******************************
* - xxxxxGIS DK8 破解手记 *
* - by AZMC.13 *
* - 2006.05 *
******************************
第零部分:磨刀
==============
1) 使用 PEInfo/PEScan/ASProtect/UPXShell 等工具,查看 xxxxxGIS.EXE 相关加壳、开发工具等信息,没有
加壳,使用 Delphi 开发。
2) 使用Delphi反汇编工具 DeDe,反汇编 xxxxxGIS.EXE,查看关键 API 的引用情况。
3) 使用 OllyDebug 调试工具开膛破肚。
4) 准备 CryptTool,用于各种加密算法的验证。
5) 启动 Windows 任务管理器,记录当前进程;然后,启动 xxxxxGIS.EXE,发现,任务管理器列表里面多了两个进程:xxxxxGIS.EXE
和 INS??.tmp,然后,退出安装,这两个进程消失,这说明,xxxxxGIS 的安装是双进程安装过程。
第一部分: 概述
==============
xxxxxGIS DK8 的安装过程如下:运行 xxxxxGIS.exe 安装程序,在系统当前用户的临时目录(例如 C:\Documents and Settings\
Dou Dou\Local Settings\Temp),生成一个辅助安装程序INS??.tmp,然后,使用 Windows API CreateProcess 按下列命令行格式
创建辅助安装进程:
"C:\DOCUME~1\AZITHR~1\LOCALS~1\Temp\INS51.tmp /SL3 $D600E6 D:\xTemp\xxxxxGIS\xxxxxGIS.exe 6968069 6971485 78336 ",
xxxxxGIS 进程等待/守护 INS??.tmp 结束并清理现场退出。
xxxxxGIS 中下断处:0040E40C,可以查看创建安装进程的详细信息:
0040E40C |. 50 push eax ; |CommandLine,创建实际的安装进程:INS??.tmp
0040E40D |. 6A 00 push 0 ; |ModuleFileName = NULL
0040E40F |. E8 746AFFFF call <jmp.&kernel32.CreateProcessA> ; \CreateProcessA
0040E414 |. 85C0 test eax,eax
0040E416 |. 75 07 jnz short xxxxxGIS.0040E41F
安装进程 INS51.tmp 命令行参数说明:
/SL3 -------- 在 INS?? 安装进程中,用于比较验证,仅此而已
$D600E6 ----- 可变,在 INS?? 安装进程中,转换成16进制数字后0xD600E6,没看到什么用途,希望不是什么暗桩:(
6968069 ----- 安装提示信息压缩块,在 xxxxxGIS.exe 中的偏移
6971485 ----- 安装界面信息压缩块,在 xxxxxGIS.exe 中的偏移
78336 ------- xxxxxGIS DK8 源码压缩块,在 xxxxxGIS.exe 中的偏移
第二部分:INS??.tmp 安装进程
===========================
在 OllyDebug 中,以上述命令行形式,直接加载 INS??.tmp 进程,下断列表如下:
下断处:0048BE00
0048BE00 /. 55 push ebp ; 安装向导 [下一步] 处理入口
0048BE01 |. 8BEC mov ebp,esp
0048BE03 |. 83C4 EC add esp,-14
0048BE06 |. 53 push ebx
0048BE07 |. 8945 FC mov dword ptr ss:[ebp-4],eax
0048BE0A |. 8D5D FC lea ebx,dword ptr ss:[ebp-4]
0048BE0D |. 8B03 mov eax,dword ptr ds:[ebx]
0048BE0F |. 8A80 00040000 mov al,byte ptr ds:[eax+400]
0048BE15 |. 2C 02 sub al,2 ; Switch (cases 2..6)
0048BE17 |. 74 0E je short INS.0048BE27
0048BE19 |. 2C 02 sub al,2
0048BE1B |. 74 1B je short INS.0048BE38
0048BE1D |. FEC8 dec al
0048BE1F |. 74 28 je short INS.0048BE49
0048BE21 |. FEC8 dec al
0048BE23 |. 74 35 je short INS.0048BE5A
0048BE25 |. EB 42 jmp short INS.0048BE69
0048BE27 |> 55 push ebp ; Case 2 of switch 0048BE15
0048BE28 |. E8 97F5FFFF call INS.0048B3C4 ; 输入密码后,按 [下一步] 处理入口
0048BE2D |. 59 pop ecx
0048BE2E |. 84C0 test al,al
0048BE30 |. 0F84 06010000 je INS.0048BF3C
0048BE36 |. EB 31 jmp short INS.0048BE69
0048BE38 |> 55 push ebp ; Case 4 of switch 0048BE15
0048BE39 |. E8 9AF8FFFF call INS.0048B6D8
0048BE3E |. 59 pop ecx
0048BE3F |. 84C0 test al,al
0048BE41 |. 0F84 F5000000 je INS.0048BF3C
下断处:0048B3C4
0048B3C4 /$ 55 push ebp ; 密码处理入口
0048B3C5 |. 8BEC mov ebp,esp
0048B3C7 |. 83C4 E8 add esp,-18
0048B3CA |. 53 push ebx
0048B3CB |. 56 push esi
0048B3CC |. 33C0 xor eax,eax
0048B3CE |. 8945 F8 mov dword ptr ss:[ebp-8],eax
0048B3D1 |. 8945 FC mov dword ptr ss:[ebp-4],eax
0048B3D4 |. 33C0 xor eax,eax
0048B3D6 |. 55 push ebp
0048B3D7 |. 68 44B54800 push INS.0048B544
0048B3DC |. 64:FF30 push dword ptr fs:[eax]
0048B3DF |. 64:8920 mov dword ptr fs:[eax],esp
0048B3E2 |. 33DB xor ebx,ebx
0048B3E4 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
0048B3E7 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
0048B3EA |. 8B40 FC mov eax,dword ptr ds:[eax-4]
0048B3ED |. 8B80 34030000 mov eax,dword ptr ds:[eax+334]
0048B3F3 |. E8 905FFBFF call INS.00441388 ; 获取输入的密码
0048B3F8 |. 8B55 F8 mov edx,dword ptr ss:[ebp-8] ; 密码
0048B3FB |. A1 D85F4A00 mov eax,dword ptr ds:[4A5FD8]
0048B400 |. E8 5B9BF7FF call INS.00404F60
0048B405 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
0048B408 |. A1 D85F4A00 mov eax,dword ptr ds:[4A5FD8]
0048B40D |. 8B00 mov eax,dword ptr ds:[eax]
0048B40F |. E8 FCC1FFFF call INS.00487610
0048B414 |. A1 28614A00 mov eax,dword ptr ds:[4A6128]
0048B419 F680 DD000000 >test byte ptr ds:[eax+DD],40
0048B420 |. 74 42 je short INS.0048B464
0048B422 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; Part1-Part2-Part3: Part2
0048B425 |. E8 A29DF7FF call INS.004051CC
0048B42A |. 50 push eax
0048B42B |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
0048B42E |. E8 F19FF7FF call INS.00405424
0048B433 |. 5A pop edx
0048B434 |. E8 CF9DFDFF call INS.00465208 ; 计算 Part2 的 CRC32
0048B439 |. 8B15 28614A00 mov edx,dword ptr ds:[4A6128] ; INS.004A8738
0048B43F |. 3B82 CC000000 cmp eax,dword ptr ds:[edx+CC] ; Part2 的CRC32 与 [4A8804] 处70EAF483比较,70EAF483
0048B445 |. 0F94C3 sete bl
0048B448 |. 84DB test bl,bl
0048B44A |. 74 10 je short INS.0048B45C ; 如果 不同,则 转走,完蛋!
0048B44C |. A1 D85F4A00 mov eax,dword ptr ds:[4A5FD8]
0048B451 |. 8B00 mov eax,dword ptr ds:[eax] ; 输入的密码
0048B453 |. E8 3CC2FFFF call INS.00487694 ; 校验密码入口
0048B458 |. 84C0 test al,al
下断处:00487694
00487694 /$ 55 push ebp
00487695 |. 8BEC mov ebp,esp
00487697 |. B9 05000000 mov ecx,5
0048769C |> 6A 00 /push 0
0048769E |. 6A 00 |push 0
004876A0 |. 49 |dec ecx
004876A1 |.^ 75 F9 \jnz short INS.0048769C
004876A3 |. 51 push ecx
004876A4 |. 53 push ebx
004876A5 |. 8BD8 mov ebx,eax
004876A7 |. 33C0 xor eax,eax
004876A9 |. 55 push ebp
004876AA |. 68 29784800 push INS.00487829
004876AF |. 64:FF30 push dword ptr fs:[eax]
004876B2 |. 64:8920 mov dword ptr fs:[eax],esp
004876B5 |. B2 01 mov dl,1
004876B7 |. A1 E8714100 mov eax,dword ptr ds:[4171E8]
004876BC |. E8 E3CAF7FF call INS.004041A4
004876C1 |. 8945 F4 mov dword ptr ss:[ebp-C],eax
004876C4 |. 33C0 xor eax,eax
004876C6 |. 55 push ebp
004876C7 |. 68 FF774800 push INS.004877FF
004876CC |. 64:FF30 push dword ptr fs:[eax]
004876CF |. 64:8920 mov dword ptr fs:[eax],esp
004876D2 |. 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
004876D5 |. 8BC3 mov eax,ebx
004876D7 |. E8 241BF8FF call INS.00409200
004876DC |. 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
004876DF |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004876E2 |. E8 C918F8FF call INS.00408FB0
004876E7 |. B2 2D mov dl,2D
004876E9 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004876EC |. E8 8334F9FF call INS.0041AB74
004876F1 |. 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004876F4 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004876F7 |. E8 E832F9FF call INS.0041A9E4
004876FC |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004876FF |. 8B10 mov edx,dword ptr ds:[eax]
00487701 |. FF52 14 call dword ptr ds:[edx+14]
00487704 |. 83F8 03 cmp eax,3
00487707 |. 0F85 D8000000 jnz INS.004877E5
0048770D |. 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00487710 |. 33D2 xor edx,edx
00487712 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00487715 |. 8B18 mov ebx,dword ptr ds:[eax]
00487717 |. FF53 0C call dword ptr ds:[ebx+C]
0048771A |. FF75 E0 push dword ptr ss:[ebp-20]
0048771D |. 68 40784800 push INS.00487840
00487722 |. 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00487725 |. BA 01000000 mov edx,1
0048772A |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0048772D |. 8B18 mov ebx,dword ptr ds:[eax]
0048772F |. FF53 0C call dword ptr ds:[ebx+C]
00487732 |. FF75 DC push dword ptr ss:[ebp-24]
00487735 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00487738 |. BA 03000000 mov edx,3
0048773D |. E8 4ADBF7FF call INS.0040528C
00487742 |. 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00487745 |. 50 push eax
00487746 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00487749 |. E8 7EDAF7FF call INS.004051CC
0048774E |. 50 push eax
0048774F |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00487752 |. E8 CDDCF7FF call INS.00405424
00487757 |. 5A pop edx ; 计算 Part1-Part2 的 CRC32
00487758 |. E8 ABDAFDFF call INS.00465208
0048775D |. 8945 D4 mov dword ptr ss:[ebp-2C],eax ; |
00487760 |. C645 D8 00 mov byte ptr ss:[ebp-28],0 ; |
00487764 |. 8D55 D4 lea edx,dword ptr ss:[ebp-2C] ; |
00487767 |. 33C9 xor ecx,ecx ; |
00487769 |. B8 4C784800 mov eax,INS.0048784C ; |ASCII "%X"
0048776E |. E8 D535F8FF call INS.0040AD48 ; \INS.0040AD48
00487773 |. FF75 F0 push dword ptr ss:[ebp-10]
00487776 |. 68 40784800 push INS.00487840
0048777B |. FF75 E8 push dword ptr ss:[ebp-18]
0048777E |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
00487781 |. BA 03000000 mov edx,3
00487786 |. E8 01DBF7FF call INS.0040528C
0048778B |. 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0048778E |. 50 push eax
0048778F |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00487792 |. E8 35DAF7FF call INS.004051CC
00487797 |. 50 push eax
00487798 |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
0048779B |. E8 84DCF7FF call INS.00405424
004877A0 |. 5A pop edx ; 计算 Part1-Part2-CRC32(Part1-Part2) 的 CRC32
004877A1 |. E8 62DAFDFF call INS.00465208
004877A6 |. 8945 D4 mov dword ptr ss:[ebp-2C],eax ; |
004877A9 |. C645 D8 00 mov byte ptr ss:[ebp-28],0 ; |
004877AD |. 8D55 D4 lea edx,dword ptr ss:[ebp-2C] ; |
004877B0 |. 33C9 xor ecx,ecx ; |
004877B2 |. B8 4C784800 mov eax,INS.0048784C ; |ASCII "%X"
004877B7 |. E8 8C35F8FF call INS.0040AD48 ; \INS.0040AD48
004877BC |. FF75 F0 push dword ptr ss:[ebp-10]
004877BF |. 68 40784800 push INS.00487840
004877C4 |. FF75 E8 push dword ptr ss:[ebp-18]
004877C7 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004877CA |. BA 03000000 mov edx,3
004877CF |. E8 B8DAF7FF call INS.0040528C
004877D4 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; Part1-Part2-CRC32(Part1-Part2-CRC32(Part1-Part2))
004877D7 |. 8B55 F8 mov edx,dword ptr ss:[ebp-8] ; Part1-Part2-Part3
004877DA |. E8 39DBF7FF call INS.00405318 ; 计算出的密码 和 原始输入的密码 逐一比较,不等就死翘翘
004877DF |. 0F9445 FF sete byte ptr ss:[ebp-1]
004877E3 |. EB 04 jmp short INS.004877E9
004877E5 |> C645 FF 00 mov byte ptr ss:[ebp-1],0
004877E9 |> 33C0 xor eax,eax
004877EB |. 5A pop edx
004877EC |. 59 pop ecx
004877ED |. 59 pop ecx
004877EE |. 64:8910 mov dword ptr fs:[eax],edx
004877F1 |. 68 06784800 push INS.00487806
004877F6 |> 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004877F9 |. E8 D6C9F7FF call INS.004041D4
004877FE \. C3 retn
小结一下
--------
1) 密码形式:
XXXXXXXX-YYYYYYYY-ZZZZZZZZ
Part1:XXXXXXXX - 大写字母/数字,任意长度,也不要太长哦,按习惯输入8个足够了
Part2:YYYYYYYY - A-F/0-9,长度8字节
Part3:ZZZZZZZZ - A-F/0-9,长度8字节
2) 各部分关系及要求:
输入 XXXXXXXX-YYYYYYYY-ZZZZZZZZ
CRC32(YYYYYYYY) 必须等于 0x70EAF483
SSSSSSSS = CRC32(XXXXXXXX-YYYYYYYY)
TTTTTTTT = CRC32(XXXXXXXX-YYYYYYYY-SSSSSSSS)
XXXXXXXX-YYYYYYYY-TTTTTTTT 和 XXXXXXXX-YYYYYYYY-ZZZZZZZZ 比较,必须相等
也就是说:ZZZZZZZZ = CRC32(XXXXXXXX-YYYYYYYY-CRC32(XXXXXXXX-YYYYYYYY))
[注意: CRC32 值高位为0的情况,比如 0x0nnnnnnn,转换成字符串是 nnnnnnn,不是 0nnnnnnn]
第三部分:安装源码时的密码再次验证
==================================
安装源码时,再次获取密码的第二部分Part2:YYYYYYYY,并进行 MD5 变换,获取"2D9D13E987AD1FC9EA8B62261030F3AA"形式的 MD5 算法
变换后的字符串。
下断处:00487508
00487508 /$ 55 push ebp ; HAHA!解密源码,Part2 密码变换处!结果用于解密!
00487509 |. 8BEC mov ebp,esp
0048750B |. 51 push ecx
0048750C |. 53 push ebx
0048750D |. 8BDA mov ebx,edx
0048750F |. 8945 FC mov dword ptr ss:[ebp-4],eax
00487512 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00487515 |. E8 A2DEF7FF call INS.004053BC ; LStrAddRef
0048751A |. 33C0 xor eax,eax
0048751C |. 55 push ebp
0048751D |. 68 57754800 push INS.00487557
00487522 |. 64:FF30 push dword ptr fs:[eax]
00487525 |. 64:8920 mov dword ptr fs:[eax],esp
00487528 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048752B |. E8 9CDCF7FF call INS.004051CC ; Length of Part2
00487530 |. 50 push eax
00487531 |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
00487534 |. E8 EBDEF7FF call INS.00405424
00487539 |. 8BCB mov ecx,ebx
0048753B |. 5A pop edx
0048753C |. E8 1BFFFFFF call INS.0048745C
00487541 |. 33C0 xor eax,eax
00487543 |. 5A pop edx
00487544 |. 59 pop ecx
00487545 |. 59 pop ecx
00487546 |. 64:8910 mov dword ptr fs:[eax],edx
00487549 |. 68 5E754800 push INS.0048755E
0048754E |> 8D45 FC lea eax,dword ptr ss:[ebp-4]
00487551 |. E8 B6D9F7FF call INS.00404F0C
00487556 \. C3 retn
下断处:0048745C
0048745C /$ 55 push ebp
0048745D |. 8BEC mov ebp,esp
0048745F |. 83C4 90 add esp,-70
00487462 |. 53 push ebx
00487463 |. 56 push esi
00487464 |. 57 push edi
00487465 |. 33DB xor ebx,ebx
00487467 |. 895D 90 mov dword ptr ss:[ebp-70],ebx
0048746A |. 894D FC mov dword ptr ss:[ebp-4],ecx
0048746D |. 8BFA mov edi,edx
0048746F |. 8BF0 mov esi,eax
00487471 |. 33C0 xor eax,eax
00487473 |. 55 push ebp
00487474 |. 68 F8744800 push INS.004874F8
00487479 |. 64:FF30 push dword ptr fs:[eax]
0048747C |. 64:8920 mov dword ptr fs:[eax],esp
0048747F |. 33DB xor ebx,ebx
00487481 |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
00487484 |> 8BD3 /mov edx,ebx
00487486 |. 42 |inc edx
00487487 |. 8810 |mov byte ptr ds:[eax],dl
00487489 |. 43 |inc ebx
0048748A |. 40 |inc eax
0048748B |. 83FB 10 |cmp ebx,10
0048748E |.^ 75 F4 \jnz short INS.00487484
00487490 |. 8D45 94 lea eax,dword ptr ss:[ebp-6C]
00487493 |. E8 74F5FFFF call INS.00486A0C
00487498 |. 8D45 94 lea eax,dword ptr ss:[ebp-6C]
0048749B |. 8BCF mov ecx,edi
0048749D |. 8BD6 mov edx,esi
0048749F |. E8 20FFFFFF call INS.004873C4 ; 开始变换
004874A4 |. 8D55 94 lea edx,dword ptr ss:[ebp-6C]
004874A7 |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
004874AA |. E8 59F6FFFF call INS.00486B08
004874AF |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004874B2 |. E8 55DAF7FF call INS.00404F0C
004874B7 |. BB 10000000 mov ebx,10 ; 转换成字符串
004874BC |. 8D75 EC lea esi,dword ptr ss:[ebp-14]
004874BF |> 8D4D 90 /lea ecx,dword ptr ss:[ebp-70]
004874C2 |. 33C0 |xor eax,eax
004874C4 |. 8A06 |mov al,byte ptr ds:[esi]
004874C6 |. BA 02000000 |mov edx,2
004874CB |. E8 3823F8FF |call INS.00409808
004874D0 |. 8B55 90 |mov edx,dword ptr ss:[ebp-70]
004874D3 |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
004874D6 |. E8 F9DCF7FF |call INS.004051D4
004874DB |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
004874DE |. 46 |inc esi
004874DF |. 4B |dec ebx
004874E0 |.^ 75 DD \jnz short INS.004874BF
004874E2 |. 33C0 xor eax,eax
004874E4 |. 5A pop edx
004874E5 |. 59 pop ecx
004874E6 |. 59 pop ecx
004874E7 |. 64:8910 mov dword ptr fs:[eax],edx
004874EA |. 68 FF744800 push INS.004874FF
004874EF |> 8D45 90 lea eax,dword ptr ss:[ebp-70]
004874F2 |. E8 15DAF7FF call INS.00404F0C
004874F7 \. C3 retn
下断处:00486B08
00486B08 /$ 53 push ebx ; 真正的变换处!
00486B09 |. 56 push esi
00486B0A |. 8BDA mov ebx,edx
00486B0C |. 8BF0 mov esi,eax
00486B0E |. 8B43 10 mov eax,dword ptr ds:[ebx+10]
00486B11 |. C1E8 03 shr eax,3
00486B14 |. 66:83E0 3F and ax,3F
00486B18 |. 8BD0 mov edx,eax
00486B1A |. 33C9 xor ecx,ecx
00486B1C |. 8ACA mov cl,dl
00486B1E |. C6440B 18 80 mov byte ptr ds:[ebx+ecx+18],80
00486B23 |. 42 inc edx
00486B24 |. 66:B9 3F00 mov cx,3F
00486B28 |. 66:2BC8 sub cx,ax
00486B2B |. 8BC1 mov eax,ecx
00486B2D |. 66:83F8 08 cmp ax,8
00486B31 |. 73 37 jnb short INS.00486B6A
00486B33 |. 81E2 FF000000 and edx,0FF
00486B39 |. 8D5413 18 lea edx,dword ptr ds:[ebx+edx+18]
00486B3D |. 0FB7C0 movzx eax,ax
00486B40 |. 33C9 xor ecx,ecx
00486B42 |. 92 xchg eax,edx
00486B43 |. E8 D4C7F7FF call INS.0040331C
00486B48 |. 6A 0F push 0F ; /Arg1 = 0000000F
00486B4A |. 8D4B 18 lea ecx,dword ptr ds:[ebx+18] ; |
00486B4D |. 8BC3 mov eax,ebx ; |
00486B4F |. BA 03000000 mov edx,3 ; |
00486B54 |. E8 4F010000 call INS.00486CA8 ; \INS.00486CA8
00486B59 |. 8D43 18 lea eax,dword ptr ds:[ebx+18]
00486B5C |. 33C9 xor ecx,ecx
00486B5E |. BA 38000000 mov edx,38
00486B63 |. E8 B4C7F7FF call INS.0040331C ; 清除缓冲区
00486B68 |. EB 18 jmp short INS.00486B82
00486B6A |> 81E2 FF000000 and edx,0FF
00486B70 |. 8D5413 18 lea edx,dword ptr ds:[ebx+edx+18]
00486B74 |. 0FB7C0 movzx eax,ax
00486B77 |. 83E8 08 sub eax,8
00486B7A |. 33C9 xor ecx,ecx
00486B7C |. 92 xchg eax,edx
00486B7D |. E8 9AC7F7FF call INS.0040331C
00486B82 |> 8B43 10 mov eax,dword ptr ds:[ebx+10]
00486B85 |. 8943 50 mov dword ptr ds:[ebx+50],eax
00486B88 |. 8B43 14 mov eax,dword ptr ds:[ebx+14]
00486B8B |. 8943 54 mov dword ptr ds:[ebx+54],eax
00486B8E |. 6A 0F push 0F ; /Arg1 = 0000000F
00486B90 |. 8D4B 18 lea ecx,dword ptr ds:[ebx+18] ; |
00486B93 |. 8BC3 mov eax,ebx ; |
00486B95 |. BA 03000000 mov edx,3 ; |
00486B9A |. E8 09010000 call INS.00486CA8 ; \INS.00486CA8
00486B9F |. 8BD6 mov edx,esi
00486BA1 |. 8BC3 mov eax,ebx
00486BA3 |. B9 10000000 mov ecx,10
00486BA8 |. E8 2BBEF7FF call INS.004029D8
00486BAD |. 8BC3 mov eax,ebx
00486BAF |. 33C9 xor ecx,ecx
00486BB1 |. BA 58000000 mov edx,58
00486BB6 |. E8 61C7F7FF call INS.0040331C
00486BBB |. 5E pop esi
00486BBC |. 5B pop ebx
00486BBD \. C3 retn 传说中的 MD5 算法,四轮运算,下断处00486CA8:
00486CA8 /$ 55 push ebp
00486CA9 |. 8BEC mov ebp,esp
00486CAB |. 83C4 EC add esp,-14
00486CAE |. 53 push ebx
00486CAF |. 56 push esi
00486CB0 |. 57 push edi
00486CB1 |. 8BD9 mov ebx,ecx
00486CB3 |. 8945 FC mov dword ptr ss:[ebp-4],eax
00486CB6 |. 8D75 F8 lea esi,dword ptr ss:[ebp-8]
00486CB9 |. 8D7D F4 lea edi,dword ptr ss:[ebp-C]
00486CBC |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00486CBF |. 8B00 mov eax,dword ptr ds:[eax]
00486CC1 |. 8906 mov dword ptr ds:[esi],eax
00486CC3 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00486CC6 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
00486CC9 |. 8907 mov dword ptr ds:[edi],eax
00486CCB |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00486CCE |. 8B40 08 mov eax,dword ptr ds:[eax+8]
00486CD1 |. 8945 F0 mov dword ptr ss:[ebp-10],eax
00486CD4 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00486CD7 |. 8B40 0C mov eax,dword ptr ds:[eax+C]
00486CDA |. 8945 EC mov dword ptr ss:[ebp-14],eax
00486CDD |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00486CE0 |. 50 push eax ; /Arg3
00486CE1 |. 8B03 mov eax,dword ptr ds:[ebx] ; |
00486CE3 |. 05 78A46AD7 add eax,D76AA478 ; |
00486CE8 |. 50 push eax ; |Arg2
00486CE9 |. 6A 07 push 7 ; |Arg1 = 00000007
00486CEB |. 8BC6 mov eax,esi ; |
00486CED |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
00486CF0 |. 8B17 mov edx,dword ptr ds:[edi] ; |
00486CF2 |. E8 C9FEFFFF call INS.00486BC0 ; \INS.00486BC0
00486CF7 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00486CFA |. 50 push eax ; /Arg3
00486CFB |. 8B43 04 mov eax,dword ptr ds:[ebx+4] ; |
00486CFE |. 05 56B7C7E8 add eax,E8C7B756 ; |
00486D03 |. 50 push eax ; |Arg2
00486D04 |. 6A 0C push 0C ; |Arg1 = 0000000C
00486D06 |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
00486D09 |. 8B0F mov ecx,dword ptr ds:[edi] ; |
00486D0B |. 8B16 mov edx,dword ptr ds:[esi] ; |
00486D0D |. E8 AEFEFFFF call INS.00486BC0 ; \INS.00486BC0
00486D12 |. 8B07 mov eax,dword ptr ds:[edi]
00486D14 |. 50 push eax ; /Arg3
00486D15 |. 8B43 08 mov eax,dword ptr ds:[ebx+8] ; |
00486D18 |. 05 DB702024 add eax,242070DB ; |
00486D1D |. 50 push eax ; |Arg2
00486D1E |. 6A 11 push 11 ; |Arg1 = 00000011
00486D20 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
00486D23 |. 8B0E mov ecx,dword ptr ds:[esi] ; |
00486D25 |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
00486D28 |. E8 93FEFFFF call INS.00486BC0 ; \INS.00486BC0
00486D2D |. 8B06 mov eax,dword ptr ds:[esi]
00486D2F |. 50 push eax ; /Arg3
00486D30 |. 8B43 0C mov eax,dword ptr ds:[ebx+C] ; |
00486D33 |. 05 EECEBDC1 add eax,C1BDCEEE ; |
00486D38 |. 50 push eax ; |Arg2
00486D39 |. 6A 16 push 16 ; |Arg1 = 00000016
00486D3B |. 8BC7 mov eax,edi ; |
00486D3D |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
00486D40 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
00486D43 |. E8 78FEFFFF call INS.00486BC0 ; \INS.00486BC0
00486D48 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00486D4B |. 50 push eax ; /Arg3
00486D4C |. 8B43 10 mov eax,dword ptr ds:[ebx+10] ; |
00486D4F |. 05 AF0F7CF5 add eax,F57C0FAF ; |
00486D54 |. 50 push eax ; |Arg2
00486D55 |. 6A 07 push 7 ; |Arg1 = 00000007
00486D57 |. 8BC6 mov eax,esi ; |
00486D59 |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
00486D5C |. 8B17 mov edx,dword ptr ds:[edi] ; |
00486D5E |. E8 5DFEFFFF call INS.00486BC0 ; \INS.00486BC0
00486D63 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00486D66 |. 50 push eax ; /Arg3
00486D67 |. 8B43 14 mov eax,dword ptr ds:[ebx+14] ; |
00486D6A |. 05 2AC68747 add eax,4787C62A ; |
00486D6F |. 50 push eax ; |Arg2
00486D70 |. 6A 0C push 0C ; |Arg1 = 0000000C
00486D72 |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
00486D75 |. 8B0F mov ecx,dword ptr ds:[edi] ; |
00486D77 |. 8B16 mov edx,dword ptr ds:[esi] ; |
00486D79 |. E8 42FEFFFF call INS.00486BC0 ; \INS.00486BC0
00486D7E |. 8B07 mov eax,dword ptr ds:[edi]
00486D80 |. 50 push eax ; /Arg3
00486D81 |. 8B43 18 mov eax,dword ptr ds:[ebx+18] ; |
00486D84 |. 05 134630A8 add eax,A8304613 ; |
00486D89 |. 50 push eax ; |Arg2
00486D8A |. 6A 11 push 11 ; |Arg1 = 00000011
00486D8C |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
00486D8F |. 8B0E mov ecx,dword ptr ds:[esi] ; |
00486D91 |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
00486D94 |. E8 27FEFFFF call INS.00486BC0 ; \INS.00486BC0
00486D99 |. 8B06 mov eax,dword ptr ds:[esi]
00486D9B |. 50 push eax ; /Arg3
00486D9C |. 8B43 1C mov eax,dword ptr ds:[ebx+1C] ; |
00486D9F |. 05 019546FD add eax,FD469501 ; |
00486DA4 |. 50 push eax ; |Arg2
00486DA5 |. 6A 16 push 16 ; |Arg1 = 00000016
00486DA7 |. 8BC7 mov eax,edi ; |
00486DA9 |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
00486DAC |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
00486DAF |. E8 0CFEFFFF call INS.00486BC0 ; \INS.00486BC0
00486DB4 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00486DB7 |. 50 push eax ; /Arg3
00486DB8 |. 8B43 20 mov eax,dword ptr ds:[ebx+20] ; |
00486DBB |. 05 D8988069 add eax,698098D8 ; |
00486DC0 |. 50 push eax ; |Arg2
00486DC1 |. 6A 07 push 7 ; |Arg1 = 00000007
00486DC3 |. 8BC6 mov eax,esi ; |
00486DC5 |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
00486DC8 |. 8B17 mov edx,dword ptr ds:[edi] ; |
00486DCA |. E8 F1FDFFFF call INS.00486BC0 ; \INS.00486BC0
00486DCF |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00486DD2 |. 50 push eax ; /Arg3
00486DD3 |. 8B43 24 mov eax,dword ptr ds:[ebx+24] ; |
00486DD6 |. 05 AFF7448B add eax,8B44F7AF ; |
00486DDB |. 50 push eax ; |Arg2
00486DDC |. 6A 0C push 0C ; |Arg1 = 0000000C
00486DDE |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
00486DE1 |. 8B0F mov ecx,dword ptr ds:[edi] ; |
00486DE3 |. 8B16 mov edx,dword ptr ds:[esi] ; |
00486DE5 |. E8 D6FDFFFF call INS.00486BC0 ; \INS.00486BC0
00486DEA |. 8B07 mov eax,dword ptr ds:[edi]
00486DEC |. 50 push eax ; /Arg3
00486DED |. 8B43 28 mov eax,dword ptr ds:[ebx+28] ; |
00486DF0 |. 05 B15BFFFF add eax,FFFF5BB1 ; |
00486DF5 |. 50 push eax ; |Arg2
00486DF6 |. 6A 11 push 11 ; |Arg1 = 00000011
00486DF8 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
00486DFB |. 8B0E mov ecx,dword ptr ds:[esi] ; |
00486DFD |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
00486E00 |. E8 BBFDFFFF call INS.00486BC0 ; \INS.00486BC0
00486E05 |. 8B06 mov eax,dword ptr ds:[esi]
00486E07 |. 50 push eax ; /Arg3
00486E08 |. 8B43 2C mov eax,dword ptr ds:[ebx+2C] ; |
00486E0B |. 05 BED75C89 add eax,895CD7BE ; |
00486E10 |. 50 push eax ; |Arg2
00486E11 |. 6A 16 push 16 ; |Arg1 = 00000016
00486E13 |. 8BC7 mov eax,edi ; |
00486E15 |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
00486E18 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
00486E1B |. E8 A0FDFFFF call INS.00486BC0 ; \INS.00486BC0
00486E20 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00486E23 |. 50 push eax ; /Arg3
00486E24 |. 8B43 30 mov eax,dword ptr ds:[ebx+30] ; |
00486E27 |. 05 2211906B add eax,6B901122 ; |
00486E2C |. 50 push eax ; |Arg2
00486E2D |. 6A 07 push 7 ; |Arg1 = 00000007
00486E2F |. 8BC6 mov eax,esi ; |
00486E31 |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
00486E34 |. 8B17 mov edx,dword ptr ds:[edi] ; |
00486E36 |. E8 85FDFFFF call INS.00486BC0 ; \INS.00486BC0
00486E3B |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00486E3E |. 50 push eax ; /Arg3
00486E3F |. 8B43 34 mov eax,dword ptr ds:[ebx+34] ; |
00486E42 |. 05 937198FD add eax,FD987193 ; |
00486E47 |. 50 push eax ; |Arg2
00486E48 |. 6A 0C push 0C ; |Arg1 = 0000000C
00486E4A |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
00486E4D |. 8B0F mov ecx,dword ptr ds:[edi] ; |
00486E4F |. 8B16 mov edx,dword ptr ds:[esi] ; |
00486E51 |. E8 6AFDFFFF call INS.00486BC0 ; \INS.00486BC0
00486E56 |. 8B07 mov eax,dword ptr ds:[edi]
00486E58 |. 50 push eax ; /Arg3
00486E59 |. 8B43 38 mov eax,dword ptr ds:[ebx+38] ; |
00486E5C |. 05 8E4379A6 add eax,A679438E ; |
00486E61 |. 50 push eax ; |Arg2
00486E62 |. 6A 11 push 11 ; |Arg1 = 00000011
00486E64 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
00486E67 |. 8B0E mov ecx,dword ptr ds:[esi] ; |
00486E69 |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
00486E6C |. E8 4FFDFFFF call INS.00486BC0 ; \INS.00486BC0
00486E71 |. 8B06 mov eax,dword ptr ds:[esi]
00486E73 |. 50 push eax ; /Arg3
00486E74 |. 8B43 3C mov eax,dword ptr ds:[ebx+3C] ; |
00486E77 |. 05 2108B449 add eax,49B40821 ; |
00486E7C |. 50 push eax ; |Arg2
00486E7D |. 6A 16 push 16 ; |Arg1 = 00000016
00486E7F |. 8BC7 mov eax,edi ; |
00486E81 |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
00486E84 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
00486E87 |. E8 34FDFFFF call INS.00486BC0 ; \INS.00486BC0
00486E8C |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00486E8F |. 50 push eax ; /Arg3
00486E90 |. 8B43 04 mov eax,dword ptr ds:[ebx+4] ; |
00486E93 |. 05 62251EF6 add eax,F61E2562 ; |
00486E98 |. 50 push eax ; |Arg2
00486E99 |. 6A 05 push 5 ; |Arg1 = 00000005
00486E9B |. 8BC6 mov eax,esi ; |
00486E9D |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
00486EA0 |. 8B17 mov edx,dword ptr ds:[edi] ; |
00486EA2 |. E8 51FDFFFF call INS.00486BF8 ; \INS.00486BF8
00486EA7 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00486EAA |. 50 push eax ; /Arg3
00486EAB |. 8B43 18 mov eax,dword ptr ds:[ebx+18] ; |
00486EAE |. 05 40B340C0 add eax,C040B340 ; |
00486EB3 |. 50 push eax ; |Arg2
00486EB4 |. 6A 09 push 9 ; |Arg1 = 00000009
00486EB6 |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
00486EB9 |. 8B0F mov ecx,dword ptr ds:[edi] ; |
00486EBB |. 8B16 mov edx,dword ptr ds:[esi] ; |
00486EBD |. E8 36FDFFFF call INS.00486BF8 ; \INS.00486BF8
00486EC2 |. 8B07 mov eax,dword ptr ds:[edi]
00486EC4 |. 50 push eax ; /Arg3
00486EC5 |. 8B43 2C mov eax,dword ptr ds:[ebx+2C] ; |
00486EC8 |. 05 515A5E26 add eax,265E5A51 ; |
00486ECD |. 50 push eax ; |Arg2
00486ECE |. 6A 0E push 0E ; |Arg1 = 0000000E
00486ED0 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
00486ED3 |. 8B0E mov ecx,dword ptr ds:[esi] ; |
00486ED5 |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
00486ED8 |. E8 1BFDFFFF call INS.00486BF8 ; \INS.00486BF8
00486EDD |. 8B06 mov eax,dword ptr ds:[esi]
00486EDF |. 50 push eax ; /Arg3
00486EE0 |. 8B03 mov eax,dword ptr ds:[ebx] ; |
00486EE2 |. 05 AAC7B6E9 add eax,E9B6C7AA ; |
00486EE7 |. 50 push eax ; |Arg2
00486EE8 |. 6A 14 push 14 ; |Arg1 = 00000014
00486EEA |. 8BC7 mov eax,edi ; |
00486EEC |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
00486EEF |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
00486EF2 |. E8 01FDFFFF call INS.00486BF8 ; \INS.00486BF8
00486EF7 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00486EFA |. 50 push eax ; /Arg3
00486EFB |. 8B43 14 mov eax,dword ptr ds:[ebx+14] ; |
00486EFE |. 05 5D102FD6 add eax,D62F105D ; |
00486F03 |. 50 push eax ; |Arg2
00486F04 |. 6A 05 push 5 ; |Arg1 = 00000005
00486F06 |. 8BC6 mov eax,esi ; |
00486F08 |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
00486F0B |. 8B17 mov edx,dword ptr ds:[edi] ; |
00486F0D |. E8 E6FCFFFF call INS.00486BF8 ; \INS.00486BF8
00486F12 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00486F15 |. 50 push eax ; /Arg3
00486F16 |. 8B43 28 mov eax,dword ptr ds:[ebx+28] ; |
00486F19 |. 05 53144402 add eax,2441453 ; |
00486F1E |. 50 push eax ; |Arg2
00486F1F |. 6A 09 push 9 ; |Arg1 = 00000009
00486F21 |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
00486F24 |. 8B0F mov ecx,dword ptr ds:[edi] ; |
00486F26 |. 8B16 mov edx,dword ptr ds:[esi] ; |
00486F28 |. E8 CBFCFFFF call INS.00486BF8 ; \INS.00486BF8
00486F2D |. 8B07 mov eax,dword ptr ds:[edi]
00486F2F |. 50 push eax ; /Arg3
00486F30 |. 8B43 3C mov eax,dword ptr ds:[ebx+3C] ; |
00486F33 |. 05 81E6A1D8 add eax,D8A1E681 ; |
00486F38 |. 50 push eax ; |Arg2
00486F39 |. 6A 0E push 0E ; |Arg1 = 0000000E
00486F3B |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
00486F3E |. 8B0E mov ecx,dword ptr ds:[esi] ; |
00486F40 |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
00486F43 |. E8 B0FCFFFF call INS.00486BF8 ; \INS.00486BF8
00486F48 |. 8B06 mov eax,dword ptr ds:[esi]
00486F4A |. 50 push eax ; /Arg3
00486F4B |. 8B43 10 mov eax,dword ptr ds:[ebx+10] ; |
00486F4E |. 05 C8FBD3E7 add eax,E7D3FBC8 ; |
00486F53 |. 50 push eax ; |Arg2
00486F54 |. 6A 14 push 14 ; |Arg1 = 00000014
00486F56 |. 8BC7 mov eax,edi ; |
00486F58 |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
00486F5B |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
00486F5E |. E8 95FCFFFF call INS.00486BF8 ; \INS.00486BF8
00486F63 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00486F66 |. 50 push eax ; /Arg3
00486F67 |. 8B43 24 mov eax,dword ptr ds:[ebx+24] ; |
00486F6A |. 05 E6CDE121 add eax,21E1CDE6 ; |
00486F6F |. 50 push eax ; |Arg2
00486F70 |. 6A 05 push 5 ; |Arg1 = 00000005
00486F72 |. 8BC6 mov eax,esi ; |
00486F74 |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
00486F77 |. 8B17 mov edx,dword ptr ds:[edi] ; |
00486F79 |. E8 7AFCFFFF call INS.00486BF8 ; \INS.00486BF8
00486F7E |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00486F81 |. 50 push eax ; /Arg3
00486F82 |. 8B43 38 mov eax,dword ptr ds:[ebx+38] ; |
00486F85 |. 05 D60737C3 add eax,C33707D6 ; |
00486F8A |. 50 push eax ; |Arg2
00486F8B |. 6A 09 push 9 ; |Arg1 = 00000009
00486F8D |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
00486F90 |. 8B0F mov ecx,dword ptr ds:[edi] ; |
00486F92 |. 8B16 mov edx,dword ptr ds:[esi] ; |
00486F94 |. E8 5FFCFFFF call INS.00486BF8 ; \INS.00486BF8
00486F99 |. 8B07 mov eax,dword ptr ds:[edi]
00486F9B |. 50 push eax ; /Arg3
00486F9C |. 8B43 0C mov eax,dword ptr ds:[ebx+C] ; |
00486F9F |. 05 870DD5F4 add eax,F4D50D87 ; |
00486FA4 |. 50 push eax ; |Arg2
00486FA5 |. 6A 0E push 0E ; |Arg1 = 0000000E
00486FA7 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
00486FAA |. 8B0E mov ecx,dword ptr ds:[esi] ; |
00486FAC |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
00486FAF |. E8 44FCFFFF call INS.00486BF8 ; \INS.00486BF8
00486FB4 |. 8B06 mov eax,dword ptr ds:[esi]
00486FB6 |. 50 push eax ; /Arg3
00486FB7 |. 8B43 20 mov eax,dword ptr ds:[ebx+20] ; |
00486FBA |. 05 ED145A45 add eax,455A14ED ; |
00486FBF |. 50 push eax ; |Arg2
00486FC0 |. 6A 14 push 14 ; |Arg1 = 00000014
00486FC2 |. 8BC7 mov eax,edi ; |
00486FC4 |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
00486FC7 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
00486FCA |. E8 29FCFFFF call INS.00486BF8 ; \INS.00486BF8
00486FCF |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00486FD2 |. 50 push eax ; /Arg3
00486FD3 |. 8B43 34 mov eax,dword ptr ds:[ebx+34] ; |
00486FD6 |. 05 05E9E3A9 add eax,A9E3E905 ; |
00486FDB |. 50 push eax ; |Arg2
00486FDC |. 6A 05 push 5 ; |Arg1 = 00000005
00486FDE |. 8BC6 mov eax,esi ; |
00486FE0 |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
00486FE3 |. 8B17 mov edx,dword ptr ds:[edi] ; |
00486FE5 |. E8 0EFCFFFF call INS.00486BF8 ; \INS.00486BF8
00486FEA |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00486FED |. 50 push eax ; /Arg3
00486FEE |. 8B43 08 mov eax,dword ptr ds:[ebx+8] ; |
00486FF1 |. 05 F8A3EFFC add eax,FCEFA3F8 ; |
00486FF6 |. 50 push eax ; |Arg2
00486FF7 |. 6A 09 push 9 ; |Arg1 = 00000009
00486FF9 |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
00486FFC |. 8B0F mov ecx,dword ptr ds:[edi] ; |
00486FFE |. 8B16 mov edx,dword ptr ds:[esi] ; |
00487000 |. E8 F3FBFFFF call INS.00486BF8 ; \INS.00486BF8
00487005 |. 8B07 mov eax,dword ptr ds:[edi]
00487007 |. 50 push eax ; /Arg3
00487008 |. 8B43 1C mov eax,dword ptr ds:[ebx+1C] ; |
0048700B |. 05 D9026F67 add eax,676F02D9 ; |
00487010 |. 50 push eax ; |Arg2
00487011 |. 6A 0E push 0E ; |Arg1 = 0000000E
00487013 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
00487016 |. 8B0E mov ecx,dword ptr ds:[esi] ; |
00487018 |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
0048701B |. E8 D8FBFFFF call INS.00486BF8 ; \INS.00486BF8
00487020 |. 8B06 mov eax,dword ptr ds:[esi]
00487022 |. 50 push eax ; /Arg3
00487023 |. 8B43 30 mov eax,dword ptr ds:[ebx+30] ; |
00487026 |. 05 8A4C2A8D add eax,8D2A4C8A ; |
0048702B |. 50 push eax ; |Arg2
0048702C |. 6A 14 push 14 ; |Arg1 = 00000014
0048702E |. 8BC7 mov eax,edi ; |
00487030 |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
00487033 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
00487036 |. E8 BDFBFFFF call INS.00486BF8 ; \INS.00486BF8
0048703B |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
0048703E |. 50 push eax ; /Arg3
0048703F |. 8B43 14 mov eax,dword ptr ds:[ebx+14] ; |
00487042 |. 05 4239FAFF add eax,FFFA3942 ; |
00487047 |. 50 push eax ; |Arg2
00487048 |. 6A 04 push 4 ; |Arg1 = 00000004
0048704A |. 8BC6 mov eax,esi ; |
0048704C |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
0048704F |. 8B17 mov edx,dword ptr ds:[edi] ; |
00487051 |. E8 DEFBFFFF call INS.00486C34 ; \INS.00486C34
00487056 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00487059 |. 50 push eax ; /Arg3
0048705A |. 8B43 20 mov eax,dword ptr ds:[ebx+20] ; |
0048705D |. 05 81F67187 add eax,8771F681 ; |
00487062 |. 50 push eax ; |Arg2
00487063 |. 6A 0B push 0B ; |Arg1 = 0000000B
00487065 |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
00487068 |. 8B0F mov ecx,dword ptr ds:[edi] ; |
0048706A |. 8B16 mov edx,dword ptr ds:[esi] ; |
0048706C |. E8 C3FBFFFF call INS.00486C34 ; \INS.00486C34
00487071 |. 8B07 mov eax,dword ptr ds:[edi]
00487073 |. 50 push eax ; /Arg3
00487074 |. 8B43 2C mov eax,dword ptr ds:[ebx+2C] ; |
00487077 |. 05 22619D6D add eax,6D9D6122 ; |
0048707C |. 50 push eax ; |Arg2
0048707D |. 6A 10 push 10 ; |Arg1 = 00000010
0048707F |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
00487082 |. 8B0E mov ecx,dword ptr ds:[esi] ; |
00487084 |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
00487087 |. E8 A8FBFFFF call INS.00486C34 ; \INS.00486C34
0048708C |. 8B06 mov eax,dword ptr ds:[esi]
0048708E |. 50 push eax ; /Arg3
0048708F |. 8B43 38 mov eax,dword ptr ds:[ebx+38] ; |
00487092 |. 05 0C38E5FD add eax,FDE5380C ; |
00487097 |. 50 push eax ; |Arg2
00487098 |. 6A 17 push 17 ; |Arg1 = 00000017
0048709A |. 8BC7 mov eax,edi ; |
0048709C |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
0048709F |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
004870A2 |. E8 8DFBFFFF call INS.00486C34 ; \INS.00486C34
004870A7 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
004870AA |. 50 push eax ; /Arg3
004870AB |. 8B43 04 mov eax,dword ptr ds:[ebx+4] ; |
004870AE |. 05 44EABEA4 add eax,A4BEEA44 ; |
004870B3 |. 50 push eax ; |Arg2
004870B4 |. 6A 04 push 4 ; |Arg1 = 00000004
004870B6 |. 8BC6 mov eax,esi ; |
004870B8 |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
004870BB |. 8B17 mov edx,dword ptr ds:[edi] ; |
004870BD |. E8 72FBFFFF call INS.00486C34 ; \INS.00486C34
004870C2 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004870C5 |. 50 push eax ; /Arg3
004870C6 |. 8B43 10 mov eax,dword ptr ds:[ebx+10] ; |
004870C9 |. 05 A9CFDE4B add eax,4BDECFA9 ; |
004870CE |. 50 push eax ; |Arg2
004870CF |. 6A 0B push 0B ; |Arg1 = 0000000B
004870D1 |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
004870D4 |. 8B0F mov ecx,dword ptr ds:[edi] ; |
004870D6 |. 8B16 mov edx,dword ptr ds:[esi] ; |
004870D8 |. E8 57FBFFFF call INS.00486C34 ; \INS.00486C34
004870DD |. 8B07 mov eax,dword ptr ds:[edi]
004870DF |. 50 push eax ; /Arg3
004870E0 |. 8B43 1C mov eax,dword ptr ds:[ebx+1C] ; |
004870E3 |. 05 604BBBF6 add eax,F6BB4B60 ; |
004870E8 |. 50 push eax ; |Arg2
004870E9 |. 6A 10 push 10 ; |Arg1 = 00000010
004870EB |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
004870EE |. 8B0E mov ecx,dword ptr ds:[esi] ; |
004870F0 |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
004870F3 |. E8 3CFBFFFF call INS.00486C34 ; \INS.00486C34
004870F8 |. 8B06 mov eax,dword ptr ds:[esi]
004870FA |. 50 push eax ; /Arg3
004870FB |. 8B43 28 mov eax,dword ptr ds:[ebx+28] ; |
004870FE |. 05 70BCBFBE add eax,BEBFBC70 ; |
00487103 |. 50 push eax ; |Arg2
00487104 |. 6A 17 push 17 ; |Arg1 = 00000017
00487106 |. 8BC7 mov eax,edi ; |
00487108 |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
0048710B |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
0048710E |. E8 21FBFFFF call INS.00486C34 ; \INS.00486C34
00487113 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00487116 |. 50 push eax ; /Arg3
00487117 |. 8B43 34 mov eax,dword ptr ds:[ebx+34] ; |
0048711A |. 05 C67E9B28 add eax,289B7EC6 ; |
0048711F |. 50 push eax ; |Arg2
00487120 |. 6A 04 push 4 ; |Arg1 = 00000004
00487122 |. 8BC6 mov eax,esi ; |
00487124 |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
00487127 |. 8B17 mov edx,dword ptr ds:[edi] ; |
00487129 |. E8 06FBFFFF call INS.00486C34 ; \INS.00486C34
0048712E |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00487131 |. 50 push eax ; /Arg3
00487132 |. 8B03 mov eax,dword ptr ds:[ebx] ; |
00487134 |. 05 FA27A1EA add eax,EAA127FA ; |
00487139 |. 50 push eax ; |Arg2
0048713A |. 6A 0B push 0B ; |Arg1 = 0000000B
0048713C |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
0048713F |. 8B0F mov ecx,dword ptr ds:[edi] ; |
00487141 |. 8B16 mov edx,dword ptr ds:[esi] ; |
00487143 |. E8 ECFAFFFF call INS.00486C34 ; \INS.00486C34
00487148 |. 8B07 mov eax,dword ptr ds:[edi]
0048714A |. 50 push eax ; /Arg3
0048714B |. 8B43 0C mov eax,dword ptr ds:[ebx+C] ; |
0048714E |. 05 8530EFD4 add eax,D4EF3085 ; |
00487153 |. 50 push eax ; |Arg2
00487154 |. 6A 10 push 10 ; |Arg1 = 00000010
00487156 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
00487159 |. 8B0E mov ecx,dword ptr ds:[esi] ; |
0048715B |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
0048715E |. E8 D1FAFFFF call INS.00486C34 ; \INS.00486C34
00487163 |. 8B06 mov eax,dword ptr ds:[esi]
00487165 |. 50 push eax ; /Arg3
00487166 |. 8B43 18 mov eax,dword ptr ds:[ebx+18] ; |
00487169 |. 05 051D8804 add eax,4881D05 ; |
0048716E |. 50 push eax ; |Arg2
0048716F |. 6A 17 push 17 ; |Arg1 = 00000017
00487171 |. 8BC7 mov eax,edi ; |
00487173 |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
00487176 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
00487179 |. E8 B6FAFFFF call INS.00486C34 ; \INS.00486C34
0048717E |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00487181 |. 50 push eax ; /Arg3
00487182 |. 8B43 24 mov eax,dword ptr ds:[ebx+24] ; |
00487185 |. 05 39D0D4D9 add eax,D9D4D039 ; |
0048718A |. 50 push eax ; |Arg2
0048718B |. 6A 04 push 4 ; |Arg1 = 00000004
0048718D |. 8BC6 mov eax,esi ; |
0048718F |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
00487192 |. 8B17 mov edx,dword ptr ds:[edi] ; |
00487194 |. E8 9BFAFFFF call INS.00486C34 ; \INS.00486C34
00487199 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0048719C |. 50 push eax ; /Arg3
0048719D |. 8B43 30 mov eax,dword ptr ds:[ebx+30] ; |
004871A0 |. 05 E599DBE6 add eax,E6DB99E5 ; |
004871A5 |. 50 push eax ; |Arg2
004871A6 |. 6A 0B push 0B ; |Arg1 = 0000000B
004871A8 |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
004871AB |. 8B0F mov ecx,dword ptr ds:[edi] ; |
004871AD |. 8B16 mov edx,dword ptr ds:[esi] ; |
004871AF |. E8 80FAFFFF call INS.00486C34 ; \INS.00486C34
004871B4 |. 8B07 mov eax,dword ptr ds:[edi]
004871B6 |. 50 push eax ; /Arg3
004871B7 |. 8B43 3C mov eax,dword ptr ds:[ebx+3C] ; |
004871BA |. 05 F87CA21F add eax,1FA27CF8 ; |
004871BF |. 50 push eax ; |Arg2
004871C0 |. 6A 10 push 10 ; |Arg1 = 00000010
004871C2 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
004871C5 |. 8B0E mov ecx,dword ptr ds:[esi] ; |
004871C7 |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
004871CA |. E8 65FAFFFF call INS.00486C34 ; \INS.00486C34
004871CF |. 8B06 mov eax,dword ptr ds:[esi]
004871D1 |. 50 push eax ; /Arg3
004871D2 |. 8B43 08 mov eax,dword ptr ds:[ebx+8] ; |
004871D5 |. 05 6556ACC4 add eax,C4AC5665 ; |
004871DA |. 50 push eax ; |Arg2
004871DB |. 6A 17 push 17 ; |Arg1 = 00000017
004871DD |. 8BC7 mov eax,edi ; |
004871DF |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
004871E2 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
004871E5 |. E8 4AFAFFFF call INS.00486C34 ; \INS.00486C34
004871EA |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
004871ED |. 50 push eax ; /Arg3
004871EE |. 8B03 mov eax,dword ptr ds:[ebx] ; |
004871F0 |. 05 442229F4 add eax,F4292244 ; |
004871F5 |. 50 push eax ; |Arg2
004871F6 |. 6A 06 push 6 ; |Arg1 = 00000006
004871F8 |. 8BC6 mov eax,esi ; |
004871FA |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
004871FD |. 8B17 mov edx,dword ptr ds:[edi] ; |
004871FF |. E8 68FAFFFF call INS.00486C6C ; \INS.00486C6C
00487204 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00487207 |. 50 push eax ; /Arg3
00487208 |. 8B43 1C mov eax,dword ptr ds:[ebx+1C] ; |
0048720B |. 05 97FF2A43 add eax,432AFF97 ; |
00487210 |. 50 push eax ; |Arg2
00487211 |. 6A 0A push 0A ; |Arg1 = 0000000A
00487213 |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
00487216 |. 8B0F mov ecx,dword ptr ds:[edi] ; |
00487218 |. 8B16 mov edx,dword ptr ds:[esi] ; |
0048721A |. E8 4DFAFFFF call INS.00486C6C ; \INS.00486C6C
0048721F |. 8B07 mov eax,dword ptr ds:[edi]
00487221 |. 50 push eax ; /Arg3
00487222 |. 8B43 38 mov eax,dword ptr ds:[ebx+38] ; |
00487225 |. 05 A72394AB add eax,AB9423A7 ; |
0048722A |. 50 push eax ; |Arg2
0048722B |. 6A 0F push 0F ; |Arg1 = 0000000F
0048722D |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
00487230 |. 8B0E mov ecx,dword ptr ds:[esi] ; |
00487232 |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
00487235 |. E8 32FAFFFF call INS.00486C6C ; \INS.00486C6C
0048723A |. 8B06 mov eax,dword ptr ds:[esi]
0048723C |. 50 push eax ; /Arg3
0048723D |. 8B43 14 mov eax,dword ptr ds:[ebx+14] ; |
00487240 |. 05 39A093FC add eax,FC93A039 ; |
00487245 |. 50 push eax ; |Arg2
00487246 |. 6A 15 push 15 ; |Arg1 = 00000015
00487248 |. 8BC7 mov eax,edi ; |
0048724A |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
0048724D |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
00487250 |. E8 17FAFFFF call INS.00486C6C ; \INS.00486C6C
00487255 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00487258 |. 50 push eax ; /Arg3
00487259 |. 8B43 30 mov eax,dword ptr ds:[ebx+30] ; |
0048725C |. 05 C3595B65 add eax,655B59C3 ; |
00487261 |. 50 push eax ; |Arg2
00487262 |. 6A 06 push 6 ; |Arg1 = 00000006
00487264 |. 8BC6 mov eax,esi ; |
00487266 |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
00487269 |. 8B17 mov edx,dword ptr ds:[edi] ; |
0048726B |. E8 FCF9FFFF call INS.00486C6C ; \INS.00486C6C
00487270 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00487273 |. 50 push eax ; /Arg3
00487274 |. 8B43 0C mov eax,dword ptr ds:[ebx+C] ; |
00487277 |. 05 92CC0C8F add eax,8F0CCC92 ; |
0048727C |. 50 push eax ; |Arg2
0048727D |. 6A 0A push 0A ; |Arg1 = 0000000A
0048727F |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
00487282 |. 8B0F mov ecx,dword ptr ds:[edi] ; |
00487284 |. 8B16 mov edx,dword ptr ds:[esi] ; |
00487286 |. E8 E1F9FFFF call INS.00486C6C ; \INS.00486C6C
0048728B |. 8B07 mov eax,dword ptr ds:[edi]
0048728D |. 50 push eax ; /Arg3
0048728E |. 8B43 28 mov eax,dword ptr ds:[ebx+28] ; |
00487291 |. 05 7DF4EFFF add eax,FFEFF47D ; |
00487296 |. 50 push eax ; |Arg2
00487297 |. 6A 0F push 0F ; |Arg1 = 0000000F
00487299 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
0048729C |. 8B0E mov ecx,dword ptr ds:[esi] ; |
0048729E |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
004872A1 |. E8 C6F9FFFF call INS.00486C6C ; \INS.00486C6C
004872A6 |. 8B06 mov eax,dword ptr ds:[esi]
004872A8 |. 50 push eax ; /Arg3
004872A9 |. 8B43 04 mov eax,dword ptr ds:[ebx+4] ; |
004872AC |. 05 D15D8485 add eax,85845DD1 ; |
004872B1 |. 50 push eax ; |Arg2
004872B2 |. 6A 15 push 15 ; |Arg1 = 00000015
004872B4 |. 8BC7 mov eax,edi ; |
004872B6 |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
004872B9 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
004872BC |. E8 ABF9FFFF call INS.00486C6C ; \INS.00486C6C
004872C1 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
004872C4 |. 50 push eax ; /Arg3
004872C5 |. 8B43 20 mov eax,dword ptr ds:[ebx+20] ; |
004872C8 |. 05 4F7EA86F add eax,6FA87E4F ; |
004872CD |. 50 push eax ; |Arg2
004872CE |. 6A 06 push 6 ; |Arg1 = 00000006
004872D0 |. 8BC6 mov eax,esi ; |
004872D2 |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
004872D5 |. 8B17 mov edx,dword ptr ds:[edi] ; |
004872D7 |. E8 90F9FFFF call INS.00486C6C ; \INS.00486C6C
004872DC |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004872DF |. 50 push eax ; /Arg3
004872E0 |. 8B43 3C mov eax,dword ptr ds:[ebx+3C] ; |
004872E3 |. 05 E0E62CFE add eax,FE2CE6E0 ; |
004872E8 |. 50 push eax ; |Arg2
004872E9 |. 6A 0A push 0A ; |Arg1 = 0000000A
004872EB |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
004872EE |. 8B0F mov ecx,dword ptr ds:[edi] ; |
004872F0 |. 8B16 mov edx,dword ptr ds:[esi] ; |
004872F2 |. E8 75F9FFFF call INS.00486C6C ; \INS.00486C6C
004872F7 |. 8B07 mov eax,dword ptr ds:[edi]
004872F9 |. 50 push eax ; /Arg3
004872FA |. 8B43 18 mov eax,dword ptr ds:[ebx+18] ; |
004872FD |. 05 144301A3 add eax,A3014314 ; |
00487302 |. 50 push eax ; |Arg2
00487303 |. 6A 0F push 0F ; |Arg1 = 0000000F
00487305 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
00487308 |. 8B0E mov ecx,dword ptr ds:[esi] ; |
0048730A |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
0048730D |. E8 5AF9FFFF call INS.00486C6C ; \INS.00486C6C
00487312 |. 8B06 mov eax,dword ptr ds:[esi]
00487314 |. 50 push eax ; /Arg3
00487315 |. 8B43 34 mov eax,dword ptr ds:[ebx+34] ; |
00487318 |. 05 A111084E add eax,4E0811A1 ; |
0048731D |. 50 push eax ; |Arg2
0048731E |. 6A 15 push 15 ; |Arg1 = 00000015
00487320 |. 8BC7 mov eax,edi ; |
00487322 |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
00487325 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
00487328 |. E8 3FF9FFFF call INS.00486C6C ; \INS.00486C6C
0048732D |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00487330 |. 50 push eax ; /Arg3
00487331 |. 8B43 10 mov eax,dword ptr ds:[ebx+10] ; |
00487334 |. 05 827E53F7 add eax,F7537E82 ; |
00487339 |. 50 push eax ; |Arg2
0048733A |. 6A 06 push 6 ; |Arg1 = 00000006
0048733C |. 8BC6 mov eax,esi ; |
0048733E |. 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; |
00487341 |. 8B17 mov edx,dword ptr ds:[edi] ; |
00487343 |. E8 24F9FFFF call INS.00486C6C ; \INS.00486C6C
00487348 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0048734B |. 50 push eax ; /Arg3
0048734C |. 8B43 2C mov eax,dword ptr ds:[ebx+2C] ; |
0048734F |. 05 35F23ABD add eax,BD3AF235 ; |
00487354 |. 50 push eax ; |Arg2
00487355 |. 6A 0A push 0A ; |Arg1 = 0000000A
00487357 |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
0048735A |. 8B0F mov ecx,dword ptr ds:[edi] ; |
0048735C |. 8B16 mov edx,dword ptr ds:[esi] ; |
0048735E |. E8 09F9FFFF call INS.00486C6C ; \INS.00486C6C
00487363 |. 8B07 mov eax,dword ptr ds:[edi]
00487365 |. 50 push eax ; /Arg3
00487366 |. 8B43 08 mov eax,dword ptr ds:[ebx+8] ; |
00487369 |. 05 BBD2D72A add eax,2AD7D2BB ; |
0048736E |. 50 push eax ; |Arg2
0048736F |. 6A 0F push 0F ; |Arg1 = 0000000F
00487371 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; |
00487374 |. 8B0E mov ecx,dword ptr ds:[esi] ; |
00487376 |. 8B55 EC mov edx,dword ptr ss:[ebp-14] ; |
00487379 |. E8 EEF8FFFF call INS.00486C6C ; \INS.00486C6C
0048737E |. 8B06 mov eax,dword ptr ds:[esi]
00487380 |. 50 push eax ; /Arg3
00487381 |. 8B43 24 mov eax,dword ptr ds:[ebx+24] ; |
00487384 |. 05 91D386EB add eax,EB86D391 ; |
00487389 |. 50 push eax ; |Arg2
0048738A |. 6A 15 push 15 ; |Arg1 = 00000015
0048738C |. 8BC7 mov eax,edi ; |
0048738E |. 8B4D EC mov ecx,dword ptr ss:[ebp-14] ; |
00487391 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
00487394 |. E8 D3F8FFFF call INS.00486C6C ; \INS.00486C6C
00487399 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048739C |. 8B16 mov edx,dword ptr ds:[esi]
0048739E |. 0110 add dword ptr ds:[eax],edx
004873A0 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004873A3 |. 8B17 mov edx,dword ptr ds:[edi]
004873A5 |. 0150 04 add dword ptr ds:[eax+4],edx
004873A8 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004873AB |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
004873AE |. 0150 08 add dword ptr ds:[eax+8],edx
004873B1 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004873B4 |. 8B55 EC mov edx,dword ptr ss:[ebp-14]
004873B7 |. 0150 0C add dword ptr ds:[eax+C],edx
004873BA |. 5F pop edi
004873BB |. 5E pop esi
004873BC |. 5B pop ebx
004873BD |. 8BE5 mov esp,ebp
004873BF |. 5D pop ebp
004873C0 \. C2 0400 retn 4
第一轮运算,下断处00486BC0:
00486BC0 /$ 55 push ebp ; MD5 round-1 step: [eax] = edx + rotl([eax] + F(edx,ecx,[ebp+10]) + [ebp+C], [ebp+8])
00486BC1 |. 8BEC mov ebp,esp ; contract: eax = &a, edx = b, ecx = c; stack [ebp+8] = rotation s, [ebp+C] = caller's word + round constant, [ebp+10] = d
00486BC3 |. 53 push ebx
00486BC4 |. 56 push esi
00486BC5 |. 8B5D 10 mov ebx,dword ptr ss:[ebp+10] ; ebx = d
00486BC8 |. 33CB xor ecx,ebx
00486BCA |. 23CA and ecx,edx
00486BCC |. 33D9 xor ebx,ecx ; ebx = d ^ (b & (c ^ d)) = F(b,c,d)
00486BCE |. 035D 0C add ebx,dword ptr ss:[ebp+C] ; + word + constant (the caller adds the constant before the push; the constants match RFC 1321's T table)
00486BD1 |. 0118 add dword ptr ds:[eax],ebx ; a += F + word + constant
00486BD3 |. 33C9 xor ecx,ecx
00486BD5 |. 8A4D 08 mov cl,byte ptr ss:[ebp+8] ; cl = s
00486BD8 |. 51 push ecx
00486BD9 |. B9 20000000 mov ecx,20
00486BDE |. 5B pop ebx
00486BDF |. 2BCB sub ecx,ebx ; ecx = 32 - s
00486BE1 |. 8B18 mov ebx,dword ptr ds:[eax]
00486BE3 |. D3EB shr ebx,cl ; a >> (32 - s)
00486BE5 |. 8A4D 08 mov cl,byte ptr ss:[ebp+8]
00486BE8 |. 8B30 mov esi,dword ptr ds:[eax]
00486BEA |. D3E6 shl esi,cl ; a << s
00486BEC |. 0BDE or ebx,esi ; = rotl(a, s), built from the two shifts
00486BEE |. 8918 mov dword ptr ds:[eax],ebx
00486BF0 |. 0110 add dword ptr ds:[eax],edx ; a += b
00486BF2 |. 5E pop esi
00486BF3 |. 5B pop ebx
00486BF4 |. 5D pop ebp
00486BF5 \. C2 0C00 retn 0C ; callee pops the three stack arguments
第二轮运算,下断处00486BF8:
00486BF8 /$ 55 push ebp ; MD5 round-2 step: [eax] = edx + rotl([eax] + G(edx,ecx,[ebp+10]) + [ebp+C], [ebp+8]); same register/stack contract as 00486BC0
00486BF9 |. 8BEC mov ebp,esp
00486BFB |. 53 push ebx
00486BFC |. 56 push esi
00486BFD |. 8B5D 08 mov ebx,dword ptr ss:[ebp+8] ; ebx = rotation s (5/9/14/20 at the call sites above)
00486C00 |. 8BF1 mov esi,ecx
00486C02 |. 33F2 xor esi,edx
00486C04 |. 2375 10 and esi,dword ptr ss:[ebp+10]
00486C07 |. 33CE xor ecx,esi ; ecx = c ^ (d & (b ^ c)) = G(b,c,d)
00486C09 |. 034D 0C add ecx,dword ptr ss:[ebp+C] ; + caller's word + round constant
00486C0C |. 0108 add dword ptr ds:[eax],ecx ; a += G + word + constant
00486C0E |. 33C9 xor ecx,ecx
00486C10 |. 8ACB mov cl,bl
00486C12 |. 51 push ecx
00486C13 |. B9 20000000 mov ecx,20
00486C18 |. 5E pop esi
00486C19 |. 2BCE sub ecx,esi ; ecx = 32 - s
00486C1B |. 8B30 mov esi,dword ptr ds:[eax]
00486C1D |. D3EE shr esi,cl ; a >> (32 - s)
00486C1F |. 8BCB mov ecx,ebx
00486C21 |. 8B18 mov ebx,dword ptr ds:[eax]
00486C23 |. D3E3 shl ebx,cl ; a << s
00486C25 |. 0BF3 or esi,ebx ; = rotl(a, s)
00486C27 |. 8930 mov dword ptr ds:[eax],esi
00486C29 |. 0110 add dword ptr ds:[eax],edx ; a += b
00486C2B |. 5E pop esi
00486C2C |. 5B pop ebx
00486C2D |. 5D pop ebp
00486C2E \. C2 0C00 retn 0C ; callee pops the three stack arguments
第三轮运算,下断处00486C34:
00486C34 /$ 55 push ebp ; MD5 round-3 step: [eax] = edx + rotl([eax] + H(edx,ecx,[ebp+10]) + [ebp+C], [ebp+8]); same contract as 00486BC0
00486C35 |. 8BEC mov ebp,esp
00486C37 |. 53 push ebx
00486C38 |. 56 push esi
00486C39 |. 8B5D 08 mov ebx,dword ptr ss:[ebp+8] ; ebx = rotation s (4/11/16/23 at the call sites above)
00486C3C |. 33CA xor ecx,edx
00486C3E |. 334D 10 xor ecx,dword ptr ss:[ebp+10] ; ecx = b ^ c ^ d = H(b,c,d)
00486C41 |. 034D 0C add ecx,dword ptr ss:[ebp+C] ; + caller's word + round constant
00486C44 |. 0108 add dword ptr ds:[eax],ecx ; a += H + word + constant
00486C46 |. 33C9 xor ecx,ecx
00486C48 |. 8ACB mov cl,bl
00486C4A |. 51 push ecx
00486C4B |. B9 20000000 mov ecx,20
00486C50 |. 5E pop esi
00486C51 |. 2BCE sub ecx,esi ; ecx = 32 - s
00486C53 |. 8B30 mov esi,dword ptr ds:[eax]
00486C55 |. D3EE shr esi,cl ; a >> (32 - s)
00486C57 |. 8BCB mov ecx,ebx
00486C59 |. 8B18 mov ebx,dword ptr ds:[eax]
00486C5B |. D3E3 shl ebx,cl ; a << s
00486C5D |. 0BF3 or esi,ebx ; = rotl(a, s)
00486C5F |. 8930 mov dword ptr ds:[eax],esi
00486C61 |. 0110 add dword ptr ds:[eax],edx ; a += b
00486C63 |. 5E pop esi
00486C64 |. 5B pop ebx
00486C65 |. 5D pop ebp
00486C66 \. C2 0C00 retn 0C ; callee pops the three stack arguments
第四轮运算,下断处00486C6C:
00486C6C /$ 55 push ebp ; MD5 round-4 step: [eax] = edx + rotl([eax] + I(edx,ecx,[ebp+10]) + [ebp+C], [ebp+8]); same contract as 00486BC0
00486C6D |. 8BEC mov ebp,esp
00486C6F |. 53 push ebx
00486C70 |. 56 push esi
00486C71 |. 8B5D 08 mov ebx,dword ptr ss:[ebp+8] ; ebx = rotation s (6/10/15/21 at the call sites above)
00486C74 |. 8B75 10 mov esi,dword ptr ss:[ebp+10] ; esi = d
00486C77 |. F7D6 not esi
00486C79 |. 0BF2 or esi,edx ; esi = b | ~d
00486C7B |. 33CE xor ecx,esi ; ecx = c ^ (b | ~d) = I(b,c,d)
00486C7D |. 034D 0C add ecx,dword ptr ss:[ebp+C] ; + caller's word + round constant
00486C80 |. 0108 add dword ptr ds:[eax],ecx ; a += I + word + constant
00486C82 |. 33C9 xor ecx,ecx
00486C84 |. 8ACB mov cl,bl
00486C86 |. 51 push ecx
00486C87 |. B9 20000000 mov ecx,20
00486C8C |. 5E pop esi
00486C8D |. 2BCE sub ecx,esi ; ecx = 32 - s
00486C8F |. 8B30 mov esi,dword ptr ds:[eax]
00486C91 |. D3EE shr esi,cl ; a >> (32 - s)
00486C93 |. 8BCB mov ecx,ebx
00486C95 |. 8B18 mov ebx,dword ptr ds:[eax]
00486C97 |. D3E3 shl ebx,cl ; a << s
00486C99 |. 0BF3 or esi,ebx ; = rotl(a, s)
00486C9B |. 8930 mov dword ptr ds:[eax],esi
00486C9D |. 0110 add dword ptr ds:[eax],edx ; a += b
00486C9F |. 5E pop esi
00486CA0 |. 5B pop ebx
00486CA1 |. 5D pop ebp
00486CA2 \. C2 0C00 retn 0C ; callee pops the three stack arguments; the caller folds a/b/c/d back into the state at 00487399
把 YYYYYYYY 变换为 32字节的 0-9/A-F 字节形如"2D9D13E987AD1FC9EA8B62261030F3AA"的序列,用于解密 源码压缩块:
先用待解密字节和解密序列中的对应字节 XOR,结果再和待解密字节的序号(从1开始计数)XOR,保存到原位置。
下断处:00487904
00487904 /$ 53 push ebx ; decode using the Part2 transform! In-place XOR unmasking: eax = context, edx = buffer, ecx = byte count
00487905 |. 56 push esi
00487906 |. 57 push edi
00487907 |. 51 push ecx
00487908 |. 891424 mov dword ptr ss:[esp],edx ; [esp] = buffer pointer
0048790B |. 8BD8 mov ebx,eax ; context: [ebx+4] key length, [ebx+8] key position, [ebx+C] byte counter, [ebx+10] key pointer
0048790D |. 8BF9 mov edi,ecx
0048790F |. 4F dec edi
00487910 |. 85FF test edi,edi
00487912 |. 7C 2A jl short INS.0048793E ; count <= 0 (signed): nothing to do
00487914 |. 47 inc edi ; edi = bytes remaining
00487915 |. 33F6 xor esi,esi ; esi = offset into the buffer
00487917 |> FF43 0C /inc dword ptr ds:[ebx+C] ; counter of bytes processed; not reset inside this routine
0048791A |. 8B43 10 |mov eax,dword ptr ds:[ebx+10]
0048791D |. 8B53 08 |mov edx,dword ptr ds:[ebx+8]
00487920 |. 8A1410 |mov dl,byte ptr ds:[eax+edx] ; dl = key[pos]
00487923 |. 8B0424 |mov eax,dword ptr ss:[esp]
00487926 |. 03C6 |add eax,esi ; eax = &buffer[esi]
00487928 |. 3210 |xor dl,byte ptr ds:[eax] ; byte to decode XOR one byte of the MD5 hex sequence
0048792A |. 3253 0C |xor dl,byte ptr ds:[ebx+C] ; previous result XOR index of the byte being decoded (counting from 1); only the low 8 bits of the counter take part
0048792D |. 8810 |mov byte ptr ds:[eax],dl ; store back in place
0048792F |. 8B43 08 |mov eax,dword ptr ds:[ebx+8]
00487932 |. 40 |inc eax
00487933 |. 99 |cdq
00487934 |. F77B 04 |idiv dword ptr ds:[ebx+4]
00487937 |. 8953 08 |mov dword ptr ds:[ebx+8],edx ; pos = (pos + 1) mod key length: the key is reused cyclically
0048793A |. 46 |inc esi
0048793B |. 4F |dec edi
0048793C |.^ 75 D9 \jnz short INS.00487917
0048793E |> 5A pop edx
0048793F |. 5F pop edi
00487940 |. 5E pop esi
00487941 |. 5B pop ebx
00487942 \. C3 retn
小结一下
--------
虽然可以构造密码,通过密码验证关,但安装源码的时候,源码是用 Part2 经变换后的结果加密压缩的,而对 Part2 的变换采用的是 MD5 算法,
所以,没有正确的 Part2,最终是不可爆破的!
第四部分:CRC32
===============
下断处:00465208,CRC32 计算入口
00465208 /$ 53 push ebx ; CRC-32 entry: eax = buffer, edx = length; returns the standard CRC-32 (register initialised to and finally XORed with 0xFFFFFFFF) in eax
00465209 |. 56 push esi
0046520A |. 8BF2 mov esi,edx
0046520C |. 8BD8 mov ebx,eax
0046520E |. 8BD3 mov edx,ebx ; edx = buffer
00465210 |. 8BCE mov ecx,esi ; ecx = length
00465212 |. 83C8 FF or eax,FFFFFFFF ; eax = initial register value
00465215 |. E8 9EFFFFFF call INS.004651B8 ; table-driven update, below
0046521A |. 83F0 FF xor eax,FFFFFFFF ; final inversion
0046521D |. 5E pop esi
0046521E |. 5B pop ebx
0046521F \. C3 retn
下断处:004651B8,计算 CRC32
004651B8 /$ 53 push ebx ; CRC-32 register update: eax = running register, edx = buffer, ecx = length; returns the updated register in eax
004651B9 |. 56 push esi
004651BA |. 57 push edi
004651BB |. 8BF1 mov esi,ecx ; esi = bytes remaining
004651BD |. 8BFA mov edi,edx ; edi = buffer
004651BF |. 8BD8 mov ebx,eax ; ebx = register
004651C1 |. 803D 007C4A00 >cmp byte ptr ds:[4A7C00],0 ; flag byte: table at 4A7C04 built yet?
004651C8 |. 75 0C jnz short INS.004651D6
004651CA |. E8 B5FFFFFF call INS.00465184 ; build it once
004651CF |. C605 007C4A00 >mov byte ptr ds:[4A7C00],1
004651D6 |> 8BC7 mov eax,edi ; eax = current byte pointer
004651D8 |. 85F6 test esi,esi
004651DA |. 74 26 je short INS.00465202 ; length 0: register unchanged
004651DC |> 8BD3 /mov edx,ebx
004651DE |. 81E2 FF000000 |and edx,0FF
004651E4 |. 33C9 |xor ecx,ecx
004651E6 |. 8A08 |mov cl,byte ptr ds:[eax]
004651E8 |. 66:33D1 |xor dx,cx ; index = (register & 0xFF) ^ byte
004651EB |. 0FB7D2 |movzx edx,dx
004651EE |. 8B1495 047C4A0>|mov edx,dword ptr ds:[edx*4+4A7C04] ; table[index]
004651F5 |. C1EB 08 |shr ebx,8
004651F8 |. 33D3 |xor edx,ebx ; register = (register >> 8) ^ table[index]
004651FA |. 8BDA |mov ebx,edx
004651FC |. 4E |dec esi
004651FD |. 40 |inc eax
004651FE |. 85F6 |test esi,esi
00465200 |.^ 75 DA \jnz short INS.004651DC
00465202 |> 8BC3 mov eax,ebx
00465204 |. 5F pop edi
00465205 |. 5E pop esi
00465206 |. 5B pop ebx
00465207 \. C3 retn
下断处:00465184,初始化 CRC32 常数表
00465184 /$ 56 push esi ; build the 256-entry CRC-32 table at 4A7C04 (reflected polynomial 0xEDB88320, identical to the C++ InitTable further down)
00465185 |. 33F6 xor esi,esi ; esi = table index i
00465187 |. B9 047C4A00 mov ecx,INS.004A7C04 ; ecx = &table[0]
0046518C |> 8BC6 /mov eax,esi ; eax = i
0046518E |. BA 08000000 |mov edx,8 ; eight shift steps per entry
00465193 |> A8 01 |/test al,1
00465195 |. 74 09 ||je short INS.004651A0
00465197 |. D1E8 ||shr eax,1
00465199 |. 35 2083B8ED ||xor eax,EDB88320 ; low bit set: shift, then XOR the polynomial
0046519E |. EB 02 ||jmp short INS.004651A2
004651A0 |> D1E8 ||shr eax,1 ; low bit clear: shift only
004651A2 |> 4A ||dec edx
004651A3 |.^ 75 EE |\jnz short INS.00465193
004651A5 |. 8901 |mov dword ptr ds:[ecx],eax ; table[i] = eax
004651A7 |. 46 |inc esi
004651A8 |. 83C1 04 |add ecx,4
004651AB |. 81FE 00010000 |cmp esi,100
004651B1 |.^ 75 D9 \jnz short INS.0046518C ; until i == 256
004651B3 |. 5E pop esi
004651B4 \. C3 retn
第五部分:终极解决
==================
任务: 找到Part2
要求: CRC32(Part2)=0x70EAF483
方法: CRC32 反射
满足条件的Part2很多,根据惯例,限定 Part2 为 A-F/0-9 8字节长的字符串,从 0xFFFF 开始递减反射后面四个字节,且每个字节必须在['0'-'9' OR 'A'-'F']范围之内,在 0xC442 的时候,得到反射 0xCC99,在 0x3A0F 的时候得到反射 0xE983,根据密码各部分之间的关系,
并验证,只有 C442CC99 符合要求!感谢POLAND人,没有使用其它e文字母,不然,$^#(!$()YZ_#$_!&...
于是,构造出 xxxxxGIS DK8 的安装密码:
19970419-C442CC99-E6CFE9DA
YANGTZE-C442CC99-512CCE18
......
[Part1: 可变]
[Part2: 固定]
[Part3: 计算]
第六部分: CRC32 相关代码
========================
1) AZMC_CRC32.h
#pragma once
// Byte-order helpers: the first argument becomes the HIGH half, the reverse of the
// Win32 MAKELONG/MAKEWORD (low, high) convention (presumably pulled in via StdAfx.h).
#define MakeLong(a,b) MAKELONG(b,a)
#define MakeWord(a,b) MAKEWORD(b,a)
// Table-driven CRC-32 (reflected polynomial 0xEDB88320, register initialised to and
// finally XORed with 0xFFFFFFFF -- the same parameters as the INS??.tmp routine at
// 00465208 above), plus byte-level helpers that run one 4-byte step of the register
// forwards (CRC32CAT) and backwards (CRC32RF).  CRC-32 is a linear checksum, not a
// MAC: the fact that CRC32RF exists is exactly why it cannot protect a value against
// deliberate modification.
class CAZMC_CRC32
{
public:
    CAZMC_CRC32(void);   // builds CRC32Table
    ~CAZMC_CRC32(void);
private:
    unsigned long CRC32Table[ 256 ];   // table[i] = i pushed through eight polynomial shift steps
    void InitTable();
public:
    // CRC-32 of `size` bytes at `data`.  NOTE: returns 0xFFFFFFFF (not the conventional 0)
    // for a null or empty buffer.
    unsigned long GetCRC32(unsigned char* data, unsigned long size);
    // Byte accessors on CRC32Table[x]: F = bits 31..24, G = 23..16, H = 15..8, I = 7..0;
    // RF is the inverse of F.  These are unrelated to the MD5 F/G/H/I round functions in
    // the disassembly above.
    unsigned char RF(unsigned char x);
    unsigned char F(unsigned char x);
    unsigned char G(unsigned char x);
    unsigned char H(unsigned char x);
    unsigned char I(unsigned char x);
    // One 4-byte CRC step forwards (the .cpp definitions name the parameters ABCD/abcd).
    unsigned long CRC32CAT(unsigned long CRC32Prev,unsigned long BytesToCat);
    // The same step solved backwards: given the register after the step and one of its
    // two 4-byte operands, returns the other.
    unsigned long CRC32RF(unsigned long WXYZ,unsigned long abcd );
};
2) AZMC_CRC32.cpp
#include "StdAfx.h"
#include ".\azmc_crc32.h"
// Fills CRC32Table so every other member can index it without further setup.
CAZMC_CRC32::CAZMC_CRC32(void)
{
    InitTable();
}
// Nothing to release: the table is an inline array member.
CAZMC_CRC32::~CAZMC_CRC32(void)
{
}
// Build the 256-entry lookup table for the reflected CRC-32 polynomial 0xEDB88320:
// entry idx is idx shifted right eight times, XORing the polynomial whenever the
// bit shifted out was set.
void CAZMC_CRC32::InitTable()
{
    for( unsigned long idx = 0; idx < 256; idx ++ )
    {
        unsigned long entry = idx;
        unsigned long steps = 8;
        while( steps -- )
        {
            entry = ( entry & 1 ) ? ( ( entry >> 1 ) ^ 0xEDB88320 ) : ( entry >> 1 );
        }
        CRC32Table[ idx ] = entry;
    }
}
// Standard table-driven CRC-32 of `size` bytes at `data`: register starts at
// 0xFFFFFFFF, each byte indexes the table by (register ^ byte) & 0xFF, and the
// result is the register XOR 0xFFFFFFFF.
// NOTE: a null pointer or size 0 returns 0xFFFFFFFF, not the conventional 0.
unsigned long CAZMC_CRC32::GetCRC32(unsigned char* data, unsigned long size)
{
    if( data == 0 || size == 0 ) return 0xFFFFFFFF;
    unsigned long crc = 0xFFFFFFFF;
    for( unsigned long i = 0; i < size; i ++ )
    {
        crc = ( crc >> 8 ) ^ CRC32Table[ ( crc ^ data[ i ] ) & 0xFF ];
    }
    return crc ^ 0xFFFFFFFF;
}
// ==================================================================================
// 1.CRC32 of String1: ABCD
// 2.String2
// 3.CRC32 of String1+String2
// 4.WXYZ = ABCD + CRC32( string2 )
// ==================================================================================
unsigned long CAZMC_CRC32::CRC32CAT(unsigned long ABCD,unsigned long abcd)
{
    // Feeds the four bytes of abcd (a = most significant) through the raw CRC-32
    // register ABCD one at a time -- the same update GetCRC32's loop performs --
    // but with every table entry split into its bytes (F/G/H/I) so the dependency
    // of each output byte on each input byte is written out explicitly.
    // ABCD is the register WITHOUT the final inversion; the result is returned
    // WITH it (the trailing ^ 0xFFFFFFFF), i.e. as a finished CRC-32 value.
    unsigned char p,o,n,m,a,b,c,d,W,X,Y,Z,A,B,C,D;
    A = HIBYTE( HIWORD( ABCD ) );
    B = LOBYTE( HIWORD( ABCD ) );
    C = HIBYTE( LOWORD( ABCD ) );
    D = LOBYTE( LOWORD( ABCD ) );
    a = HIBYTE( HIWORD( abcd ) );
    b = LOBYTE( HIWORD( abcd ) );
    c = HIBYTE( LOWORD( abcd ) );
    d = LOBYTE( LOWORD( abcd ) );
    // m, n, o, p: the successive table indices, each = (register low byte) ^ (next input byte),
    // where the register low byte after a step is the previous byte shifted down XOR I() of the index.
    m = d ^ D;
    n = c ^ C ^ I( m );
    o = b ^ B ^ H( m ) ^ I( n );
    p = a ^ A ^ G( m ) ^ H( n ) ^ I( o );
    // W..Z: bytes of the register after the fourth byte, most significant first.
    W = F( p );
    X = F( o ) ^ G( p );
    Y = F( n ) ^ G( o ) ^ H( p );
    Z = F( m ) ^ G( n ) ^ H( o ) ^ I( p );
    // MakeLong/MakeWord put their first argument in the high half, so W lands in bits 31..24.
    return 0xFFFFFFFF ^ ( MakeLong( MakeWord( W,X ),MakeWord( Y,Z ) ) );
}
// ==================================================================================
// 1.CRC32 of String1+String2: WXYZ
// 2.CRC32 of String2
// 3.CRC32 of String1
// 4.ABCD = WXYZ - CRC32( abcd )
// ==================================================================================
unsigned long CAZMC_CRC32::CRC32RF(unsigned long WXYZ,unsigned long abcd )
{
    // Inverse of CRC32CAT for one 4-byte step.  WXYZ is the raw register after the
    // four bytes were fed (the caller in section 3 passes CRC ^ 0xFFFFFFFF to undo
    // the final inversion), abcd is one of the step's two 4-byte operands, and the
    // return value is the other one, as a raw 32-bit value (no inversion applied).
    // Because each index in CRC32CAT is formed by XORing a register byte with an
    // input byte, the "register before" and the "input bytes" are interchangeable
    // here: passing the earlier register as abcd yields the input bytes.
    unsigned char p,o,n,m,a,b,c,d,W,X,Y,Z,A,B,C,D;
    W = HIBYTE( HIWORD( WXYZ ) );
    X = LOBYTE( HIWORD( WXYZ ) );
    Y = HIBYTE( LOWORD( WXYZ ) );
    Z = LOBYTE( LOWORD( WXYZ ) );
    a = HIBYTE( HIWORD( abcd ) );
    b = LOBYTE( HIWORD( abcd ) );
    c = HIBYTE( LOWORD( abcd ) );
    d = LOBYTE( LOWORD( abcd ) );
    // W depends only on the last index (W = F(p) in CRC32CAT), so RF() recovers p
    // from it; the earlier indices follow by peeling off the known G/H/I terms.
    p = RF( W );
    o = RF( X ^ G( p ) );
    n = RF( Y ^ G( o ) ^ H( p ) );
    m = RF( Z ^ G( n ) ^ H( o ) ^ I( p ) );
    // With all four indices known, solve CRC32CAT's index equations for the other operand.
    D = m ^ d;
    C = n ^ c ^ I( m );
    B = o ^ b ^ H( m ) ^ I( n );
    A = p ^ a ^ G( m ) ^ H( n ) ^ I( o );
    return MakeLong( MakeWord( A,B ),MakeWord( C,D ) );
}
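// Inverse of F(): the table index whose entry has high byte x.  For a correctly
// built CRC-32 table the high bytes of the 256 entries are all distinct, so a
// match always exists; if one did not, 0 is returned.
// The counter is int-width on purpose: with `unsigned char j`, `j <= 0xFF` is
// always true, so a miss would wrap j to 0 and loop forever.
unsigned char CAZMC_CRC32::RF(unsigned char x)
{
    unsigned j;
    for( j = 0; j <= 0xFF; j ++ )
    {
        if( HIBYTE( HIWORD( CRC32Table[ j ] ) ) == x ) break;
    }
    return ( unsigned char )j;
}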
// Bits 31..24 of CRC32Table[x].
unsigned char CAZMC_CRC32::F(unsigned char x)
{
    return ( unsigned char )( CRC32Table[ x ] >> 24 );
}
// Bits 23..16 of CRC32Table[x].
unsigned char CAZMC_CRC32::G(unsigned char x)
{
    return ( unsigned char )( CRC32Table[ x ] >> 16 );
}
// Bits 15..8 of CRC32Table[x].
unsigned char CAZMC_CRC32::H( unsigned char x )
{
    return ( unsigned char )( CRC32Table[ x ] >> 8 );
}
// Bits 7..0 of CRC32Table[x].
unsigned char CAZMC_CRC32::I(unsigned char x)
{
    return ( unsigned char )( CRC32Table[ x ] );
}
3) CRC32 反射
m_Counter = 0xFFFF // starting value of the member counter decremented at the bottom (printed as an annotation, not a statement)
// Fragment of an MFC dialog timer handler (the enclosing function is not shown):
// one candidate per call, formatted as four hex digits, combined with the four bytes
// CRC32RF derives for the 0x70EAF483 target, and listed when all four derived bytes
// are themselves hex digits.
CString str;
str.Format("%04X",m_Counter);
char data[50];
lstrcpy(data,str);
unsigned long CRC32_1 = m_objCRC32.GetCRC32( (unsigned char*)data,4 ); // CRC-32 of the 4-character prefix
// Both operands are XORed with 0xFFFFFFFF because CRC32RF works on the raw register,
// while GetCRC32 and the target value carry the final inversion.
unsigned long x = m_objCRC32.CRC32RF( 0x70EAF483 ^ 0xFFFFFFFF,CRC32_1 ^ 0xFFFFFFFF );
CString str2;
str2.Format("%08X",x);
str +="---";
str += str2;
CEdit* pEdit = (CEdit*)GetDlgItem(IDC_EDIT_CURRENT);
pEdit->SetWindowText( str );
unsigned char* p = ( unsigned char* )&x; // byte-wise view of x (on x86, p[0] is the least significant byte)
// Accept only when every byte of x is an ASCII '0'-'9' or 'A'-'F'.
if( ( ( ( *p >= '0' && *p <= '9' ) || ( *p >= 'A' && *p <= 'F' ) )
&& ( ( *(p+1) >= '0' && *(p+1) <= '9' ) || ( *(p+1) >= 'A' && *(p+1) <= 'F' ) )
&& ( ( *(p+2) >= '0' && *(p+2) <= '9' ) || ( *(p+2) >= 'A' && *(p+2) <= 'F' ) )
&& ( ( *(p+3) >= '0' && *(p+3) <= '9' ) || ( *(p+3) >= 'A' && *(p+3) <= 'F' ) ) )
)
{
CListBox* pListBox = ( CListBox* )GetDlgItem(IDC_LIST_70EAF483);
pListBox->AddString(str);
}
if( m_Counter == 0 ) OnBnClickedButtonEndtimer(); // last candidate reached: stop the timer
m_Counter--;
4) 注册机 KeyGen.cpp
#include "stdafx.h"
#include "AZMC_CRC32.h"
#include <conio.h>
// Console front end for the scheme described in section 5: Part1 (user name, upper-cased),
// the fixed Part2, then Part3 computed as the chained CRC-32 shown below.
// Depends on the MSVC CRT (_tmain, strupr) and conio.h (getch); not portable as written.
int _tmain(int argc, _TCHAR* argv[])
{
    CAZMC_CRC32 objCRC32;
    char str[1024];
    char strtmp[1024];
    char strKey[1024];
    unsigned long x;
    printf("\r\nKeyGen for xxxxxGIS DK8 - AZMC.13 - 2006.05.04\r\n\r\n");
    printf("Please input your name(0-9/a-z/A-Z):");
    scanf("%32s",str);   // width 32 keeps the input well inside the 1024-byte buffers below
    strupr(str);         // in-place upper-casing (MSVC CRT)
    strcat(str,"-C442CC99");
    strcpy(strKey,str);
    x=objCRC32.GetCRC32((unsigned char*)str,strlen(str));   // CRC-32 of "PART1-PART2"
    sprintf(strtmp,"-%X",x);                                 // no width: a leading zero nibble prints shorter
    strcat(str,strtmp);
    x=objCRC32.GetCRC32((unsigned char*)str,strlen(str));   // CRC-32 of the previous string with the first CRC appended
    sprintf(strtmp,"-%X",x);
    strcat(strKey,strtmp);                                   // Part3 = the second CRC
    printf("\r\nThe key is: %s\r\n",strKey);
    printf("\r\n\r\nPress any key to exit...\r\n");
    getch();
    return 0;
}
第七部分: ^#$(@($&!@()
======================
1) 弄一车兵器,不是杀人手段;我有寸铁,便可杀人。
2) 放下屠刀,立地成佛;成佛之后,杀人便不见血。
3) 如果使用 Part1,作为源码安装时的 MD5 输入信息,我会不会很郁闷?
4) 给可爱的波兰人致敬!
5) 最后的总结陈述:
xxxxxGIS.EXE ---> CRC32 校验关键数据 ---> 生成安装进程 INS??.tmp ---> 等待 INS??.tmp 进程结束。
|
|
INS??.tmp
|
+---> CRC32 校验关键数据
|
+---> 要求输入密码: XXXXXXXX-YYYYYYYY-ZZZZZZZZ
|
+---> 验证密码 CRC32(YYYYYYYY) = 0x70EAF483 ? 不等,Game over.
|
+---> 根据 XXXXXXXX-YYYYYYYY 计算 Part3,并和原始输入比较,不同,Game over.
|
+---> 安装源码,重新获取 Part2,YYYYYYYY
|
+---> Ret = MD5(YYYYYYYY)
|
+---> 使用 Ret 解密源码数据
|
+---> YYYYYYYY 不正确,Game over.
第八部分: 你以为是天龙八部哦?没了。
附注:文中 CRC32 部分代码来自网络上相关文章,特别是那个 CRC32反射代码,衷心感谢作者!谢谢!
==========================================================================================