. 50 push eax ; \|Arg1 00457729 \|. 8D45 F0 lea eax, [ebp-10] ; \| 0045772C \|. 8B4D E8 mov ecx, [ebp-18] ; \| 0045772F \|. 8B55 EC mov edx, [ebp-14] ; \| 00457732 \|. E8 ADF8FFFF call 00456FE4 ; \dumped_1.00456FE4 00457737 \|. FF45 E4 inc dword ptr [ebp-1C] 0045773A \|. 8B45 E4 mov eax, [ebp-1C] 0045773D \|. E8 7AF7FFFF call 00456EBC 00457742 \|. 8945 E0 mov [ebp-20], eax 00457745 \|. 8B45 E8 mov eax, [ebp-18] 00457748 \|. 50 push eax ; /Arg4 00457749 \|. 8B45 B4 mov eax, [ebp-4C] ; \| 0045774C \|. 50 push eax ; \|Arg3 0045774D \|. 6A 04 push 4 ; \|Arg2 = 00000004 0045774F \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457752 \|. 50 push eax ; \|Arg1 00457753 \|. 8D45 F4 lea eax, [ebp-C] ; \| 00457756 \|. 8B4D EC mov ecx, [ebp-14] ; \| 00457759 \|. 8B55 F0 mov edx, [ebp-10] ; \| 0045775C \|. E8 C7F8FFFF call 00457028 ; \dumped_1.00457028 00457761 \|. FF45 E4 inc dword ptr [ebp-1C] 00457764 \|. 8B45 E4 mov eax, [ebp-1C] 00457767 \|. E8 50F7FFFF call 00456EBC 0045776C \|. 8945 E0 mov [ebp-20], eax 0045776F \|. 8B45 EC mov eax, [ebp-14] 00457772 \|. 50 push eax ; /Arg4 00457773 \|. 8B45 C0 mov eax, [ebp-40] ; \| 00457776 \|. 50 push eax ; \|Arg3 00457777 \|. 6A 0B push 0B ; \|Arg2 = 0000000B 00457779 \|. 8B45 E0 mov eax, [ebp-20] ; \| 0045777C \|. 50 push eax ; \|Arg1 0045777D \|. 8D45 E8 lea eax, [ebp-18] ; \| 00457780 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 00457783 \|. 8B55 F4 mov edx, [ebp-C] ; \| 00457786 \|. E8 9DF8FFFF call 00457028 ; \dumped_1.00457028 0045778B \|. FF45 E4 inc dword ptr [ebp-1C] 0045778E \|. 8B45 E4 mov eax, [ebp-1C] 00457791 \|. E8 26F7FFFF call 00456EBC 00457796 \|. 8945 E0 mov [ebp-20], eax 00457799 \|. 8B45 F0 mov eax, [ebp-10] 0045779C \|. 50 push eax ; /Arg4 0045779D \|. 8B45 CC mov eax, [ebp-34] ; \| 004577A0 \|. 50 push eax ; \|Arg3 004577A1 \|. 6A 10 push 10 ; \|Arg2 = 00000010 004577A3 \|. 8B45 E0 mov eax, [ebp-20] ; \| 004577A6 \|. 50 push eax ; \|Arg1 004577A7 \|. 8D45 EC lea eax, [ebp-14] ; \| 004577AA \|. 8B4D F4 mov ecx, [ebp-C] ; \| 004577AD \|. 8B55 E8 mov edx, [ebp-18] ; \| 004577B0 \|. E8 73F8FFFF call 00457028 ; \dumped_1.00457028 004577B5 \|. FF45 E4 inc dword ptr [ebp-1C] 004577B8 \|. 8B45 E4 mov eax, [ebp-1C] 004577BB \|. E8 FCF6FFFF call 00456EBC 004577C0 \|. 8945 E0 mov [ebp-20], eax 004577C3 \|. 8B45 F4 mov eax, [ebp-C] 004577C6 \|. 50 push eax ; /Arg4 004577C7 \|. 8B45 D8 mov eax, [ebp-28] ; \| 004577CA \|. 50 push eax ; \|Arg3 004577CB \|. 6A 17 push 17 ; \|Arg2 = 00000017 004577CD \|. 8B45 E0 mov eax, [ebp-20] ; \| 004577D0 \|. 50 push eax ; \|Arg1 004577D1 \|. 8D45 F0 lea eax, [ebp-10] ; \| 004577D4 \|. 8B4D E8 mov ecx, [ebp-18] ; \| 004577D7 \|. 8B55 EC mov edx, [ebp-14] ; \| 004577DA \|. E8 49F8FFFF call 00457028 ; \dumped_1.00457028 004577DF \|. FF45 E4 inc dword ptr [ebp-1C] 004577E2 \|. 8B45 E4 mov eax, [ebp-1C] 004577E5 \|. E8 D2F6FFFF call 00456EBC 004577EA \|. 8945 E0 mov [ebp-20], eax 004577ED \|. 8B45 E8 mov eax, [ebp-18] 004577F0 \|. 50 push eax ; /Arg4 004577F1 \|. 8B45 A4 mov eax, [ebp-5C] ; \| 004577F4 \|. 50 push eax ; \|Arg3 004577F5 \|. 6A 04 push 4 ; \|Arg2 = 00000004 004577F7 \|. 8B45 E0 mov eax, [ebp-20] ; \| 004577FA \|. 50 push eax ; \|Arg1 004577FB \|. 8D45 F4 lea eax, [ebp-C] ; \| 004577FE \|. 8B4D EC mov ecx, [ebp-14] ; \| 00457801 \|. 8B55 F0 mov edx, [ebp-10] ; \| 00457804 \|. E8 1FF8FFFF call 00457028 ; \dumped_1.00457028 00457809 \|. FF45 E4 inc dword ptr [ebp-1C] 0045780C \|. 8B45 E4 mov eax, [ebp-1C] 0045780F \|. E8 A8F6FFFF call 00456EBC 00457814 \|. 8945 E0 mov [ebp-20], eax 00457817 \|. 8B45 EC mov eax, [ebp-14] 0045781A \|. 50 push eax ; /Arg4 0045781B \|. 8B45 B0 mov eax, [ebp-50] ; \| 0045781E \|. 50 push eax ; \|Arg3 0045781F \|. 6A 0B push 0B ; \|Arg2 = 0000000B 00457821 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457824 \|. 50 push eax ; \|Arg1 00457825 \|. 8D45 E8 lea eax, [ebp-18] ; \| 00457828 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 0045782B \|. 8B55 F4 mov edx, [ebp-C] ; \| 0045782E \|. E8 F5F7FFFF call 00457028 ; \dumped_1.00457028 00457833 \|. FF45 E4 inc dword ptr [ebp-1C] 00457836 \|. 8B45 E4 mov eax, [ebp-1C] 00457839 \|. E8 7EF6FFFF call 00456EBC 0045783E \|. 8945 E0 mov [ebp-20], eax 00457841 \|. 8B45 F0 mov eax, [ebp-10] 00457844 \|. 50 push eax ; /Arg4 00457845 \|. 8B45 BC mov eax, [ebp-44] ; \| 00457848 \|. 50 push eax ; \|Arg3 00457849 \|. 6A 10 push 10 ; \|Arg2 = 00000010 0045784B \|. 8B45 E0 mov eax, [ebp-20] ; \| 0045784E \|. 50 push eax ; \|Arg1 0045784F \|. 8D45 EC lea eax, [ebp-14] ; \| 00457852 \|. 8B4D F4 mov ecx, [ebp-C] ; \| 00457855 \|. 8B55 E8 mov edx, [ebp-18] ; \| 00457858 \|. E8 CBF7FFFF call 00457028 ; \dumped_1.00457028 0045785D \|. FF45 E4 inc dword ptr [ebp-1C] 00457860 \|. 8B45 E4 mov eax, [ebp-1C] 00457863 \|. E8 54F6FFFF call 00456EBC 00457868 \|. 8945 E0 mov [ebp-20], eax 0045786B \|. 8B45 F4 mov eax, [ebp-C] 0045786E \|. 50 push eax ; /Arg4 0045786F \|. 8B45 C8 mov eax, [ebp-38] ; \| 00457872 \|. 50 push eax ; \|Arg3 00457873 \|. 6A 17 push 17 ; \|Arg2 = 00000017 00457875 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457878 \|. 50 push eax ; \|Arg1 00457879 \|. 8D45 F0 lea eax, [ebp-10] ; \| 0045787C \|. 8B4D E8 mov ecx, [ebp-18] ; \| 0045787F \|. 8B55 EC mov edx, [ebp-14] ; \| 00457882 \|. E8 A1F7FFFF call 00457028 ; \dumped_1.00457028 00457887 \|. FF45 E4 inc dword ptr [ebp-1C] 0045788A \|. 8B45 E4 mov eax, [ebp-1C] 0045788D \|. E8 2AF6FFFF call 00456EBC 00457892 \|. 8945 E0 mov [ebp-20], eax 00457895 \|. 8B45 E8 mov eax, [ebp-18] 00457898 \|. 50 push eax ; /Arg4 00457899 \|. 8B45 D4 mov eax, [ebp-2C] ; \| 0045789C \|. 50 push eax ; \|Arg3 0045789D \|. 6A 04 push 4 ; \|Arg2 = 00000004 0045789F \|. 8B45 E0 mov eax, [ebp-20] ; \| 004578A2 \|. 50 push eax ; \|Arg1 004578A3 \|. 8D45 F4 lea eax, [ebp-C] ; \| 004578A6 \|. 8B4D EC mov ecx, [ebp-14] ; \| 004578A9 \|. 8B55 F0 mov edx, [ebp-10] ; \| 004578AC \|. E8 77F7FFFF call 00457028 ; \dumped_1.00457028 004578B1 \|. FF45 E4 inc dword ptr [ebp-1C] 004578B4 \|. 8B45 E4 mov eax, [ebp-1C] 004578B7 \|. E8 00F6FFFF call 00456EBC 004578BC \|. 8945 E0 mov [ebp-20], eax 004578BF \|. 8B45 EC mov eax, [ebp-14] 004578C2 \|. 50 push eax ; /Arg4 004578C3 \|. 8B45 A0 mov eax, [ebp-60] ; \| 004578C6 \|. 50 push eax ; \|Arg3 004578C7 \|. 6A 0B push 0B ; \|Arg2 = 0000000B 004578C9 \|. 8B45 E0 mov eax, [ebp-20] ; \| 004578CC \|. 50 push eax ; \|Arg1 004578CD \|. 8D45 E8 lea eax, [ebp-18] ; \| 004578D0 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 004578D3 \|. 8B55 F4 mov edx, [ebp-C] ; \| 004578D6 \|. E8 4DF7FFFF call 00457028 ; \dumped_1.00457028 004578DB \|. FF45 E4 inc dword ptr [ebp-1C] 004578DE \|. 8B45 E4 mov eax, [ebp-1C] 004578E1 \|. E8 D6F5FFFF call 00456EBC 004578E6 \|. 8945 E0 mov [ebp-20], eax 004578E9 \|. 8B45 F0 mov eax, [ebp-10] 004578EC \|. 50 push eax ; /Arg4 004578ED \|. 8B45 AC mov eax, [ebp-54] ; \| 004578F0 \|. 50 push eax ; \|Arg3 004578F1 \|. 6A 10 push 10 ; \|Arg2 = 00000010 004578F3 \|. 8B45 E0 mov eax, [ebp-20] ; \| 004578F6 \|. 50 push eax ; \|Arg1 004578F7 \|. 8D45 EC lea eax, [ebp-14] ; \| 004578FA \|. 8B4D F4 mov ecx, [ebp-C] ; \| 004578FD \|. 8B55 E8 mov edx, [ebp-18] ; \| 00457900 \|. E8 23F7FFFF call 00457028 ; \dumped_1.00457028 00457905 \|. FF45 E4 inc dword ptr [ebp-1C] 00457908 \|. 8B45 E4 mov eax, [ebp-1C] 0045790B \|. E8 ACF5FFFF call 00456EBC 00457910 \|. 8945 E0 mov [ebp-20], eax 00457913 \|. 8B45 F4 mov eax, [ebp-C] 00457916 \|. 50 push eax ; /Arg4 00457917 \|. 8B45 B8 mov eax, [ebp-48] ; \| 0045791A \|. 50 push eax ; \|Arg3 0045791B \|. 6A 17 push 17 ; \|Arg2 = 00000017 0045791D \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457920 \|. 50 push eax ; \|Arg1 00457921 \|. 8D45 F0 lea eax, [ebp-10] ; \| 00457924 \|. 8B4D E8 mov ecx, [ebp-18] ; \| 00457927 \|. 8B55 EC mov edx, [ebp-14] ; \| 0045792A \|. E8 F9F6FFFF call 00457028 ; \dumped_1.00457028 0045792F \|. FF45 E4 inc dword ptr [ebp-1C] 00457932 \|. 8B45 E4 mov eax, [ebp-1C] 00457935 \|. E8 82F5FFFF call 00456EBC 0045793A \|. 8945 E0 mov [ebp-20], eax 0045793D \|. 8B45 E8 mov eax, [ebp-18] 00457940 \|. 50 push eax ; /Arg4 00457941 \|. 8B45 C4 mov eax, [ebp-3C] ; \| 00457944 \|. 50 push eax ; \|Arg3 00457945 \|. 6A 04 push 4 ; \|Arg2 = 00000004 00457947 \|. 8B45 E0 mov eax, [ebp-20] ; \| 0045794A \|. 50 push eax ; \|Arg1 0045794B \|. 8D45 F4 lea eax, [ebp-C] ; \| 0045794E \|. 8B4D EC mov ecx, [ebp-14] ; \| 00457951 \|. 8B55 F0 mov edx, [ebp-10] ; \| 00457954 \|. E8 CFF6FFFF call 00457028 ; \dumped_1.00457028 00457959 \|. FF45 E4 inc dword ptr [ebp-1C] 0045795C \|. 8B45 E4 mov eax, [ebp-1C] 0045795F \|. E8 58F5FFFF call 00456EBC 00457964 \|. 8945 E0 mov [ebp-20], eax 00457967 \|. 8B45 EC mov eax, [ebp-14] 0045796A \|. 50 push eax ; /Arg4 0045796B \|. 8B45 D0 mov eax, [ebp-30] ; \| 0045796E \|. 50 push eax ; \|Arg3 0045796F \|. 6A 0B push 0B ; \|Arg2 = 0000000B 00457971 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457974 \|. 50 push eax ; \|Arg1 00457975 \|. 8D45 E8 lea eax, [ebp-18] ; \| 00457978 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 0045797B \|. 8B55 F4 mov edx, [ebp-C] ; \| 0045797E \|. E8 A5F6FFFF call 00457028 ; \dumped_1.00457028 00457983 \|. FF45 E4 inc dword ptr [ebp-1C] 00457986 \|. 8B45 E4 mov eax, [ebp-1C] 00457989 \|. E8 2EF5FFFF call 00456EBC 0045798E \|. 8945 E0 mov [ebp-20], eax 00457991 \|. 8B45 F0 mov eax, [ebp-10] 00457994 \|. 50 push eax ; /Arg4 00457995 \|. 8B45 DC mov eax, [ebp-24] ; \| 00457998 \|. 50 push eax ; \|Arg3 00457999 \|. 6A 10 push 10 ; \|Arg2 = 00000010 0045799B \|. 8B45 E0 mov eax, [ebp-20] ; \| 0045799E \|. 50 push eax ; \|Arg1 0045799F \|. 8D45 EC lea eax, [ebp-14] ; \| 004579A2 \|. 8B4D F4 mov ecx, [ebp-C] ; \| 004579A5 \|. 8B55 E8 mov edx, [ebp-18] ; \| 004579A8 \|. E8 7BF6FFFF call 00457028 ; \dumped_1.00457028 004579AD \|. FF45 E4 inc dword ptr [ebp-1C] 004579B0 \|. 8B45 E4 mov eax, [ebp-1C] 004579B3 \|. E8 04F5FFFF call 00456EBC 004579B8 \|. 8945 E0 mov [ebp-20], eax 004579BB \|. 8B45 F4 mov eax, [ebp-C] 004579BE \|. 50 push eax ; /Arg4 004579BF \|. 8B45 A8 mov eax, [ebp-58] ; \| 004579C2 \|. 50 push eax ; \|Arg3 004579C3 \|. 6A 17 push 17 ; \|Arg2 = 00000017 004579C5 \|. 8B45 E0 mov eax, [ebp-20] ; \| 004579C8 \|. 50 push eax ; \|Arg1 004579C9 \|. 8D45 F0 lea eax, [ebp-10] ; \| 004579CC \|. 8B4D E8 mov ecx, [ebp-18] ; \| 004579CF \|. 8B55 EC mov edx, [ebp-14] ; \| 004579D2 \|. E8 51F6FFFF call 00457028 ; \dumped_1.00457028 004579D7 \|. FF45 E4 inc dword ptr [ebp-1C] 004579DA \|. 8B45 E4 mov eax, [ebp-1C] 004579DD \|. E8 DAF4FFFF call 00456EBC 004579E2 \|. 8945 E0 mov [ebp-20], eax 004579E5 \|. 8B45 E8 mov eax, [ebp-18] 004579E8 \|. 50 push eax ; /Arg4 004579E9 \|. 8B45 A0 mov eax, [ebp-60] ; \| 004579EC \|. 50 push eax ; \|Arg3 004579ED \|. 6A 06 push 6 ; \|Arg2 = 00000006 004579EF \|. 8B45 E0 mov eax, [ebp-20] ; \| 004579F2 \|. 50 push eax ; \|Arg1 004579F3 \|. 8D45 F4 lea eax, [ebp-C] ; \| 004579F6 \|. 8B4D EC mov ecx, [ebp-14] ; \| 004579F9 \|. 8B55 F0 mov edx, [ebp-10] ; \| 004579FC \|. E8 6BF6FFFF call 0045706C ; \dumped_1.0045706C 00457A01 \|. FF45 E4 inc dword ptr [ebp-1C] 00457A04 \|. 8B45 E4 mov eax, [ebp-1C] 00457A07 \|. E8 B0F4FFFF call 00456EBC 00457A0C \|. 8945 E0 mov [ebp-20], eax 00457A0F \|. 8B45 EC mov eax, [ebp-14] 00457A12 \|. 50 push eax ; /Arg4 00457A13 \|. 8B45 BC mov eax, [ebp-44] ; \| 00457A16 \|. 50 push eax ; \|Arg3 00457A17 \|. 6A 0A push 0A ; \|Arg2 = 0000000A 00457A19 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457A1C \|. 50 push eax ; \|Arg1 00457A1D \|. 8D45 E8 lea eax, [ebp-18] ; \| 00457A20 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 00457A23 \|. 8B55 F4 mov edx, [ebp-C] ; \| 00457A26 \|. E8 41F6FFFF call 0045706C ; \dumped_1.0045706C 00457A2B \|. FF45 E4 inc dword ptr [ebp-1C] 00457A2E \|. 8B45 E4 mov eax, [ebp-1C] 00457A31 \|. E8 86F4FFFF call 00456EBC 00457A36 \|. 8945 E0 mov [ebp-20], eax 00457A39 \|. 8B45 F0 mov eax, [ebp-10] 00457A3C \|. 50 push eax ; /Arg4 00457A3D \|. 8B45 D8 mov eax, [ebp-28] ; \| 00457A40 \|. 50 push eax ; \|Arg3 00457A41 \|. 6A 0F push 0F ; \|Arg2 = 0000000F 00457A43 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457A46 \|. 50 push eax ; \|Arg1 00457A47 \|. 8D45 EC lea eax, [ebp-14] ; \| 00457A4A \|. 8B4D F4 mov ecx, [ebp-C] ; \| 00457A4D \|. 8B55 E8 mov edx, [ebp-18] ; \| 00457A50 \|. E8 17F6FFFF call 0045706C ; \dumped_1.0045706C 00457A55 \|. FF45 E4 inc dword ptr [ebp-1C] 00457A58 \|. 8B45 E4 mov eax, [ebp-1C] 00457A5B \|. E8 5CF4FFFF call 00456EBC 00457A60 \|. 8945 E0 mov [ebp-20], eax 00457A63 \|. 8B45 F4 mov eax, [ebp-C] 00457A66 \|. 50 push eax ; /Arg4 00457A67 \|. 8B45 B4 mov eax, [ebp-4C] ; \| 00457A6A \|. 50 push eax ; \|Arg3 00457A6B \|. 6A 15 push 15 ; \|Arg2 = 00000015 00457A6D \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457A70 \|. 50 push eax ; \|Arg1 00457A71 \|. 8D45 F0 lea eax, [ebp-10] ; \| 00457A74 \|. 8B4D E8 mov ecx, [ebp-18] ; \| 00457A77 \|. 8B55 EC mov edx, [ebp-14] ; \| 00457A7A \|. E8 EDF5FFFF call 0045706C ; \dumped_1.0045706C 00457A7F \|. FF45 E4 inc dword ptr [ebp-1C] 00457A82 \|. 8B45 E4 mov eax, [ebp-1C] 00457A85 \|. E8 32F4FFFF call 00456EBC 00457A8A \|. 8945 E0 mov [ebp-20], eax 00457A8D \|. 8B45 E8 mov eax, [ebp-18] 00457A90 \|. 50 push eax ; /Arg4 00457A91 \|. 8B45 D0 mov eax, [ebp-30] ; \| 00457A94 \|. 50 push eax ; \|Arg3 00457A95 \|. 6A 06 push 6 ; \|Arg2 = 00000006 00457A97 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457A9A \|. 50 push eax ; \|Arg1 00457A9B \|. 8D45 F4 lea eax, [ebp-C] ; \| 00457A9E \|. 8B4D EC mov ecx, [ebp-14] ; \| 00457AA1 \|. 8B55 F0 mov edx, [ebp-10] ; \| 00457AA4 \|. E8 C3F5FFFF call 0045706C ; \dumped_1.0045706C 00457AA9 \|. FF45 E4 inc dword ptr [ebp-1C] 00457AAC \|. 8B45 E4 mov eax, [ebp-1C] 00457AAF \|. E8 08F4FFFF call 00456EBC 00457AB4 \|. 8945 E0 mov [ebp-20], eax 00457AB7 \|. 8B45 EC mov eax, [ebp-14] 00457ABA \|. 50 push eax ; /Arg4 00457ABB \|. 8B45 AC mov eax, [ebp-54] ; \| 00457ABE \|. 50 push eax ; \|Arg3 00457ABF \|. 6A 0A push 0A ; \|Arg2 = 0000000A 00457AC1 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457AC4 \|. 50 push eax ; \|Arg1 00457AC5 \|. 8D45 E8 lea eax, [ebp-18] ; \| 00457AC8 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 00457ACB \|. 8B55 F4 mov edx, [ebp-C] ; \| 00457ACE \|. E8 99F5FFFF call 0045706C ; \dumped_1.0045706C 00457AD3 \|. FF45 E4 inc dword ptr [ebp-1C] 00457AD6 \|. 8B45 E4 mov eax, [ebp-1C] 00457AD9 \|. E8 DEF3FFFF call 00456EBC 00457ADE \|. 8945 E0 mov [ebp-20], eax 00457AE1 \|. 8B45 F0 mov eax, [ebp-10] 00457AE4 \|. 50 push eax ; /Arg4 00457AE5 \|. 8B45 C8 mov eax, [ebp-38] ; \| 00457AE8 \|. 50 push eax ; \|Arg3 00457AE9 \|. 6A 0F push 0F ; \|Arg2 = 0000000F 00457AEB \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457AEE \|. 50 push eax ; \|Arg1 00457AEF \|. 8D45 EC lea eax, [ebp-14] ; \| 00457AF2 \|. 8B4D F4 mov ecx, [ebp-C] ; \| 00457AF5 \|. 8B55 E8 mov edx, [ebp-18] ; \| 00457AF8 \|. E8 6FF5FFFF call 0045706C ; \dumped_1.0045706C 00457AFD \|. FF45 E4 inc dword ptr [ebp-1C] 00457B00 \|. 8B45 E4 mov eax, [ebp-1C] 00457B03 \|. E8 B4F3FFFF call 00456EBC 00457B08 \|. 8945 E0 mov [ebp-20], eax 00457B0B \|. 8B45 F4 mov eax, [ebp-C] 00457B0E \|. 50 push eax ; /Arg4 00457B0F \|. 8B45 A4 mov eax, [ebp-5C] ; \| 00457B12 \|. 50 push eax ; \|Arg3 00457B13 \|. 6A 15 push 15 ; \|Arg2 = 00000015 00457B15 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457B18 \|. 50 push eax ; \|Arg1 00457B19 \|. 8D45 F0 lea eax, [ebp-10] ; \| 00457B1C \|. 8B4D E8 mov ecx, [ebp-18] ; \| 00457B1F \|. 8B55 EC mov edx, [ebp-14] ; \| 00457B22 \|. E8 45F5FFFF call 0045706C ; \dumped_1.0045706C 00457B27 \|. FF45 E4 inc dword ptr [ebp-1C] 00457B2A \|. 8B45 E4 mov eax, [ebp-1C] 00457B2D \|. E8 8AF3FFFF call 00456EBC 00457B32 \|. 8945 E0 mov [ebp-20], eax 00457B35 \|. 8B45 E8 mov eax, [ebp-18] 00457B38 \|. 50 push eax ; /Arg4 00457B39 \|. 8B45 C0 mov eax, [ebp-40] ; \| 00457B3C \|. 50 push eax ; \|Arg3 00457B3D \|. 6A 06 push 6 ; \|Arg2 = 00000006 00457B3F \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457B42 \|. 50 push eax ; \|Arg1 00457B43 \|. 8D45 F4 lea eax, [ebp-C] ; \| 00457B46 \|. 8B4D EC mov ecx, [ebp-14] ; \| 00457B49 \|. 8B55 F0 mov edx, [ebp-10] ; \| 00457B4C \|. E8 1BF5FFFF call 0045706C ; \dumped_1.0045706C 00457B51 \|. FF45 E4 inc dword ptr [ebp-1C] 00457B54 \|. 8B45 E4 mov eax, [ebp-1C] 00457B57 \|. E8 60F3FFFF call 00456EBC 00457B5C \|. 8945 E0 mov [ebp-20], eax 00457B5F \|. 8B45 EC mov eax, [ebp-14] 00457B62 \|. 50 push eax ; /Arg4 00457B63 \|. 8B45 DC mov eax, [ebp-24] ; \| 00457B66 \|. 50 push eax ; \|Arg3 00457B67 \|. 6A 0A push 0A ; \|Arg2 = 0000000A 00457B69 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457B6C \|. 50 push eax ; \|Arg1 00457B6D \|. 8D45 E8 lea eax, [ebp-18] ; \| 00457B70 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 00457B73 \|. 8B55 F4 mov edx, [ebp-C] ; \| 00457B76 \|. E8 F1F4FFFF call 0045706C ; \dumped_1.0045706C 00457B7B \|. FF45 E4 inc dword ptr [ebp-1C] 00457B7E \|. 8B45 E4 mov eax, [ebp-1C] 00457B81 \|. E8 36F3FFFF call 00456EBC 00457B86 \|. 8945 E0 mov [ebp-20], eax 00457B89 \|. 8B45 F0 mov eax, [ebp-10] 00457B8C \|. 50 push eax ; /Arg4 00457B8D \|. 8B45 B8 mov eax, [ebp-48] ; \| 00457B90 \|. 50 push eax ; \|Arg3 00457B91 \|. 6A 0F push 0F ; \|Arg2 = 0000000F 00457B93 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457B96 \|. 50 push eax ; \|Arg1 00457B97 \|. 8D45 EC lea eax, [ebp-14] ; \| 00457B9A \|. 8B4D F4 mov ecx, [ebp-C] ; \| 00457B9D \|. 8B55 E8 mov edx, [ebp-18] ; \| 00457BA0 \|. E8 C7F4FFFF call 0045706C ; \dumped_1.0045706C 00457BA5 \|. FF45 E4 inc dword ptr [ebp-1C] 00457BA8 \|. 8B45 E4 mov eax, [ebp-1C] 00457BAB \|. E8 0CF3FFFF call 00456EBC 00457BB0 \|. 8945 E0 mov [ebp-20], eax 00457BB3 \|. 8B45 F4 mov eax, [ebp-C] 00457BB6 \|. 50 push eax ; /Arg4 00457BB7 \|. 8B45 D4 mov eax, [ebp-2C] ; \| 00457BBA \|. 50 push eax ; \|Arg3 00457BBB \|. 6A 15 push 15 ; \|Arg2 = 00000015 00457BBD \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457BC0 \|. 50 push eax ; \|Arg1 00457BC1 \|. 8D45 F0 lea eax, [ebp-10] ; \| 00457BC4 \|. 8B4D E8 mov ecx, [ebp-18] ; \| 00457BC7 \|. 8B55 EC mov edx, [ebp-14] ; \| 00457BCA \|. E8 9DF4FFFF call 0045706C ; \dumped_1.0045706C 00457BCF \|. FF45 E4 inc dword ptr [ebp-1C] 00457BD2 \|. 8B45 E4 mov eax, [ebp-1C] 00457BD5 \|. E8 E2F2FFFF call 00456EBC 00457BDA \|. 8945 E0 mov [ebp-20], eax 00457BDD \|. 8B45 E8 mov eax, [ebp-18] 00457BE0 \|. 50 push eax ; /Arg4 00457BE1 \|. 8B45 B0 mov eax, [ebp-50] ; \| 00457BE4 \|. 50 push eax ; \|Arg3 00457BE5 \|. 6A 06 push 6 ; \|Arg2 = 00000006 00457BE7 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457BEA \|. 50 push eax ; \|Arg1 00457BEB \|. 8D45 F4 lea eax, [ebp-C] ; \| 00457BEE \|. 8B4D EC mov ecx, [ebp-14] ; \| 00457BF1 \|. 8B55 F0 mov edx, [ebp-10] ; \| 00457BF4 \|. E8 73F4FFFF call 0045706C ; \dumped_1.0045706C 00457BF9 \|. FF45 E4 inc dword ptr [ebp-1C] 00457BFC \|. 8B45 E4 mov eax, [ebp-1C] 00457BFF \|. E8 B8F2FFFF call 00456EBC 00457C04 \|. 8945 E0 mov [ebp-20], eax 00457C07 \|. 8B45 EC mov eax, [ebp-14] 00457C0A \|. 50 push eax ; /Arg4 00457C0B \|. 8B45 CC mov eax, [ebp-34] ; \| 00457C0E \|. 50 push eax ; \|Arg3 00457C0F \|. 6A 0A push 0A ; \|Arg2 = 0000000A 00457C11 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457C14 \|. 50 push eax ; \|Arg1 00457C15 \|. 8D45 E8 lea eax, [ebp-18] ; \| 00457C18 \|. 8B4D F0 mov ecx, [ebp-10] ; \| 00457C1B \|. 8B55 F4 mov edx, [ebp-C] ; \| 00457C1E \|. E8 49F4FFFF call 0045706C ; \dumped_1.0045706C 00457C23 \|. FF45 E4 inc dword ptr [ebp-1C] 00457C26 \|. 8B45 E4 mov eax, [ebp-1C] 00457C29 \|. E8 8EF2FFFF call 00456EBC 00457C2E \|. 8945 E0 mov [ebp-20], eax 00457C31 \|. 8B45 F0 mov eax, [ebp-10] 00457C34 \|. 50 push eax ; /Arg4 00457C35 \|. 8B45 A8 mov eax, [ebp-58] ; \| 00457C38 \|. 50 push eax ; \|Arg3 00457C39 \|. 6A 0F push 0F ; \|Arg2 = 0000000F 00457C3B \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457C3E \|. 50 push eax ; \|Arg1 00457C3F \|. 8D45 EC lea eax, [ebp-14] ; \| 00457C42 \|. 8B4D F4 mov ecx, [ebp-C] ; \| 00457C45 \|. 8B55 E8 mov edx, [ebp-18] ; \| 00457C48 \|. E8 1FF4FFFF call 0045706C ; \dumped_1.0045706C 00457C4D \|. FF45 E4 inc dword ptr [ebp-1C] 00457C50 \|. 8B45 E4 mov eax, [ebp-1C] 00457C53 \|. E8 64F2FFFF call 00456EBC 00457C58 \|. 8945 E0 mov [ebp-20], eax 00457C5B \|. 8B45 F4 mov eax, [ebp-C] 00457C5E \|. 50 push eax ; /Arg4 00457C5F \|. 8B45 C4 mov eax, [ebp-3C] ; \| 00457C62 \|. 50 push eax ; \|Arg3 00457C63 \|. 6A 15 push 15 ; \|Arg2 = 00000015 00457C65 \|. 8B45 E0 mov eax, [ebp-20] ; \| 00457C68 \|. 50 push eax ; \|Arg1 00457C69 \|. 8D45 F0 lea eax, [ebp-10] ; \| 00457C6C \|. 8B4D E8 mov ecx, [ebp-18] ; \| 00457C6F \|. 8B55 EC mov edx, [ebp-14] ; \| 00457C72 \|. E8 F5F3FFFF call 0045706C ; \dumped_1.0045706C //上面是md5的4轮循环，每轮16步 00457C77 \|. 8B45 F8 mov eax, [ebp-8] 00457C7A \|. 8B55 F4 mov edx, [ebp-C] ;a 00457C7D \|. 0110 add [eax], edx ;state[0]+=a 00457C7F \|. 8B45 F8 mov eax, [ebp-8] 00457C82 \|. 8B55 F0 mov edx, [ebp-10] ;b 00457C85 \|. 0150 04 add [eax+4], edx ;state[1]+=b 00457C88 \|. 8B45 F8 mov eax, [ebp-8] 00457C8B \|. 8B55 EC mov edx, [ebp-14] ;c 00457C8E \|. 0150 08 add [eax+8], edx ;state[2]+=c 00457C91 \|. 8B45 F8 mov eax, [ebp-8] 00457C94 \|. 8B55 E8 mov edx, [ebp-18] ;d 00457C97 \|. 0150 0C add [eax+C], edx ;;state[3]+=d 00457C9A \|. 8BE5 mov esp, ebp 00457C9C \|. 5D pop ebp 00457C9D \. C3 retn 可以看出，很明显用了md5! sha过程如下： 004563E0 /$ 55 push ebp 004563E1 \|. 8BEC mov ebp, esp 004563E3 \|. 81C4 9CFEFFFF add esp, -164 004563E9 \|. 53 push ebx 004563EA \|. 8945 FC mov [ebp-4], eax 004563ED \|. C745 DC 2AFC6>mov dword ptr [ebp-24], E369FC> 004563F4 \|. 8D95 9CFEFFFF lea edx, [ebp-164] 004563FA \|. 8B45 FC mov eax, [ebp-4] 004563FD \|. 83C0 1C add eax, 1C 00456400 \|. B9 40000000 mov ecx, 40 00456405 \|. E8 AEC4FAFF call 004028B8 0045640A \|. 33C0 xor eax, eax 0045640C \|. 8945 E0 mov [ebp-20], eax 0045640F \|> 8B45 E0 /mov eax, [ebp-20] ; 低位高位交换 00456412 \|. 8B8485 9CFEFF>\|mov eax, [ebp+eax4-164] 00456419 \|. E8 82FFFFFF \|call 004563A0 0045641E \|. 8B55 E0 \|mov edx, [ebp-20] 00456421 \|. 898495 9CFEFF>\|mov [ebp+edx4-164], eax 00456428 \|. FF45 E0 \|inc dword ptr [ebp-20] 0045642B \|. 837D E0 10 \|cmp dword ptr [ebp-20], 10 0045642F \|.^ 75 DE \jnz short 0045640F 00456431 \|. C745 E0 10000>mov dword ptr [ebp-20], 10 00456438 \|> 8B45 E0 /mov eax, [ebp-20] ; 产生80个dword 0045643B \|. 8B8485 90FEFF>\|mov eax, [ebp+eax4-170] 00456442 \|. 8B55 E0 \|mov edx, [ebp-20] 00456445 \|. 338495 7CFEFF>\|xor eax, [ebp+edx4-184] 0045644C \|. 8B55 E0 \|mov edx, [ebp-20] 0045644F \|. 338495 64FEFF>\|xor eax, [ebp+edx4-19C] 00456456 \|. 8B55 E0 \|mov edx, [ebp-20] 00456459 \|. 338495 5CFEFF>\|xor eax, [ebp+edx4-1A4] 00456460 \|. BA 01000000 \|mov edx, 1 00456465 \|. E8 B6FEFFFF \|call 00456320 0045646A \|. 8B55 E0 \|mov edx, [ebp-20] 0045646D \|. 898495 9CFEFF>\|mov [ebp+edx4-164], eax 00456474 \|. FF45 E0 \|inc dword ptr [ebp-20] 00456477 \|. 837D E0 50 \|cmp dword ptr [ebp-20], 50 0045647B \|.^ 75 BB \jnz short 00456438 0045647D \|. 8B45 FC mov eax, [ebp-4] 00456480 \|. 8B00 mov eax, [eax] 00456482 \|. 8945 F8 mov [ebp-8], eax 00456485 \|. 8B45 FC mov eax, [ebp-4] 00456488 \|. 8B40 04 mov eax, [eax+4] 0045648B \|. 8945 F4 mov [ebp-C], eax 0045648E \|. 8B45 FC mov eax, [ebp-4] 00456491 \|. 8B40 08 mov eax, [eax+8] 00456494 \|. 8945 F0 mov [ebp-10], eax 00456497 \|. 8B45 FC mov eax, [ebp-4] 0045649A \|. 8B40 0C mov eax, [eax+C] 0045649D \|. 8945 EC mov [ebp-14], eax 004564A0 \|. 8B45 FC mov eax, [ebp-4] 004564A3 \|. 8B40 10 mov eax, [eax+10] 004564A6 \|. 8945 E8 mov [ebp-18], eax 004564A9 \|. 33C0 xor eax, eax 004564AB \|. 8945 E0 mov [ebp-20], eax 004564AE \|> 8B4D EC /mov ecx, [ebp-14] 004564B1 \|. 8B55 F0 \|mov edx, [ebp-10] 004564B4 \|. 8B45 F4 \|mov eax, [ebp-C] 004564B7 \|. E8 6CFEFFFF \|call 00456328 ; f1(x,y,z) (z^(x&(y^z))) 004564BC \|. 8BD8 \|mov ebx, eax 004564BE \|. BA 05000000 \|mov edx, 5 004564C3 \|. 8B45 F8 \|mov eax, [ebp-8] 004564C6 \|. E8 55FEFFFF \|call 00456320 ; rol(value, bits) (((value) << (bits)) \| ((value) >> (32 - (bits)))) 004564CB \|. 03D8 \|add ebx, eax 004564CD \|. 035D E8 \|add ebx, [ebp-18] 004564D0 \|. 8B45 E0 \|mov eax, [ebp-20] 004564D3 \|. 039C85 9CFEFF>\|add ebx, [ebp+eax4-164] 004564DA \|. 8B45 DC \|mov eax, [ebp-24] 004564DD \|. 35 B385EBB9 \|xor eax, B9EB85B3 ;关键数据异或处理，处理后0x5A827999 004564E2 \|. 03D8 \|add ebx, eax 004564E4 \|. 895D E4 \|mov [ebp-1C], ebx 004564E7 \|. 8B45 EC \|mov eax, [ebp-14] 004564EA \|. 8945 E8 \|mov [ebp-18], eax 004564ED \|. 8B45 F0 \|mov eax, [ebp-10] 004564F0 \|. 8945 EC \|mov [ebp-14], eax 004564F3 \|. BA 1E000000 \|mov edx, 1E 004564F8 \|. 8B45 F4 \|mov eax, [ebp-C] 004564FB \|. E8 20FEFFFF \|call 00456320 ; rol(value, bits) (((value) << (bits)) \| ((value) >> (32 - (bits)))) 00456500 \|. 8945 F0 \|mov [ebp-10], eax 00456503 \|. 8B45 F8 \|mov eax, [ebp-8] 00456506 \|. 8945 F4 \|mov [ebp-C], eax 00456509 \|. 8B45 E4 \|mov eax, [ebp-1C] 0045650C \|. 8945 F8 \|mov [ebp-8], eax 0045650F \|. FF45 E0 \|inc dword ptr [ebp-20] 00456512 \|. 837D E0 14 \|cmp dword ptr [ebp-20], 14 00456516 \|.^ 75 96 \jnz short 004564AE 00456518 \|. C745 E0 14000>mov dword ptr [ebp-20], 14 0045651F \|> 8B4D EC /mov ecx, [ebp-14] 00456522 \|. 8B55 F0 \|mov edx, [ebp-10] 00456525 \|. 8B45 F4 \|mov eax, [ebp-C] 00456528 \|. E8 23FEFFFF \|call 00456350 ; (w^x^y) 0045652D \|. 8BD8 \|mov ebx, eax 0045652F \|. BA 05000000 \|mov edx, 5 00456534 \|. 8B45 F8 \|mov eax, [ebp-8] 00456537 \|. E8 E4FDFFFF \|call 00456320 0045653C \|. 03D8 \|add ebx, eax 0045653E \|. 035D E8 \|add ebx, [ebp-18] 00456541 \|. 8B45 E0 \|mov eax, [ebp-20] 00456544 \|. 039C85 9CFEFF>\|add ebx, [ebp+eax4-164] 0045654B \|. 8B45 DC \|mov eax, [ebp-24] 0045654E \|. 35 8B17B08D \|xor eax, 8DB0178B ;关键数据异或处理，处理后0x6ED9EBA1 00456553 \|. 03D8 \|add ebx, eax 00456555 \|. 895D E4 \|mov [ebp-1C], ebx 00456558 \|. 8B45 EC \|mov eax, [ebp-14] 0045655B \|. 8945 E8 \|mov [ebp-18], eax 0045655E \|. 8B45 F0 \|mov eax, [ebp-10] 00456561 \|. 8945 EC \|mov [ebp-14], eax 00456564 \|. BA 1E000000 \|mov edx, 1E 00456569 \|. 8B45 F4 \|mov eax, [ebp-C] 0045656C \|. E8 AFFDFFFF \|call 00456320 00456571 \|. 8945 F0 \|mov [ebp-10], eax 00456574 \|. 8B45 F8 \|mov eax, [ebp-8] 00456577 \|. 8945 F4 \|mov [ebp-C], eax 0045657A \|. 8B45 E4 \|mov eax, [ebp-1C] 0045657D \|. 8945 F8 \|mov [ebp-8], eax 00456580 \|. FF45 E0 \|inc dword ptr [ebp-20] 00456583 \|. 837D E0 28 \|cmp dword ptr [ebp-20], 28 00456587 \|.^ 75 96 \jnz short 0045651F 00456589 \|. C745 E0 28000>mov dword ptr [ebp-20], 28 00456590 \|> 8B4D EC /mov ecx, [ebp-14] 00456593 \|. 8B55 F0 \|mov edx, [ebp-10] 00456596 \|. 8B45 F4 \|mov eax, [ebp-C] 00456599 \|. E8 D6FDFFFF \|call 00456374 ; f3(x,y,z) ((x&y)\|(z&(x\|y))) 0045659E \|. 8BD8 \|mov ebx, eax 004565A0 \|. BA 05000000 \|mov edx, 5 004565A5 \|. 8B45 F8 \|mov eax, [ebp-8] 004565A8 \|. E8 73FDFFFF \|call 00456320 004565AD \|. 03D8 \|add ebx, eax 004565AF \|. 035D E8 \|add ebx, [ebp-18] 004565B2 \|. 8B45 E0 \|mov eax, [ebp-20] 004565B5 \|. 039C85 9CFEFF>\|add ebx, [ebp+eax4-164] 004565BC \|. 8B45 DC \|mov eax, [ebp-24] 004565BF \|. 35 F640726C \|xor eax, 6C7240F6 ;关键数据异或处理，处理后0x8F1BBCDC 004565C4 \|. 03D8 \|add ebx, eax 004565C6 \|. 895D E4 \|mov [ebp-1C], ebx 004565C9 \|. 8B45 EC \|mov eax, [ebp-14] 004565CC \|. 8945 E8 \|mov [ebp-18], eax 004565CF \|. 8B45 F0 \|mov eax, [ebp-10] 004565D2 \|. 8945 EC \|mov [ebp-14], eax 004565D5 \|. BA 1E000000 \|mov edx, 1E 004565DA \|. 8B45 F4 \|mov eax, [ebp-C] 004565DD \|. E8 3EFDFFFF \|call 00456320 004565E2 \|. 8945 F0 \|mov [ebp-10], eax 004565E5 \|. 8B45 F8 \|mov eax, [ebp-8] 004565E8 \|. 8945 F4 \|mov [ebp-C], eax 004565EB \|. 8B45 E4 \|mov eax, [ebp-1C] 004565EE \|. 8945 F8 \|mov [ebp-8], eax 004565F1 \|. FF45 E0 \|inc dword ptr [ebp-20] 004565F4 \|. 837D E0 3C \|cmp dword ptr [ebp-20], 3C 004565F8 \|.^ 75 96 \jnz short 00456590 004565FA \|. C745 E0 3C000>mov dword ptr [ebp-20], 3C 00456601 \|> 8B4D EC mov ecx, [ebp-14] 00456604 \|. 8B55 F0 mov edx, [ebp-10] 00456607 \|. 8B45 F4 mov eax, [ebp-C] 0045660A \|. E8 41FDFFFF call 00456350 ; f4(x,y,z) (x^y^z) 0045660F \|. 8BD8 mov ebx, eax 00456611 \|. BA 05000000 mov edx, 5 00456616 \|. 8B45 F8 mov eax, [ebp-8] 00456619 \|. E8 02FDFFFF call 00456320 0045661E \|. 03D8 add ebx, eax 00456620 \|. 035D E8 add ebx, [ebp-18] 00456623 \|. 8B45 E0 mov eax, [ebp-20] 00456626 \|. 039C85 9CFEFF>add ebx, [ebp+eax*4-164] 0045662D \|. 8B45 DC mov eax, [ebp-24] 00456630 \|. 35 FC3D0B29 xor eax, 290B3DFC ;关键数据异或处理，处理后0xCA62C1D6 00456635 \|. 03D8 add ebx, eax 00456637 \|. 895D E4 mov [ebp-1C], ebx 0045663A \|. 8B45 EC mov eax, [ebp-14] 0045663D \|. 8945 E8 mov [ebp-18], eax 00456640 \|. 8B45 F0 mov eax, [ebp-10] 00456643 \|. 8945 EC mov [ebp-14], eax 00456646 \|. BA 1E000000 mov edx, 1E 0045664B \|. 8B45 F4 mov eax, [ebp-C] 0045664E \|. E8 CDFCFFFF call 00456320 00456653 \|. 8945 F0 mov [ebp-10], eax 00456656 \|. 8B45 F8 mov eax, [ebp-8] 00456659 \|. 8945 F4 mov [ebp-C], eax 0045665C \|. 8B45 E4 mov eax, [ebp-1C] 0045665F \|. 8945 F8 mov [ebp-8], eax 00456662 \|. FF45 E0 inc dword ptr [ebp-20] 00456665 \|. 837D E0 50 cmp dword ptr [ebp-20], 50 00456669 \|.^ 75 96 jnz short 00456601 //以上一共80步，明显是sha 0045666B \|. 8B45 FC mov eax, [ebp-4] 0045666E \|. 8B55 F8 mov edx, [ebp-8] 00456671 \|. 0110 add [eax], edx 00456673 \|. 8B45 FC mov eax, [ebp-4] 00456676 \|. 8B55 F4 mov edx, [ebp-C] 00456679 \|. 0150 04 add [eax+4], edx 0045667C \|. 8B45 FC mov eax, [ebp-4] 0045667F \|. 8B55 F0 mov edx, [ebp-10] 00456682 \|. 0150 08 add [eax+8], edx 00456685 \|. 8B45 FC mov eax, [ebp-4] 00456688 \|. 8B55 EC mov edx, [ebp-14] 0045668B \|. 0150 0C add [eax+C], edx 0045668E \|. 8B45 FC mov eax, [ebp-4] 00456691 \|. 8B55 E8 mov edx, [ebp-18] 00456694 \|. 0150 10 add [eax+10], edx //state加上a,b,c,d,e 00456697 \|. 8D85 9CFEFFFF lea eax, [ebp-164] 0045669D \|. 33C9 xor ecx, ecx 0045669F \|. BA 40010000 mov edx, 140 004566A4 \|. E8 07C6FAFF call 00402CB0 004566A9 \|. 8B45 FC mov eax, [ebp-4] 004566AC \|. 83C0 1C add eax, 1C 004566AF \|. 33C9 xor ecx, ecx 004566B1 \|. BA 40000000 mov edx, 40 004566B6 \|. E8 F5C5FAFF call 00402CB0 004566BB \|. 5B pop ebx 004566BC \|. 8BE5 mov esp, ebp 004566BE \|. 5D pop ebp 004566BF \. C3 retn 通过关键数据复原，很明显分析?是sha!
mirrormask 雪币： 242 活跃值： (135) 能力值： ( LV8，RANK：130 ) 在线值：发帖 8 回帖 64 粉丝 1 关注私信	mirrormask 3 2006-2-18 19:32 15 楼 0 佩服！！密码学...
happytown 雪币： 721 活跃值： (350) 能力值： ( LV9，RANK：1250 ) 在线值：发帖 131 回帖 1014 粉丝 1 关注私信	happytown 31 2006-2-18 20:45 16 楼 0 1、其实，这个CrackMe算不上加壳，所以不存在壳软不软的问题，只是想让peid判断无效而已； 2、Ryosuke和busheler分析的都很不错，希望能尽快做出注册机！
busheler 雪币： 236 活跃值： (160) 能力值： ( LV8，RANK：130 ) 在线值：发帖 9 回帖 46 粉丝 0 关注私信	busheler 3 2006-2-19 04:23 17 楼 0 注册跟踪：此处即为注册码验证段，计算套计算，有点偏复杂，程序是自动监测文本框中内容，所以前面用过的断点全部去掉，并在0045982D下断点，为什么？因为你每输入一次注册码，程序就会自动监测一次，并判断是否等于16位。 004597EC /. 55 push ebp 004597ED \|. 8BEC mov ebp, esp 004597EF \|. B9 0B000000 mov ecx, 0B 004597F4 \|> 6A 00 /push 0 004597F6 \|. 6A 00 \|push 0 004597F8 \|. 49 \|dec ecx 004597F9 \|.^ 75 F9 \jnz short 004597F4 004597FB \|. 53 push ebx 004597FC \|. 56 push esi 004597FD \|. 8955 C4 mov [ebp-3C], edx 00459800 \|. 8945 FC mov [ebp-4], eax 00459803 \|. 33C0 xor eax, eax 00459805 \|. 55 push ebp 00459806 \|. 68 6E9A4500 push 00459A6E 0045980B \|. 64:FF30 push dword ptr fs:[eax] 0045980E \|. 64:8920 mov fs:[eax], esp 00459811 \|. 8D55 C0 lea edx, [ebp-40] 00459814 \|. 8B45 FC mov eax, [ebp-4] 00459817 \|. 8B80 04030000 mov eax, [eax+304] 0045981D \|. E8 C6B7FDFF call 00434FE8 ; 取输入注册码！ 00459822 \|. 8B45 C0 mov eax, [ebp-40] ; 入EAX 00459825 \|. E8 7AAAFAFF call 004042A4 ; 取长度? 0045982A \|. 83F8 10 cmp eax, 10 ; 是否为16位 0045982D \|. 0F85 E1010000 jnz 00459A14 ; 不等跳,相等继续! 00459833 \|. 8D55 F8 lea edx, [ebp-8] 00459836 \|. 8B45 FC mov eax, [ebp-4] 00459839 \|. 8B80 F8020000 mov eax, [eax+2F8] 0045983F \|. E8 A4B7FDFF call 00434FE8 ; 取用户名 00459844 \|. 8B45 F8 mov eax, [ebp-8] ; 入EAX 00459847 \|. E8 80E9FFFF call 004581CC ; 用户名去做运算！运算结果在EAX 0045984C \|. 8945 F4 mov [ebp-C], eax 0045984F \|. 8D45 F8 lea eax, [ebp-8] 00459852 \|. E8 2DF7FFFF call 00458F84 ; 取操作系统ProductId 00459857 \|. 8B45 F8 mov eax, [ebp-8] 0045985A \|. E8 6DE9FFFF call 004581CC ; 操作系统ProductId去做运算,运算结果在EAX(和用户名运算方式相同) 0045985F \|. 3145 F4 xor [ebp-C], eax ; xor(结果1,结果2) 00459862 \|. 8D45 F8 lea eax, [ebp-8] 00459865 \|. E8 7AA7FAFF call 00403FE4 0045986A \|. 8B45 F4 mov eax, [ebp-C] 0045986D \|. 33D2 xor edx, edx 0045986F \|. 52 push edx ; /Arg2 => 00000000 00459870 \|. 50 push eax ; \|xor(结果1,结果2) 00459871 \|. 8D55 D4 lea edx, [ebp-2C] ; \| 00459874 \|. B8 08000000 mov eax, 8 ; \| 00459879 \|. E8 C6E7FAFF call 00408044 ; \转字符串 0045987E \|. 8D55 BC lea edx, [ebp-44] 00459881 \|. 8B45 D4 mov eax, [ebp-2C] 00459884 \|. E8 2BE7FFFF call 00457FB4 ; MD5（xor(结果1,结果2)） 00459889 \|. 8B45 BC mov eax, [ebp-44] 0045988C \|. 8D55 D0 lea edx, [ebp-30] 0045988F \|. E8 24E3FAFF call 00407BB8 ; 小写转大写 00459894 \|. 8D55 B4 lea edx, [ebp-4C] 00459897 \|. 8B45 D0 mov eax, [ebp-30] 0045989A \|. E8 29C9FFFF call 004561C8 ; 去进行运算？NO。。。应该是固定字符串,但不确定 ;"3f18be73e44fa27b6a6bf9b13066cd5563df63b5" 0045989F \|. 8B45 B4 mov eax, [ebp-4C] 004598A2 \|. 8D55 B8 lea edx, [ebp-48] 004598A5 \|. E8 0EE3FAFF call 00407BB8 ; 结果小写转大写， "3F18BE73E44FA27B6A6BF9B13066CD5563DF63B5" 004598AA \|. 8B55 B8 mov edx, [ebp-48] 004598AD \|. 8D45 D0 lea eax, [ebp-30] 004598B0 \|. E8 C7A7FAFF call 0040407C 004598B5 \|. 8B45 D0 mov eax, [ebp-30] 004598B8 \|. E8 E3EBFFFF call 004584A0 ; 去进行一长串的运算 004598BD \|. 8B45 F4 mov eax, [ebp-C] 004598C0 \|. 33D2 xor edx, edx 004598C2 \|. 8945 D8 mov [ebp-28], eax 004598C5 \|. 8955 DC mov [ebp-24], edx 004598C8 \|. FF75 DC push dword ptr [ebp-24] ; /Arg2 004598CB \|. FF75 D8 push dword ptr [ebp-28] ; \|xor(结果1,结果2) 004598CE \|. E8 6DEAFFFF call 00458340 ; \去运算 004598D3 \|. 52 push edx ; /运算结果前8位 004598D4 \|. 50 push eax ; \|运算结果后8位 004598D5 \|. 8D55 CC lea edx, [ebp-34] ; \| 004598D8 \|. 33C0 xor eax, eax ; \| 004598DA \|. E8 65E7FAFF call 00408044 ; \连接成字符串 004598DF \|. B8 849A4500 mov eax, 00459A84 ; kernel32.dll 004598E4 \|. E8 B7EBFFFF call 004584A0 ; 字符串“kernel32.dll”又是一长串的运算??? 004598E9 \|. 8D55 B0 lea edx, [ebp-50] 004598EC \|. 8B45 FC mov eax, [ebp-4] 004598EF \|. 8B80 04030000 mov eax, [eax+304] 004598F5 \|. E8 EEB6FDFF call 00434FE8 004598FA \|. 8B45 B0 mov eax, [ebp-50] ; 注册码入EAX 004598FD \|. E8 F6CFFFFF call 004568F8 ; 16位注册码字符串转为数 00459902 \|. 8945 D8 mov [ebp-28], eax ; EAX中为后8位 00459905 \|. 8955 DC mov [ebp-24], edx ; EDX中为前8位 00459908 \|. FF75 DC push dword ptr [ebp-24] ; /前8位 0045990B \|. FF75 D8 push dword ptr [ebp-28] ; \|后8位 0045990E \|. E8 7DE9FFFF call 00458290 ; \去运算！ 00459913 \|. 52 push edx ; /运算结果前8位 00459914 \|. 50 push eax ; \|运算结后8位 00459915 \|. 8D55 C8 lea edx, [ebp-38] ; \| 00459918 \|. 33C0 xor eax, eax ; \| 0045991A \|. E8 25E7FAFF call 00408044 ; \连接成字符串 0045991F \|. 8B45 F4 mov eax, [ebp-C] 00459922 \|. 33D2 xor edx, edx 00459924 \|. 52 push edx ; /Arg2 => 00000000 00459925 \|. 50 push eax ; \|xor(结果1,结果2) 00459926 \|. 8D55 A8 lea edx, [ebp-58] ; \| 00459929 \|. 33C0 xor eax, eax ; \| 0045992B \|. E8 14E7FAFF call 00408044 ; \连接成字符串 00459930 \|. 8B45 A8 mov eax, [ebp-58] 00459933 \|. 8D55 AC lea edx, [ebp-54] 00459936 \|. E8 7DE2FAFF call 00407BB8 0045993B \|. 8B55 AC mov edx, [ebp-54] 0045993E \|. 8B45 C8 mov eax, [ebp-38] 00459941 \|. E8 AAAAFAFF call 004043F0 ; 比较两个字符串是否相等 00459946 0F85 C8000000 jnz 00459A14 ; 不等跳!nop掉即爆掉了!:) 0045994C \|. 8D45 F0 lea eax, [ebp-10] 0045994F \|. BA 9C9A4500 mov edx, 00459A9C 00459954 \|. E8 23A7FAFF call 0040407C 00459959 \|. 8D45 EC lea eax, [ebp-14] 0045995C \|. BA B49A4500 mov edx, 00459AB4
busheler 雪币： 236 活跃值： (160) 能力值： ( LV8，RANK：130 ) 在线值：发帖 9 回帖 46 粉丝 0 关注私信	busheler 3 2006-2-19 04:33 18 楼 0 call 004581CC 还好些 call 004584A0 太繁琐，循环次数老多，循环套循环，确实太费时间了
mirrormask 雪币： 242 活跃值： (135) 能力值： ( LV8，RANK：130 ) 在线值：发帖 8 回帖 64 粉丝 1 关注私信	mirrormask 3 2006-2-19 10:34 19 楼 0 最初由 busheler 发布 call 004581CC 还好些 call 004584A0 太繁琐，循环次数老多，循环套循环，确实太费时间了可以用ida辅助分析：）
mirrormask 雪币： 242 活跃值： (135) 能力值： ( LV8，RANK：130 ) 在线值：发帖 8 回帖 64 粉丝 1 关注私信	mirrormask 3 2006-2-19 15:04 20 楼 0 0045981D \|. >call <CrackMe_.TControl::GetText(void)> 00459822 \|. >mov eax,dword ptr ss:[ebp-40] 00459825 \|. >call <CrackMe_.System::_16823> 0045982A \|. >cmp eax,10 0045982D \|. >jnz <CrackMe_.DeadJmp> 00459833 \|. >lea edx,dword ptr ss:[ebp-8] 00459836 \|. >mov eax,dword ptr ss:[ebp-4] 00459839 \|. >mov eax,dword ptr ds:[eax+2F8] 0045983F \|. >call <CrackMe_.TControl::GetText(void)> 00459844 \|. >mov eax,dword ptr ss:[ebp-8] 00459847 \|. >call <CrackMe_.transform> 0045984C \|. >mov dword ptr ss:[ebp-C],eax 0045984F \|. >lea eax,dword ptr ss:[ebp-8] 00459852 \|. >call <CrackMe_.getMacinecode> 00459857 \|. >mov eax,dword ptr ss:[ebp-8] 0045985A \|. >call <CrackMe_.transform> 0045985F \|. >xor dword ptr ss:[ebp-C],eax 00459862 \|. >lea eax,dword ptr ss:[ebp-8] 00459865 \|. >call <CrackMe_.System::__linkproc__ LStrClr(Syste>; destroy the temporary string 0045986A \|. >mov eax,dword ptr ss:[ebp-C] 0045986D \|. >xor edx,edx 0045986F \|. >push edx ; /Arg2 => 00000000 00459870 \|. >push eax ; \|Arg1 00459871 \|. >lea edx,dword ptr ss:[ebp-2C] ; \| 00459874 \|. >mov eax,8 ; \| 00459879 \|. >call <CrackMe_.numTostring> ; \sub_408044 0045987E \|. >lea edx,dword ptr ss:[ebp-44] 00459881 \|. >mov eax,dword ptr ss:[ebp-2C] 00459884 \|. >call <CrackMe_.TOMD5> 00459889 \|. >mov eax,dword ptr ss:[ebp-44] 0045988C \|. >lea edx,dword ptr ss:[ebp-30] 0045988F \|. >call <CrackMe_.low_to_up> 00459894 \|. >lea edx,dword ptr ss:[ebp-4C] 00459897 \|. >mov eax,dword ptr ss:[ebp-30] 0045989A \|. >call <CrackMe_.TO_SHA1> 0045989F \|. >mov eax,dword ptr ss:[ebp-4C] 004598A2 \|. >lea edx,dword ptr ss:[ebp-48] 004598A5 \|. >call <CrackMe_.low_to_up> 004598AA \|. >mov edx,dword ptr ss:[ebp-48] 004598AD \|. >lea eax,dword ptr ss:[ebp-30] 004598B0 \|. >call <CrackMe_.System::__linkproc__ LStrLAsg(void> 004598B5 \|. >mov eax,dword ptr ss:[ebp-30] 004598B8 \|. >call <CrackMe_.blowfish_init> 004598BD \|. >mov eax,dword ptr ss:[ebp-C] 004598C0 \|. >xor edx,edx 004598C2 \|. >mov dword ptr ss:[ebp-28],eax 004598C5 \|. >mov dword ptr ss:[ebp-24],edx 004598C8 \|. >push dword ptr ss:[ebp-24] ; /Arg2 004598CB \|. >push dword ptr ss:[ebp-28] ; \|Arg1 004598CE \|. >call <CrackMe_.Blowfish_Encrypt> ; \sub_458340 004598D3 \|. >push edx ; /Arg2 004598D4 \|. >push eax ; \|Arg1 004598D5 \|. >lea edx,dword ptr ss:[ebp-34] ; \| 004598D8 \|. >xor eax,eax ; \| 004598DA \|. >call <CrackMe_.numTostring> ; \sub_408044 004598DF \|. >mov eax,CrackMe_.00459A84 ; ASCII "kernel32.dll" 004598E4 \|. >call <CrackMe_.blowfish_init> 004598E9 \|. >lea edx,dword ptr ss:[ebp-50] 004598EC \|. >mov eax,dword ptr ss:[ebp-4] 004598EF \|. >mov eax,dword ptr ds:[eax+304] 004598F5 \|. >call <CrackMe_.TControl::GetText(void)> 004598FA \|. >mov eax,dword ptr ss:[ebp-50] 004598FD \|. >call <CrackMe_.stringToNum> 00459902 \|. >mov dword ptr ss:[ebp-28],eax 00459905 \|. >mov dword ptr ss:[ebp-24],edx 00459908 \|. >push dword ptr ss:[ebp-24] ; /Arg2 0045990B \|. >push dword ptr ss:[ebp-28] ; \|Arg1 0045990E \|. >call <CrackMe_.snChange> ; \sub_458290 00459913 \|. >push edx ; /Arg2 00459914 \|. >push eax ; \|Arg1 00459915 \|. >lea edx,dword ptr ss:[ebp-38] ; \| 00459918 \|. >xor eax,eax ; \| 0045991A \|. >call <CrackMe_.numTostring> ; \sub_408044 0045991F \|. >mov eax,dword ptr ss:[ebp-C] 00459922 \|. >xor edx,edx 00459924 \|. >push edx ; /Arg2 => 00000000 00459925 \|. >push eax ; \|Arg1 00459926 \|. >lea edx,dword ptr ss:[ebp-58] ; \| 00459929 \|. >xor eax,eax ; \| 0045992B \|. >call <CrackMe_.numTostring> ; \sub_408044 00459930 \|. >mov eax,dword ptr ss:[ebp-58] 00459933 \|. >lea edx,dword ptr ss:[ebp-54] 00459936 \|. >call <CrackMe_.low_to_up> 0045993B \|. >mov edx,dword ptr ss:[ebp-54] ;8位 0045993E \|. >mov eax,dword ptr ss:[ebp-38] ；16位 00459941 \|. >call <CrackMe_.System::__linkproc__ LStrCmp(void)> 00459946 \|. >jnz <CrackMe_.DeadJmp> 最后总是8位和16位的比较，不知何故中间的md5和sha1和blowfish似乎没有用到.... 00459913 \|. >push edx ; /Arg2 00459914 \|. >push eax ; \|Arg1 00459915 \|. >lea edx,dword ptr ss:[ebp-38] ; \| 00459918 \|. >xor eax,eax ; \| 0045991A \|. >call <CrackMe_.numTostring> ; \sub_408044 这里出16位字符串 00459924 \|. >push edx ; /Arg2 => 00000000 00459925 \|. >push eax ; \|Arg1 00459926 \|. >lea edx,dword ptr ss:[ebp-58] ; \| 00459929 \|. >xor eax,eax ; \| 0045992B \|. >call <CrackMe_.numTostring> ; \sub_408044 这里出8位
Ryosuke 雪币： 370 活跃值： (78) 能力值： ( LV9，RANK：970 ) 在线值：发帖 26 回帖 196 粉丝 2 关注私信	Ryosuke 24 2006-2-19 15:55 21 楼 0 http://bbs.pediy.com/showthread.php?s=&threadid=21531 破文和注册机。呵呵，挺好玩的。
hellocat 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 3 粉丝 0 关注私信	hellocat 2006-2-19 21:09 22 楼 0 呵呵。支持啊
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复

jxanu

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

3

回帖

22

粉丝

0

关注

私信

jxanu 2006-2-16 20:32: 2 楼
0

好像挺厉害的CrackMe!~~

happytown

雪币： 721

活跃值： (350)

能力值：

( LV9，RANK：1250 )

在线值：

发帖

131

回帖

1014

粉丝

1

关注

私信

happytown 31 2006-2-16 20:40: 3 楼
0

欢迎你试试看！

mirrormask

雪币： 242

活跃值： (135)

能力值：

( LV8，RANK：130 )

在线值：

发帖

8

回帖

64

粉丝

1

关注

私信

mirrormask 3 2006-2-17 14:05: 4 楼
0

爆了....

查了一下有blowfish
不会

busheler

雪币： 236

活跃值： (160)

能力值：

( LV8，RANK：130 )

在线值：

发帖

9

回帖

46

粉丝

0

关注

私信

busheler 3 2006-2-17 14:18: 5 楼
0

确实有些变态的说！
夹克很容易脱去的；
反汇编，反调试，还有校验里！

前面分析放上来：

一、脱壳免。。。

二、去反调试、去掉校验：

004596EC  /.  55                   push ebp
004596ED  |.  8BEC                mov    ebp, esp
004596EF  |.  83C4 F0             add    esp, -10
004596F2  |.  8955 F0             mov    [ebp-10], edx
004596F5  |.  8945 FC             mov    [ebp-4], eax
004596F8  |.  8B45 FC             mov    eax, [ebp-4]
004596FB  |.  E8 C420FEFF          call 0043B7C4
00459700  |.  A3 F4DF4500          mov    [45DFF4], eax
00459705  |.  E8 DAEFFFFF          call 004586E4                      ;  监测调试、反汇编等...
0045970A  |.  E8 51F8FFFF          call 00458F60
0045970F  |.  E8 5CE9FFFF          call 00458070                      ;  取文件属性，未仔细跟踪，有文件名、文件大小等等。并进行运算！
00459714  |.  8945 F4             mov    [ebp-C], eax
00459717  |.  A1 E0DF4500          mov    eax, [45DFE0]
0045971C  |.  3B45 F4             cmp    eax, [ebp-C]
0045971F    74 05                je    short 00459726                ;  相等，跳去继续；不等，退出！改为jmp
00459721  |.  E8 CEA7FAFF          call 00403EF4
00459726  |>  68 7C974500          push 0045977C                      ; /ResourceType = "WAV"
0045972B  |.  68 80974500          push 00459780                      ; |ResourceName = "BackSound"
00459730  |.  A1 F0DF4500          mov    eax, [45DFF0]                   ; |
00459735  |.  50                   push eax                            ; |hModule => NULL
00459736  |.  E8 3DC9FAFF          call <jmp.&kernel32.FindResourceA> ; \FindResourceA
0045973B  |.  8945 F8             mov    [ebp-8], eax
0045973E  |.  8B45 F8             mov    eax, [ebp-8]
00459741  |.  50                   push eax                            ; /hResource
00459742  |.  A1 F0DF4500          mov    eax, [45DFF0]                   ; |
00459747  |.  50                   push eax                            ; |hModule => NULL
00459748  |.  E8 5BCAFAFF          call <jmp.&kernel32.LoadResource>    ; \LoadResource
0045974D  |.  A3 FCDF4500          mov    [45DFFC], eax
00459752  |.  833D FCDF4500 20    cmp    dword ptr [45DFFC], 20
00459759  |.  76 10                jbe    short 0045976B
0045975B  |.  A1 FCDF4500          mov    eax, [45DFFC]
00459760  |.  50                   push eax                            ; /hResource => NULL
00459761  |.  E8 4ACAFAFF          call <jmp.&kernel32.LockResource>    ; \LockResource
00459766  |.  A3 F8DF4500          mov    [45DFF8], eax
0045976B  |>  6A 0D                push 0D
0045976D  |.  A1 F8DF4500          mov    eax, [45DFF8]
00459772  |.  50                   push eax
00459773  |.  E8 10CAFFFF          call <jmp.&winmm.sndPlaySoundA>
00459778  |.  8BE5                mov    esp, ebp
0045977A  |.  5D                   pop    ebp
0045977B  \.  C3                   retn

busheler

雪币： 236

活跃值： (160)

能力值：

( LV8，RANK：130 )

在线值：

发帖

9

回帖

46

粉丝

0

关注

私信

busheler 3 2006-2-17 14:19: 6 楼
0

跟进call 004586E4 进取看看：

004586E4  /$  55          push ebp
004586E5  |.  8BEC       mov    ebp, esp
004586E7  |.  B9 29000000 mov    ecx, 29
004586EC  |>  6A 00       /push 0
004586EE  |.  6A 00       |push 0
004586F0  |.  49          |dec    ecx
004586F1  |.^ 75 F9       \jnz    short 004586EC
004586F3  |.  51          push ecx
004586F4  |.  33C0       xor    eax, eax
004586F6  |.  55          push ebp
004586F7  |.  68 118A4500 push 00458A11
004586FC  |.  64:FF30    push dword ptr fs:[eax]
004586FF  |.  64:8920    mov    fs:[eax], esp
00458702  |.  8D45 D0    lea    eax, [ebp-30]
00458705  |.  BA 248A4500 mov    edx, 00458A24
0045870A  |.  E8 6DB9FAFF call 0040407C
0045870F  |.  8D45 F4    lea    eax, [ebp-C]
00458712  |.  BA 348A4500 mov    edx, 00458A34
00458717  |.  E8 60B9FAFF call 0040407C
0045871C  |.  8D4D CC    lea    ecx, [ebp-34]
0045871F  |.  8B55 F4    mov    edx, [ebp-C]
00458722  |.  8B45 D0    mov    eax, [ebp-30]
00458725  |.  E8 D6FEFFFF call 00458600
0045872A  |.  8D45 F4    lea    eax, [ebp-C]
0045872D  |.  8B55 CC    mov    edx, [ebp-34]
00458730  |.  E8 47B9FAFF call 0040407C                      ;  OLLYDBG
00458735  |.  8D45 CC    lea    eax, [ebp-34]
00458738  |.  E8 A7B8FAFF call 00403FE4
0045873D  |.  8D45 D0    lea    eax, [ebp-30]
00458740  |.  BA 448A4500 mov    edx, 00458A44
00458745  |.  E8 32B9FAFF call 0040407C
0045874A  |.  8D45 F0    lea    eax, [ebp-10]
0045874D  |.  BA 548A4500 mov    edx, 00458A54
00458752  |.  E8 25B9FAFF call 0040407C
00458757  |.  8D4D CC    lea    ecx, [ebp-34]
0045875A  |.  8B55 F0    mov    edx, [ebp-10]
0045875D  |.  8B45 D0    mov    eax, [ebp-30]
00458760  |.  E8 9BFEFFFF call 00458600
00458765  |.  8D45 F0    lea    eax, [ebp-10]
00458768  |.  8B55 CC    mov    edx, [ebp-34]                   ;  fly0DBG
0045876B  |.  E8 0CB9FAFF call 0040407C
00458770  |.  8D45 CC    lea    eax, [ebp-34]
00458773  |.  E8 6CB8FAFF call 00403FE4
00458778  |.  8D45 D0    lea    eax, [ebp-30]
0045877B  |.  BA 648A4500 mov    edx, 00458A64
00458780  |.  E8 F7B8FAFF call 0040407C
00458785  |.  8D45 E8    lea    eax, [ebp-18]
00458788  |.  BA 748A4500 mov    edx, 00458A74
0045878D  |.  E8 EAB8FAFF call 0040407C
00458792  |.  8D4D CC    lea    ecx, [ebp-34]
00458795  |.  8B55 E8    mov    edx, [ebp-18]
00458798  |.  8B45 D0    mov    eax, [ebp-30]
0045879B  |.  E8 60FEFFFF call 00458600
004587A0  |.  8D45 E8    lea    eax, [ebp-18]
004587A3  |.  8B55 CC    mov    edx, [ebp-34]                   ;  W32DASM
004587A6  |.  E8 D1B8FAFF call 0040407C
004587AB  |.  8D45 CC    lea    eax, [ebp-34]
004587AE  |.  E8 31B8FAFF call 00403FE4
004587B3  |.  8D45 D0    lea    eax, [ebp-30]
004587B6  |.  BA 848A4500 mov    edx, 00458A84                   ;  ASCII "u掊?
004587BB  |.  E8 BCB8FAFF call 0040407C
004587C0  |.  8D45 E0    lea    eax, [ebp-20]
004587C3  |.  BA 948A4500 mov    edx, 00458A94
004587C8  |.  E8 AFB8FAFF call 0040407C
004587CD  |.  8D4D CC    lea    ecx, [ebp-34]
004587D0  |.  8B55 E0    mov    edx, [ebp-20]
004587D3  |.  8B45 D0    mov    eax, [ebp-30]
004587D6  |.  E8 25FEFFFF call 00458600
004587DB  |.  8D45 E0    lea    eax, [ebp-20]
004587DE  |.  8B55 CC    mov    edx, [ebp-34]                   ;  DeDe
004587E1  |.  E8 96B8FAFF call 0040407C
004587E6  |.  8D45 CC    lea    eax, [ebp-34]
004587E9  |.  E8 F6B7FAFF call 00403FE4
004587EE  |.  8D45 D0    lea    eax, [ebp-30]
004587F1  |.  BA A48A4500 mov    edx, 00458AA4
004587F6  |.  E8 81B8FAFF call 0040407C
004587FB  |.  8D45 DC    lea    eax, [ebp-24]
004587FE  |.  BA B48A4500 mov    edx, 00458AB4
00458803  |.  E8 74B8FAFF call 0040407C
00458808  |.  8D4D CC    lea    ecx, [ebp-34]
0045880B  |.  8B55 DC    mov    edx, [ebp-24]
0045880E  |.  8B45 D0    mov    eax, [ebp-30]
00458811  |.  E8 EAFDFFFF call 00458600
00458816  |.  8D45 DC    lea    eax, [ebp-24]
00458819  |.  8B55 CC    mov    edx, [ebp-34]                   ;  DARK
0045881C  |.  E8 5BB8FAFF call 0040407C
00458821  |.  8D45 CC    lea    eax, [ebp-34]
00458824  |.  E8 BBB7FAFF call 00403FE4
00458829  |.  8D45 D0    lea    eax, [ebp-30]
0045882C  |.  BA C48A4500 mov    edx, 00458AC4                   ;  ASCII "user32.dll"
00458831  |.  E8 46B8FAFF call 0040407C
00458836  |.  8D45 D4    lea    eax, [ebp-2C]
00458839  |.  BA D88A4500 mov    edx, 00458AD8
0045883E  |.  E8 39B8FAFF call 0040407C
00458843  |.  8D4D CC    lea    ecx, [ebp-34]
00458846  |.  8B55 D4    mov    edx, [ebp-2C]
00458849  |.  8B45 D0    mov    eax, [ebp-30]
0045884C  |.  E8 AFFDFFFF call 00458600
00458851  |.  8D45 D4    lea    eax, [ebp-2C]
00458854  |.  8B55 CC    mov    edx, [ebp-34]                   ;  SmartCheck
00458857  |.  E8 20B8FAFF call 0040407C
0045885C  |.  8D45 CC    lea    eax, [ebp-34]
0045885F  |.  E8 80B7FAFF call 00403FE4
00458864  |.  6A 00       push 0                               ; /Relation = GW_HWNDFIRST
00458866  |.  A1 F4DF4500 mov    eax, [45DFF4]                   ; |
0045886B  |.  50          push eax                            ; |hWnd => 003103AC ('CrackMe_0009',class='TfrmMain',parent=005603BC)
0045886C  |.  E8 7FDEFAFF call <jmp.&user32.GetWindow>       ; \GetWindow
00458871  |.  8945 FC    mov    [ebp-4], eax
00458874  |.  837D FC 00 cmp    dword ptr [ebp-4], 0
00458878  |.  0F84 68010000 je    004589E6
0045887E  |>  68 FF000000 /push 0FF                            ; /Count = FF (255.)
00458883  |.  8D85 C9FEFFFF |lea    eax, [ebp-137]                ; |
00458889  |.  50          |push eax                            ; |Buffer
0045888A  |.  8B45 FC    |mov    eax, [ebp-4]                   ; |
0045888D  |.  50          |push eax                            ; |hWnd
0045888E  |.  E8 85DEFAFF |call <jmp.&user32.GetWindowTextA> ; \GetWindowTextA
00458893  |.  85C0       |test eax, eax
00458895  |.  0F8E 33010000 |jle    004589CE
0045889B  |.  8D55 F8    |lea    edx, [ebp-8]
0045889E  |.  8D85 C9FEFFFF |lea    eax, [ebp-137]
004588A4  |.  E8 ABFEFAFF |call 00408754
004588A9  |.  8D55 EC    |lea    edx, [ebp-14]
004588AC  |.  8D85 C9FEFFFF |lea    eax, [ebp-137]
004588B2  |.  E8 9DFEFAFF |call 00408754
004588B7  |.  8D55 E4    |lea    edx, [ebp-1C]
004588BA  |.  8D85 C9FEFFFF |lea    eax, [ebp-137]
004588C0  |.  E8 8FFEFAFF |call 00408754
004588C5  |.  8D55 D8    |lea    edx, [ebp-28]
004588C8  |.  8D85 C9FEFFFF |lea    eax, [ebp-137]
004588CE  |.  E8 81FEFAFF |call 00408754
004588D3  |.  8D85 C0FEFFFF |lea    eax, [ebp-140]
004588D9  |.  50          |push eax
004588DA  |.  B9 07000000 |mov    ecx, 7
004588DF  |.  BA 01000000 |mov    edx, 1
004588E4  |.  8B45 F8    |mov    eax, [ebp-8]
004588E7  |.  E8 18BCFAFF |call 00404504
004588EC  |.  8B85 C0FEFFFF |mov    eax, [ebp-140]
004588F2  |.  8D95 C4FEFFFF |lea    edx, [ebp-13C]
004588F8  |.  E8 BBF2FAFF |call 00407BB8
004588FD  |.  8B85 C4FEFFFF |mov    eax, [ebp-13C]
00458903  |.  8B55 F4    |mov    edx, [ebp-C]                   ;  OLLYDBG
00458906  |.  E8 E5BAFAFF |call 004043F0
0045890B  |.  0F84 90000000 |je    004589A1                      ;  nop掉
00458911  |.  8D85 BCFEFFFF |lea    eax, [ebp-144]
00458917  |.  50          |push eax
00458918  |.  B9 07000000 |mov    ecx, 7
0045891D  |.  BA 01000000 |mov    edx, 1
00458922  |.  8B45 F8    |mov    eax, [ebp-8]
00458925  |.  E8 DABBFAFF |call 00404504
0045892A  |.  8B85 BCFEFFFF |mov    eax, [ebp-144]
00458930  |.  8B55 F0    |mov    edx, [ebp-10]
00458933  |.  E8 B8BAFAFF |call 004043F0                      ;  fly0DBG
00458938  |.  74 67       |je    short 004589A1                ;  nop掉
0045893A  |.  8B55 E8    |mov    edx, [ebp-18]
0045893D  |.  8B45 EC    |mov    eax, [ebp-14]
00458940  |.  E8 A7F4FCFF |call 00427DEC                      ;  W32DASM
00458945  |.  3C 01       |cmp    al, 1
00458947  |.  74 58       |je    short 004589A1                ;  nop掉
00458949  |.  8B55 E0    |mov    edx, [ebp-20]
0045894C  |.  8B45 E4    |mov    eax, [ebp-1C]
0045894F  |.  E8 98F4FCFF |call 00427DEC                      ;  DeDe
00458954  |.  3C 01       |cmp    al, 1
00458956  |.  74 49       |je    short 004589A1                ;  nop掉
00458958  |.  8D85 B4FEFFFF |lea    eax, [ebp-14C]
0045895E  |.  50          |push eax
0045895F  |.  B9 04000000 |mov    ecx, 4
00458964  |.  BA 01000000 |mov    edx, 1
00458969  |.  8B45 E4    |mov    eax, [ebp-1C]
0045896C  |.  E8 93BBFAFF |call 00404504
00458971  |.  8B85 B4FEFFFF |mov    eax, [ebp-14C]
00458977  |.  8D95 B8FEFFFF |lea    edx, [ebp-148]
0045897D  |.  E8 36F2FAFF |call 00407BB8
00458982  |.  8B85 B8FEFFFF |mov    eax, [ebp-148]
00458988  |.  8B55 DC    |mov    edx, [ebp-24]
0045898B  |.  E8 60BAFAFF |call 004043F0                      ;  DARK
00458990  |.  74 0F       |je    short 004589A1                ;  nop掉
00458992  |.  8B55 D4    |mov    edx, [ebp-2C]
00458995  |.  8B45 D8    |mov    eax, [ebp-28]
00458998  |.  E8 4FF4FCFF |call 00427DEC                      ;  SmartCheck
0045899D  |.  3C 01       |cmp    al, 1
0045899F  |.  75 2D       |jnz    short 004589CE                ;  改为jmp
004589A1  |>  8D45 C8    |lea    eax, [ebp-38]
004589A4  |.  50          |push eax                            ; /pProcessID
004589A5  |.  8B45 FC    |mov    eax, [ebp-4]                   ; |
004589A8  |.  50          |push eax                            ; |hWnd
004589A9  |.  E8 72DDFAFF |call <jmp.&user32.GetWindowThreadPro>; \GetWindowThreadProcessId
004589AE  |.  837D C8 00 |cmp    dword ptr [ebp-38], 0
004589B2  |.  74 15       |je    short 004589C9
004589B4  |.  6A FF       |push -1                            ; /ExitCode = FFFFFFFF (-1.)
004589B6  |.  8B45 C8    |mov    eax, [ebp-38]                ; |
004589B9  |.  50          |push eax                            ; |/ProcessId
004589BA  |.  6A 00       |push 0                            ; ||Inheritable = FALSE
004589BC  |.  6A 01       |push 1                            ; ||Access = TERMINATE
004589BE  |.  E8 FDD7FAFF |call <jmp.&kernel32.OpenProcess>    ; |\OpenProcess
004589C3  |.  50          |push eax                            ; |hProcess
004589C4  |.  E8 47D8FAFF |call <jmp.&kernel32.TerminateProcess>; \TerminateProcess
004589C9  |>  E8 26B5FAFF |call 00403EF4
004589CE  |>  6A 02       |push 2                            ; /Relation = GW_HWNDNEXT
004589D0  |.  8B45 FC    |mov    eax, [ebp-4]                   ; |
004589D3  |.  50          |push eax                            ; |hWnd
004589D4  |.  E8 17DDFAFF |call <jmp.&user32.GetWindow>       ; \GetWindow
004589D9  |.  8945 FC    |mov    [ebp-4], eax
004589DC  |.  837D FC 00 |cmp    dword ptr [ebp-4], 0
004589E0  |.^ 0F85 98FEFFFF \jnz    0045887E
004589E6  |>  33C0       xor    eax, eax
004589E8  |.  5A          pop    edx
004589E9  |.  59          pop    ecx
004589EA  |.  59          pop    ecx
004589EB  |.  64:8910    mov    fs:[eax], edx
004589EE  |.  68 188A4500 push 00458A18
004589F3  |>  8D85 B4FEFFFF lea    eax, [ebp-14C]
004589F9  |.  BA 05000000 mov    edx, 5
004589FE  |.  E8 05B6FAFF call 00404008
00458A03  |.  8D45 CC    lea    eax, [ebp-34]
00458A06  |.  BA 0C000000 mov    edx, 0C
00458A0B  |.  E8 F8B5FAFF call 00404008
00458A10  \.  C3          retn

busheler

雪币： 236

活跃值： (160)

能力值：

( LV8，RANK：130 )

在线值：

发帖

9

回帖

46

粉丝

0

关注

私信

busheler 3 2006-2-17 14:19: 7 楼
0

跟进call  00458070去看看：

00458070  /$  55                   push ebp
00458071  |.  8BEC                mov    ebp, esp
00458073  |.  83C4 CC             add    esp, -34
00458076  |.  33C0                xor    eax, eax
00458078  |.  8945 E4             mov    [ebp-1C], eax
0045807B  |.  33C0                xor    eax, eax
0045807D  |.  55                   push ebp
0045807E  |.  68 BB814500          push 004581BB
00458083  |.  64:FF30             push dword ptr fs:[eax]
00458086  |.  64:8920             mov    fs:[eax], esp
00458089  |.  8D55 E4             lea    edx, [ebp-1C]
0045808C  |.  33C0                xor    eax, eax
0045808E  |.  E8 51A9FAFF          call 004029E4
00458093  |.  8B45 E4             mov    eax, [ebp-1C]
00458096  |.  E8 09C4FAFF          call 004044A4
0045809B  |.  8945 E0             mov    [ebp-20], eax                   ;  取文件路径及名称
0045809E  |.  6A 00                push 0                               ; /hTemplateFile = NULL
004580A0  |.  6A 20                push 20                            ; |Attributes = ARCHIVE
004580A2  |.  6A 03                push 3                               ; |Mode = OPEN_EXISTING
004580A4  |.  6A 00                push 0                               ; |pSecurity = NULL
004580A6  |.  6A 01                push 1                               ; |ShareMode = FILE_SHARE_READ
004580A8  |.  68 00000080          push 80000000                      ; |Access = GENERIC_READ
004580AD  |.  8B45 E0             mov    eax, [ebp-20]                   ; |
004580B0  |.  50                   push eax                            ; |FileName
004580B1  |.  E8 92DFFAFF          call <jmp.&kernel32.CreateFileA>    ; \CreateFileA
004580B6  |.  8945 EC             mov    [ebp-14], eax
004580B9  |.  6A 00                push 0                               ; /pFileSizeHigh = NULL
004580BB  |.  8B45 EC             mov    eax, [ebp-14]                   ; |
004580BE  |.  50                   push eax                            ; |hFile
004580BF  |.  E8 0CE0FAFF          call <jmp.&kernel32.GetFileSize>    ; \取文件大小
004580C4  |.  8945 DC             mov    [ebp-24], eax                   ;  eax为文件大小
004580C7  |.  8B45 DC             mov    eax, [ebp-24]
004580CA  |.  50                   push eax                            ; /MemSize
004580CB  |.  6A 42                push 42                            ; |Flags = GHND
004580CD  |.  E8 7EE0FAFF          call <jmp.&kernel32.GlobalAlloc>    ; \GlobalAlloc
004580D2  |.  8945 E8             mov    [ebp-18], eax
004580D5  |.  8B45 E8             mov    eax, [ebp-18]
004580D8  |.  50                   push eax                            ; /hMem
004580D9  |.  E8 92E0FAFF          call <jmp.&kernel32.GlobalLock>    ; \GlobalLock
004580DE  |.  8945 FC             mov    [ebp-4], eax
004580E1  |.  6A 00                push 0                               ; /pOverlapped = NULL
004580E3  |.  8D45 D8             lea    eax, [ebp-28]                   ; |
004580E6  |.  50                   push eax                            ; |pBytesRead
004580E7  |.  8B45 DC             mov    eax, [ebp-24]                   ; |
004580EA  |.  50                   push eax                            ; |BytesToRead
004580EB  |.  8B45 FC             mov    eax, [ebp-4]                   ; |
004580EE  |.  50                   push eax                            ; |Buffer
004580EF  |.  8B45 EC             mov    eax, [ebp-14]                   ; |
004580F2  |.  50                   push eax                            ; |hFile
004580F3  |.  E8 D0E0FAFF          call <jmp.&kernel32.ReadFile>       ; \ReadFile
004580F8  |.  8B45 EC             mov    eax, [ebp-14]
004580FB  |.  50                   push eax                            ; /hObject
004580FC  |.  E8 2FDFFAFF          call <jmp.&kernel32.CloseHandle>    ; \CloseHandle
00458101  |.  B9 3C000000          mov    ecx, 3C
00458106  |.  034D FC             add    ecx, [ebp-4]
00458109  |.  8B09                mov    ecx, [ecx]
0045810B  |.  83C1 44             add    ecx, 44
0045810E  |.  034D FC             add    ecx, [ebp-4]
00458111  |.  8B01                mov    eax, [ecx]
00458113  |.  A3 E0DF4500          mov    [45DFE0], eax                   ;  EAX中的值入[45DFE0],用来和后面计算结果进行对比！
00458118  |.  C701 00000000       mov    dword ptr [ecx], 0
0045811E  |.  E8 EDFEFFFF          call 00458010
00458123  |.  8B55 FC             mov    edx, [ebp-4]
00458126  |.  8955 F8             mov    [ebp-8], edx
00458129  |.  837D DC 00          cmp    dword ptr [ebp-24], 0
0045812D  |.  76 64                jbe    short 00458193
0045812F  |.  8B45 DC             mov    eax, [ebp-24]
00458132  |.  85C0                test eax, eax
00458134  |.  76 4D                jbe    short 00458183
00458136  |.  8945 CC             mov    [ebp-34], eax
00458139  |.  C745 D0 01000000    mov    dword ptr [ebp-30], 1
00458140  |>  8B55 F8             /mov    edx, [ebp-8]
00458143  |.  8A02                |mov    al, [edx]
00458145  |.  0FB6C0             |movzx eax, al
00458148  |.  8945 F4             |mov    [ebp-C], eax
0045814B  |.  42                   |inc    edx
0045814C  |.  8955 F8             |mov    [ebp-8], edx
0045814F  |.  A1 2CBE4500          |mov    eax, [45BE2C]
00458154  |.  3345 F4             |xor    eax, [ebp-C]
00458157  |.  25 FF000000          |and    eax, 0FF
0045815C  |.  8945 D4             |mov    [ebp-2C], eax
0045815F  |.  A1 2CBE4500          |mov    eax, [45BE2C]
00458164  |.  C1E8 08             |shr    eax, 8
00458167  |.  25 FFFFFF00          |and    eax, 0FFFFFF
0045816C  |.  8B55 D4             |mov    edx, [ebp-2C]
0045816F  |.  330495 E0DB4500    |xor    eax, [edx*4+45DBE0]
00458176  |.  A3 2CBE4500          |mov    [45BE2C], eax
0045817B  |.  FF45 D0             |inc    dword ptr [ebp-30]             ;  每循环一次，+1
0045817E  |.  FF4D CC             |dec    dword ptr [ebp-34]             ;  每循环一次，-1
00458181  |.^ 75 BD                \jnz    short 00458140                ;  没晚没了的的运算，循环次数与文件大小相同！晕倒：（
00458183  |>  F715 2CBE4500       not    dword ptr [45BE2C]             ;  前面结果 not，运算结束！
00458189  |.  A1 2CBE4500          mov    eax, [45BE2C]                   ;  运算结果入EAX
0045818E  |.  8945 F0             mov    [ebp-10], eax
00458191  |.  EB 12                jmp    short 004581A5
00458193  |>  C705 2CBE4500 FFFFFFF>mov    dword ptr [45BE2C], -1
0045819D  |.  A1 2CBE4500          mov    eax, [45BE2C]
004581A2  |.  8945 F0             mov    [ebp-10], eax
004581A5  |>  33C0                xor    eax, eax
004581A7  |.  5A                   pop    edx
004581A8  |.  59                   pop    ecx
004581A9  |.  59                   pop    ecx
004581AA  |.  64:8910             mov    fs:[eax], edx
004581AD  |.  68 C2814500          push 004581C2
004581B2  |>  8D45 E4             lea    eax, [ebp-1C]
004581B5  |.  E8 2ABEFAFF          call 00403FE4
004581BA  \.  C3                   retn
004581BB .^ E9 28B8FAFF          jmp    004039E8
004581C0 .^ EB F0                jmp    short 004581B2
004581C2 .  8B45 F0             mov    eax, [ebp-10]
004581C5 .  8BE5                mov    esp, ebp
004581C7 .  5D                   pop    ebp
004581C8 .  C3                   retn

laomms

雪币： 560

活跃值： (309)

能力值：

( LV13，RANK：1370 )

在线值：

发帖

83

回帖

384

粉丝

7

关注

私信

laomms 34 2006-2-17 14:31: 8 楼
0

强！领教了。

busheler

雪币： 236

活跃值： (160)

能力值：

( LV8，RANK：130 )

在线值：

发帖

9

回帖

46

粉丝

0

关注

私信

busheler 3 2006-2-17 14:31: 9 楼
0

因为未监测OllyICE，脱壳后文件可以用OllyICE载入，在0045971F处下断点，F9运行,直接被断下,je改为jmp就可运行.

我用UltraEdit把"7405"改为"EB05"，运行有出错，但可以到主界面！好奇怪：

这个壳比较软，我脱壳水平奇丑，学习中......

mirrormask

雪币： 242

活跃值： (135)

能力值：

( LV8，RANK：130 )

在线值：

发帖

8

回帖

64

粉丝

1

关注

私信

mirrormask 3 2006-2-17 14:34: 10 楼
0

antidbg我都没发现....

busheler

雪币： 236

活跃值： (160)

能力值：

( LV8，RANK：130 )

在线值：

发帖

9

回帖

46

粉丝

0

关注

私信

busheler 3 2006-2-18 00:07: 11 楼
0

图好漂亮：）
可惜注册算法还没有出来里！

Ryosuke

雪币： 370

活跃值： (78)

能力值：

( LV9，RANK：970 )

在线值：

发帖

26

回帖

196

粉丝

2

关注

私信

Ryosuke 24 2006-2-18 17:47: 12 楼
0

我来说说我的分析：
跟了2个多小时，说说我的理解。目前还只对name就行了分析，剩下的部分等有时间再做。目前分析用到的算法有md5,sha。
004597EC  /.  55          push ebp
004597ED  |.  8BEC       mov    ebp, esp
004597EF  |.  B9 0B000000 mov    ecx, 0B
004597F4  |>  6A 00       /push 0
004597F6  |.  6A 00       |push 0
004597F8  |.  49          |dec    ecx
004597F9  |.^ 75 F9       \jnz    short 004597F4
004597FB  |.  53          push ebx
004597FC  |.  56          push esi
004597FD  |.  8955 C4    mov    [ebp-3C], edx
00459800  |.  8945 FC    mov    [ebp-4], eax
00459803  |.  33C0       xor    eax, eax
00459805  |.  55          push ebp
00459806  |.  68 6E9A4500 push 00459A6E
0045980B  |.  64:FF30    push dword ptr fs:[eax]
0045980E  |.  64:8920    mov    fs:[eax], esp
00459811  |.  8D55 C0    lea    edx, [ebp-40]
00459814  |.  8B45 FC    mov    eax, [ebp-4]
00459817  |.  8B80 04030000 mov    eax, [eax+304]
0045981D  |.  E8 C6B7FDFF call 00434FE8                      ;  get serail
00459822  |.  8B45 C0    mov    eax, [ebp-40]                ;  serail string
00459825  |.  E8 7AAAFAFF call 004042A4
0045982A  |.  83F8 10    cmp    eax, 10
0045982D  |.  0F85 E1010000 jnz    00459A14
00459833  |.  8D55 F8    lea    edx, [ebp-8]
00459836  |.  8B45 FC    mov    eax, [ebp-4]
00459839  |.  8B80 F8020000 mov    eax, [eax+2F8]
0045983F  |.  E8 A4B7FDFF call 00434FE8                      ;  get name
00459844  |.  8B45 F8    mov    eax, [ebp-8]                   ;  name string
00459847  |.  E8 80E9FFFF call 004581CC                      ;  加密name
0045984C  |.  8945 F4    mov    [ebp-C], eax
0045984F  |.  8D45 F8    lea    eax, [ebp-8]
00459852  |.  E8 2DF7FFFF call 00458F84                      ;  getproductid
00459857  |.  8B45 F8    mov    eax, [ebp-8]
0045985A  |.  E8 6DE9FFFF call 004581CC                      ;  加密productid
0045985F  |.  3145 F4    xor    [ebp-C], eax                   ;  xor 加密name 和加密productid 为important
00459862  |.  8D45 F8    lea    eax, [ebp-8]
00459865  |.  E8 7AA7FAFF call 00403FE4
0045986A  |.  8B45 F4    mov    eax, [ebp-C]
0045986D  |.  33D2       xor    edx, edx
0045986F  |.  52          push edx                            ; /Arg2 => 00000000
00459870  |.  50          push eax                            ; |Arg1
00459871  |.  8D55 D4    lea    edx, [ebp-2C]                ; |
00459874  |.  B8 08000000 mov    eax, 8                         ; |
00459879  |.  E8 C6E7FAFF call 00408044                      ; \dumped_1.00408044 将important变成16进制的字符串形式strimportant
0045987E  |.  8D55 BC    lea    edx, [ebp-44]
00459881    8B45 D4    mov    eax, [ebp-2C]                ;  上面的结果转换成的字符strimportant
00459884  |.  E8 2BE7FFFF call 00457FB4                      ;  md5变换上面的strimportant
00459889    8B45 BC    mov    eax, [ebp-44];变换结果string1
0045988C  |.  8D55 D0    lea    edx, [ebp-30]
0045988F  |.  E8 24E3FAFF call 00407BB8                      ;  大写变换string1
00459894  |.  8D55 B4    lea    edx, [ebp-4C]
00459897  |.  8B45 D0    mov    eax, [ebp-30]
0045989A  |.  E8 29C9FFFF call 004561C8                      ;  sha变换string1
0045989F  |.  8B45 B4    mov    eax, [ebp-4C]                ;  变换结果String2
004598A2  |.  8D55 B8    lea    edx, [ebp-48]
004598A5  |.  E8 0EE3FAFF call 00407BB8                      ;  大写变换String2
004598AA  |.  8B55 B8    mov    edx, [ebp-48]                ;  String2的大写字符串
004598AD  |.  8D45 D0    lea    eax, [ebp-30]
004598B0  |.  E8 C7A7FAFF call 0040407C
004598B5  |.  8B45 D0    mov    eax, [ebp-30]
004598B8  |.  E8 E3EBFFFF call 004584A0                      ;  目前分析到这里
004598BD  |.  8B45 F4    mov    eax, [ebp-C]
004598C0  |.  33D2       xor    edx, edx
004598C2  |.  8945 D8    mov    [ebp-28], eax
004598C5  |.  8955 DC    mov    [ebp-24], edx
004598C8  |.  FF75 DC    push dword ptr [ebp-24]             ; /Arg2
004598CB  |.  FF75 D8    push dword ptr [ebp-28]             ; |Arg1
004598CE  |.  E8 6DEAFFFF call 00458340                      ; \dumped_1.00458340
004598D3  |.  52          push edx                            ; /Arg2
004598D4  |.  50          push eax                            ; |Arg1
004598D5  |.  8D55 CC    lea    edx, [ebp-34]                ; |
004598D8  |.  33C0       xor    eax, eax                      ; |
004598DA  |.  E8 65E7FAFF call 00408044                      ; \dumped_1.00408044
004598DF  |.  B8 849A4500 mov    eax, 00459A84                ;  ASCII "kernel32.dll"
004598E4  |.  E8 B7EBFFFF call 004584A0
004598E9  |.  8D55 B0    lea    edx, [ebp-50]
004598EC  |.  8B45 FC    mov    eax, [ebp-4]
004598EF  |.  8B80 04030000 mov    eax, [eax+304]
004598F5  |.  E8 EEB6FDFF call 00434FE8
004598FA  |.  8B45 B0    mov    eax, [ebp-50]
004598FD  |.  E8 F6CFFFFF call 004568F8
00459902  |.  8945 D8    mov    [ebp-28], eax
00459905  |.  8955 DC    mov    [ebp-24], edx
00459908  |.  FF75 DC    push dword ptr [ebp-24]             ; /Arg2
0045990B  |.  FF75 D8    push dword ptr [ebp-28]             ; |Arg1
0045990E  |.  E8 7DE9FFFF call 00458290                      ; \dumped_1.00458290
00459913  |.  52          push edx                            ; /Arg2
00459914  |.  50          push eax                            ; |Arg1
00459915  |.  8D55 C8    lea    edx, [ebp-38]                ; |
00459918  |.  33C0       xor    eax, eax                      ; |
0045991A  |.  E8 25E7FAFF call 00408044                      ; \dumped_1.00408044
0045991F  |.  8B45 F4    mov    eax, [ebp-C]
00459922  |.  33D2       xor    edx, edx
00459924  |.  52          push edx                            ; /Arg2 => 00000000
00459925  |.  50          push eax                            ; |Arg1
00459926  |.  8D55 A8    lea    edx, [ebp-58]                ; |
00459929  |.  33C0       xor    eax, eax                      ; |
0045992B  |.  E8 14E7FAFF call 00408044                      ; \dumped_1.00408044
00459930  |.  8B45 A8    mov    eax, [ebp-58]
00459933  |.  8D55 AC    lea    edx, [ebp-54]
00459936  |.  E8 7DE2FAFF call 00407BB8
0045993B  |.  8B55 AC    mov    edx, [ebp-54] ;strimportant
0045993E  |.  8B45 C8    mov    eax, [ebp-38] ;serail解密成的字符串
00459941  |.  E8 AAAAFAFF call 004043F0                      ;  比较函数
00459946    0F85 C8000000 jnz    00459A14  ;关键跳 jz掉就爆破了
0045994C  |.  8D45 F0    lea    eax, [ebp-10]
0045994F  |.  BA 9C9A4500 mov    edx, 00459A9C
00459954  |.  E8 23A7FAFF call 0040407C
00459959  |.  8D45 EC    lea    eax, [ebp-14]
0045995C  |.  BA B49A4500 mov    edx, 00459AB4
00459961  |.  E8 16A7FAFF call 0040407C
00459966  |.  C745 E4 01000>mov    dword ptr [ebp-1C], 1
0045996D  |>  8D45 F0    /lea    eax, [ebp-10]
00459970  |.  E8 87ABFAFF |call 004044FC
00459975  |.  8B55 E4    |mov    edx, [ebp-1C]
00459978  |.  8B4D F0    |mov    ecx, [ebp-10]
0045997B  |.  8B5D E4    |mov    ebx, [ebp-1C]
0045997E  |.  8A4C19 FF    |mov    cl, [ecx+ebx-1]
00459982  |.  8B5D EC    |mov    ebx, [ebp-14]
00459985  |.  8B75 E4    |mov    esi, [ebp-1C]
00459988  |.  8A5C33 FF    |mov    bl, [ebx+esi-1]
0045998C  |.  32CB       |xor    cl, bl
0045998E  |.  884C10 FF    |mov    [eax+edx-1], cl
00459992  |.  FF45 E4    |inc    dword ptr [ebp-1C]
00459995  |.  837D E4 10 |cmp    dword ptr [ebp-1C], 10
00459999  |.^ 75 D2       \jnz    short 0045996D
0045999B  |.  8D45 E8    lea    eax, [ebp-18]
0045999E  |.  8B55 F0    mov    edx, [ebp-10]
004599A1  |.  E8 D6A6FAFF call 0040407C
004599A6  |.  8B45 FC    mov    eax, [ebp-4]
004599A9  |.  8B80 14030000 mov    eax, [eax+314]
004599AF  |.  8B40 68    mov    eax, [eax+68]
004599B2  |.  BA FF000000 mov    edx, 0FF
004599B7  |.  E8 F82DFCFF call 0041C7B4
004599BC  |.  8B45 FC    mov    eax, [ebp-4]
004599BF  |.  8B80 14030000 mov    eax, [eax+314]
004599C5  |.  8B40 68    mov    eax, [eax+68]
004599C8  |.  8A15 C49A4500 mov    dl, [459AC4]
004599CE  |.  E8 AD30FCFF call 0041CA80
004599D3  |.  8B55 E8    mov    edx, [ebp-18]
004599D6  |.  8B45 FC    mov    eax, [ebp-4]
004599D9  |.  8B80 14030000 mov    eax, [eax+314]
004599DF  |.  E8 34B6FDFF call 00435018
004599E4  |.  33D2       xor    edx, edx
004599E6  |.  8B45 FC    mov    eax, [ebp-4]
004599E9  |.  8B80 F8020000 mov    eax, [eax+2F8]
004599EF  |.  8B08       mov    ecx, [eax]
004599F1  |.  FF51 64    call [ecx+64]
004599F4  |.  33D2       xor    edx, edx
004599F6  |.  8B45 FC    mov    eax, [ebp-4]
004599F9  |.  8B80 04030000 mov    eax, [eax+304]
004599FF  |.  8B08       mov    ecx, [eax]
00459A01  |.  FF51 64    call [ecx+64]
00459A04  |.  33D2       xor    edx, edx
00459A06  |.  8B45 FC    mov    eax, [ebp-4]
00459A09  |.  8B80 0C030000 mov    eax, [eax+30C]
00459A0F  |.  8B08       mov    ecx, [eax]
00459A11  |.  FF51 64    call [ecx+64]
00459A14  |>  33C0       xor    eax, eax
00459A16  |.  5A          pop    edx
00459A17  |.  59          pop    ecx
00459A18  |.  59          pop    ecx
00459A19  |.  64:8910    mov    fs:[eax], edx
00459A1C  |.  68 759A4500 push 00459A75
00459A21  |>  8D45 A8    lea    eax, [ebp-58]
00459A24  |.  BA 02000000 mov    edx, 2
00459A29  |.  E8 DAA5FAFF call 00404008
00459A2E  |.  8D45 B0    lea    eax, [ebp-50]
00459A31  |.  E8 AEA5FAFF call 00403FE4
00459A36  |.  8D45 B4    lea    eax, [ebp-4C]
00459A39  |.  BA 03000000 mov    edx, 3
00459A3E  |.  E8 C5A5FAFF call 00404008
00459A43  |.  8D45 C0    lea    eax, [ebp-40]
00459A46  |.  E8 99A5FAFF call 00403FE4
00459A4B  |.  8D45 C8    lea    eax, [ebp-38]
00459A4E  |.  BA 04000000 mov    edx, 4
00459A53  |.  E8 B0A5FAFF call 00404008
00459A58  |.  8D45 E8    lea    eax, [ebp-18]
00459A5B  |.  BA 03000000 mov    edx, 3
00459A60  |.  E8 A3A5FAFF call 00404008
00459A65  |.  8D45 F8    lea    eax, [ebp-8]
00459A68  |.  E8 77A5FAFF call 00403FE4
00459A6D  \.  C3          retn

关于serail如何解密成important变成的字符串，还没来得及分析。会尽快贴?的。

Ryosuke

雪币： 370

活跃值： (78)

能力值：

( LV9，RANK：970 )

在线值：

发帖

26

回帖

196

粉丝

2

关注

私信

Ryosuke 24 2006-2-18 17:50: 13 楼
0

Ryosuke

雪币： 370

活跃值： (78)

能力值：

( LV9，RANK：970 )

在线值：

发帖

26

回帖

196

粉丝

2

关注

私信

Ryosuke 24 2006-2-18 18:11: 14 楼
0

mirrormask

雪币： 242

活跃值： (135)

能力值：

( LV8，RANK：130 )

在线值：

发帖

8

回帖

64

粉丝

1

关注

私信

mirrormask 3 2006-2-18 19:32: 15 楼
0

佩服！！密码学...

happytown

雪币： 721

活跃值： (350)

能力值：

( LV9，RANK：1250 )

在线值：

发帖

131

回帖

1014

粉丝

1

关注

私信

happytown 31 2006-2-18 20:45: 16 楼
0

1、其实，这个CrackMe算不上加壳，所以不存在壳软不软的问题，只是想让peid判断无效而已；

2、Ryosuke和busheler分析的都很不错，希望能尽快做出注册机！

busheler

雪币： 236

活跃值： (160)

能力值：

( LV8，RANK：130 )

在线值：

发帖

9

回帖

46

粉丝

0

关注

私信

busheler 3 2006-2-19 04:23: 17 楼
0

注册跟踪：

此处即为注册码验证段，计算套计算，有点偏复杂，程序是自动监测文本框中内容，所以前面用过的断点全部去掉，并在0045982D下断点，为什么？因为你每输入一次注册码，程序就会自动监测一次，并判断是否等于16位。

004597EC  /.  55          push ebp
004597ED  |.  8BEC       mov    ebp, esp
004597EF  |.  B9 0B000000 mov    ecx, 0B
004597F4  |>  6A 00       /push 0
004597F6  |.  6A 00       |push 0
004597F8  |.  49          |dec    ecx
004597F9  |.^ 75 F9       \jnz    short 004597F4
004597FB  |.  53          push ebx
004597FC  |.  56          push esi
004597FD  |.  8955 C4    mov    [ebp-3C], edx
00459800  |.  8945 FC    mov    [ebp-4], eax
00459803  |.  33C0       xor    eax, eax
00459805  |.  55          push ebp
00459806  |.  68 6E9A4500 push 00459A6E
0045980B  |.  64:FF30    push dword ptr fs:[eax]
0045980E  |.  64:8920    mov    fs:[eax], esp
00459811  |.  8D55 C0    lea    edx, [ebp-40]
00459814  |.  8B45 FC    mov    eax, [ebp-4]
00459817  |.  8B80 04030000 mov    eax, [eax+304]
0045981D  |.  E8 C6B7FDFF call 00434FE8                      ;  取输入注册码！
00459822  |.  8B45 C0    mov    eax, [ebp-40]                   ;  入EAX
00459825  |.  E8 7AAAFAFF call 004042A4                      ;  取长度?
0045982A  |.  83F8 10    cmp    eax, 10                         ;  是否为16位
0045982D  |.  0F85 E1010000 jnz    00459A14                      ;  不等跳,相等继续!
00459833  |.  8D55 F8    lea    edx, [ebp-8]
00459836  |.  8B45 FC    mov    eax, [ebp-4]
00459839  |.  8B80 F8020000 mov    eax, [eax+2F8]
0045983F  |.  E8 A4B7FDFF call 00434FE8                      ;  取用户名
00459844  |.  8B45 F8    mov    eax, [ebp-8]                   ;  入EAX
00459847  |.  E8 80E9FFFF call 004581CC                      ;  用户名去做运算！运算结果在EAX
0045984C  |.  8945 F4    mov    [ebp-C], eax
0045984F  |.  8D45 F8    lea    eax, [ebp-8]
00459852  |.  E8 2DF7FFFF call 00458F84                      ;  取操作系统ProductId
00459857  |.  8B45 F8    mov    eax, [ebp-8]
0045985A  |.  E8 6DE9FFFF call 004581CC                      ;  操作系统ProductId去做运算,运算结果在EAX(和用户名运算方式相同)
0045985F  |.  3145 F4    xor    [ebp-C], eax                   ;  xor(结果1,结果2)
00459862  |.  8D45 F8    lea    eax, [ebp-8]
00459865  |.  E8 7AA7FAFF call 00403FE4
0045986A  |.  8B45 F4    mov    eax, [ebp-C]
0045986D  |.  33D2       xor    edx, edx
0045986F  |.  52          push edx                            ; /Arg2 => 00000000
00459870  |.  50          push eax                            ; |xor(结果1,结果2)
00459871  |.  8D55 D4    lea    edx, [ebp-2C]                   ; |
00459874  |.  B8 08000000 mov    eax, 8                         ; |
00459879  |.  E8 C6E7FAFF call 00408044                      ; \转字符串
0045987E  |.  8D55 BC    lea    edx, [ebp-44]
00459881  |.  8B45 D4    mov    eax, [ebp-2C]
00459884  |.  E8 2BE7FFFF call 00457FB4                      ;  MD5（xor(结果1,结果2)）
00459889  |.  8B45 BC    mov    eax, [ebp-44]
0045988C  |.  8D55 D0    lea    edx, [ebp-30]
0045988F  |.  E8 24E3FAFF call 00407BB8                      ;  小写转大写
00459894  |.  8D55 B4    lea    edx, [ebp-4C]
00459897  |.  8B45 D0    mov    eax, [ebp-30]
0045989A  |.  E8 29C9FFFF call 004561C8                      ;  去进行运算？NO。。。应该是固定字符串,但不确定

;"3f18be73e44fa27b6a6bf9b13066cd5563df63b5"
0045989F  |.  8B45 B4    mov    eax, [ebp-4C]
004598A2  |.  8D55 B8    lea    edx, [ebp-48]
004598A5  |.  E8 0EE3FAFF call 00407BB8                      ;  结果小写转大写，

"3F18BE73E44FA27B6A6BF9B13066CD5563DF63B5"
004598AA  |.  8B55 B8    mov    edx, [ebp-48]
004598AD  |.  8D45 D0    lea    eax, [ebp-30]
004598B0  |.  E8 C7A7FAFF call 0040407C
004598B5  |.  8B45 D0    mov    eax, [ebp-30]
004598B8  |.  E8 E3EBFFFF call 004584A0                      ;  去进行一长串的运算
004598BD  |.  8B45 F4    mov    eax, [ebp-C]
004598C0  |.  33D2       xor    edx, edx
004598C2  |.  8945 D8    mov    [ebp-28], eax
004598C5  |.  8955 DC    mov    [ebp-24], edx
004598C8  |.  FF75 DC    push dword ptr [ebp-24]             ; /Arg2
004598CB  |.  FF75 D8    push dword ptr [ebp-28]             ; |xor(结果1,结果2)
004598CE  |.  E8 6DEAFFFF call 00458340                      ; \去运算
004598D3  |.  52          push edx                            ; /运算结果前8位
004598D4  |.  50          push eax                            ; |运算结果后8位
004598D5  |.  8D55 CC    lea    edx, [ebp-34]                   ; |
004598D8  |.  33C0       xor    eax, eax                      ; |
004598DA  |.  E8 65E7FAFF call 00408044                      ; \连接成字符串
004598DF  |.  B8 849A4500 mov    eax, 00459A84                   ;  kernel32.dll
004598E4  |.  E8 B7EBFFFF call 004584A0                      ;  字符串“kernel32.dll”又是一长串的运算???
004598E9  |.  8D55 B0    lea    edx, [ebp-50]
004598EC  |.  8B45 FC    mov    eax, [ebp-4]
004598EF  |.  8B80 04030000 mov    eax, [eax+304]
004598F5  |.  E8 EEB6FDFF call 00434FE8
004598FA  |.  8B45 B0    mov    eax, [ebp-50]                   ;  注册码入EAX
004598FD  |.  E8 F6CFFFFF call 004568F8                      ;  16位注册码字符串转为数
00459902  |.  8945 D8    mov    [ebp-28], eax                   ;  EAX中为后8位
00459905  |.  8955 DC    mov    [ebp-24], edx                   ;  EDX中为前8位
00459908  |.  FF75 DC    push dword ptr [ebp-24]             ; /前8位
0045990B  |.  FF75 D8    push dword ptr [ebp-28]             ; |后8位
0045990E  |.  E8 7DE9FFFF call 00458290                      ; \去运算！
00459913  |.  52          push edx                            ; /运算结果前8位
00459914  |.  50          push eax                            ; |运算结后8位
00459915  |.  8D55 C8    lea    edx, [ebp-38]                   ; |
00459918  |.  33C0       xor    eax, eax                      ; |
0045991A  |.  E8 25E7FAFF call 00408044                      ; \连接成字符串
0045991F  |.  8B45 F4    mov    eax, [ebp-C]
00459922  |.  33D2       xor    edx, edx
00459924  |.  52          push edx                            ; /Arg2 => 00000000
00459925  |.  50          push eax                            ; |xor(结果1,结果2)
00459926  |.  8D55 A8    lea    edx, [ebp-58]                   ; |
00459929  |.  33C0       xor    eax, eax                      ; |
0045992B  |.  E8 14E7FAFF call 00408044                      ; \连接成字符串
00459930  |.  8B45 A8    mov    eax, [ebp-58]
00459933  |.  8D55 AC    lea    edx, [ebp-54]
00459936  |.  E8 7DE2FAFF call 00407BB8
0045993B  |.  8B55 AC    mov    edx, [ebp-54]
0045993E  |.  8B45 C8    mov    eax, [ebp-38]
00459941  |.  E8 AAAAFAFF call 004043F0                      ;  比较两个字符串是否相等
00459946    0F85 C8000000 jnz    00459A14                      ;  不等跳!nop掉即爆掉了!:)
0045994C  |.  8D45 F0    lea    eax, [ebp-10]
0045994F  |.  BA 9C9A4500 mov    edx, 00459A9C
00459954  |.  E8 23A7FAFF call 0040407C
00459959  |.  8D45 EC    lea    eax, [ebp-14]
0045995C  |.  BA B49A4500 mov    edx, 00459AB4

busheler

雪币： 236

活跃值： (160)

能力值：

( LV8，RANK：130 )

在线值：

发帖

9

回帖

46

粉丝

0

关注

私信

busheler 3 2006-2-19 04:33: 18 楼
0

call 004581CC 还好些

call 004584A0 太繁琐，循环次数老多，循环套循环，确实太费时间了

mirrormask

雪币： 242

活跃值： (135)

能力值：

( LV8，RANK：130 )

在线值：

发帖

8

回帖

64

粉丝

1

关注

私信

mirrormask 3 2006-2-19 10:34: 19 楼
0

最初由 busheler 发布
call 004581CC 还好些

call 004584A0 太繁琐，循环次数老多，循环套循环，确实太费时间了

可以用ida辅助分析：）

mirrormask

雪币： 242

活跃值： (135)

能力值：

( LV8，RANK：130 )

在线值：

发帖

8

回帖

64

粉丝

1

关注

私信

mirrormask 3 2006-2-19 15:04: 20 楼
0

0045981D       |. >call <CrackMe_.TControl::GetText(void)>
00459822       |. >mov eax,dword ptr ss:[ebp-40]
00459825       |. >call <CrackMe_.System::_16823>
0045982A       |. >cmp eax,10
0045982D       |. >jnz <CrackMe_.DeadJmp>
00459833       |. >lea edx,dword ptr ss:[ebp-8]
00459836       |. >mov eax,dword ptr ss:[ebp-4]
00459839       |. >mov eax,dword ptr ds:[eax+2F8]
0045983F       |. >call <CrackMe_.TControl::GetText(void)>
00459844       |. >mov eax,dword ptr ss:[ebp-8]
00459847       |. >call <CrackMe_.transform>
0045984C       |. >mov dword ptr ss:[ebp-C],eax
0045984F       |. >lea eax,dword ptr ss:[ebp-8]
00459852       |. >call <CrackMe_.getMacinecode>
00459857       |. >mov eax,dword ptr ss:[ebp-8]
0045985A       |. >call <CrackMe_.transform>
0045985F       |. >xor dword ptr ss:[ebp-C],eax
00459862       |. >lea eax,dword ptr ss:[ebp-8]
00459865       |. >call <CrackMe_.System::__linkproc__ LStrClr(Syste>;  destroy the temporary string
0045986A       |. >mov eax,dword ptr ss:[ebp-C]
0045986D       |. >xor edx,edx
0045986F       |. >push edx                                        ; /Arg2 => 00000000
00459870       |. >push eax                                        ; |Arg1
00459871       |. >lea edx,dword ptr ss:[ebp-2C]                   ; |
00459874       |. >mov eax,8                                        ; |
00459879       |. >call <CrackMe_.numTostring>                      ; \sub_408044
0045987E       |. >lea edx,dword ptr ss:[ebp-44]
00459881       |. >mov eax,dword ptr ss:[ebp-2C]
00459884       |. >call <CrackMe_.TOMD5>
00459889       |. >mov eax,dword ptr ss:[ebp-44]
0045988C       |. >lea edx,dword ptr ss:[ebp-30]
0045988F       |. >call <CrackMe_.low_to_up>
00459894       |. >lea edx,dword ptr ss:[ebp-4C]
00459897       |. >mov eax,dword ptr ss:[ebp-30]
0045989A       |. >call <CrackMe_.TO_SHA1>
0045989F       |. >mov eax,dword ptr ss:[ebp-4C]
004598A2       |. >lea edx,dword ptr ss:[ebp-48]
004598A5       |. >call <CrackMe_.low_to_up>
004598AA       |. >mov edx,dword ptr ss:[ebp-48]
004598AD       |. >lea eax,dword ptr ss:[ebp-30]
004598B0       |. >call <CrackMe_.System::__linkproc__ LStrLAsg(void>
004598B5       |. >mov eax,dword ptr ss:[ebp-30]
004598B8       |. >call <CrackMe_.blowfish_init>
004598BD       |. >mov eax,dword ptr ss:[ebp-C]
004598C0       |. >xor edx,edx
004598C2       |. >mov dword ptr ss:[ebp-28],eax
004598C5       |. >mov dword ptr ss:[ebp-24],edx
004598C8       |. >push dword ptr ss:[ebp-24]                      ; /Arg2
004598CB       |. >push dword ptr ss:[ebp-28]                      ; |Arg1
004598CE       |. >call <CrackMe_.Blowfish_Encrypt>                ; \sub_458340
004598D3       |. >push edx                                        ; /Arg2
004598D4       |. >push eax                                        ; |Arg1
004598D5       |. >lea edx,dword ptr ss:[ebp-34]                   ; |
004598D8       |. >xor eax,eax                                     ; |
004598DA       |. >call <CrackMe_.numTostring>                      ; \sub_408044
004598DF       |. >mov eax,CrackMe_.00459A84                      ;  ASCII "kernel32.dll"
004598E4       |. >call <CrackMe_.blowfish_init>
004598E9       |. >lea edx,dword ptr ss:[ebp-50]
004598EC       |. >mov eax,dword ptr ss:[ebp-4]
004598EF       |. >mov eax,dword ptr ds:[eax+304]
004598F5       |. >call <CrackMe_.TControl::GetText(void)>
004598FA       |. >mov eax,dword ptr ss:[ebp-50]
004598FD       |. >call <CrackMe_.stringToNum>
00459902       |. >mov dword ptr ss:[ebp-28],eax
00459905       |. >mov dword ptr ss:[ebp-24],edx
00459908       |. >push dword ptr ss:[ebp-24]                      ; /Arg2
0045990B       |. >push dword ptr ss:[ebp-28]                      ; |Arg1
0045990E       |. >call <CrackMe_.snChange>                         ; \sub_458290
00459913       |. >push edx                                        ; /Arg2
00459914       |. >push eax                                        ; |Arg1
00459915       |. >lea edx,dword ptr ss:[ebp-38]                   ; |
00459918       |. >xor eax,eax                                     ; |
0045991A       |. >call <CrackMe_.numTostring>                      ; \sub_408044
0045991F       |. >mov eax,dword ptr ss:[ebp-C]
00459922       |. >xor edx,edx
00459924       |. >push edx                                        ; /Arg2 => 00000000
00459925       |. >push eax                                        ; |Arg1
00459926       |. >lea edx,dword ptr ss:[ebp-58]                   ; |
00459929       |. >xor eax,eax                                     ; |
0045992B       |. >call <CrackMe_.numTostring>                      ; \sub_408044
00459930       |. >mov eax,dword ptr ss:[ebp-58]
00459933       |. >lea edx,dword ptr ss:[ebp-54]
00459936       |. >call <CrackMe_.low_to_up>
0045993B       |. >mov edx,dword ptr ss:[ebp-54] ;8位
0045993E       |. >mov eax,dword ptr ss:[ebp-38] ；16位
00459941       |. >call <CrackMe_.System::__linkproc__ LStrCmp(void)>
00459946       |. >jnz <CrackMe_.DeadJmp>

最后总是8位和16位的比较，不知何故
中间的md5和sha1和blowfish似乎没有用到....

00459913       |. >push edx                                        ; /Arg2
00459914       |. >push eax                                        ; |Arg1
00459915       |. >lea edx,dword ptr ss:[ebp-38]                   ; |
00459918       |. >xor eax,eax                                     ; |
0045991A       |. >call <CrackMe_.numTostring>                      ; \sub_408044

这里出16位字符串

00459924       |. >push edx                                        ; /Arg2 => 00000000
00459925       |. >push eax                                        ; |Arg1
00459926       |. >lea edx,dword ptr ss:[ebp-58]                   ; |
00459929       |. >xor eax,eax                                     ; |
0045992B       |. >call <CrackMe_.numTostring>                      ; \sub_408044

这里出8位

Ryosuke

雪币： 370

活跃值： (78)

能力值：

( LV9，RANK：970 )

在线值：

发帖

26

回帖

196

粉丝

2