xxxxxGIS DK8 - 开发包安装密码破解手记-软件逆向-看雪-安全社区|安全招聘|kanxue.com

xxxxxGIS DK8 - 开发包安装密码破解手记

发表于: 2006-5-23 09:35 9566

xxxxxGIS DK8 - 开发包安装密码破解手记

AZMC

2006-5-23 09:35

9566

******************************
* - xxxxxGIS DK8 破解手记 *
* - by AZMC.13             *
* - 2006.05                *
******************************

第零部分：磨刀
==============

1) 使用 PEInfo/PEScan/ASProtect/UPXShell 等工具，查看 xxxxxGIS.EXE 相关加壳、开发工具等信息，没有
加壳，使用 Delphi 开发。

2) 使用Delphi反汇编工具 DeDe，反汇编 xxxxxGIS.EXE,查看关键 API 的引用情况。

3) 使用 OllyDebug 调试工具开膛破肚。

4) 准备 CryptTool，用于各种加密算法的验证。

5) 启动 Windows 任务管理器,记录当前进程；然后，启动 xxxxxGIS.EXE，发现，任务管理器列表里面多了两个进程：xxxxxGIS.EXE
和 INS??.tmp，然后，退出安装，这两个进程消失，这说明，xxxxxGIS 的安装是双进程安装过程。

第一部分: 概述
==============

xxxxxGIS DK8 的安装过程如下：运行 xxxxxGIS.exe 安装程序，在系统当前用户的临时目录(例如 C:\Documents and Settings\
Dou Dou\Local Settings\Temp)，生成一个辅助安装程序INS??.tmp,然后，使用 Windows API CreateProcess 按下列命令行格式
创建辅助安装进程:
"C:\DOCUME~1\AZITHR~1\LOCALS~1\Temp\INS51.tmp /SL3 $D600E6 D:\xTemp\xxxxxGIS\xxxxxGIS.exe 6968069 6971485 78336 ",
xxxxxGIS 进程等待/守护 INS??.tmp 结束并清理现场退出。

xxxxxGIS 中下断处:0040E40C,可以查看创建安装进程的详细信息:

0040E40C |.  50          push eax                            ; |CommandLine,创建实际的安装进程：INS??.tmp
0040E40D |.  6A 00       push 0                            ; |ModuleFileName = NULL
0040E40F |.  E8 746AFFFF call <jmp.&kernel32.CreateProcessA>  ; \CreateProcessA
0040E414 |.  85C0          test eax,eax
0040E416 |.  75 07       jnz short xxxxxGIS.0040E41F

安装进程 INS51.tmp 命令行参数说明:

/SL3 -------- 在 INS?? 安装进程中,用于比较验证,仅此而已
$D600E6 ----- 可变,在 INS?? 安装进程中,转换成16进制数字后0xD600E6,没看到什么用途,希望不是什么暗桩:(
6968069 ----- 安装提示信息压缩块,在 xxxxxGIS.exe 中的偏移
6971485 ----- 安装界面信息压缩块,在 xxxxxGIS.exe 中的偏移
78336 ------- xxxxxGIS DK8 源码压缩块,在 xxxxxGIS.exe 中的偏移

第二部分:INS??.tmp 安装进程
===========================

在 OllyDebug 中,以上述命令行形式,直接加载 INS??.tmp 进程,下断列表如下:

下断处:0048BE00

0048BE00 /.  55          push ebp                            ;  安装向导 [下一步] 处理入口
0048BE01 |.  8BEC          mov ebp,esp
0048BE03 |.  83C4 EC       add esp,-14
0048BE06 |.  53          push ebx
0048BE07 |.  8945 FC       mov dword ptr ss:[ebp-4],eax
0048BE0A |.  8D5D FC       lea ebx,dword ptr ss:[ebp-4]
0048BE0D |.  8B03          mov eax,dword ptr ds:[ebx]
0048BE0F |.  8A80 00040000  mov al,byte ptr ds:[eax+400]
0048BE15 |.  2C 02       sub al,2                            ;  Switch (cases 2..6)
0048BE17 |.  74 0E       je short INS.0048BE27
0048BE19 |.  2C 02       sub al,2
0048BE1B |.  74 1B       je short INS.0048BE38
0048BE1D |.  FEC8          dec al
0048BE1F |.  74 28       je short INS.0048BE49
0048BE21 |.  FEC8          dec al
0048BE23 |.  74 35       je short INS.0048BE5A
0048BE25 |.  EB 42       jmp short INS.0048BE69
0048BE27 |>  55          push ebp                            ;  Case 2 of switch 0048BE15
0048BE28 |.  E8 97F5FFFF call INS.0048B3C4                   ;  输入密码后，按 [下一步] 处理入口
0048BE2D |.  59          pop ecx
0048BE2E |.  84C0          test al,al
0048BE30 |.  0F84 06010000  je INS.0048BF3C
0048BE36 |.  EB 31       jmp short INS.0048BE69
0048BE38 |>  55          push ebp                            ;  Case 4 of switch 0048BE15
0048BE39 |.  E8 9AF8FFFF call INS.0048B6D8
0048BE3E |.  59          pop ecx
0048BE3F |.  84C0          test al,al
0048BE41 |.  0F84 F5000000  je INS.0048BF3C

下断处:0048B3C4

0048B3C4 /$  55          push ebp                            ;  密码处理入口
0048B3C5 |.  8BEC          mov ebp,esp
0048B3C7 |.  83C4 E8       add esp,-18
0048B3CA |.  53          push ebx
0048B3CB |.  56          push esi
0048B3CC |.  33C0          xor eax,eax
0048B3CE |.  8945 F8       mov dword ptr ss:[ebp-8],eax
0048B3D1 |.  8945 FC       mov dword ptr ss:[ebp-4],eax
0048B3D4 |.  33C0          xor eax,eax
0048B3D6 |.  55          push ebp
0048B3D7 |.  68 44B54800 push INS.0048B544
0048B3DC |.  64:FF30       push dword ptr fs:[eax]
0048B3DF |.  64:8920       mov dword ptr fs:[eax],esp
0048B3E2 |.  33DB          xor ebx,ebx
0048B3E4 |.  8D55 F8       lea edx,dword ptr ss:[ebp-8]
0048B3E7 |.  8B45 08       mov eax,dword ptr ss:[ebp+8]
0048B3EA |.  8B40 FC       mov eax,dword ptr ds:[eax-4]
0048B3ED |.  8B80 34030000  mov eax,dword ptr ds:[eax+334]
0048B3F3 |.  E8 905FFBFF call INS.00441388                   ;  获取输入的密码
0048B3F8 |.  8B55 F8       mov edx,dword ptr ss:[ebp-8]       ;  密码
0048B3FB |.  A1 D85F4A00 mov eax,dword ptr ds:[4A5FD8]
0048B400 |.  E8 5B9BF7FF call INS.00404F60
0048B405 |.  8D55 FC       lea edx,dword ptr ss:[ebp-4]
0048B408 |.  A1 D85F4A00 mov eax,dword ptr ds:[4A5FD8]
0048B40D |.  8B00          mov eax,dword ptr ds:[eax]
0048B40F |.  E8 FCC1FFFF call INS.00487610
0048B414 |.  A1 28614A00 mov eax,dword ptr ds:[4A6128]
0048B419    F680 DD000000 >test byte ptr ds:[eax+DD],40
0048B420 |.  74 42       je short INS.0048B464
0048B422 |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]       ;  Part1-Part2-Part3: Part2
0048B425 |.  E8 A29DF7FF call INS.004051CC
0048B42A |.  50          push eax
0048B42B |.  8D45 FC       lea eax,dword ptr ss:[ebp-4]
0048B42E |.  E8 F19FF7FF call INS.00405424
0048B433 |.  5A          pop edx
0048B434 |.  E8 CF9DFDFF call INS.00465208                   ;  计算 Part2 的 CRC32
0048B439 |.  8B15 28614A00  mov edx,dword ptr ds:[4A6128]       ;  INS.004A8738
0048B43F |.  3B82 CC000000  cmp eax,dword ptr ds:[edx+CC]       ;  Part2 的CRC32 与 [4A8804] 处70EAF483比较,70EAF483
0048B445 |.  0F94C3       sete bl
0048B448 |.  84DB          test bl,bl
0048B44A |.  74 10       je short INS.0048B45C             ;  如果不同，则转走，完蛋！
0048B44C |.  A1 D85F4A00 mov eax,dword ptr ds:[4A5FD8]
0048B451 |.  8B00          mov eax,dword ptr ds:[eax]          ;  输入的密码
0048B453 |.  E8 3CC2FFFF call INS.00487694                   ;  校验密码入口
0048B458 |.  84C0          test al,al

下断处:00487694

00487694 /$  55          push ebp
00487695 |.  8BEC          mov ebp,esp
00487697 |.  B9 05000000 mov ecx,5
0048769C |>  6A 00       /push 0
0048769E |.  6A 00       |push 0
004876A0 |.  49          |dec ecx
004876A1 |.^ 75 F9       \jnz short INS.0048769C
004876A3 |.  51          push ecx
004876A4 |.  53          push ebx
004876A5 |.  8BD8          mov ebx,eax
004876A7 |.  33C0          xor eax,eax
004876A9 |.  55          push ebp
004876AA |.  68 29784800 push INS.00487829
004876AF |.  64:FF30       push dword ptr fs:[eax]
004876B2 |.  64:8920       mov dword ptr fs:[eax],esp
004876B5 |.  B2 01       mov dl,1
004876B7 |.  A1 E8714100 mov eax,dword ptr ds:[4171E8]
004876BC |.  E8 E3CAF7FF call INS.004041A4
004876C1 |.  8945 F4       mov dword ptr ss:[ebp-C],eax
004876C4 |.  33C0          xor eax,eax
004876C6 |.  55          push ebp
004876C7 |.  68 FF774800 push INS.004877FF
004876CC |.  64:FF30       push dword ptr fs:[eax]
004876CF |.  64:8920       mov dword ptr fs:[eax],esp
004876D2 |.  8D55 E4       lea edx,dword ptr ss:[ebp-1C]
004876D5 |.  8BC3          mov eax,ebx
004876D7 |.  E8 241BF8FF call INS.00409200
004876DC |.  8B45 E4       mov eax,dword ptr ss:[ebp-1C]
004876DF |.  8D55 F8       lea edx,dword ptr ss:[ebp-8]
004876E2 |.  E8 C918F8FF call INS.00408FB0
004876E7 |.  B2 2D       mov dl,2D
004876E9 |.  8B45 F4       mov eax,dword ptr ss:[ebp-C]
004876EC |.  E8 8334F9FF call INS.0041AB74
004876F1 |.  8B55 F8       mov edx,dword ptr ss:[ebp-8]
004876F4 |.  8B45 F4       mov eax,dword ptr ss:[ebp-C]
004876F7 |.  E8 E832F9FF call INS.0041A9E4
004876FC |.  8B45 F4       mov eax,dword ptr ss:[ebp-C]
004876FF |.  8B10          mov edx,dword ptr ds:[eax]
00487701 |.  FF52 14       call dword ptr ds:[edx+14]
00487704 |.  83F8 03       cmp eax,3
00487707 |.  0F85 D8000000  jnz INS.004877E5
0048770D |.  8D4D E0       lea ecx,dword ptr ss:[ebp-20]
00487710 |.  33D2          xor edx,edx
00487712 |.  8B45 F4       mov eax,dword ptr ss:[ebp-C]
00487715 |.  8B18          mov ebx,dword ptr ds:[eax]
00487717 |.  FF53 0C       call dword ptr ds:[ebx+C]
0048771A |.  FF75 E0       push dword ptr ss:[ebp-20]
0048771D |.  68 40784800 push INS.00487840
00487722 |.  8D4D DC       lea ecx,dword ptr ss:[ebp-24]
00487725 |.  BA 01000000 mov edx,1
0048772A |.  8B45 F4       mov eax,dword ptr ss:[ebp-C]
0048772D |.  8B18          mov ebx,dword ptr ds:[eax]
0048772F |.  FF53 0C       call dword ptr ds:[ebx+C]
00487732 |.  FF75 DC       push dword ptr ss:[ebp-24]
00487735 |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]
00487738 |.  BA 03000000 mov edx,3
0048773D |.  E8 4ADBF7FF call INS.0040528C
00487742 |.  8D45 E8       lea eax,dword ptr ss:[ebp-18]
00487745 |.  50          push eax
00487746 |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
00487749 |.  E8 7EDAF7FF call INS.004051CC
0048774E |.  50          push eax
0048774F |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]
00487752 |.  E8 CDDCF7FF call INS.00405424
00487757 |.  5A          pop edx                            ;  计算 Part1-Part2 的 CRC32
00487758 |.  E8 ABDAFDFF call INS.00465208
0048775D |.  8945 D4       mov dword ptr ss:[ebp-2C],eax       ; |
00487760 |.  C645 D8 00    mov byte ptr ss:[ebp-28],0          ; |
00487764 |.  8D55 D4       lea edx,dword ptr ss:[ebp-2C]       ; |
00487767 |.  33C9          xor ecx,ecx                         ; |
00487769 |.  B8 4C784800 mov eax,INS.0048784C                ; |ASCII "%X"
0048776E |.  E8 D535F8FF call INS.0040AD48                   ; \INS.0040AD48
00487773 |.  FF75 F0       push dword ptr ss:[ebp-10]
00487776 |.  68 40784800 push INS.00487840
0048777B |.  FF75 E8       push dword ptr ss:[ebp-18]
0048777E |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]
00487781 |.  BA 03000000 mov edx,3
00487786 |.  E8 01DBF7FF call INS.0040528C
0048778B |.  8D45 E8       lea eax,dword ptr ss:[ebp-18]
0048778E |.  50          push eax
0048778F |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
00487792 |.  E8 35DAF7FF call INS.004051CC
00487797 |.  50          push eax
00487798 |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]
0048779B |.  E8 84DCF7FF call INS.00405424
004877A0 |.  5A          pop edx                            ;  计算 Part1-Part2-CRC32(Part1-Part2) 的 CRC32
004877A1 |.  E8 62DAFDFF call INS.00465208
004877A6 |.  8945 D4       mov dword ptr ss:[ebp-2C],eax       ; |
004877A9 |.  C645 D8 00    mov byte ptr ss:[ebp-28],0          ; |
004877AD |.  8D55 D4       lea edx,dword ptr ss:[ebp-2C]       ; |
004877B0 |.  33C9          xor ecx,ecx                         ; |
004877B2 |.  B8 4C784800 mov eax,INS.0048784C                ; |ASCII "%X"
004877B7 |.  E8 8C35F8FF call INS.0040AD48                   ; \INS.0040AD48
004877BC |.  FF75 F0       push dword ptr ss:[ebp-10]
004877BF |.  68 40784800 push INS.00487840
004877C4 |.  FF75 E8       push dword ptr ss:[ebp-18]
004877C7 |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]
004877CA |.  BA 03000000 mov edx,3
004877CF |.  E8 B8DAF7FF call INS.0040528C
004877D4 |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]       ;  Part1-Part2-CRC32(Part1-Part2-CRC32(Part1-Part2))
004877D7 |.  8B55 F8       mov edx,dword ptr ss:[ebp-8]       ;  Part1-Part2-Part3
004877DA |.  E8 39DBF7FF call INS.00405318                   ;  计算出的密码和原始输入的密码逐一比较,不等就死翘翘
004877DF |.  0F9445 FF    sete byte ptr ss:[ebp-1]
004877E3 |.  EB 04       jmp short INS.004877E9
004877E5 |>  C645 FF 00    mov byte ptr ss:[ebp-1],0
004877E9 |>  33C0          xor eax,eax
004877EB |.  5A          pop edx
004877EC |.  59          pop ecx
004877ED |.  59          pop ecx
004877EE |.  64:8910       mov dword ptr fs:[eax],edx
004877F1 |.  68 06784800 push INS.00487806
004877F6 |>  8B45 F4       mov eax,dword ptr ss:[ebp-C]
004877F9 |.  E8 D6C9F7FF call INS.004041D4
004877FE \.  C3          retn

小结一下
--------

1) 密码形式:
XXXXXXXX-YYYYYYYY-ZZZZZZZZ
Part1:XXXXXXXX - 大写字母/数字,任意长度,也不要太长哦,按习惯输入8个足够了
Part2:YYYYYYYY - A-F/0-9,长度8字节
Part3:ZZZZZZZZ - A-F/0-9,长度8字节

2) 各部分关系及要求:
输入 XXXXXXXX-YYYYYYYY-ZZZZZZZZ
CRC32(YYYYYYYY) 必须等于 0x70EAF483
SSSSSSSS = CRC32(XXXXXXXX-YYYYYYYY)
TTTTTTTT = CRC32(XXXXXXXX-YYYYYYYY-SSSSSSSS)
XXXXXXXX-YYYYYYYY-TTTTTTTT 和 XXXXXXXX-YYYYYYYY-ZZZZZZZZ 比较，必须相等
也就是说：ZZZZZZZZ = CRC32(XXXXXXXX-YYYYYYYY-CRC32(XXXXXXXX-YYYYYYYY))
[注意: CRC32 值高位为0的情况,比如 0x0nnnnnnn,转换成字符串是 nnnnnnn,不是 0nnnnnnn]

第三部分：安装源码时的密码再次验证
==================================

安装源码时，再次获取密码的第二部分Part2:YYYYYYYY,并进行 MD5 变换，获取"2D9D13E987AD1FC9EA8B62261030F3AA"形式的 MD5 算法
变换后的字符串。

下断处:00487508

00487508 /$  55          push ebp                            ;  HAHA！解密源码，Part2 密码变换处！结果用于解密！
00487509 |.  8BEC          mov ebp,esp
0048750B |.  51          push ecx
0048750C |.  53          push ebx
0048750D |.  8BDA          mov ebx,edx
0048750F |.  8945 FC       mov dword ptr ss:[ebp-4],eax
00487512 |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
00487515 |.  E8 A2DEF7FF call INS.004053BC                   ;  LStrAddRef
0048751A |.  33C0          xor eax,eax
0048751C |.  55          push ebp
0048751D |.  68 57754800 push INS.00487557
00487522 |.  64:FF30       push dword ptr fs:[eax]
00487525 |.  64:8920       mov dword ptr fs:[eax],esp
00487528 |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
0048752B |.  E8 9CDCF7FF call INS.004051CC                   ;  Length of Part2
00487530 |.  50          push eax
00487531 |.  8D45 FC       lea eax,dword ptr ss:[ebp-4]
00487534 |.  E8 EBDEF7FF call INS.00405424
00487539 |.  8BCB          mov ecx,ebx
0048753B |.  5A          pop edx
0048753C |.  E8 1BFFFFFF call INS.0048745C
00487541 |.  33C0          xor eax,eax
00487543 |.  5A          pop edx
00487544 |.  59          pop ecx
00487545 |.  59          pop ecx
00487546 |.  64:8910       mov dword ptr fs:[eax],edx
00487549 |.  68 5E754800 push INS.0048755E
0048754E |>  8D45 FC       lea eax,dword ptr ss:[ebp-4]
00487551 |.  E8 B6D9F7FF call INS.00404F0C
00487556 \.  C3          retn

下断处0048745C:

0048745C /$  55          push ebp
0048745D |.  8BEC          mov ebp,esp
0048745F |.  83C4 90       add esp,-70
00487462 |.  53          push ebx
00487463 |.  56          push esi
00487464 |.  57          push edi
00487465 |.  33DB          xor ebx,ebx
00487467 |.  895D 90       mov dword ptr ss:[ebp-70],ebx
0048746A |.  894D FC       mov dword ptr ss:[ebp-4],ecx
0048746D |.  8BFA          mov edi,edx
0048746F |.  8BF0          mov esi,eax
00487471 |.  33C0          xor eax,eax
00487473 |.  55          push ebp
00487474 |.  68 F8744800 push INS.004874F8
00487479 |.  64:FF30       push dword ptr fs:[eax]
0048747C |.  64:8920       mov dword ptr fs:[eax],esp
0048747F |.  33DB          xor ebx,ebx
00487481 |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]
00487484 |>  8BD3          /mov edx,ebx
00487486 |.  42          |inc edx
00487487 |.  8810          |mov byte ptr ds:[eax],dl
00487489 |.  43          |inc ebx
0048748A |.  40          |inc eax
0048748B |.  83FB 10       |cmp ebx,10
0048748E |.^ 75 F4       \jnz short INS.00487484
00487490 |.  8D45 94       lea eax,dword ptr ss:[ebp-6C]
00487493 |.  E8 74F5FFFF call INS.00486A0C
00487498 |.  8D45 94       lea eax,dword ptr ss:[ebp-6C]
0048749B |.  8BCF          mov ecx,edi
0048749D |.  8BD6          mov edx,esi
0048749F |.  E8 20FFFFFF call INS.004873C4                   ;  开始变换
004874A4 |.  8D55 94       lea edx,dword ptr ss:[ebp-6C]
004874A7 |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]
004874AA |.  E8 59F6FFFF call INS.00486B08
004874AF |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004874B2 |.  E8 55DAF7FF call INS.00404F0C
004874B7 |.  BB 10000000 mov ebx,10                         ;  转换成字符串
004874BC |.  8D75 EC       lea esi,dword ptr ss:[ebp-14]
004874BF |>  8D4D 90       /lea ecx,dword ptr ss:[ebp-70]
004874C2 |.  33C0          |xor eax,eax
004874C4 |.  8A06          |mov al,byte ptr ds:[esi]
004874C6 |.  BA 02000000 |mov edx,2
004874CB |.  E8 3823F8FF |call INS.00409808
004874D0 |.  8B55 90       |mov edx,dword ptr ss:[ebp-70]
004874D3 |.  8B45 FC       |mov eax,dword ptr ss:[ebp-4]
004874D6 |.  E8 F9DCF7FF |call INS.004051D4
004874DB |.  8B45 FC       |mov eax,dword ptr ss:[ebp-4]
004874DE |.  46          |inc esi
004874DF |.  4B          |dec ebx
004874E0 |.^ 75 DD       \jnz short INS.004874BF
004874E2 |.  33C0          xor eax,eax
004874E4 |.  5A          pop edx
004874E5 |.  59          pop ecx
004874E6 |.  59          pop ecx
004874E7 |.  64:8910       mov dword ptr fs:[eax],edx
004874EA |.  68 FF744800 push INS.004874FF
004874EF |>  8D45 90       lea eax,dword ptr ss:[ebp-70]
004874F2 |.  E8 15DAF7FF call INS.00404F0C
004874F7 \.  C3          retn

下断处00486B08:

00486B08 /$  53          push ebx                            ;  真正的变换处!
00486B09 |.  56          push esi
00486B0A |.  8BDA          mov ebx,edx
00486B0C |.  8BF0          mov esi,eax
00486B0E |.  8B43 10       mov eax,dword ptr ds:[ebx+10]
00486B11 |.  C1E8 03       shr eax,3
00486B14 |.  66:83E0 3F    and ax,3F
00486B18 |.  8BD0          mov edx,eax
00486B1A |.  33C9          xor ecx,ecx
00486B1C |.  8ACA          mov cl,dl
00486B1E |.  C6440B 18 80 mov byte ptr ds:[ebx+ecx+18],80
00486B23 |.  42          inc edx
00486B24 |.  66:B9 3F00    mov cx,3F
00486B28 |.  66:2BC8       sub cx,ax
00486B2B |.  8BC1          mov eax,ecx
00486B2D |.  66:83F8 08    cmp ax,8
00486B31 |.  73 37       jnb short INS.00486B6A
00486B33 |.  81E2 FF000000  and edx,0FF
00486B39 |.  8D5413 18    lea edx,dword ptr ds:[ebx+edx+18]
00486B3D |.  0FB7C0       movzx eax,ax
00486B40 |.  33C9          xor ecx,ecx
00486B42 |.  92          xchg eax,edx
00486B43 |.  E8 D4C7F7FF call INS.0040331C
00486B48 |.  6A 0F       push 0F                            ; /Arg1 = 0000000F
00486B4A |.  8D4B 18       lea ecx,dword ptr ds:[ebx+18]       ; |
00486B4D |.  8BC3          mov eax,ebx                         ; |
00486B4F |.  BA 03000000 mov edx,3                         ; |
00486B54 |.  E8 4F010000 call INS.00486CA8                   ; \INS.00486CA8
00486B59 |.  8D43 18       lea eax,dword ptr ds:[ebx+18]
00486B5C |.  33C9          xor ecx,ecx
00486B5E |.  BA 38000000 mov edx,38
00486B63 |.  E8 B4C7F7FF call INS.0040331C                   ; 清除缓冲区
00486B68 |.  EB 18       jmp short INS.00486B82
00486B6A |>  81E2 FF000000  and edx,0FF
00486B70 |.  8D5413 18    lea edx,dword ptr ds:[ebx+edx+18]
00486B74 |.  0FB7C0       movzx eax,ax
00486B77 |.  83E8 08       sub eax,8
00486B7A |.  33C9          xor ecx,ecx
00486B7C |.  92          xchg eax,edx
00486B7D |.  E8 9AC7F7FF call INS.0040331C
00486B82 |>  8B43 10       mov eax,dword ptr ds:[ebx+10]
00486B85 |.  8943 50       mov dword ptr ds:[ebx+50],eax
00486B88 |.  8B43 14       mov eax,dword ptr ds:[ebx+14]
00486B8B |.  8943 54       mov dword ptr ds:[ebx+54],eax
00486B8E |.  6A 0F       push 0F                            ; /Arg1 = 0000000F
00486B90 |.  8D4B 18       lea ecx,dword ptr ds:[ebx+18]       ; |
00486B93 |.  8BC3          mov eax,ebx                         ; |
00486B95 |.  BA 03000000 mov edx,3                         ; |
00486B9A |.  E8 09010000 call INS.00486CA8                   ; \INS.00486CA8
00486B9F |.  8BD6          mov edx,esi
00486BA1 |.  8BC3          mov eax,ebx
00486BA3 |.  B9 10000000 mov ecx,10
00486BA8 |.  E8 2BBEF7FF call INS.004029D8
00486BAD |.  8BC3          mov eax,ebx
00486BAF |.  33C9          xor ecx,ecx
00486BB1 |.  BA 58000000 mov edx,58
00486BB6 |.  E8 61C7F7FF call INS.0040331C
00486BBB |.  5E          pop esi
00486BBC |.  5B          pop ebx
00486BBD \.  C3          retn

传说中的 MD5 算法,四轮运算，下断处00486CA8:

00486CA8 /$  55          push ebp
00486CA9 |.  8BEC          mov ebp,esp
00486CAB |.  83C4 EC       add esp,-14
00486CAE |.  53          push ebx
00486CAF |.  56          push esi
00486CB0 |.  57          push edi
00486CB1 |.  8BD9          mov ebx,ecx
00486CB3 |.  8945 FC       mov dword ptr ss:[ebp-4],eax
00486CB6 |.  8D75 F8       lea esi,dword ptr ss:[ebp-8]
00486CB9 |.  8D7D F4       lea edi,dword ptr ss:[ebp-C]
00486CBC |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
00486CBF |.  8B00          mov eax,dword ptr ds:[eax]
00486CC1 |.  8906          mov dword ptr ds:[esi],eax
00486CC3 |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
00486CC6 |.  8B40 04       mov eax,dword ptr ds:[eax+4]
00486CC9 |.  8907          mov dword ptr ds:[edi],eax
00486CCB |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
00486CCE |.  8B40 08       mov eax,dword ptr ds:[eax+8]
00486CD1 |.  8945 F0       mov dword ptr ss:[ebp-10],eax
00486CD4 |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
00486CD7 |.  8B40 0C       mov eax,dword ptr ds:[eax+C]
00486CDA |.  8945 EC       mov dword ptr ss:[ebp-14],eax
00486CDD |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
00486CE0 |.  50          push eax                            ; /Arg3
00486CE1 |.  8B03          mov eax,dword ptr ds:[ebx]          ; |
00486CE3 |.  05 78A46AD7 add eax,D76AA478                   ; |
00486CE8 |.  50          push eax                            ; |Arg2
00486CE9 |.  6A 07       push 7                            ; |Arg1 = 00000007
00486CEB |.  8BC6          mov eax,esi                         ; |
00486CED |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
00486CF0 |.  8B17          mov edx,dword ptr ds:[edi]          ; |
00486CF2 |.  E8 C9FEFFFF call INS.00486BC0                   ; \INS.00486BC0
00486CF7 |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
00486CFA |.  50          push eax                            ; /Arg3
00486CFB |.  8B43 04       mov eax,dword ptr ds:[ebx+4]       ; |
00486CFE |.  05 56B7C7E8 add eax,E8C7B756                   ; |
00486D03 |.  50          push eax                            ; |Arg2
00486D04 |.  6A 0C       push 0C                            ; |Arg1 = 0000000C
00486D06 |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
00486D09 |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
00486D0B |.  8B16          mov edx,dword ptr ds:[esi]          ; |
00486D0D |.  E8 AEFEFFFF call INS.00486BC0                   ; \INS.00486BC0
00486D12 |.  8B07          mov eax,dword ptr ds:[edi]
00486D14 |.  50          push eax                            ; /Arg3
00486D15 |.  8B43 08       mov eax,dword ptr ds:[ebx+8]       ; |
00486D18 |.  05 DB702024 add eax,242070DB                   ; |
00486D1D |.  50          push eax                            ; |Arg2
00486D1E |.  6A 11       push 11                            ; |Arg1 = 00000011
00486D20 |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
00486D23 |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
00486D25 |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
00486D28 |.  E8 93FEFFFF call INS.00486BC0                   ; \INS.00486BC0
00486D2D |.  8B06          mov eax,dword ptr ds:[esi]
00486D2F |.  50          push eax                            ; /Arg3
00486D30 |.  8B43 0C       mov eax,dword ptr ds:[ebx+C]       ; |
00486D33 |.  05 EECEBDC1 add eax,C1BDCEEE                   ; |
00486D38 |.  50          push eax                            ; |Arg2
00486D39 |.  6A 16       push 16                            ; |Arg1 = 00000016
00486D3B |.  8BC7          mov eax,edi                         ; |
00486D3D |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
00486D40 |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
00486D43 |.  E8 78FEFFFF call INS.00486BC0                   ; \INS.00486BC0
00486D48 |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
00486D4B |.  50          push eax                            ; /Arg3
00486D4C |.  8B43 10       mov eax,dword ptr ds:[ebx+10]       ; |
00486D4F |.  05 AF0F7CF5 add eax,F57C0FAF                   ; |
00486D54 |.  50          push eax                            ; |Arg2
00486D55 |.  6A 07       push 7                            ; |Arg1 = 00000007
00486D57 |.  8BC6          mov eax,esi                         ; |
00486D59 |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
00486D5C |.  8B17          mov edx,dword ptr ds:[edi]          ; |
00486D5E |.  E8 5DFEFFFF call INS.00486BC0                   ; \INS.00486BC0
00486D63 |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
00486D66 |.  50          push eax                            ; /Arg3
00486D67 |.  8B43 14       mov eax,dword ptr ds:[ebx+14]       ; |
00486D6A |.  05 2AC68747 add eax,4787C62A                   ; |
00486D6F |.  50          push eax                            ; |Arg2
00486D70 |.  6A 0C       push 0C                            ; |Arg1 = 0000000C
00486D72 |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
00486D75 |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
00486D77 |.  8B16          mov edx,dword ptr ds:[esi]          ; |
00486D79 |.  E8 42FEFFFF call INS.00486BC0                   ; \INS.00486BC0
00486D7E |.  8B07          mov eax,dword ptr ds:[edi]
00486D80 |.  50          push eax                            ; /Arg3
00486D81 |.  8B43 18       mov eax,dword ptr ds:[ebx+18]       ; |
00486D84 |.  05 134630A8 add eax,A8304613                   ; |
00486D89 |.  50          push eax                            ; |Arg2
00486D8A |.  6A 11       push 11                            ; |Arg1 = 00000011
00486D8C |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
00486D8F |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
00486D91 |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
00486D94 |.  E8 27FEFFFF call INS.00486BC0                   ; \INS.00486BC0
00486D99 |.  8B06          mov eax,dword ptr ds:[esi]
00486D9B |.  50          push eax                            ; /Arg3
00486D9C |.  8B43 1C       mov eax,dword ptr ds:[ebx+1C]       ; |
00486D9F |.  05 019546FD add eax,FD469501                   ; |
00486DA4 |.  50          push eax                            ; |Arg2
00486DA5 |.  6A 16       push 16                            ; |Arg1 = 00000016
00486DA7 |.  8BC7          mov eax,edi                         ; |
00486DA9 |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
00486DAC |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
00486DAF |.  E8 0CFEFFFF call INS.00486BC0                   ; \INS.00486BC0
00486DB4 |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
00486DB7 |.  50          push eax                            ; /Arg3
00486DB8 |.  8B43 20       mov eax,dword ptr ds:[ebx+20]       ; |
00486DBB |.  05 D8988069 add eax,698098D8                   ; |
00486DC0 |.  50          push eax                            ; |Arg2
00486DC1 |.  6A 07       push 7                            ; |Arg1 = 00000007
00486DC3 |.  8BC6          mov eax,esi                         ; |
00486DC5 |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
00486DC8 |.  8B17          mov edx,dword ptr ds:[edi]          ; |
00486DCA |.  E8 F1FDFFFF call INS.00486BC0                   ; \INS.00486BC0
00486DCF |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
00486DD2 |.  50          push eax                            ; /Arg3
00486DD3 |.  8B43 24       mov eax,dword ptr ds:[ebx+24]       ; |
00486DD6 |.  05 AFF7448B add eax,8B44F7AF                   ; |
00486DDB |.  50          push eax                            ; |Arg2
00486DDC |.  6A 0C       push 0C                            ; |Arg1 = 0000000C
00486DDE |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
00486DE1 |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
00486DE3 |.  8B16          mov edx,dword ptr ds:[esi]          ; |
00486DE5 |.  E8 D6FDFFFF call INS.00486BC0                   ; \INS.00486BC0
00486DEA |.  8B07          mov eax,dword ptr ds:[edi]
00486DEC |.  50          push eax                            ; /Arg3
00486DED |.  8B43 28       mov eax,dword ptr ds:[ebx+28]       ; |
00486DF0 |.  05 B15BFFFF add eax,FFFF5BB1                   ; |
00486DF5 |.  50          push eax                            ; |Arg2
00486DF6 |.  6A 11       push 11                            ; |Arg1 = 00000011
00486DF8 |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
00486DFB |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
00486DFD |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
00486E00 |.  E8 BBFDFFFF call INS.00486BC0                   ; \INS.00486BC0
00486E05 |.  8B06          mov eax,dword ptr ds:[esi]
00486E07 |.  50          push eax                            ; /Arg3
00486E08 |.  8B43 2C       mov eax,dword ptr ds:[ebx+2C]       ; |
00486E0B |.  05 BED75C89 add eax,895CD7BE                   ; |
00486E10 |.  50          push eax                            ; |Arg2
00486E11 |.  6A 16       push 16                            ; |Arg1 = 00000016
00486E13 |.  8BC7          mov eax,edi                         ; |
00486E15 |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
00486E18 |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
00486E1B |.  E8 A0FDFFFF call INS.00486BC0                   ; \INS.00486BC0
00486E20 |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
00486E23 |.  50          push eax                            ; /Arg3
00486E24 |.  8B43 30       mov eax,dword ptr ds:[ebx+30]       ; |
00486E27 |.  05 2211906B add eax,6B901122                   ; |
00486E2C |.  50          push eax                            ; |Arg2
00486E2D |.  6A 07       push 7                            ; |Arg1 = 00000007
00486E2F |.  8BC6          mov eax,esi                         ; |
00486E31 |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
00486E34 |.  8B17          mov edx,dword ptr ds:[edi]          ; |
00486E36 |.  E8 85FDFFFF call INS.00486BC0                   ; \INS.00486BC0
00486E3B |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
00486E3E |.  50          push eax                            ; /Arg3
00486E3F |.  8B43 34       mov eax,dword ptr ds:[ebx+34]       ; |
00486E42 |.  05 937198FD add eax,FD987193                   ; |
00486E47 |.  50          push eax                            ; |Arg2
00486E48 |.  6A 0C       push 0C                            ; |Arg1 = 0000000C
00486E4A |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
00486E4D |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
00486E4F |.  8B16          mov edx,dword ptr ds:[esi]          ; |
00486E51 |.  E8 6AFDFFFF call INS.00486BC0                   ; \INS.00486BC0
00486E56 |.  8B07          mov eax,dword ptr ds:[edi]
00486E58 |.  50          push eax                            ; /Arg3
00486E59 |.  8B43 38       mov eax,dword ptr ds:[ebx+38]       ; |
00486E5C |.  05 8E4379A6 add eax,A679438E                   ; |
00486E61 |.  50          push eax                            ; |Arg2
00486E62 |.  6A 11       push 11                            ; |Arg1 = 00000011
00486E64 |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
00486E67 |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
00486E69 |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
00486E6C |.  E8 4FFDFFFF call INS.00486BC0                   ; \INS.00486BC0
00486E71 |.  8B06          mov eax,dword ptr ds:[esi]
00486E73 |.  50          push eax                            ; /Arg3
00486E74 |.  8B43 3C       mov eax,dword ptr ds:[ebx+3C]       ; |
00486E77 |.  05 2108B449 add eax,49B40821                   ; |
00486E7C |.  50          push eax                            ; |Arg2
00486E7D |.  6A 16       push 16                            ; |Arg1 = 00000016
00486E7F |.  8BC7          mov eax,edi                         ; |
00486E81 |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
00486E84 |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
00486E87 |.  E8 34FDFFFF call INS.00486BC0                   ; \INS.00486BC0
00486E8C |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
00486E8F |.  50          push eax                            ; /Arg3
00486E90 |.  8B43 04       mov eax,dword ptr ds:[ebx+4]       ; |
00486E93 |.  05 62251EF6 add eax,F61E2562                   ; |
00486E98 |.  50          push eax                            ; |Arg2
00486E99 |.  6A 05       push 5                            ; |Arg1 = 00000005
00486E9B |.  8BC6          mov eax,esi                         ; |
00486E9D |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
00486EA0 |.  8B17          mov edx,dword ptr ds:[edi]          ; |
00486EA2 |.  E8 51FDFFFF call INS.00486BF8                   ; \INS.00486BF8
00486EA7 |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
00486EAA |.  50          push eax                            ; /Arg3
00486EAB |.  8B43 18       mov eax,dword ptr ds:[ebx+18]       ; |
00486EAE |.  05 40B340C0 add eax,C040B340                   ; |
00486EB3 |.  50          push eax                            ; |Arg2
00486EB4 |.  6A 09       push 9                            ; |Arg1 = 00000009
00486EB6 |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
00486EB9 |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
00486EBB |.  8B16          mov edx,dword ptr ds:[esi]          ; |
00486EBD |.  E8 36FDFFFF call INS.00486BF8                   ; \INS.00486BF8
00486EC2 |.  8B07          mov eax,dword ptr ds:[edi]
00486EC4 |.  50          push eax                            ; /Arg3
00486EC5 |.  8B43 2C       mov eax,dword ptr ds:[ebx+2C]       ; |
00486EC8 |.  05 515A5E26 add eax,265E5A51                   ; |
00486ECD |.  50          push eax                            ; |Arg2
00486ECE |.  6A 0E       push 0E                            ; |Arg1 = 0000000E
00486ED0 |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
00486ED3 |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
00486ED5 |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
00486ED8 |.  E8 1BFDFFFF call INS.00486BF8                   ; \INS.00486BF8
00486EDD |.  8B06          mov eax,dword ptr ds:[esi]
00486EDF |.  50          push eax                            ; /Arg3
00486EE0 |.  8B03          mov eax,dword ptr ds:[ebx]          ; |
00486EE2 |.  05 AAC7B6E9 add eax,E9B6C7AA                   ; |
00486EE7 |.  50          push eax                            ; |Arg2
00486EE8 |.  6A 14       push 14                            ; |Arg1 = 00000014
00486EEA |.  8BC7          mov eax,edi                         ; |
00486EEC |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
00486EEF |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
00486EF2 |.  E8 01FDFFFF call INS.00486BF8                   ; \INS.00486BF8
00486EF7 |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
00486EFA |.  50          push eax                            ; /Arg3
00486EFB |.  8B43 14       mov eax,dword ptr ds:[ebx+14]       ; |
00486EFE |.  05 5D102FD6 add eax,D62F105D                   ; |
00486F03 |.  50          push eax                            ; |Arg2
00486F04 |.  6A 05       push 5                            ; |Arg1 = 00000005
00486F06 |.  8BC6          mov eax,esi                         ; |
00486F08 |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
00486F0B |.  8B17          mov edx,dword ptr ds:[edi]          ; |
00486F0D |.  E8 E6FCFFFF call INS.00486BF8                   ; \INS.00486BF8
00486F12 |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
00486F15 |.  50          push eax                            ; /Arg3
00486F16 |.  8B43 28       mov eax,dword ptr ds:[ebx+28]       ; |
00486F19 |.  05 53144402 add eax,2441453                   ; |
00486F1E |.  50          push eax                            ; |Arg2
00486F1F |.  6A 09       push 9                            ; |Arg1 = 00000009
00486F21 |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
00486F24 |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
00486F26 |.  8B16          mov edx,dword ptr ds:[esi]          ; |
00486F28 |.  E8 CBFCFFFF call INS.00486BF8                   ; \INS.00486BF8
00486F2D |.  8B07          mov eax,dword ptr ds:[edi]
00486F2F |.  50          push eax                            ; /Arg3
00486F30 |.  8B43 3C       mov eax,dword ptr ds:[ebx+3C]       ; |
00486F33 |.  05 81E6A1D8 add eax,D8A1E681                   ; |
00486F38 |.  50          push eax                            ; |Arg2
00486F39 |.  6A 0E       push 0E                            ; |Arg1 = 0000000E
00486F3B |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
00486F3E |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
00486F40 |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
00486F43 |.  E8 B0FCFFFF call INS.00486BF8                   ; \INS.00486BF8
00486F48 |.  8B06          mov eax,dword ptr ds:[esi]
00486F4A |.  50          push eax                            ; /Arg3
00486F4B |.  8B43 10       mov eax,dword ptr ds:[ebx+10]       ; |
00486F4E |.  05 C8FBD3E7 add eax,E7D3FBC8                   ; |
00486F53 |.  50          push eax                            ; |Arg2
00486F54 |.  6A 14       push 14                            ; |Arg1 = 00000014
00486F56 |.  8BC7          mov eax,edi                         ; |
00486F58 |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
00486F5B |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
00486F5E |.  E8 95FCFFFF call INS.00486BF8                   ; \INS.00486BF8
00486F63 |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
00486F66 |.  50          push eax                            ; /Arg3
00486F67 |.  8B43 24       mov eax,dword ptr ds:[ebx+24]       ; |
00486F6A |.  05 E6CDE121 add eax,21E1CDE6                   ; |
00486F6F |.  50          push eax                            ; |Arg2
00486F70 |.  6A 05       push 5                            ; |Arg1 = 00000005
00486F72 |.  8BC6          mov eax,esi                         ; |
00486F74 |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
00486F77 |.  8B17          mov edx,dword ptr ds:[edi]          ; |
00486F79 |.  E8 7AFCFFFF call INS.00486BF8                   ; \INS.00486BF8
00486F7E |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
00486F81 |.  50          push eax                            ; /Arg3
00486F82 |.  8B43 38       mov eax,dword ptr ds:[ebx+38]       ; |
00486F85 |.  05 D60737C3 add eax,C33707D6                   ; |
00486F8A |.  50          push eax                            ; |Arg2
00486F8B |.  6A 09       push 9                            ; |Arg1 = 00000009
00486F8D |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
00486F90 |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
00486F92 |.  8B16          mov edx,dword ptr ds:[esi]          ; |
00486F94 |.  E8 5FFCFFFF call INS.00486BF8                   ; \INS.00486BF8
00486F99 |.  8B07          mov eax,dword ptr ds:[edi]
00486F9B |.  50          push eax                            ; /Arg3
00486F9C |.  8B43 0C       mov eax,dword ptr ds:[ebx+C]       ; |
00486F9F |.  05 870DD5F4 add eax,F4D50D87                   ; |
00486FA4 |.  50          push eax                            ; |Arg2
00486FA5 |.  6A 0E       push 0E                            ; |Arg1 = 0000000E
00486FA7 |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
00486FAA |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
00486FAC |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
00486FAF |.  E8 44FCFFFF call INS.00486BF8                   ; \INS.00486BF8
00486FB4 |.  8B06          mov eax,dword ptr ds:[esi]
00486FB6 |.  50          push eax                            ; /Arg3
00486FB7 |.  8B43 20       mov eax,dword ptr ds:[ebx+20]       ; |
00486FBA |.  05 ED145A45 add eax,455A14ED                   ; |
00486FBF |.  50          push eax                            ; |Arg2
00486FC0 |.  6A 14       push 14                            ; |Arg1 = 00000014
00486FC2 |.  8BC7          mov eax,edi                         ; |
00486FC4 |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
00486FC7 |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
00486FCA |.  E8 29FCFFFF call INS.00486BF8                   ; \INS.00486BF8
00486FCF |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
00486FD2 |.  50          push eax                            ; /Arg3
00486FD3 |.  8B43 34       mov eax,dword ptr ds:[ebx+34]       ; |
00486FD6 |.  05 05E9E3A9 add eax,A9E3E905                   ; |
00486FDB |.  50          push eax                            ; |Arg2
00486FDC |.  6A 05       push 5                            ; |Arg1 = 00000005
00486FDE |.  8BC6          mov eax,esi                         ; |
00486FE0 |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
00486FE3 |.  8B17          mov edx,dword ptr ds:[edi]          ; |
00486FE5 |.  E8 0EFCFFFF call INS.00486BF8                   ; \INS.00486BF8
00486FEA |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
00486FED |.  50          push eax                            ; /Arg3
00486FEE |.  8B43 08       mov eax,dword ptr ds:[ebx+8]       ; |
00486FF1 |.  05 F8A3EFFC add eax,FCEFA3F8                   ; |
00486FF6 |.  50          push eax                            ; |Arg2
00486FF7 |.  6A 09       push 9                            ; |Arg1 = 00000009
00486FF9 |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
00486FFC |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
00486FFE |.  8B16          mov edx,dword ptr ds:[esi]          ; |
00487000 |.  E8 F3FBFFFF call INS.00486BF8                   ; \INS.00486BF8
00487005 |.  8B07          mov eax,dword ptr ds:[edi]
00487007 |.  50          push eax                            ; /Arg3
00487008 |.  8B43 1C       mov eax,dword ptr ds:[ebx+1C]       ; |
0048700B |.  05 D9026F67 add eax,676F02D9                   ; |
00487010 |.  50          push eax                            ; |Arg2
00487011 |.  6A 0E       push 0E                            ; |Arg1 = 0000000E
00487013 |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
00487016 |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
00487018 |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
0048701B |.  E8 D8FBFFFF call INS.00486BF8                   ; \INS.00486BF8
00487020 |.  8B06          mov eax,dword ptr ds:[esi]
00487022 |.  50          push eax                            ; /Arg3
00487023 |.  8B43 30       mov eax,dword ptr ds:[ebx+30]       ; |
00487026 |.  05 8A4C2A8D add eax,8D2A4C8A                   ; |
0048702B |.  50          push eax                            ; |Arg2
0048702C |.  6A 14       push 14                            ; |Arg1 = 00000014
0048702E |.  8BC7          mov eax,edi                         ; |
00487030 |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
00487033 |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
00487036 |.  E8 BDFBFFFF call INS.00486BF8                   ; \INS.00486BF8
0048703B |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
0048703E |.  50          push eax                            ; /Arg3
0048703F |.  8B43 14       mov eax,dword ptr ds:[ebx+14]       ; |
00487042 |.  05 4239FAFF add eax,FFFA3942                   ; |
00487047 |.  50          push eax                            ; |Arg2
00487048 |.  6A 04       push 4                            ; |Arg1 = 00000004
0048704A |.  8BC6          mov eax,esi                         ; |
0048704C |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
0048704F |.  8B17          mov edx,dword ptr ds:[edi]          ; |
00487051 |.  E8 DEFBFFFF call INS.00486C34                   ; \INS.00486C34
00487056 |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
00487059 |.  50          push eax                            ; /Arg3
0048705A |.  8B43 20       mov eax,dword ptr ds:[ebx+20]       ; |
0048705D |.  05 81F67187 add eax,8771F681                   ; |
00487062 |.  50          push eax                            ; |Arg2
00487063 |.  6A 0B       push 0B                            ; |Arg1 = 0000000B
00487065 |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
00487068 |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
0048706A |.  8B16          mov edx,dword ptr ds:[esi]          ; |
0048706C |.  E8 C3FBFFFF call INS.00486C34                   ; \INS.00486C34
00487071 |.  8B07          mov eax,dword ptr ds:[edi]
00487073 |.  50          push eax                            ; /Arg3
00487074 |.  8B43 2C       mov eax,dword ptr ds:[ebx+2C]       ; |
00487077 |.  05 22619D6D add eax,6D9D6122                   ; |
0048707C |.  50          push eax                            ; |Arg2
0048707D |.  6A 10       push 10                            ; |Arg1 = 00000010
0048707F |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
00487082 |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
00487084 |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
00487087 |.  E8 A8FBFFFF call INS.00486C34                   ; \INS.00486C34
0048708C |.  8B06          mov eax,dword ptr ds:[esi]
0048708E |.  50          push eax                            ; /Arg3
0048708F |.  8B43 38       mov eax,dword ptr ds:[ebx+38]       ; |
00487092 |.  05 0C38E5FD add eax,FDE5380C                   ; |
00487097 |.  50          push eax                            ; |Arg2
00487098 |.  6A 17       push 17                            ; |Arg1 = 00000017
0048709A |.  8BC7          mov eax,edi                         ; |
0048709C |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
0048709F |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
004870A2 |.  E8 8DFBFFFF call INS.00486C34                   ; \INS.00486C34
004870A7 |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
004870AA |.  50          push eax                            ; /Arg3
004870AB |.  8B43 04       mov eax,dword ptr ds:[ebx+4]       ; |
004870AE |.  05 44EABEA4 add eax,A4BEEA44                   ; |
004870B3 |.  50          push eax                            ; |Arg2
004870B4 |.  6A 04       push 4                            ; |Arg1 = 00000004
004870B6 |.  8BC6          mov eax,esi                         ; |
004870B8 |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
004870BB |.  8B17          mov edx,dword ptr ds:[edi]          ; |
004870BD |.  E8 72FBFFFF call INS.00486C34                   ; \INS.00486C34
004870C2 |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
004870C5 |.  50          push eax                            ; /Arg3
004870C6 |.  8B43 10       mov eax,dword ptr ds:[ebx+10]       ; |
004870C9 |.  05 A9CFDE4B add eax,4BDECFA9                   ; |
004870CE |.  50          push eax                            ; |Arg2
004870CF |.  6A 0B       push 0B                            ; |Arg1 = 0000000B
004870D1 |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
004870D4 |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
004870D6 |.  8B16          mov edx,dword ptr ds:[esi]          ; |
004870D8 |.  E8 57FBFFFF call INS.00486C34                   ; \INS.00486C34
004870DD |.  8B07          mov eax,dword ptr ds:[edi]
004870DF |.  50          push eax                            ; /Arg3
004870E0 |.  8B43 1C       mov eax,dword ptr ds:[ebx+1C]       ; |
004870E3 |.  05 604BBBF6 add eax,F6BB4B60                   ; |
004870E8 |.  50          push eax                            ; |Arg2
004870E9 |.  6A 10       push 10                            ; |Arg1 = 00000010
004870EB |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
004870EE |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
004870F0 |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
004870F3 |.  E8 3CFBFFFF call INS.00486C34                   ; \INS.00486C34
004870F8 |.  8B06          mov eax,dword ptr ds:[esi]
004870FA |.  50          push eax                            ; /Arg3
004870FB |.  8B43 28       mov eax,dword ptr ds:[ebx+28]       ; |
004870FE |.  05 70BCBFBE add eax,BEBFBC70                   ; |
00487103 |.  50          push eax                            ; |Arg2
00487104 |.  6A 17       push 17                            ; |Arg1 = 00000017
00487106 |.  8BC7          mov eax,edi                         ; |
00487108 |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
0048710B |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
0048710E |.  E8 21FBFFFF call INS.00486C34                   ; \INS.00486C34
00487113 |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
00487116 |.  50          push eax                            ; /Arg3
00487117 |.  8B43 34       mov eax,dword ptr ds:[ebx+34]       ; |
0048711A |.  05 C67E9B28 add eax,289B7EC6                   ; |
0048711F |.  50          push eax                            ; |Arg2
00487120 |.  6A 04       push 4                            ; |Arg1 = 00000004
00487122 |.  8BC6          mov eax,esi                         ; |
00487124 |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
00487127 |.  8B17          mov edx,dword ptr ds:[edi]          ; |
00487129 |.  E8 06FBFFFF call INS.00486C34                   ; \INS.00486C34
0048712E |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
00487131 |.  50          push eax                            ; /Arg3
00487132 |.  8B03          mov eax,dword ptr ds:[ebx]          ; |
00487134 |.  05 FA27A1EA add eax,EAA127FA                   ; |
00487139 |.  50          push eax                            ; |Arg2
0048713A |.  6A 0B       push 0B                            ; |Arg1 = 0000000B
0048713C |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
0048713F |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
00487141 |.  8B16          mov edx,dword ptr ds:[esi]          ; |
00487143 |.  E8 ECFAFFFF call INS.00486C34                   ; \INS.00486C34
00487148 |.  8B07          mov eax,dword ptr ds:[edi]
0048714A |.  50          push eax                            ; /Arg3
0048714B |.  8B43 0C       mov eax,dword ptr ds:[ebx+C]       ; |
0048714E |.  05 8530EFD4 add eax,D4EF3085                   ; |
00487153 |.  50          push eax                            ; |Arg2
00487154 |.  6A 10       push 10                            ; |Arg1 = 00000010
00487156 |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
00487159 |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
0048715B |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
0048715E |.  E8 D1FAFFFF call INS.00486C34                   ; \INS.00486C34
00487163 |.  8B06          mov eax,dword ptr ds:[esi]
00487165 |.  50          push eax                            ; /Arg3
00487166 |.  8B43 18       mov eax,dword ptr ds:[ebx+18]       ; |
00487169 |.  05 051D8804 add eax,4881D05                   ; |
0048716E |.  50          push eax                            ; |Arg2
0048716F |.  6A 17       push 17                            ; |Arg1 = 00000017
00487171 |.  8BC7          mov eax,edi                         ; |
00487173 |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
00487176 |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
00487179 |.  E8 B6FAFFFF call INS.00486C34                   ; \INS.00486C34
0048717E |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
00487181 |.  50          push eax                            ; /Arg3
00487182 |.  8B43 24       mov eax,dword ptr ds:[ebx+24]       ; |
00487185 |.  05 39D0D4D9 add eax,D9D4D039                   ; |
0048718A |.  50          push eax                            ; |Arg2
0048718B |.  6A 04       push 4                            ; |Arg1 = 00000004
0048718D |.  8BC6          mov eax,esi                         ; |
0048718F |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
00487192 |.  8B17          mov edx,dword ptr ds:[edi]          ; |
00487194 |.  E8 9BFAFFFF call INS.00486C34                   ; \INS.00486C34
00487199 |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
0048719C |.  50          push eax                            ; /Arg3
0048719D |.  8B43 30       mov eax,dword ptr ds:[ebx+30]       ; |
004871A0 |.  05 E599DBE6 add eax,E6DB99E5                   ; |
004871A5 |.  50          push eax                            ; |Arg2
004871A6 |.  6A 0B       push 0B                            ; |Arg1 = 0000000B
004871A8 |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
004871AB |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
004871AD |.  8B16          mov edx,dword ptr ds:[esi]          ; |
004871AF |.  E8 80FAFFFF call INS.00486C34                   ; \INS.00486C34
004871B4 |.  8B07          mov eax,dword ptr ds:[edi]
004871B6 |.  50          push eax                            ; /Arg3
004871B7 |.  8B43 3C       mov eax,dword ptr ds:[ebx+3C]       ; |
004871BA |.  05 F87CA21F add eax,1FA27CF8                   ; |
004871BF |.  50          push eax                            ; |Arg2
004871C0 |.  6A 10       push 10                            ; |Arg1 = 00000010
004871C2 |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
004871C5 |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
004871C7 |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
004871CA |.  E8 65FAFFFF call INS.00486C34                   ; \INS.00486C34
004871CF |.  8B06          mov eax,dword ptr ds:[esi]
004871D1 |.  50          push eax                            ; /Arg3
004871D2 |.  8B43 08       mov eax,dword ptr ds:[ebx+8]       ; |
004871D5 |.  05 6556ACC4 add eax,C4AC5665                   ; |
004871DA |.  50          push eax                            ; |Arg2
004871DB |.  6A 17       push 17                            ; |Arg1 = 00000017
004871DD |.  8BC7          mov eax,edi                         ; |
004871DF |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
004871E2 |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
004871E5 |.  E8 4AFAFFFF call INS.00486C34                   ; \INS.00486C34
004871EA |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
004871ED |.  50          push eax                            ; /Arg3
004871EE |.  8B03          mov eax,dword ptr ds:[ebx]          ; |
004871F0 |.  05 442229F4 add eax,F4292244                   ; |
004871F5 |.  50          push eax                            ; |Arg2
004871F6 |.  6A 06       push 6                            ; |Arg1 = 00000006
004871F8 |.  8BC6          mov eax,esi                         ; |
004871FA |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
004871FD |.  8B17          mov edx,dword ptr ds:[edi]          ; |
004871FF |.  E8 68FAFFFF call INS.00486C6C                   ; \INS.00486C6C
00487204 |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
00487207 |.  50          push eax                            ; /Arg3
00487208 |.  8B43 1C       mov eax,dword ptr ds:[ebx+1C]       ; |
0048720B |.  05 97FF2A43 add eax,432AFF97                   ; |
00487210 |.  50          push eax                            ; |Arg2
00487211 |.  6A 0A       push 0A                            ; |Arg1 = 0000000A
00487213 |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
00487216 |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
00487218 |.  8B16          mov edx,dword ptr ds:[esi]          ; |
0048721A |.  E8 4DFAFFFF call INS.00486C6C                   ; \INS.00486C6C
0048721F |.  8B07          mov eax,dword ptr ds:[edi]
00487221 |.  50          push eax                            ; /Arg3
00487222 |.  8B43 38       mov eax,dword ptr ds:[ebx+38]       ; |
00487225 |.  05 A72394AB add eax,AB9423A7                   ; |
0048722A |.  50          push eax                            ; |Arg2
0048722B |.  6A 0F       push 0F                            ; |Arg1 = 0000000F
0048722D |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
00487230 |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
00487232 |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
00487235 |.  E8 32FAFFFF call INS.00486C6C                   ; \INS.00486C6C
0048723A |.  8B06          mov eax,dword ptr ds:[esi]
0048723C |.  50          push eax                            ; /Arg3
0048723D |.  8B43 14       mov eax,dword ptr ds:[ebx+14]       ; |
00487240 |.  05 39A093FC add eax,FC93A039                   ; |
00487245 |.  50          push eax                            ; |Arg2
00487246 |.  6A 15       push 15                            ; |Arg1 = 00000015
00487248 |.  8BC7          mov eax,edi                         ; |
0048724A |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
0048724D |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
00487250 |.  E8 17FAFFFF call INS.00486C6C                   ; \INS.00486C6C
00487255 |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
00487258 |.  50          push eax                            ; /Arg3
00487259 |.  8B43 30       mov eax,dword ptr ds:[ebx+30]       ; |
0048725C |.  05 C3595B65 add eax,655B59C3                   ; |
00487261 |.  50          push eax                            ; |Arg2
00487262 |.  6A 06       push 6                            ; |Arg1 = 00000006
00487264 |.  8BC6          mov eax,esi                         ; |
00487266 |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
00487269 |.  8B17          mov edx,dword ptr ds:[edi]          ; |
0048726B |.  E8 FCF9FFFF call INS.00486C6C                   ; \INS.00486C6C
00487270 |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
00487273 |.  50          push eax                            ; /Arg3
00487274 |.  8B43 0C       mov eax,dword ptr ds:[ebx+C]       ; |
00487277 |.  05 92CC0C8F add eax,8F0CCC92                   ; |
0048727C |.  50          push eax                            ; |Arg2
0048727D |.  6A 0A       push 0A                            ; |Arg1 = 0000000A
0048727F |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
00487282 |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
00487284 |.  8B16          mov edx,dword ptr ds:[esi]          ; |
00487286 |.  E8 E1F9FFFF call INS.00486C6C                   ; \INS.00486C6C
0048728B |.  8B07          mov eax,dword ptr ds:[edi]
0048728D |.  50          push eax                            ; /Arg3
0048728E |.  8B43 28       mov eax,dword ptr ds:[ebx+28]       ; |
00487291 |.  05 7DF4EFFF add eax,FFEFF47D                   ; |
00487296 |.  50          push eax                            ; |Arg2
00487297 |.  6A 0F       push 0F                            ; |Arg1 = 0000000F
00487299 |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
0048729C |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
0048729E |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
004872A1 |.  E8 C6F9FFFF call INS.00486C6C                   ; \INS.00486C6C
004872A6 |.  8B06          mov eax,dword ptr ds:[esi]
004872A8 |.  50          push eax                            ; /Arg3
004872A9 |.  8B43 04       mov eax,dword ptr ds:[ebx+4]       ; |
004872AC |.  05 D15D8485 add eax,85845DD1                   ; |
004872B1 |.  50          push eax                            ; |Arg2
004872B2 |.  6A 15       push 15                            ; |Arg1 = 00000015
004872B4 |.  8BC7          mov eax,edi                         ; |
004872B6 |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
004872B9 |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
004872BC |.  E8 ABF9FFFF call INS.00486C6C                   ; \INS.00486C6C
004872C1 |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
004872C4 |.  50          push eax                            ; /Arg3
004872C5 |.  8B43 20       mov eax,dword ptr ds:[ebx+20]       ; |
004872C8 |.  05 4F7EA86F add eax,6FA87E4F                   ; |
004872CD |.  50          push eax                            ; |Arg2
004872CE |.  6A 06       push 6                            ; |Arg1 = 00000006
004872D0 |.  8BC6          mov eax,esi                         ; |
004872D2 |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
004872D5 |.  8B17          mov edx,dword ptr ds:[edi]          ; |
004872D7 |.  E8 90F9FFFF call INS.00486C6C                   ; \INS.00486C6C
004872DC |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
004872DF |.  50          push eax                            ; /Arg3
004872E0 |.  8B43 3C       mov eax,dword ptr ds:[ebx+3C]       ; |
004872E3 |.  05 E0E62CFE add eax,FE2CE6E0                   ; |
004872E8 |.  50          push eax                            ; |Arg2
004872E9 |.  6A 0A       push 0A                            ; |Arg1 = 0000000A
004872EB |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
004872EE |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
004872F0 |.  8B16          mov edx,dword ptr ds:[esi]          ; |
004872F2 |.  E8 75F9FFFF call INS.00486C6C                   ; \INS.00486C6C
004872F7 |.  8B07          mov eax,dword ptr ds:[edi]
004872F9 |.  50          push eax                            ; /Arg3
004872FA |.  8B43 18       mov eax,dword ptr ds:[ebx+18]       ; |
004872FD |.  05 144301A3 add eax,A3014314                   ; |
00487302 |.  50          push eax                            ; |Arg2
00487303 |.  6A 0F       push 0F                            ; |Arg1 = 0000000F
00487305 |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
00487308 |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
0048730A |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
0048730D |.  E8 5AF9FFFF call INS.00486C6C                   ; \INS.00486C6C
00487312 |.  8B06          mov eax,dword ptr ds:[esi]
00487314 |.  50          push eax                            ; /Arg3
00487315 |.  8B43 34       mov eax,dword ptr ds:[ebx+34]       ; |
00487318 |.  05 A111084E add eax,4E0811A1                   ; |
0048731D |.  50          push eax                            ; |Arg2
0048731E |.  6A 15       push 15                            ; |Arg1 = 00000015
00487320 |.  8BC7          mov eax,edi                         ; |
00487322 |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
00487325 |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
00487328 |.  E8 3FF9FFFF call INS.00486C6C                   ; \INS.00486C6C
0048732D |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
00487330 |.  50          push eax                            ; /Arg3
00487331 |.  8B43 10       mov eax,dword ptr ds:[ebx+10]       ; |
00487334 |.  05 827E53F7 add eax,F7537E82                   ; |
00487339 |.  50          push eax                            ; |Arg2
0048733A |.  6A 06       push 6                            ; |Arg1 = 00000006
0048733C |.  8BC6          mov eax,esi                         ; |
0048733E |.  8B4D F0       mov ecx,dword ptr ss:[ebp-10]       ; |
00487341 |.  8B17          mov edx,dword ptr ds:[edi]          ; |
00487343 |.  E8 24F9FFFF call INS.00486C6C                   ; \INS.00486C6C
00487348 |.  8B45 F0       mov eax,dword ptr ss:[ebp-10]
0048734B |.  50          push eax                            ; /Arg3
0048734C |.  8B43 2C       mov eax,dword ptr ds:[ebx+2C]       ; |
0048734F |.  05 35F23ABD add eax,BD3AF235                   ; |
00487354 |.  50          push eax                            ; |Arg2
00487355 |.  6A 0A       push 0A                            ; |Arg1 = 0000000A
00487357 |.  8D45 EC       lea eax,dword ptr ss:[ebp-14]       ; |
0048735A |.  8B0F          mov ecx,dword ptr ds:[edi]          ; |
0048735C |.  8B16          mov edx,dword ptr ds:[esi]          ; |
0048735E |.  E8 09F9FFFF call INS.00486C6C                   ; \INS.00486C6C
00487363 |.  8B07          mov eax,dword ptr ds:[edi]
00487365 |.  50          push eax                            ; /Arg3
00487366 |.  8B43 08       mov eax,dword ptr ds:[ebx+8]       ; |
00487369 |.  05 BBD2D72A add eax,2AD7D2BB                   ; |
0048736E |.  50          push eax                            ; |Arg2
0048736F |.  6A 0F       push 0F                            ; |Arg1 = 0000000F
00487371 |.  8D45 F0       lea eax,dword ptr ss:[ebp-10]       ; |
00487374 |.  8B0E          mov ecx,dword ptr ds:[esi]          ; |
00487376 |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]       ; |
00487379 |.  E8 EEF8FFFF call INS.00486C6C                   ; \INS.00486C6C
0048737E |.  8B06          mov eax,dword ptr ds:[esi]
00487380 |.  50          push eax                            ; /Arg3
00487381 |.  8B43 24       mov eax,dword ptr ds:[ebx+24]       ; |
00487384 |.  05 91D386EB add eax,EB86D391                   ; |
00487389 |.  50          push eax                            ; |Arg2
0048738A |.  6A 15       push 15                            ; |Arg1 = 00000015
0048738C |.  8BC7          mov eax,edi                         ; |
0048738E |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ; |
00487391 |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]       ; |
00487394 |.  E8 D3F8FFFF call INS.00486C6C                   ; \INS.00486C6C
00487399 |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
0048739C |.  8B16          mov edx,dword ptr ds:[esi]
0048739E |.  0110          add dword ptr ds:[eax],edx
004873A0 |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004873A3 |.  8B17          mov edx,dword ptr ds:[edi]
004873A5 |.  0150 04       add dword ptr ds:[eax+4],edx
004873A8 |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004873AB |.  8B55 F0       mov edx,dword ptr ss:[ebp-10]
004873AE |.  0150 08       add dword ptr ds:[eax+8],edx
004873B1 |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004873B4 |.  8B55 EC       mov edx,dword ptr ss:[ebp-14]
004873B7 |.  0150 0C       add dword ptr ds:[eax+C],edx
004873BA |.  5F          pop edi
004873BB |.  5E          pop esi
004873BC |.  5B          pop ebx
004873BD |.  8BE5          mov esp,ebp
004873BF |.  5D          pop ebp
004873C0 \.  C2 0400       retn 4

第一轮运算，下断处00486BC0:

00486BC0 /$  55          push ebp
00486BC1 |.  8BEC          mov ebp,esp
00486BC3 |.  53          push ebx
00486BC4 |.  56          push esi
00486BC5 |.  8B5D 10       mov ebx,dword ptr ss:[ebp+10]
00486BC8 |.  33CB          xor ecx,ebx
00486BCA |.  23CA          and ecx,edx
00486BCC |.  33D9          xor ebx,ecx
00486BCE |.  035D 0C       add ebx,dword ptr ss:[ebp+C]
00486BD1 |.  0118          add dword ptr ds:[eax],ebx
00486BD3 |.  33C9          xor ecx,ecx
00486BD5 |.  8A4D 08       mov cl,byte ptr ss:[ebp+8]
00486BD8 |.  51          push ecx
00486BD9 |.  B9 20000000 mov ecx,20
00486BDE |.  5B          pop ebx
00486BDF |.  2BCB          sub ecx,ebx
00486BE1 |.  8B18          mov ebx,dword ptr ds:[eax]
00486BE3 |.  D3EB          shr ebx,cl
00486BE5 |.  8A4D 08       mov cl,byte ptr ss:[ebp+8]
00486BE8 |.  8B30          mov esi,dword ptr ds:[eax]
00486BEA |.  D3E6          shl esi,cl
00486BEC |.  0BDE          or ebx,esi
00486BEE |.  8918          mov dword ptr ds:[eax],ebx
00486BF0 |.  0110          add dword ptr ds:[eax],edx
00486BF2 |.  5E          pop esi
00486BF3 |.  5B          pop ebx
00486BF4 |.  5D          pop ebp
00486BF5 \.  C2 0C00       retn 0C

第二轮运算，下断处00486BF8:

00486BF8 /$  55          push ebp
00486BF9 |.  8BEC          mov ebp,esp
00486BFB |.  53          push ebx
00486BFC |.  56          push esi
00486BFD |.  8B5D 08       mov ebx,dword ptr ss:[ebp+8]
00486C00 |.  8BF1          mov esi,ecx
00486C02 |.  33F2          xor esi,edx
00486C04 |.  2375 10       and esi,dword ptr ss:[ebp+10]
00486C07 |.  33CE          xor ecx,esi
00486C09 |.  034D 0C       add ecx,dword ptr ss:[ebp+C]
00486C0C |.  0108          add dword ptr ds:[eax],ecx
00486C0E |.  33C9          xor ecx,ecx
00486C10 |.  8ACB          mov cl,bl
00486C12 |.  51          push ecx
00486C13 |.  B9 20000000 mov ecx,20
00486C18 |.  5E          pop esi
00486C19 |.  2BCE          sub ecx,esi
00486C1B |.  8B30          mov esi,dword ptr ds:[eax]
00486C1D |.  D3EE          shr esi,cl
00486C1F |.  8BCB          mov ecx,ebx
00486C21 |.  8B18          mov ebx,dword ptr ds:[eax]
00486C23 |.  D3E3          shl ebx,cl
00486C25 |.  0BF3          or esi,ebx
00486C27 |.  8930          mov dword ptr ds:[eax],esi
00486C29 |.  0110          add dword ptr ds:[eax],edx
00486C2B |.  5E          pop esi
00486C2C |.  5B          pop ebx
00486C2D |.  5D          pop ebp
00486C2E \.  C2 0C00       retn 0C

第三轮运算，下断处00486C34:

00486C34 /$  55          push ebp
00486C35 |.  8BEC          mov ebp,esp
00486C37 |.  53          push ebx
00486C38 |.  56          push esi
00486C39 |.  8B5D 08       mov ebx,dword ptr ss:[ebp+8]
00486C3C |.  33CA          xor ecx,edx
00486C3E |.  334D 10       xor ecx,dword ptr ss:[ebp+10]
00486C41 |.  034D 0C       add ecx,dword ptr ss:[ebp+C]
00486C44 |.  0108          add dword ptr ds:[eax],ecx
00486C46 |.  33C9          xor ecx,ecx
00486C48 |.  8ACB          mov cl,bl
00486C4A |.  51          push ecx
00486C4B |.  B9 20000000 mov ecx,20
00486C50 |.  5E          pop esi
00486C51 |.  2BCE          sub ecx,esi
00486C53 |.  8B30          mov esi,dword ptr ds:[eax]
00486C55 |.  D3EE          shr esi,cl
00486C57 |.  8BCB          mov ecx,ebx
00486C59 |.  8B18          mov ebx,dword ptr ds:[eax]
00486C5B |.  D3E3          shl ebx,cl
00486C5D |.  0BF3          or esi,ebx
00486C5F |.  8930          mov dword ptr ds:[eax],esi
00486C61 |.  0110          add dword ptr ds:[eax],edx
00486C63 |.  5E          pop esi
00486C64 |.  5B          pop ebx
00486C65 |.  5D          pop ebp
00486C66 \.  C2 0C00       retn 0C

第四轮运算，下断处00486C6C:

00486C6C /$  55          push ebp
00486C6D |.  8BEC          mov ebp,esp
00486C6F |.  53          push ebx
00486C70 |.  56          push esi
00486C71 |.  8B5D 08       mov ebx,dword ptr ss:[ebp+8]
00486C74 |.  8B75 10       mov esi,dword ptr ss:[ebp+10]
00486C77 |.  F7D6          not esi
00486C79 |.  0BF2          or esi,edx
00486C7B |.  33CE          xor ecx,esi
00486C7D |.  034D 0C       add ecx,dword ptr ss:[ebp+C]
00486C80 |.  0108          add dword ptr ds:[eax],ecx
00486C82 |.  33C9          xor ecx,ecx
00486C84 |.  8ACB          mov cl,bl
00486C86 |.  51          push ecx
00486C87 |.  B9 20000000 mov ecx,20
00486C8C |.  5E          pop esi
00486C8D |.  2BCE          sub ecx,esi
00486C8F |.  8B30          mov esi,dword ptr ds:[eax]
00486C91 |.  D3EE          shr esi,cl
00486C93 |.  8BCB          mov ecx,ebx
00486C95 |.  8B18          mov ebx,dword ptr ds:[eax]
00486C97 |.  D3E3          shl ebx,cl
00486C99 |.  0BF3          or esi,ebx
00486C9B |.  8930          mov dword ptr ds:[eax],esi
00486C9D |.  0110          add dword ptr ds:[eax],edx
00486C9F |.  5E          pop esi
00486CA0 |.  5B          pop ebx
00486CA1 |.  5D          pop ebp
00486CA2 \.  C2 0C00       retn 0C

把 YYYYYYYY 变换为 32字节的 0-9/A-F 字节形如"2D9D13E987AD1FC9EA8B62261030F3AA"的序列，用于解密源码压缩块：
先用待解密字节和解密字节XOR，结果再和解密字节的序号XOR，保存到原位置。

下断处:00487904

00487904 /$  53          push ebx                            ; 使用 Part2 变换解码！
00487905 |.  56          push esi
00487906 |.  57          push edi
00487907 |.  51          push ecx
00487908 |.  891424       mov dword ptr ss:[esp],edx
0048790B |.  8BD8          mov ebx,eax
0048790D |.  8BF9          mov edi,ecx
0048790F |.  4F          dec edi
00487910 |.  85FF          test edi,edi
00487912 |.  7C 2A       jl short INS.0048793E
00487914 |.  47          inc edi
00487915 |.  33F6          xor esi,esi
00487917 |>  FF43 0C       /inc dword ptr ds:[ebx+C]
0048791A |.  8B43 10       |mov eax,dword ptr ds:[ebx+10]
0048791D |.  8B53 08       |mov edx,dword ptr ds:[ebx+8]
00487920 |.  8A1410       |mov dl,byte ptr ds:[eax+edx]
00487923 |.  8B0424       |mov eax,dword ptr ss:[esp]
00487926 |.  03C6          |add eax,esi
00487928 |.  3210          |xor dl,byte ptr ds:[eax]             ; 待解密字节 XOR MD5 序列某字节
0048792A |.  3253 0C       |xor dl,byte ptr ds:[ebx+C]          ; 上一步结果 XOR 待解密字节的索引(1开始计数)
0048792D |.  8810          |mov byte ptr ds:[eax],dl             ; 保存到原位置
0048792F |.  8B43 08       |mov eax,dword ptr ds:[ebx+8]
00487932 |.  40          |inc eax
00487933 |.  99          |cdq
00487934 |.  F77B 04       |idiv dword ptr ds:[ebx+4]
00487937 |.  8953 08       |mov dword ptr ds:[ebx+8],edx
0048793A |.  46          |inc esi
0048793B |.  4F          |dec edi
0048793C |.^ 75 D9       \jnz short INS.00487917
0048793E |>  5A          pop edx
0048793F |.  5F          pop edi
00487940 |.  5E          pop esi
00487941 |.  5B          pop ebx
00487942 \.  C3          retn

小结一下
--------

虽然可以构造密码，过密码验证关，但安装源码的时候，源码是通过对Part2变换加密压缩的，对Part2采用的是 MD5 算法，
所以，没有正确的Part2，最终是不可爆破的！

第四部分：CRC32
===============

下断处:00465208,CRC32 计算入口

00465208 /$  53          push ebx
00465209 |.  56          push esi
0046520A |.  8BF2          mov esi,edx
0046520C |.  8BD8          mov ebx,eax
0046520E |.  8BD3          mov edx,ebx
00465210 |.  8BCE          mov ecx,esi
00465212 |.  83C8 FF       or eax,FFFFFFFF
00465215 |.  E8 9EFFFFFF call INS.004651B8
0046521A |.  83F0 FF       xor eax,FFFFFFFF
0046521D |.  5E          pop esi
0046521E |.  5B          pop ebx
0046521F \.  C3          retn

下断处:004651B8,计算 CRC32

004651B8 /$  53          push ebx
004651B9 |.  56          push esi
004651BA |.  57          push edi
004651BB |.  8BF1          mov esi,ecx
004651BD |.  8BFA          mov edi,edx
004651BF |.  8BD8          mov ebx,eax
004651C1 |.  803D 007C4A00 >cmp byte ptr ds:[4A7C00],0
004651C8 |.  75 0C       jnz short INS.004651D6
004651CA |.  E8 B5FFFFFF call INS.00465184
004651CF |.  C605 007C4A00 >mov byte ptr ds:[4A7C00],1
004651D6 |>  8BC7          mov eax,edi
004651D8 |.  85F6          test esi,esi
004651DA |.  74 26       je short INS.00465202
004651DC |>  8BD3          /mov edx,ebx
004651DE |.  81E2 FF000000  |and edx,0FF
004651E4 |.  33C9          |xor ecx,ecx
004651E6 |.  8A08          |mov cl,byte ptr ds:[eax]
004651E8 |.  66:33D1       |xor dx,cx
004651EB |.  0FB7D2       |movzx edx,dx
004651EE |.  8B1495 047C4A0>|mov edx,dword ptr ds:[edx*4+4A7C04]
004651F5 |.  C1EB 08       |shr ebx,8
004651F8 |.  33D3          |xor edx,ebx
004651FA |.  8BDA          |mov ebx,edx
004651FC |.  4E          |dec esi
004651FD |.  40          |inc eax
004651FE |.  85F6          |test esi,esi
00465200 |.^ 75 DA       \jnz short INS.004651DC
00465202 |>  8BC3          mov eax,ebx
00465204 |.  5F          pop edi
00465205 |.  5E          pop esi
00465206 |.  5B          pop ebx
00465207 \.  C3          retn

下断处:00465184,初始化 CRC32 常数表

00465184 /$  56          push esi
00465185 |.  33F6          xor esi,esi
00465187 |.  B9 047C4A00 mov ecx,INS.004A7C04
0046518C |>  8BC6          /mov eax,esi
0046518E |.  BA 08000000 |mov edx,8
00465193 |>  A8 01       |/test al,1
00465195 |.  74 09       ||je short INS.004651A0
00465197 |.  D1E8          ||shr eax,1
00465199 |.  35 2083B8ED ||xor eax,EDB88320
0046519E |.  EB 02       ||jmp short INS.004651A2
004651A0 |>  D1E8          ||shr eax,1
004651A2 |>  4A          ||dec edx
004651A3 |.^ 75 EE       |\jnz short INS.00465193
004651A5 |.  8901          |mov dword ptr ds:[ecx],eax
004651A7 |.  46          |inc esi
004651A8 |.  83C1 04       |add ecx,4
004651AB |.  81FE 00010000  |cmp esi,100
004651B1 |.^ 75 D9       \jnz short INS.0046518C
004651B3 |.  5E          pop esi
004651B4 \.  C3          retn

第五部分：终极解决
==================

任务: 找到Part2
要求: CRC32(Part2)=0x70EAF483
方法: CRC32 反射

满足条件的Part2很多,根据惯例,限定 Part2 为 A-F/0-9 8字节长的字符串,从 0xFFFF 开始递减反射后面四个字节,且每个字节必须在['0'-'9' OR 'A'-'F']范围之内,在 0xC442 的时候,得到反射 0xCC99,在 0x3A0F 的时候得到反射 0xE983,根据密码各部分之间的关系,
并验证,只有 C442CC99 符合要求!感谢POLAND人，没有使用其它e文字母，不然，$^#(!$()YZ_#$_!&...

于是,构造出 xxxxxGIS DK8 的安装密码:

19970419-C442CC99-E6CFE9DA
YANGTZE-C442CC99-512CCE18
......

[Part1: 可变]
[Part2: 固定]
[Part3: 计算]

第六部分: CRC32 相关代码
========================

1) AZMC_CRC32.h

#pragma once

#define MakeLong(a,b) MAKELONG(b,a)
#define MakeWord(a,b) MAKEWORD(b,a)

class CAZMC_CRC32
{
public:
CAZMC_CRC32(void);
~CAZMC_CRC32(void);

private:
unsigned long CRC32Table[ 256 ];
void InitTable();

public:
unsigned long GetCRC32(unsigned char* data, unsigned long size);
unsigned char RF(unsigned char x);
unsigned char F(unsigned char x);
unsigned char G(unsigned char x);
unsigned char H(unsigned char x);
unsigned char I(unsigned char x);
unsigned long CRC32CAT(unsigned long CRC32Prev,unsigned long BytesToCat);
unsigned long CRC32RF(unsigned long WXYZ,unsigned long abcd );
};

2) AZMC_CRC32.cpp

#include "StdAfx.h"

#include ".\azmc_crc32.h"

CAZMC_CRC32::CAZMC_CRC32(void)
{
InitTable();
}

CAZMC_CRC32::~CAZMC_CRC32(void)
{
}

void CAZMC_CRC32::InitTable()
{
unsigned long i,j;
unsigned long crc;

for( i = 0; i < 256; i ++ )
{
crc = i;
for( j = 0; j < 8; j ++ )
{
if( crc & 1 ) crc = ( crc >> 1 ) ^ 0xEDB88320;
else crc >>= 1;
}
CRC32Table[ i ] = crc;
}
}

unsigned long CAZMC_CRC32::GetCRC32(unsigned char* data, unsigned long size)
{
unsigned long crc = 0xFFFFFFFF;
unsigned long len;
unsigned char* buffer;

if( !data || ( size == 0 ) ) return 0xFFFFFFFF;

len = size;
buffer = data;

while( len -- ) crc = (crc >> 8 ) ^ CRC32Table[ ( crc & 0xFF ) ^ *buffer++ ];

return crc^0xFFFFFFFF;
}

// ==================================================================================
// 1.CRC32 of String1: ABCD
// 2.String2
// 3.CRC32 of String1+String2
// 4.WXYZ = ABCD + CRC32( string2 )
// ==================================================================================
unsigned long CAZMC_CRC32::CRC32CAT(unsigned long ABCD,unsigned long abcd)
{
unsigned char p,o,n,m,a,b,c,d,W,X,Y,Z,A,B,C,D;

A = HIBYTE( HIWORD( ABCD ) );
B = LOBYTE( HIWORD( ABCD ) );
C = HIBYTE( LOWORD( ABCD ) );
D = LOBYTE( LOWORD( ABCD ) );

a = HIBYTE( HIWORD( abcd ) );
b = LOBYTE( HIWORD( abcd ) );
c = HIBYTE( LOWORD( abcd ) );
d = LOBYTE( LOWORD( abcd ) );

m = d ^ D;
n = c ^ C ^ I( m );
o = b ^ B ^ H( m ) ^ I( n );
p = a ^ A ^ G( m ) ^ H( n ) ^ I( o );

W = F( p );
X = F( o ) ^ G( p );
Y = F( n ) ^ G( o ) ^ H( p );
Z = F( m ) ^ G( n ) ^ H( o ) ^ I( p );

return 0xFFFFFFFF ^ ( MakeLong( MakeWord( W,X ),MakeWord( Y,Z ) ) );
}

// ==================================================================================
// 1.CRC32 of String1+String2: WXYZ
// 2.CRC32 of String2
// 3.CRC32 of String1
// 4.ABCD = WXYZ - CRC32( abcd )
// ==================================================================================
unsigned long CAZMC_CRC32::CRC32RF(unsigned long WXYZ,unsigned long abcd )
{
unsigned char p,o,n,m,a,b,c,d,W,X,Y,Z,A,B,C,D;

W = HIBYTE( HIWORD( WXYZ ) );
X = LOBYTE( HIWORD( WXYZ ) );
Y = HIBYTE( LOWORD( WXYZ ) );
Z = LOBYTE( LOWORD( WXYZ ) );

a = HIBYTE( HIWORD( abcd ) );
b = LOBYTE( HIWORD( abcd ) );
c = HIBYTE( LOWORD( abcd ) );
d = LOBYTE( LOWORD( abcd ) );

p = RF( W );
o = RF( X ^ G( p ) );
n = RF( Y ^ G( o ) ^ H( p ) );
m = RF( Z ^ G( n ) ^ H( o ) ^ I( p ) );

D = m ^ d;
C = n ^ c ^ I( m );
B = o ^ b ^ H( m ) ^ I( n );
A = p ^ a ^ G( m ) ^ H( n ) ^ I( o );

return MakeLong( MakeWord( A,B ),MakeWord( C,D ) );
}

unsigned char CAZMC_CRC32::RF(unsigned char x)
{
unsigned char j;

for( j = 0; j <= 0xFF; j ++ )
{
if( HIBYTE( HIWORD( CRC32Table[ j ] ) ) == x ) break;
}
return j;
}

unsigned char CAZMC_CRC32::F(unsigned char x)
{
return HIBYTE( HIWORD( CRC32Table[ x ] ) );
}

unsigned char CAZMC_CRC32::G(unsigned char x)
{
return LOBYTE( HIWORD( CRC32Table[ x ] ) );
}

unsigned char CAZMC_CRC32::H( unsigned char x )
{
return HIBYTE( LOWORD( CRC32Table[ x ] ) );
}

unsigned char CAZMC_CRC32::I(unsigned char x)
{
  return LOBYTE( LOWORD( CRC32Table[ x ] ) );
}

3) CRC32 反射

m_Counter = 0xFFFF

CString str;
str.Format("%04X",m_Counter);

char data[50];
lstrcpy(data,str);
unsigned long CRC32_1 = m_objCRC32.GetCRC32( (unsigned char*)data,4 );
unsigned long x = m_objCRC32.CRC32RF( 0x70EAF483 ^ 0xFFFFFFFF,CRC32_1 ^ 0xFFFFFFFF );

CString str2;
str2.Format("%08X",x);
str +="---";
str += str2;

CEdit* pEdit = (CEdit*)GetDlgItem(IDC_EDIT_CURRENT);
pEdit->SetWindowText( str );

unsigned char* p = ( unsigned char* )&x;
if( ( ( ( *p >= '0' && *p <= '9' ) || ( *p >= 'A' && *p <= 'F' ) )
&& ( ( *(p+1) >= '0' && *(p+1) <= '9' ) || ( *(p+1) >= 'A' && *(p+1) <= 'F' ) )
&& ( ( *(p+2) >= '0' && *(p+2) <= '9' ) || ( *(p+2) >= 'A' && *(p+2) <= 'F' ) )
&& ( ( *(p+3) >= '0' && *(p+3) <= '9' ) || ( *(p+3) >= 'A' && *(p+3) <= 'F' ) ) )
)
{
CListBox* pListBox = ( CListBox* )GetDlgItem(IDC_LIST_70EAF483);
pListBox->AddString(str);
}

if( m_Counter == 0 ) OnBnClickedButtonEndtimer();
m_Counter--;

4) 注册机 KeyGen.cpp

#include "stdafx.h"

#include "AZMC_CRC32.h"

#include <conio.h>

int _tmain(int argc, _TCHAR* argv[])
{
CAZMC_CRC32 objCRC32;
char str[1024];
char strtmp[1024];
char strKey[1024];
unsigned long x;

printf("\r\nKeyGen for xxxxxGIS DK8 - AZMC.13 - 2006.05.04\r\n\r\n");
printf("Please input your name(0-9/a-z/A-Z):");
scanf("%32s",str);
strupr(str);
strcat(str,"-C442CC99");
strcpy(strKey,str);

x=objCRC32.GetCRC32((unsigned char*)str,strlen(str));
sprintf(strtmp,"-%X",x);
strcat(str,strtmp);
x=objCRC32.GetCRC32((unsigned char*)str,strlen(str));
sprintf(strtmp,"-%X",x);
strcat(strKey,strtmp);

printf("\r\nThe key is: %s\r\n",strKey);

printf("\r\n\r\nPress any key to exit...\r\n");
getch();

return 0;
}

第七部分: ^#$(@($&!@()
======================

1) 弄一车兵器，不是杀人手段；我有寸铁，便可杀人。
2) 放下屠刀，立地成佛；成佛之后，杀人便不见血。
3) 如果使用 Part1,作为源码安装时的 MD5 输入信息，我会不会很郁闷？
4) 给可爱的波兰人致敬！
5) 最后的总结陈述:

xxxxxGIS.EXE ---> CRC32 校验关键数据 ---> 生成安装进程 INS??.tmp ---> 等待 INS??.tmp 进程结束。
                                                |
                                                |
                                             INS??.tmp
                                                |
                                                +---> CRC32 校验关键数据
                                                |
                                                +---> 要求输入密码: XXXXXXXX-YYYYYYYY-ZZZZZZZZ
                                                |
                                                +---> 验证密码 CRC32(YYYYYYYY) = 0x70EAF483 ? 不等，Game over.
                                                |
                                                +---> 根据 XXXXXXXX-YYYYYYYY 计算 Part3,并和原始输入比较,不同,Game over.
                                                |
                                                +---> 安装源码，重新获取 Part2,YYYYYYYY
                                                |
                                                +---> Ret = MD5(YYYYYYYY)
                                                |
                                                +---> 使用 Ret 解密源码数据
                                                |
                                                +---> YYYYYYYY 不正确,Game over.

第八部分: 你以为是天龙八部哦？没了。

附注：文中 CRC32 部分代码来自网络上相关文章，特别是那个 CRC32反射代码，衷心感谢作者！谢谢！
==========================================================================================

登录后可查看完整内容

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！

收藏・0

免费・7

支持

最新回复 (12)
baby2008 雪币： 442 活跃值： (1216) 能力值： ( LV12，RANK：1130 ) 在线值：发帖 87 回帖 1435 粉丝 5 关注私信	baby2008 28 2 楼好文,学习 2006-5-23 09:43 0
UniPho 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 66 粉丝 0 关注私信	UniPho 3 楼顶 2006-5-23 10:07 0
紫色缘雪币： 253 活跃值： (25) 能力值： ( LV9，RANK：290 ) 在线值：发帖 12 回帖 384 粉丝 0 关注私信	紫色缘 7 4 楼支持~ 2006-5-23 10:22 0
bfqyygy 雪币： 338 活跃值： (10) 能力值： ( LV4，RANK：50 ) 在线值：发帖 1 回帖 523 粉丝 0 关注私信	bfqyygy 1 5 楼太厉害了 2006-5-23 12:26 0
误入楼台雪币： 236 活跃值： (35) 能力值： ( LV4，RANK：50 ) 在线值：发帖 24 回帖 200 粉丝 0 关注私信	误入楼台 1 6 楼厉害角色 2006-5-23 12:30 0
hrbx 雪币： 267 活跃值： (44) 能力值： ( LV9，RANK：330 ) 在线值：发帖 11 回帖 195 粉丝 1 关注私信	hrbx 8 7 楼强，支持一下 2006-5-23 20:08 0
koala 雪币： 222 活跃值： (40) 能力值： ( LV8，RANK：130 ) 在线值：发帖 4 回帖 178 粉丝 0 关注私信	koala 3 8 楼支持 2006-5-23 20:30 0
linhanshi 雪币： 97697 活跃值： (200834) 能力值： (RANK：10 ) 在线值：发帖 9249 回帖 27947 粉丝 453 关注私信	linhanshi 9 楼 2006-5-23 20:36 0
fcupf 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	fcupf 10 楼没看明白，学习。 2006-5-24 11:52 0
amaddy 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 21 粉丝 0 关注私信	amaddy 11 楼太深奥了!如果用VC++编的程序,能否一样破解?注册码是三个四位数组成的 2006-8-7 10:26 0
amaddy 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 21 粉丝 0 关注私信	amaddy 12 楼晕了,无法发Email给你,楼主能公布Email地址吗? 2006-8-7 10:28 0
sbfan 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 13 粉丝 0 关注私信	sbfan 13 楼以前安装时见过这样的软件，没辙，从今以后要好好学习去试试了。 2006-8-7 11:27 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

AZMC

发帖

129

回帖

250

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (12)
baby2008 雪币： 442 活跃值： (1216) 能力值： ( LV12，RANK：1130 ) 在线值：发帖 87 回帖 1435 粉丝 5 关注私信	baby2008 28 2 楼好文,学习 2006-5-23 09:43 0
UniPho 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 66 粉丝 0 关注私信	UniPho 3 楼顶 2006-5-23 10:07 0
紫色缘雪币： 253 活跃值： (25) 能力值： ( LV9，RANK：290 ) 在线值：发帖 12 回帖 384 粉丝 0 关注私信	紫色缘 7 4 楼支持~ 2006-5-23 10:22 0
bfqyygy 雪币： 338 活跃值： (10) 能力值： ( LV4，RANK：50 ) 在线值：发帖 1 回帖 523 粉丝 0 关注私信	bfqyygy 1 5 楼太厉害了 2006-5-23 12:26 0
误入楼台雪币： 236 活跃值： (35) 能力值： ( LV4，RANK：50 ) 在线值：发帖 24 回帖 200 粉丝 0 关注私信	误入楼台 1 6 楼厉害角色 2006-5-23 12:30 0
hrbx 雪币： 267 活跃值： (44) 能力值： ( LV9，RANK：330 ) 在线值：发帖 11 回帖 195 粉丝 1 关注私信	hrbx 8 7 楼强，支持一下 2006-5-23 20:08 0
koala 雪币： 222 活跃值： (40) 能力值： ( LV8，RANK：130 ) 在线值：发帖 4 回帖 178 粉丝 0 关注私信	koala 3 8 楼支持 2006-5-23 20:30 0
linhanshi 雪币： 97697 活跃值： (200834) 能力值： (RANK：10 ) 在线值：发帖 9249 回帖 27947 粉丝 453 关注私信	linhanshi 9 楼 2006-5-23 20:36 0
fcupf 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	fcupf 10 楼没看明白，学习。 2006-5-24 11:52 0
amaddy 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 21 粉丝 0 关注私信	amaddy 11 楼太深奥了!如果用VC++编的程序,能否一样破解?注册码是三个四位数组成的 2006-8-7 10:26 0
amaddy 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 21 粉丝 0 关注私信	amaddy 12 楼晕了,无法发Email给你,楼主能公布Email地址吗? 2006-8-7 10:28 0
sbfan 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 13 粉丝 0 关注私信	sbfan 13 楼以前安装时见过这样的软件，没辙，从今以后要好好学习去试试了。 2006-8-7 11:27 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复