【破文作者】
Ryosuke
原帖:
http://bbs.pediy.com/showthread.php?s=&threadid=26144
首先赞一下xyz_119兄这个CrackMe做的十分的好,花了我两个晚上才破掉。
【分析】
算法用到了一种类似于DES的加密算法,和RSA大数运算,还有两种未知的加密算法unknown1,unknown2。
一种unknown1是把16 BYTE <=> (A)8 BYTE (B)8 BYTE,这16BYTE是注册码,8 BYTE A是类DES的明文,B是类DES的密钥,是可逆的运算。
一种unknown2是4BYTE 明密文 4BYTE 密钥的加密算法,算法皆未知。主要是用于程序启动后的验证工作,是用上面的B的前4位做密钥,加密后四位,看看加密后的密文是不是0x78,0x79,0x7A,0x00,也就是("xyz")。
好,Let's Begin!
根据提示来到:
00402C10 . 64:A1 00000000 mov eax, fs:[0] ; 注册时候输入的
00402C16 . 6A FF push -1
00402C18 . 68 38504400 push 00445038
00402C1D . 50 push eax
00402C1E . 64:8925 00000000 mov fs:[0], esp
00402C25 . 83EC 68 sub esp, 68
00402C28 . 8D4424 44 lea eax, [esp+44]
00402C2C . 56 push esi
00402C2D . 8BF1 mov esi, ecx
00402C2F . 8B4C24 7C mov ecx, [esp+7C]
00402C33 . 50 push eax ; /Arg2
00402C34 . 51 push ecx ; |Arg1
00402C35 . 8BCE mov ecx, esi ; |
00402C37 . E8 94030000 call 00402FD0 ; \注册码serial格式检查
00402C3C . 85C0 test eax, eax
00402C3E . 75 12 jnz short 00402C52
00402C40 . 5E pop esi
00402C41 . 8B4C24 68 mov ecx, [esp+68]
00402C45 . 64:890D 00000000 mov fs:[0], ecx
00402C4C . 83C4 74 add esp, 74
00402C4F . C2 0400 retn 4
00402C52 > 8D5424 14 lea edx, [esp+14]
00402C56 . 53 push ebx
00402C57 . 8D4424 10 lea eax, [esp+10]
00402C5B . 52 push edx
00402C5C . 8D4C24 50 lea ecx, [esp+50]
00402C60 . 50 push eax
00402C61 . 51 push ecx
00402C62 . 8BCE mov ecx, esi
00402C64 . C64424 34 00 mov byte ptr [esp+34], 0
00402C69 . E8 62FBFFFF call 004027D0 ; unknown1正向变换serial组成的16字节,生成plain和key
00402C6E . 8B5C24 10 mov ebx, [esp+10] ; out1
00402C72 . 33D2 xor edx, edx
00402C74 . 8A56 14 mov dl, [esi+14] ; 11
00402C77 . 8D4424 10 lea eax, [esp+10]
00402C7B . C1E2 18 shl edx, 18
00402C7E . 0BDA or ebx, edx key第一个DWORD XOR 0x11000000
00402C80 . 8D4C24 20 lea ecx, [esp+20]
00402C84 . 50 push eax
00402C85 . 8D5424 1C lea edx, [esp+1C]
00402C89 . 51 push ecx
00402C8A . 52 push edx
00402C8B . 895C24 1C mov [esp+1C], ebx
00402C8F . E8 3CC90000 call 0040F5D0 类DES的加密
00402C94 . B0 FA mov al, 0FA
00402C96 . 83C4 0C add esp, 0C
00402C99 . 884424 39 mov [esp+39], al
00402C9D . 884424 4B mov [esp+4B], al
00402CA1 . 8D4424 08 lea eax, [esp+8]
00402CA5 . 6A 08 push 8 ; /Arg7 = 00000008
00402CA7 . 50 push eax ; |Arg6
00402CA8 . 8D4C24 34 lea ecx, [esp+34] ; |
00402CAC . 6A 10 push 10 ; |Arg5 = 00000010
00402CAE . 51 push ecx ; |Arg4
00402CAF . 8D5424 4C lea edx, [esp+4C] ; |
00402CB3 . 6A 10 push 10 ; |Arg3 = 00000010
00402CB5 . 8D4424 70 lea eax, [esp+70] ; |
00402CB9 . 52 push edx ; |Arg2
00402CBA . 50 push eax ; |Arg1
00402CBB . 8BCE mov ecx, esi ; |
00402CBD . C64424 48 CA mov byte ptr [esp+48], 0CA ; |
00402CC2 . C64424 49 C4 mov byte ptr [esp+49], 0C4 ; |
00402CC7 . C64424 4A 7C mov byte ptr [esp+4A], 7C ; |
00402CCC . C64424 4B 54 mov byte ptr [esp+4B], 54 ; |
00402CD1 . C64424 4C 52 mov byte ptr [esp+4C], 52 ; |
00402CD6 . C64424 4D 72 mov byte ptr [esp+4D], 72 ; |
00402CDB . C64424 4E 88 mov byte ptr [esp+4E], 88 ; |
00402CE0 . C64424 4F 82 mov byte ptr [esp+4F], 82 ; |
00402CE5 . C64424 50 74 mov byte ptr [esp+50], 74 ; |
00402CEA . C64424 51 B2 mov byte ptr [esp+51], 0B2 ; |
00402CEF . C64424 52 95 mov byte ptr [esp+52], 95 ; |
00402CF4 . C64424 53 A2 mov byte ptr [esp+53], 0A2 ; |
00402CF9 . C64424 54 66 mov byte ptr [esp+54], 66 ; |
00402CFE . C64424 56 A0 mov byte ptr [esp+56], 0A0 ; |
00402D03 . C64424 57 8D mov byte ptr [esp+57], 8D ; |
00402D08 . C64424 24 D4 mov byte ptr [esp+24], 0D4 ; |
00402D0D . C64424 25 D0 mov byte ptr [esp+25], 0D0 ; |
00402D12 . C64424 26 ED mov byte ptr [esp+26], 0ED ; |
00402D17 . C64424 27 36 mov byte ptr [esp+27], 36 ; |
00402D1C . C64424 28 D3 mov byte ptr [esp+28], 0D3 ; |
00402D21 . C64424 29 BC mov byte ptr [esp+29], 0BC ; |
00402D26 . C64424 2A 55 mov byte ptr [esp+2A], 55 ; |
00402D2B . C64424 2B E7 mov byte ptr [esp+2B], 0E7 ; |
00402D30 . C64424 58 6D mov byte ptr [esp+58], 6D ; |
00402D35 . C64424 59 C7 mov byte ptr [esp+59], 0C7 ; |
00402D3A . C64424 5A A8 mov byte ptr [esp+5A], 0A8 ; |
00402D3F . C64424 5B 2F mov byte ptr [esp+5B], 2F ; |
00402D44 . C64424 5C 50 mov byte ptr [esp+5C], 50 ; |
00402D49 . C64424 5D 9F mov byte ptr [esp+5D], 9F ; |
00402D4E . C64424 5E 7E mov byte ptr [esp+5E], 7E ; |
00402D53 . C64424 5F A1 mov byte ptr [esp+5F], 0A1 ; |
00402D58 . C64424 60 AB mov byte ptr [esp+60], 0AB ; |
00402D5D . C64424 61 81 mov byte ptr [esp+61], 81 ; |
00402D62 . C64424 62 60 mov byte ptr [esp+62], 60 ; |
00402D67 . C64424 63 05 mov byte ptr [esp+63], 5 ; |
00402D6C . C64424 64 DC mov byte ptr [esp+64], 0DC ; |
00402D71 . C64424 65 E9 mov byte ptr [esp+65], 0E9 ; |
00402D76 . C64424 66 71 mov byte ptr [esp+66], 71 ; |
00402D7B . E8 B0EEFFFF call 00401C30 ; \RSA 这里涉及到C=M^E mod N的计算
00402D80 . 8BD0 mov edx, eax
00402D82 . 8D4C24 20 lea ecx, [esp+20]
00402D86 . 85C9 test ecx, ecx
00402D88 . 74 51 je short 00402DDB
00402D8A . 57 push edi
00402D8B . 8D7C24 24 lea edi, [esp+24]
00402D8F . 83C9 FF or ecx, FFFFFFFF
00402D92 . 33C0 xor eax, eax
00402D94 . F2:AE repne scas byte ptr es:[edi]
00402D96 . 8B42 0C mov eax, [edx+C]
00402D99 . F7D1 not ecx
00402D9B . 49 dec ecx
00402D9C . 8BD9 mov ebx, ecx
00402D9E . 8BC8 mov ecx, eax
00402DA0 . 3BC3 cmp eax, ebx
00402DA2 . 72 02 jb short 00402DA6
00402DA4 . 8BCB mov ecx, ebx
00402DA6 > 8B52 08 mov edx, [edx+8]
00402DA9 . 8D7C24 24 lea edi, [esp+24]
00402DAD . 8BF2 mov esi, edx
00402DAF . 33D2 xor edx, edx
00402DB1 . F3:A6 repe cmps byte ptr es:[edi], byte ptr [esi]
//加密结果和RSA计算结果比较,相等则成功,第一次RSA计算结果BA D9 BA D9 B2 BB B4 ED,见下面RSA部分可知。
00402DB3 . 5F pop edi
00402DB4 . 74 05 je short 00402DBB
00402DB6 . 1BD2 sbb edx, edx
00402DB8 . 83DA FF sbb edx, -1
00402DBB > 85D2 test edx, edx
00402DBD . 75 17 jnz short 00402DD6
00402DBF . 3BC3 cmp eax, ebx
00402DC1 . 73 0A jnb short 00402DCD
00402DC3 . 83CA FF or edx, FFFFFFFF
00402DC6 . 85D2 test edx, edx
00402DC8 . 0F95C3 setne bl
00402DCB . EB 10 jmp short 00402DDD
00402DCD > 33D2 xor edx, edx
00402DCF . 3BC3 cmp eax, ebx
00402DD1 . 0F95C2 setne dl
00402DD4 . 85D2 test edx, edx
00402DD6 > 0F95C3 setne bl
00402DD9 . EB 02 jmp short 00402DDD
00402DDB > B3 01 mov bl, 1
00402DDD > 8D4C24 5C lea ecx, [esp+5C]
00402DE1 . C74424 78 FFFFFFFF mov dword ptr [esp+78], -1
00402DE9 . E8 920D0000 call 00403B80
00402DEE . 8B4C24 70 mov ecx, [esp+70]
00402DF2 . 33C0 xor eax, eax
00402DF4 . 84DB test bl, bl
00402DF6 . 5B pop ebx
00402DF7 . 5E pop esi
00402DF8 . 0F94C0 sete al
00402DFB . 64:890D 00000000 mov fs:[0], ecx
00402E02 . 83C4 74 add esp, 74
00402E05 . C2 0400 retn 4
注意这个前面设计到一个注册码格式的验证问题,由于不是重点,跳过了。注册码37位,是XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XX形式。
[unknown1 part]
unknown1正向变换,见
004027D0 /$ 51 push ecx ; serial=>key cipher
004027D1 |. 8B4C24 0C mov ecx, [esp+C]
004027D5 |. 33C0 xor eax, eax
004027D7 |. 33D2 xor edx, edx
004027D9 |. 53 push ebx
004027DA |. 8901 mov [ecx], eax ; out1清0
004027DC |. 8B5C24 0C mov ebx, [esp+C] ; in 16 BYTE
004027E0 |. 55 push ebp
004027E1 |. 56 push esi
004027E2 |. 8941 04 mov [ecx+4], eax ; out1清0
004027E5 |. 8B4424 1C mov eax, [esp+1C]
004027E9 |. 57 push edi
004027EA |. 8910 mov [eax], edx ; out2清0
004027EC |. 8950 04 mov [eax+4], edx ; out2清0
004027EF |. 33C0 xor eax, eax
004027F1 |. 894424 10 mov [esp+10], eax ; 计数器
004027F5 |> 8BC8 /mov ecx, eax
004027F7 |. 81E1 01000080 |and ecx, 80000001
004027FD |. 79 05 |jns short 00402804
004027FF |. 49 |dec ecx
00402800 |. 83C9 FE |or ecx, FFFFFFFE
00402803 |. 41 |inc ecx
00402804 |> 99 |cdq
00402805 |. 2BC2 |sub eax, edx
00402807 |. BE 1F000000 |mov esi, 1F
0040280C |. C1E1 04 |shl ecx, 4
0040280F |. D1F8 |sar eax, 1
00402811 |. 2BF1 |sub esi, ecx
00402813 |. 33FF |xor edi, edi
00402815 |. C1E0 02 |shl eax, 2
00402818 |. 897424 18 |mov [esp+18], esi ; 计数器2
0040281C |. 33D2 |xor edx, edx
0040281E |. EB 04 |jmp short 00402824
00402820 |> 8B7424 18 |/mov esi, [esp+18]
00402824 |> 8B2B | mov ebp, [ebx] ; in
00402826 |. 8BCA ||mov ecx, edx
00402828 |. D3ED ||shr ebp, cl
0040282A |. 2BF7 ||sub esi, edi
0040282C |. 8BCE ||mov ecx, esi
0040282E |. C1E5 1F ||shl ebp, 1F
00402831 |. D3ED ||shr ebp, cl
00402833 |. 8B4C24 1C ||mov ecx, [esp+1C]
00402837 |. 092C08 ||or [eax+ecx], ebp
0040283A |. 8B2B ||mov ebp, [ebx]
0040283C |. 8D4A 01 ||lea ecx, [edx+1]
0040283F |. 83C2 02 ||add edx, 2
00402842 |. D3ED ||shr ebp, cl
00402844 |. 8BCE ||mov ecx, esi
00402846 |. C1E5 1F ||shl ebp, 1F
00402849 |. D3ED ||shr ebp, cl
0040284B |. 8B4C24 20 ||mov ecx, [esp+20]
0040284F |. 8B3408 ||mov esi, [eax+ecx]
00402852 |. 0BF5 ||or esi, ebp
00402854 |. 47 ||inc edi
00402855 |. 83FA 20 ||cmp edx, 20
00402858 |. 893408 ||mov [eax+ecx], esi
0040285B |.^ 7C C3 |\jl short 00402820
0040285D |. 8B4424 10 |mov eax, [esp+10]
00402861 |. 83C3 04 |add ebx, 4
00402864 |. 40 |inc eax
00402865 |. 83F8 04 |cmp eax, 4
00402868 |. 894424 10 |mov [esp+10], eax
0040286C |.^ 7C 87 \jl short 004027F5
0040286E |. 5F pop edi
0040286F |. 5E pop esi
00402870 |. 5D pop ebp
00402871 |. 5B pop ebx
00402872 |. 59 pop ecx
00402873 \. C2 0C00 retn 0C
呵呵,我在这个CrackMe中耍了一些小技巧,由于它都是对称算法,许多代码都是用C++类形式写的,也就是说在加密算法附近,肯定是解密算
法。
第一个小技巧,找unknown1的反相变换,上面这段程序向上翻一翻,看见:
00402700 /$ 53 push ebx
00402701 |. 55 push ebp
00402702 |. 56 push esi
00402703 |. 57 push edi
00402704 |. 8B7C24 1C mov edi, [esp+1C]
00402708 |. 33C0 xor eax, eax
0040270A |. 8BCF mov ecx, edi
0040270C |. 8B7424 18 mov esi, [esp+18]
00402710 |. C74424 18 02000000 mov dword ptr [esp+18], 2
00402718 |. 8901 mov [ecx], eax
0040271A |. 8941 04 mov [ecx+4], eax
0040271D |. 8941 08 mov [ecx+8], eax
00402720 |. 8941 0C mov [ecx+C], eax
00402723 |. 8B4C24 14 mov ecx, [esp+14]
00402727 |. 2BCE sub ecx, esi
00402729 |. 33D2 xor edx, edx
0040272B |. 894C24 1C mov [esp+1C], ecx
0040272F |. EB 0E jmp short 0040273F
00402731 |> 8B4C24 1C /mov ecx, [esp+1C]
00402735 |. 33D2 |xor edx, edx
00402737 |. 33C0 |xor eax, eax
00402739 |. EB 04 |jmp short 0040273F
0040273B |> 8B4C24 1C |/mov ecx, [esp+1C]
0040273F |> 8B1C31 mov ebx, [ecx+esi]
00402742 |. 83F8 20 ||cmp eax, 20
00402745 |. 8BCA ||mov ecx, edx
00402747 |. 7D 2A ||jge short 00402773
00402749 |. D3EB ||shr ebx, cl
0040274B |. 8B2E ||mov ebp, [esi]
0040274D |. B9 1F000000 ||mov ecx, 1F
00402752 |. 2BC8 ||sub ecx, eax
00402754 |. C1E3 1F ||shl ebx, 1F
00402757 |. D3EB ||shr ebx, cl
00402759 |. 8BCA ||mov ecx, edx
0040275B |. D3ED ||shr ebp, cl
0040275D |. B9 1E000000 ||mov ecx, 1E
00402762 |. 2BC8 ||sub ecx, eax
00402764 |. C1E5 1F ||shl ebp, 1F
00402767 |. D3ED ||shr ebp, cl
00402769 |. 8B0F ||mov ecx, [edi]
0040276B |. 0BDD ||or ebx, ebp
0040276D |. 0BCB ||or ecx, ebx
0040276F |. 890F ||mov [edi], ecx
00402771 |. EB 2A ||jmp short 0040279D
00402773 |> D3EB ||shr ebx, cl
00402775 |. 8B2E ||mov ebp, [esi]
00402777 |. B9 3F000000 ||mov ecx, 3F
0040277C |. 2BC8 ||sub ecx, eax
0040277E |. C1E3 1F ||shl ebx, 1F
00402781 |. D3EB ||shr ebx, cl
00402783 |. 8BCA ||mov ecx, edx
00402785 |. D3ED ||shr ebp, cl
00402787 |. B9 3E000000 ||mov ecx, 3E
0040278C |. 2BC8 ||sub ecx, eax
0040278E |. C1E5 1F ||shl ebp, 1F
00402791 |. D3ED ||shr ebp, cl
00402793 |. 8B4F 04 ||mov ecx, [edi+4]
00402796 |. 0BDD ||or ebx, ebp
00402798 |. 0BCB ||or ecx, ebx
0040279A |. 894F 04 ||mov [edi+4], ecx
0040279D |> 83C0 02 ||add eax, 2
004027A0 |. 42 ||inc edx
004027A1 |. 83F8 40 ||cmp eax, 40
004027A4 |.^ 7C 95 |\jl short 0040273B
004027A6 |. 8B4424 18 |mov eax, [esp+18]
004027AA |. 83C6 04 |add esi, 4
004027AD |. 83C7 08 |add edi, 8
004027B0 |. 48 |dec eax
004027B1 |. 894424 18 |mov [esp+18], eax
004027B5 |.^ 0F85 76FFFFFF \jnz 00402731
004027BB |. 5F pop edi
004027BC |. 5E pop esi
004027BD |. 5D pop ebp
004027BE |. 5B pop ebx
004027BF \. C2 0C00 retn 0C
发现这两段惊人的对称,呵呵,后面会有更多的好奇的地方。用IDA抓下代码生成,写一段程序进行验证,果真是unknown1的逆函数。好先留着
。
我把这两个函数叫做:
void _stdcall sub_serail_trans(serial,key,plain); //serial key plain
void _stdcall sub_trans_serial(key,plain,serial); //key plain serial
[类DES part]
进入类DES的加密,为什么叫它类DES的加密算法,请听我慢慢道来。
0040F5D0 /$ 8B4C24 0C mov ecx, [esp+C] ; 加密
0040F5D4 |. 81EC 80000000 sub esp, 80
0040F5DA |. 8D4424 00 lea eax, [esp]
0040F5DE |. 53 push ebx
0040F5DF |. 55 push ebp
0040F5E0 |. 56 push esi
0040F5E1 |. 57 push edi
0040F5E2 |. 50 push eax
0040F5E3 |. 51 push ecx
0040F5E4 |. E8 97F0FFFF call 0040E680 //进入知道这里初始化subkey
0040F5E9 |. 8B8424 9C000000 mov eax, [esp+9C]
0040F5F0 |. 8BB424 90000000 mov esi, [esp+90]
0040F5F7 |. 83C4 08 add esp, 8
0040F5FA |. 8B50 04 mov edx, [eax+4]
0040F5FD |. 8B00 mov eax, [eax]
0040F5FF |. 8BCA mov ecx, edx
0040F601 |. C1E1 1C shl ecx, 1C
0040F604 |. C1EA 04 shr edx, 4
0040F607 |. 0BCA or ecx, edx
0040F609 |. 8BD0 mov edx, eax
0040F60B |. 33D1 xor edx, ecx
0040F60D |. 81E2 0F0F0F0F and edx, 0F0F0F0F
0040F613 |. 33C2 xor eax, edx
0040F615 |. 33D1 xor edx, ecx
0040F617 |. 8BCA mov ecx, edx
0040F619 |. C1E1 14 shl ecx, 14
0040F61C |. C1EA 0C shr edx, 0C
0040F61F |. 0BCA or ecx, edx
0040F621 |. 8BD0 mov edx, eax
0040F623 |. 33D1 xor edx, ecx
0040F625 |. 81E2 0000FFFF and edx, FFFF0000
0040F62B |. 33C2 xor eax, edx
0040F62D |. 33D1 xor edx, ecx
0040F62F |. 8BCA mov ecx, edx
0040F631 |. C1E9 12 shr ecx, 12
0040F634 |. C1E2 0E shl edx, 0E
0040F637 |. 0BCA or ecx, edx
0040F639 |. 8BD0 mov edx, eax
0040F63B |. 33D1 xor edx, ecx
0040F63D |. 81E2 33333333 and edx, 33333333
0040F643 |. 33C2 xor eax, edx
0040F645 |. 33D1 xor edx, ecx
0040F647 |. 8BCA mov ecx, edx
0040F649 |. C1E9 16 shr ecx, 16
0040F64C |. C1E2 0A shl edx, 0A
0040F64F |. 0BCA or ecx, edx
0040F651 |. 8BD0 mov edx, eax
0040F653 |. 33D1 xor edx, ecx
0040F655 |. 81E2 00FF00FF and edx, FF00FF00
0040F65B |. 33C2 xor eax, edx
0040F65D |. 33D1 xor edx, ecx
0040F65F |. 8BFA mov edi, edx
0040F661 |. 8BD8 mov ebx, eax
0040F663 |. C1E7 17 shl edi, 17
0040F666 |. C1EA 09 shr edx, 9
0040F669 |. 0BFA or edi, edx
0040F66B |. 33DF xor ebx, edi
0040F66D |. 81E3 55555555 and ebx, 55555555
0040F673 |. 8BD3 mov edx, ebx
0040F675 |. 33DF xor ebx, edi
0040F677 |. 33D0 xor edx, eax
0040F679 |. 8BCA mov ecx, edx
0040F67B |. 03D2 add edx, edx
0040F67D |. C1E9 1F shr ecx, 1F
0040F680 |. 0BCA or ecx, edx
0040F682 |. 8BD1 mov edx, ecx
0040F684 |. 8BC1 mov eax, ecx
0040F686 |. C1EA 04 shr edx, 4
0040F689 |. 83E0 03 and eax, 3
0040F68C |. 81E2 3F3F3F0F and edx, 0F3F3F3F
上面都是DES的置换计算等
0040F692 |. C1E0 1C shl eax, 1C
0040F695 |. 0BD0 or edx, eax
0040F697 |. 8B8424 8C000000 mov eax, [esp+8C]
0040F69E |. 33F1 xor esi, ecx
0040F6A0 |. 25 3F3F3F3F and eax, 3F3F3F3F
0040F6A5 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F6AB |. 33D0 xor edx, eax
0040F6AD |. 8BC6 mov eax, esi
0040F6AF |. 8BFE mov edi, esi
0040F6B1 |. C1E8 18 shr eax, 18
0040F6B4 |. C1EF 10 shr edi, 10
0040F6B7 |. 81E7 FF000000 and edi, 0FF
0040F6BD |. 8B0485 00714500 mov eax, [eax*4+457100] //SBox 可以看出一共有8个Sbox 每个64 DWORD
0040F6C4 |. 8B2CBD 006F4500 mov ebp, [edi*4+456F00]
0040F6CB |. 8BFE mov edi, esi
0040F6CD |. C1EF 08 shr edi, 8
0040F6D0 |. 81E7 FF000000 and edi, 0FF
0040F6D6 |. 0BC5 or eax, ebp
0040F6D8 |. 81E6 FF000000 and esi, 0FF
0040F6DE |. 8B2CBD 006D4500 mov ebp, [edi*4+456D00]
0040F6E5 |. 8BFA mov edi, edx
0040F6E7 |. C1EF 18 shr edi, 18
0040F6EA |. 0BC5 or eax, ebp
0040F6EC |. 8B2CBD 00724500 mov ebp, [edi*4+457200]
0040F6F3 |. 8BFA mov edi, edx
0040F6F5 |. C1EF 10 shr edi, 10
0040F6F8 |. 81E7 FF000000 and edi, 0FF
0040F6FE |. 0BC5 or eax, ebp
0040F700 |. 8B2CBD 00704500 mov ebp, [edi*4+457000]
0040F707 |. 8BFA mov edi, edx
0040F709 |. C1EF 08 shr edi, 8
0040F70C |. 81E7 FF000000 and edi, 0FF
0040F712 |. 0BC5 or eax, ebp
0040F714 |. 81E2 FF000000 and edx, 0FF
0040F71A |. 8B2CBD 006E4500 mov ebp, [edi*4+456E00]
0040F721 |. 8B3C95 006C4500 mov edi, [edx*4+456C00]
0040F728 |. 0BC5 or eax, ebp
0040F72A |. 0BC7 or eax, edi
0040F72C |. 8B3CB5 006B4500 mov edi, [esi*4+456B00]
0040F733 |. 8BD3 mov edx, ebx
0040F735 |. 8D349D 00000000 lea esi, [ebx*4]
0040F73C |. C1EA 1E shr edx, 1E
0040F73F |. 0BC7 or eax, edi
0040F741 |. 0BD6 or edx, esi
0040F743 |. 33C2 xor eax, edx
0040F745 |. 8BD0 mov edx, eax
0040F747 |. 8BF0 mov esi, eax
0040F749 |. C1EA 04 shr edx, 4
0040F74C |. 83E6 03 and esi, 3
0040F74F |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F755 |. C1E6 1C shl esi, 1C
0040F758 |. 0BD6 or edx, esi
0040F75A |. 8BB424 84000000 mov esi, [esp+84]
0040F761 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F767 |. 33D6 xor edx, esi
0040F769 |. 8BB424 80000000 mov esi, [esp+80]
0040F770 |. 33F0 xor esi, eax
0040F772 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F778 |. 8BDE mov ebx, esi
0040F77A |. 8BFE mov edi, esi
0040F77C |. C1EB 10 shr ebx, 10
0040F77F |. 81E3 FF000000 and ebx, 0FF
0040F785 |. C1EF 18 shr edi, 18
0040F788 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040F78F |. 8BDE mov ebx, esi
0040F791 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040F798 |. 81E6 FF000000 and esi, 0FF
0040F79E |. C1EB 08 shr ebx, 8
0040F7A1 |. 81E3 FF000000 and ebx, 0FF
0040F7A7 |. 0BFD or edi, ebp
0040F7A9 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040F7B0 |. 8BDA mov ebx, edx
0040F7B2 |. C1EB 18 shr ebx, 18
0040F7B5 |. 0BFD or edi, ebp
0040F7B7 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040F7BE |. 8BDA mov ebx, edx
0040F7C0 |. C1EB 10 shr ebx, 10
0040F7C3 |. 81E3 FF000000 and ebx, 0FF
0040F7C9 |. 0BFD or edi, ebp
0040F7CB |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040F7D2 |. 8BDA mov ebx, edx
0040F7D4 |. C1EB 08 shr ebx, 8
0040F7D7 |. 81E3 FF000000 and ebx, 0FF
0040F7DD |. 0BFD or edi, ebp
0040F7DF |. 81E2 FF000000 and edx, 0FF
0040F7E5 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040F7EC |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040F7F3 |. 0BFD or edi, ebp
0040F7F5 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040F7FC |. 0BFB or edi, ebx
0040F7FE |. 0BFD or edi, ebp
0040F800 |. 33CF xor ecx, edi
0040F802 |. 8BD1 mov edx, ecx
0040F804 |. 8BF1 mov esi, ecx
0040F806 |. C1EA 04 shr edx, 4
0040F809 |. 83E6 03 and esi, 3
0040F80C |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F812 |. C1E6 1C shl esi, 1C
0040F815 |. 0BD6 or edx, esi
0040F817 |. 8B7424 7C mov esi, [esp+7C]
0040F81B |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F821 |. 33D6 xor edx, esi
0040F823 |. 8B7424 78 mov esi, [esp+78]
0040F827 |. 33F1 xor esi, ecx
0040F829 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F82F |. 8BDE mov ebx, esi
0040F831 |. 8BFE mov edi, esi
0040F833 |. C1EB 10 shr ebx, 10
0040F836 |. 81E3 FF000000 and ebx, 0FF
0040F83C |. C1EF 18 shr edi, 18
0040F83F |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040F846 |. 8BDE mov ebx, esi
0040F848 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040F84F |. 81E6 FF000000 and esi, 0FF
0040F855 |. C1EB 08 shr ebx, 8
0040F858 |. 81E3 FF000000 and ebx, 0FF
0040F85E |. 0BFD or edi, ebp
0040F860 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040F867 |. 8BDA mov ebx, edx
0040F869 |. C1EB 18 shr ebx, 18
0040F86C |. 0BFD or edi, ebp
0040F86E |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040F875 |. 8BDA mov ebx, edx
0040F877 |. C1EB 10 shr ebx, 10
0040F87A |. 81E3 FF000000 and ebx, 0FF
0040F880 |. 0BFD or edi, ebp
0040F882 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040F889 |. 8BDA mov ebx, edx
0040F88B |. C1EB 08 shr ebx, 8
0040F88E |. 81E3 FF000000 and ebx, 0FF
0040F894 |. 0BFD or edi, ebp
0040F896 |. 81E2 FF000000 and edx, 0FF
0040F89C |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040F8A3 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040F8AA |. 0BFD or edi, ebp
0040F8AC |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040F8B3 |. 0BFB or edi, ebx
0040F8B5 |. 0BFD or edi, ebp
0040F8B7 |. 33C7 xor eax, edi
0040F8B9 |. 8BD0 mov edx, eax
0040F8BB |. 8BF0 mov esi, eax
0040F8BD |. C1EA 04 shr edx, 4
0040F8C0 |. 83E6 03 and esi, 3
0040F8C3 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F8C9 |. C1E6 1C shl esi, 1C
0040F8CC |. 0BD6 or edx, esi
0040F8CE |. 8B7424 74 mov esi, [esp+74]
0040F8D2 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F8D8 |. 33D6 xor edx, esi
0040F8DA |. 8B7424 70 mov esi, [esp+70]
0040F8DE |. 33F0 xor esi, eax
0040F8E0 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F8E6 |. 8BDE mov ebx, esi
0040F8E8 |. 8BFE mov edi, esi
0040F8EA |. C1EB 10 shr ebx, 10
0040F8ED |. 81E3 FF000000 and ebx, 0FF
0040F8F3 |. C1EF 18 shr edi, 18
0040F8F6 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040F8FD |. 8BDE mov ebx, esi
0040F8FF |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040F906 |. C1EB 08 shr ebx, 8
0040F909 |. 81E3 FF000000 and ebx, 0FF
0040F90F |. 0BFD or edi, ebp
0040F911 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040F918 |. 8BDA mov ebx, edx
0040F91A |. C1EB 18 shr ebx, 18
0040F91D |. 0BFD or edi, ebp
0040F91F |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040F926 |. 8BDA mov ebx, edx
0040F928 |. C1EB 10 shr ebx, 10
0040F92B |. 0BFD or edi, ebp
0040F92D |. 81E3 FF000000 and ebx, 0FF
0040F933 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040F93A |. 8BDA mov ebx, edx
0040F93C |. 0BFD or edi, ebp
0040F93E |. C1EB 08 shr ebx, 8
0040F941 |. 81E3 FF000000 and ebx, 0FF
0040F947 |. 81E2 FF000000 and edx, 0FF
0040F94D |. 81E6 FF000000 and esi, 0FF
0040F953 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040F95A |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040F961 |. 0BFD or edi, ebp
0040F963 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040F96A |. 0BFB or edi, ebx
0040F96C |. 0BFD or edi, ebp
0040F96E |. 33CF xor ecx, edi
0040F970 |. 8BD1 mov edx, ecx
0040F972 |. 8BF1 mov esi, ecx
0040F974 |. C1EA 04 shr edx, 4
0040F977 |. 83E6 03 and esi, 3
0040F97A |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F980 |. C1E6 1C shl esi, 1C
0040F983 |. 0BD6 or edx, esi
0040F985 |. 8B7424 6C mov esi, [esp+6C]
0040F989 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F98F |. 33D6 xor edx, esi
0040F991 |. 8B7424 68 mov esi, [esp+68]
0040F995 |. 33F1 xor esi, ecx
0040F997 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F99D |. 8BDE mov ebx, esi
0040F99F |. 8BFE mov edi, esi
0040F9A1 |. C1EB 10 shr ebx, 10
0040F9A4 |. 81E3 FF000000 and ebx, 0FF
0040F9AA |. C1EF 18 shr edi, 18
0040F9AD |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040F9B4 |. 8BDE mov ebx, esi
0040F9B6 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040F9BD |. 81E6 FF000000 and esi, 0FF
0040F9C3 |. C1EB 08 shr ebx, 8
0040F9C6 |. 81E3 FF000000 and ebx, 0FF
0040F9CC |. 0BFD or edi, ebp
0040F9CE |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040F9D5 |. 8BDA mov ebx, edx
0040F9D7 |. C1EB 18 shr ebx, 18
0040F9DA |. 0BFD or edi, ebp
0040F9DC |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040F9E3 |. 8BDA mov ebx, edx
0040F9E5 |. C1EB 10 shr ebx, 10
0040F9E8 |. 81E3 FF000000 and ebx, 0FF
0040F9EE |. 0BFD or edi, ebp
0040F9F0 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040F9F7 |. 8BDA mov ebx, edx
0040F9F9 |. C1EB 08 shr ebx, 8
0040F9FC |. 81E3 FF000000 and ebx, 0FF
0040FA02 |. 0BFD or edi, ebp
0040FA04 |. 81E2 FF000000 and edx, 0FF
0040FA0A |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FA11 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FA18 |. 0BFD or edi, ebp
0040FA1A |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FA21 |. 0BFB or edi, ebx
0040FA23 |. 0BFD or edi, ebp
0040FA25 |. 33C7 xor eax, edi
0040FA27 |. 8BD0 mov edx, eax
0040FA29 |. 8BF0 mov esi, eax
0040FA2B |. C1EA 04 shr edx, 4
0040FA2E |. 83E6 03 and esi, 3
0040FA31 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FA37 |. C1E6 1C shl esi, 1C
0040FA3A |. 0BD6 or edx, esi
0040FA3C |. 8B7424 64 mov esi, [esp+64]
0040FA40 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FA46 |. 33D6 xor edx, esi
0040FA48 |. 8B7424 60 mov esi, [esp+60]
0040FA4C |. 33F0 xor esi, eax
0040FA4E |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FA54 |. 8BDE mov ebx, esi
0040FA56 |. 8BFE mov edi, esi
0040FA58 |. C1EB 10 shr ebx, 10
0040FA5B |. C1EF 18 shr edi, 18
0040FA5E |. 81E3 FF000000 and ebx, 0FF
0040FA64 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FA6B |. 0B3C9D 006F4500 or edi, [ebx*4+456F00]
0040FA72 |. 8BDE mov ebx, esi
0040FA74 |. 81E6 FF000000 and esi, 0FF
0040FA7A |. C1EB 08 shr ebx, 8
0040FA7D |. 81E3 FF000000 and ebx, 0FF
0040FA83 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FA8A |. 8BDA mov ebx, edx
0040FA8C |. C1EB 18 shr ebx, 18
0040FA8F |. 0BFD or edi, ebp
0040FA91 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FA98 |. 8BDA mov ebx, edx
0040FA9A |. C1EB 10 shr ebx, 10
0040FA9D |. 81E3 FF000000 and ebx, 0FF
0040FAA3 |. 0BFD or edi, ebp
0040FAA5 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FAAC |. 8BDA mov ebx, edx
0040FAAE |. C1EB 08 shr ebx, 8
0040FAB1 |. 81E3 FF000000 and ebx, 0FF
0040FAB7 |. 0BFD or edi, ebp
0040FAB9 |. 81E2 FF000000 and edx, 0FF
0040FABF |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FAC6 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FACD |. 0BFD or edi, ebp
0040FACF |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FAD6 |. 0BFB or edi, ebx
0040FAD8 |. 0BFD or edi, ebp
0040FADA |. 33CF xor ecx, edi
0040FADC |. 8BD1 mov edx, ecx
0040FADE |. 8BF1 mov esi, ecx
0040FAE0 |. C1EA 04 shr edx, 4
0040FAE3 |. 83E6 03 and esi, 3
0040FAE6 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FAEC |. C1E6 1C shl esi, 1C
0040FAEF |. 0BD6 or edx, esi
0040FAF1 |. 8B7424 5C mov esi, [esp+5C]
0040FAF5 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FAFB |. 33D6 xor edx, esi
0040FAFD |. 8B7424 58 mov esi, [esp+58]
0040FB01 |. 33F1 xor esi, ecx
0040FB03 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FB09 |. 8BDE mov ebx, esi
0040FB0B |. 8BFE mov edi, esi
0040FB0D |. C1EB 10 shr ebx, 10
0040FB10 |. 81E3 FF000000 and ebx, 0FF
0040FB16 |. C1EF 18 shr edi, 18
0040FB19 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040FB20 |. 8BDE mov ebx, esi
0040FB22 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FB29 |. 81E6 FF000000 and esi, 0FF
0040FB2F |. C1EB 08 shr ebx, 8
0040FB32 |. 81E3 FF000000 and ebx, 0FF
0040FB38 |. 0BFD or edi, ebp
0040FB3A |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FB41 |. 8BDA mov ebx, edx
0040FB43 |. C1EB 18 shr ebx, 18
0040FB46 |. 0BFD or edi, ebp
0040FB48 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FB4F |. 8BDA mov ebx, edx
0040FB51 |. C1EB 10 shr ebx, 10
0040FB54 |. 81E3 FF000000 and ebx, 0FF
0040FB5A |. 0BFD or edi, ebp
0040FB5C |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FB63 |. 8BDA mov ebx, edx
0040FB65 |. C1EB 08 shr ebx, 8
0040FB68 |. 81E3 FF000000 and ebx, 0FF
0040FB6E |. 0BFD or edi, ebp
0040FB70 |. 81E2 FF000000 and edx, 0FF
0040FB76 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FB7D |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FB84 |. 0BFD or edi, ebp
0040FB86 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FB8D |. 0BFB or edi, ebx
0040FB8F |. 0BFD or edi, ebp
0040FB91 |. 33C7 xor eax, edi
0040FB93 |. 8BD0 mov edx, eax
0040FB95 |. 8BF0 mov esi, eax
0040FB97 |. C1EA 04 shr edx, 4
0040FB9A |. 83E6 03 and esi, 3
0040FB9D |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FBA3 |. C1E6 1C shl esi, 1C
0040FBA6 |. 0BD6 or edx, esi
0040FBA8 |. 8B7424 54 mov esi, [esp+54]
0040FBAC |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FBB2 |. 33D6 xor edx, esi
0040FBB4 |. 8B7424 50 mov esi, [esp+50]
0040FBB8 |. 33F0 xor esi, eax
0040FBBA |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FBC0 |. 8BDE mov ebx, esi
0040FBC2 |. 8BFE mov edi, esi
0040FBC4 |. C1EB 10 shr ebx, 10
0040FBC7 |. 81E3 FF000000 and ebx, 0FF
0040FBCD |. C1EF 18 shr edi, 18
0040FBD0 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040FBD7 |. 8BDE mov ebx, esi
0040FBD9 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FBE0 |. 81E6 FF000000 and esi, 0FF
0040FBE6 |. C1EB 08 shr ebx, 8
0040FBE9 |. 81E3 FF000000 and ebx, 0FF
0040FBEF |. 0BFD or edi, ebp
0040FBF1 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FBF8 |. 8BDA mov ebx, edx
0040FBFA |. C1EB 18 shr ebx, 18
0040FBFD |. 0BFD or edi, ebp
0040FBFF |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FC06 |. 8BDA mov ebx, edx
0040FC08 |. C1EB 10 shr ebx, 10
0040FC0B |. 81E3 FF000000 and ebx, 0FF
0040FC11 |. 0BFD or edi, ebp
0040FC13 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FC1A |. 8BDA mov ebx, edx
0040FC1C |. C1EB 08 shr ebx, 8
0040FC1F |. 81E3 FF000000 and ebx, 0FF
0040FC25 |. 0BFD or edi, ebp
0040FC27 |. 81E2 FF000000 and edx, 0FF
0040FC2D |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FC34 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FC3B |. 0BFD or edi, ebp
0040FC3D |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FC44 |. 0BFB or edi, ebx
0040FC46 |. 0BFD or edi, ebp
0040FC48 |. 33CF xor ecx, edi
0040FC4A |. 8BD1 mov edx, ecx
0040FC4C |. 8BF1 mov esi, ecx
0040FC4E |. C1EA 04 shr edx, 4
0040FC51 |. 83E6 03 and esi, 3
0040FC54 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FC5A |. C1E6 1C shl esi, 1C
0040FC5D |. 0BD6 or edx, esi
0040FC5F |. 8B7424 4C mov esi, [esp+4C]
0040FC63 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FC69 |. 33D6 xor edx, esi
0040FC6B |. 8B7424 48 mov esi, [esp+48]
0040FC6F |. 33F1 xor esi, ecx
0040FC71 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FC77 |. 8BDE mov ebx, esi
0040FC79 |. 8BFE mov edi, esi
0040FC7B |. C1EB 10 shr ebx, 10
0040FC7E |. 81E3 FF000000 and ebx, 0FF
0040FC84 |. C1EF 18 shr edi, 18
0040FC87 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040FC8E |. 8BDE mov ebx, esi
0040FC90 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FC97 |. C1EB 08 shr ebx, 8
0040FC9A |. 81E3 FF000000 and ebx, 0FF
0040FCA0 |. 0BFD or edi, ebp
0040FCA2 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FCA9 |. 8BDA mov ebx, edx
0040FCAB |. C1EB 18 shr ebx, 18
0040FCAE |. 0BFD or edi, ebp
0040FCB0 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FCB7 |. 8BDA mov ebx, edx
0040FCB9 |. C1EB 10 shr ebx, 10
0040FCBC |. 81E3 FF000000 and ebx, 0FF
0040FCC2 |. 0BFD or edi, ebp
0040FCC4 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FCCB |. 8BDA mov ebx, edx
0040FCCD |. C1EB 08 shr ebx, 8
0040FCD0 |. 81E3 FF000000 and ebx, 0FF
0040FCD6 |. 0BFD or edi, ebp
0040FCD8 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FCDF |. 0BFD or edi, ebp
0040FCE1 |. 81E2 FF000000 and edx, 0FF
0040FCE7 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FCEE |. 81E6 FF000000 and esi, 0FF
0040FCF4 |. 0BFB or edi, ebx
0040FCF6 |. 0B3CB5 006B4500 or edi, [esi*4+456B00]
0040FCFD |. 33C7 xor eax, edi
0040FCFF |. 8BD0 mov edx, eax
0040FD01 |. 8BF0 mov esi, eax
0040FD03 |. C1EA 04 shr edx, 4
0040FD06 |. 83E6 03 and esi, 3
0040FD09 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FD0F |. C1E6 1C shl esi, 1C
0040FD12 |. 0BD6 or edx, esi
0040FD14 |. 8B7424 44 mov esi, [esp+44]
0040FD18 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FD1E |. 33D6 xor edx, esi
0040FD20 |. 8B7424 40 mov esi, [esp+40]
0040FD24 |. 33F0 xor esi, eax
0040FD26 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FD2C |. 8BDE mov ebx, esi
0040FD2E |. 8BFE mov edi, esi
0040FD30 |. C1EB 10 shr ebx, 10
0040FD33 |. 81E3 FF000000 and ebx, 0FF
0040FD39 |. C1EF 18 shr edi, 18
0040FD3C |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040FD43 |. 8BDE mov ebx, esi
0040FD45 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FD4C |. 81E6 FF000000 and esi, 0FF
0040FD52 |. C1EB 08 shr ebx, 8
0040FD55 |. 81E3 FF000000 and ebx, 0FF
0040FD5B |. 0BFD or edi, ebp
0040FD5D |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FD64 |. 8BDA mov ebx, edx
0040FD66 |. C1EB 18 shr ebx, 18
0040FD69 |. 0BFD or edi, ebp
0040FD6B |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FD72 |. 8BDA mov ebx, edx
0040FD74 |. C1EB 10 shr ebx, 10
0040FD77 |. 81E3 FF000000 and ebx, 0FF
0040FD7D |. 0BFD or edi, ebp
0040FD7F |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FD86 |. 8BDA mov ebx, edx
0040FD88 |. C1EB 08 shr ebx, 8
0040FD8B |. 81E3 FF000000 and ebx, 0FF
0040FD91 |. 0BFD or edi, ebp
0040FD93 |. 81E2 FF000000 and edx, 0FF
0040FD99 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FDA0 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FDA7 |. 0BFD or edi, ebp
0040FDA9 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FDB0 |. 0BFB or edi, ebx
0040FDB2 |. 0BFD or edi, ebp
0040FDB4 |. 33CF xor ecx, edi
0040FDB6 |. 8BD1 mov edx, ecx
0040FDB8 |. 8BF1 mov esi, ecx
0040FDBA |. C1EA 04 shr edx, 4
0040FDBD |. 83E6 03 and esi, 3
0040FDC0 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FDC6 |. C1E6 1C shl esi, 1C
0040FDC9 |. 0BD6 or edx, esi
0040FDCB |. 8B7424 3C mov esi, [esp+3C]
0040FDCF |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FDD5 |. 33D6 xor edx, esi
0040FDD7 |. 8B7424 38 mov esi, [esp+38]
0040FDDB |. 33F1 xor esi, ecx
0040FDDD |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FDE3 |. 8BDE mov ebx, esi
0040FDE5 |. 8BFE mov edi, esi
0040FDE7 |. C1EB 10 shr ebx, 10
0040FDEA |. 81E3 FF000000 and ebx, 0FF
0040FDF0 |. C1EF 18 shr edi, 18
0040FDF3 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040FDFA |. 8BDE mov ebx, esi
0040FDFC |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FE03 |. C1EB 08 shr ebx, 8
0040FE06 |. 81E3 FF000000 and ebx, 0FF
0040FE0C |. 0BFD or edi, ebp
0040FE0E |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FE15 |. 8BDA mov ebx, edx
0040FE17 |. 0BFD or edi, ebp
0040FE19 |. C1EB 18 shr ebx, 18
0040FE1C |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FE23 |. 8BDA mov ebx, edx
0040FE25 |. 0BFD or edi, ebp
0040FE27 |. C1EB 10 shr ebx, 10
0040FE2A |. 81E3 FF000000 and ebx, 0FF
0040FE30 |. 81E6 FF000000 and esi, 0FF
0040FE36 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FE3D |. 8BDA mov ebx, edx
0040FE3F |. C1EB 08 shr ebx, 8
0040FE42 |. 81E3 FF000000 and ebx, 0FF
0040FE48 |. 0BFD or edi, ebp
0040FE4A |. 81E2 FF000000 and edx, 0FF
0040FE50 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FE57 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FE5E |. 0BFD or edi, ebp
0040FE60 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FE67 |. 0BFB or edi, ebx
0040FE69 |. 0BFD or edi, ebp
0040FE6B |. 33C7 xor eax, edi
0040FE6D |. 8BD0 mov edx, eax
0040FE6F |. 8BF0 mov esi, eax
0040FE71 |. C1EA 04 shr edx, 4
0040FE74 |. 83E6 03 and esi, 3
0040FE77 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FE7D |. C1E6 1C shl esi, 1C
0040FE80 |. 0BD6 or edx, esi
0040FE82 |. 8B7424 34 mov esi, [esp+34]
0040FE86 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FE8C |. 33D6 xor edx, esi
0040FE8E |. 8B7424 30 mov esi, [esp+30]
0040FE92 |. 33F0 xor esi, eax
0040FE94 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FE9A |. 8BDE mov ebx, esi
0040FE9C |. 8BFE mov edi, esi
0040FE9E |. C1EB 10 shr ebx, 10
0040FEA1 |. 81E3 FF000000 and ebx, 0FF
0040FEA7 |. C1EF 18 shr edi, 18
0040FEAA |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040FEB1 |. 8BDE mov ebx, esi
0040FEB3 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FEBA |. 81E6 FF000000 and esi, 0FF
0040FEC0 |. C1EB 08 shr ebx, 8
0040FEC3 |. 81E3 FF000000 and ebx, 0FF
0040FEC9 |. 0BFD or edi, ebp
0040FECB |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FED2 |. 8BDA mov ebx, edx
0040FED4 |. C1EB 18 shr ebx, 18
0040FED7 |. 0BFD or edi, ebp
0040FED9 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FEE0 |. 8BDA mov ebx, edx
0040FEE2 |. C1EB 10 shr ebx, 10
0040FEE5 |. 81E3 FF000000 and ebx, 0FF
0040FEEB |. 0BFD or edi, ebp
0040FEED |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FEF4 |. 8BDA mov ebx, edx
0040FEF6 |. C1EB 08 shr ebx, 8
0040FEF9 |. 81E3 FF000000 and ebx, 0FF
0040FEFF |. 0BFD or edi, ebp
0040FF01 |. 81E2 FF000000 and edx, 0FF
0040FF07 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FF0E |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FF15 |. 0BFD or edi, ebp
0040FF17 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FF1E |. 0BFB or edi, ebx
0040FF20 |. 0BFD or edi, ebp
0040FF22 |. 33CF xor ecx, edi
0040FF24 |. 8BD1 mov edx, ecx
0040FF26 |. 8BF1 mov esi, ecx
0040FF28 |. C1EA 04 shr edx, 4
0040FF2B |. 83E6 03 and esi, 3
0040FF2E |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FF34 |. C1E6 1C shl esi, 1C
0040FF37 |. 0BD6 or edx, esi
0040FF39 |. 8B7424 2C mov esi, [esp+2C]
0040FF3D |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FF43 |. 33D6 xor edx, esi
0040FF45 |. 8B7424 28 mov esi, [esp+28]
0040FF49 |. 33F1 xor esi, ecx
0040FF4B |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FF51 |. 8BFE mov edi, esi
0040FF53 |. 8BDE mov ebx, esi
0040FF55 |. C1EF 18 shr edi, 18
0040FF58 |. C1EB 10 shr ebx, 10
0040FF5B |. 81E3 FF000000 and ebx, 0FF
0040FF61 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040FF68 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040FF6F |. 8BDE mov ebx, esi
0040FF71 |. C1EB 08 shr ebx, 8
0040FF74 |. 81E3 FF000000 and ebx, 0FF
0040FF7A |. 0BFD or edi, ebp
0040FF7C |. 81E6 FF000000 and esi, 0FF
0040FF82 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040FF89 |. 8BDA mov ebx, edx
0040FF8B |. C1EB 18 shr ebx, 18
0040FF8E |. 0BFD or edi, ebp
0040FF90 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040FF97 |. 8BDA mov ebx, edx
0040FF99 |. C1EB 10 shr ebx, 10
0040FF9C |. 81E3 FF000000 and ebx, 0FF
0040FFA2 |. 0BFD or edi, ebp
0040FFA4 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040FFAB |. 8BDA mov ebx, edx
0040FFAD |. C1EB 08 shr ebx, 8
0040FFB0 |. 81E3 FF000000 and ebx, 0FF
0040FFB6 |. 0BFD or edi, ebp
0040FFB8 |. 81E2 FF000000 and edx, 0FF
0040FFBE |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040FFC5 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040FFCC |. 0BFD or edi, ebp
0040FFCE |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040FFD5 |. 0BFB or edi, ebx
0040FFD7 |. 0BFD or edi, ebp
0040FFD9 |. 33C7 xor eax, edi
0040FFDB |. 8BD0 mov edx, eax
0040FFDD |. 8BF0 mov esi, eax
0040FFDF |. C1EA 04 shr edx, 4
0040FFE2 |. 83E6 03 and esi, 3
0040FFE5 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040FFEB |. C1E6 1C shl esi, 1C
0040FFEE |. 0BD6 or edx, esi
0040FFF0 |. 8B7424 24 mov esi, [esp+24]
0040FFF4 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040FFFA |. 33D6 xor edx, esi
0040FFFC |. 8B7424 20 mov esi, [esp+20]
00410000 |. 33F0 xor esi, eax
00410002 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
00410008 |. 8BDE mov ebx, esi
0041000A |. 8BFE mov edi, esi
0041000C |. C1EB 10 shr ebx, 10
0041000F |. 81E3 FF000000 and ebx, 0FF
00410015 |. C1EF 18 shr edi, 18
00410018 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0041001F |. 8BDE mov ebx, esi
00410021 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
00410028 |. 81E6 FF000000 and esi, 0FF
0041002E |. C1EB 08 shr ebx, 8
00410031 |. 81E3 FF000000 and ebx, 0FF
00410037 |. 0BFD or edi, ebp
00410039 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
00410040 |. 8BDA mov ebx, edx
00410042 |. C1EB 18 shr ebx, 18
00410045 |. 0BFD or edi, ebp
00410047 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0041004E |. 8BDA mov ebx, edx
00410050 |. C1EB 10 shr ebx, 10
00410053 |. 81E3 FF000000 and ebx, 0FF
00410059 |. 0BFD or edi, ebp
0041005B |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
00410062 |. 8BDA mov ebx, edx
00410064 |. C1EB 08 shr ebx, 8
00410067 |. 81E3 FF000000 and ebx, 0FF
0041006D |. 0BFD or edi, ebp
0041006F |. 81E2 FF000000 and edx, 0FF
00410075 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0041007C |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
00410083 |. 0BFD or edi, ebp
00410085 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0041008C |. 0BFB or edi, ebx
0041008E |. 0BFD or edi, ebp
00410090 |. 33CF xor ecx, edi
00410092 |. 8BD1 mov edx, ecx
00410094 |. C1EA 04 shr edx, 4
00410097 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0041009D |. 8BF1 mov esi, ecx
0041009F |. 83E6 03 and esi, 3
004100A2 |. C1E6 1C shl esi, 1C
004100A5 |. 0BD6 or edx, esi
004100A7 |. 8B7424 1C mov esi, [esp+1C]
004100AB |. 81E6 3F3F3F3F and esi, 3F3F3F3F
004100B1 |. 33D6 xor edx, esi
004100B3 |. 8B7424 18 mov esi, [esp+18]
004100B7 |. 33F1 xor esi, ecx
004100B9 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
004100BF |. 8BDE mov ebx, esi
004100C1 |. 8BFE mov edi, esi
004100C3 |. C1EB 10 shr ebx, 10
004100C6 |. 81E3 FF000000 and ebx, 0FF
004100CC |. C1EF 18 shr edi, 18
004100CF |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
004100D6 |. 8BDE mov ebx, esi
004100D8 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
004100DF |. 81E6 FF000000 and esi, 0FF
004100E5 |. C1EB 08 shr ebx, 8
004100E8 |. 81E3 FF000000 and ebx, 0FF
004100EE |. 0BFD or edi, ebp
004100F0 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
004100F7 |. 8BDA mov ebx, edx
004100F9 |. C1EB 18 shr ebx, 18
004100FC |. 0BFD or edi, ebp
004100FE |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
00410105 |. 8BDA mov ebx, edx
00410107 |. C1EB 10 shr ebx, 10
0041010A |. 81E3 FF000000 and ebx, 0FF
00410110 |. 0BFD or edi, ebp
00410112 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
00410119 |. 8BDA mov ebx, edx
0041011B |. C1EB 08 shr ebx, 8
0041011E |. 81E3 FF000000 and ebx, 0FF
00410124 |. 0BFD or edi, ebp
00410126 |. 81E2 FF000000 and edx, 0FF
0041012C |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
00410133 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0041013A |. 0BFD or edi, ebp
0041013C |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
00410143 |. 0BFB or edi, ebx
00410145 |. 0BFD or edi, ebp
00410147 |. 33C7 xor eax, edi
00410149 |. 8BD0 mov edx, eax
0041014B |. 8BF0 mov esi, eax
0041014D |. C1EA 04 shr edx, 4
00410150 |. 83E6 03 and esi, 3
00410153 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
00410159 |. C1E6 1C shl esi, 1C
0041015C |. 0BD6 or edx, esi
0041015E |. 8B7424 14 mov esi, [esp+14]
00410162 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
00410168 |. 33D6 xor edx, esi
0041016A |. 8B7424 10 mov esi, [esp+10]
0041016E |. 33F0 xor esi, eax
00410170 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
00410176 |. 8BDE mov ebx, esi
00410178 |. 8BFE mov edi, esi
0041017A |. C1EB 10 shr ebx, 10
0041017D |. 81E3 FF000000 and ebx, 0FF
00410183 |. C1EF 18 shr edi, 18
00410186 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0041018D |. 8BDE mov ebx, esi
0041018F |. 8B3CBD 00714500 mov edi, [edi*4+457100]
00410196 |. C1EB 08 shr ebx, 8
00410199 |. 81E3 FF000000 and ebx, 0FF
0041019F |. 0BFD or edi, ebp
004101A1 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
004101A8 |. 8BDA mov ebx, edx
004101AA |. C1EB 18 shr ebx, 18
004101AD |. 0BFD or edi, ebp
004101AF |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
004101B6 |. 8BDA mov ebx, edx
004101B8 |. C1EB 10 shr ebx, 10
004101BB |. 81E3 FF000000 and ebx, 0FF
004101C1 |. 0BFD or edi, ebp
004101C3 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
004101CA |. 8BDA mov ebx, edx
004101CC |. 0BFD or edi, ebp
004101CE |. C1EB 08 shr ebx, 8
004101D1 |. 81E3 FF000000 and ebx, 0FF
004101D7 |. 81E2 FF000000 and edx, 0FF
004101DD |. 81E6 FF000000 and esi, 0FF
004101E3 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
004101EA |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
004101F1 |. 8B14B5 006B4500 mov edx, [esi*4+456B00]
004101F8 |. 0BFD or edi, ebp
004101FA |. 0BFB or edi, ebx
004101FC |. 0BFA or edi, edx
004101FE |. 8BD0 mov edx, eax
00410200 |. C1E2 1F shl edx, 1F
00410203 |. D1E8 shr eax, 1
00410205 |. 33CF xor ecx, edi
00410207 |. 0BD0 or edx, eax
00410209 |. 8BC1 mov eax, ecx
0041020B |. 5F pop edi
0041020C |. C1E0 1E shl eax, 1E
0041020F |. C1E9 02 shr ecx, 2
00410212 |. 0BC1 or eax, ecx
以下是类DES的逆置换
00410214 |. 8BC8 mov ecx, eax
00410216 |. 33CA xor ecx, edx
00410218 |. 81E1 55555555 and ecx, 55555555
0041021E |. 33D1 xor edx, ecx
00410220 |. 33C8 xor ecx, eax
00410222 |. 8BC1 mov eax, ecx
00410224 |. C1E8 17 shr eax, 17
00410227 |. C1E1 09 shl ecx, 9
0041022A |. 0BC1 or eax, ecx
0041022C |. 8BC8 mov ecx, eax
0041022E |. 33CA xor ecx, edx
00410230 |. 81E1 00FF00FF and ecx, FF00FF00
00410236 |. 33D1 xor edx, ecx
00410238 |. 33C8 xor ecx, eax
0041023A |. 8BC1 mov eax, ecx
0041023C |. C1E0 16 shl eax, 16
0041023F |. C1E9 0A shr ecx, 0A
00410242 |. 0BC1 or eax, ecx
00410244 |. 8BC8 mov ecx, eax
00410246 |. 33CA xor ecx, edx
00410248 |. 81E1 33333333 and ecx, 33333333
0041024E |. 33D1 xor edx, ecx
00410250 |. 33C8 xor ecx, eax
00410252 |. 8BC1 mov eax, ecx
00410254 |. C1E0 12 shl eax, 12
00410257 |. C1E9 0E shr ecx, 0E
0041025A |. 0BC1 or eax, ecx
0041025C |. 8BC8 mov ecx, eax
0041025E |. 33CA xor ecx, edx
00410260 |. 81E1 0000FFFF and ecx, FFFF0000
00410266 |. 33D1 xor edx, ecx
00410268 |. 33C8 xor ecx, eax
0041026A |. 8BC1 mov eax, ecx
0041026C |. C1E8 14 shr eax, 14
0041026F |. C1E1 0C shl ecx, 0C
00410272 |. 0BC1 or eax, ecx
00410274 |. 8BC8 mov ecx, eax
00410276 |. 33CA xor ecx, edx
00410278 |. 81E1 0F0F0F0F and ecx, 0F0F0F0F
0041027E |. 8BF1 mov esi, ecx
00410280 |. 33C8 xor ecx, eax
00410282 |. 33F2 xor esi, edx
00410284 |. 8B9424 94000000 mov edx, [esp+94]
0041028B |. 8BC1 mov eax, ecx
0041028D |. C1E8 1C shr eax, 1C
00410290 |. C1E1 04 shl ecx, 4
00410293 |. 8932 mov [edx], esi
00410295 |. 0BC1 or eax, ecx
00410297 |. 5E pop esi
00410298 |. 5D pop ebp
00410299 |. 8942 04 mov [edx+4], eax
0041029C |. 5B pop ebx
0041029D |. 81C4 80000000 add esp, 80
004102A3 \. C3 retn
随便拿一个SBox 64DWORD来看
00456B00 00 02 82 00 00 00 02 00 00 00 80 80 00 02 82 80 .?.....?.?
00456B10 00 00 80 00 00 02 02 80 00 00 02 80 00 00 80 80 ..?.?.?.?
00456B20 00 02 02 80 00 02 82 00 00 00 82 00 00 02 00 80 .??..?..?
00456B30 00 02 80 80 00 00 80 00 00 00 00 00 00 00 02 80 .?..?......?
00456B40 00 00 02 00 00 00 00 80 00 02 80 00 00 02 02 00 ......??..
00456B50 00 02 82 80 00 00 82 00 00 02 00 80 00 02 80 00 .?..?..??
00456B60 00 00 00 80 00 02 00 00 00 02 02 00 00 00 82 80 ...?......?
00456B70 00 02 00 00 00 02 80 80 00 00 82 80 00 00 00 00 ....?..?....
00456B80 00 00 00 00 00 02 82 80 00 02 80 00 00 00 02 80 .....?.?..?
00456B90 00 02 82 00 00 00 02 00 00 02 00 80 00 02 80 00 .?.....??
00456BA0 00 00 82 80 00 02 00 00 00 02 02 00 00 00 80 80 ..?.......?
00456BB0 00 02 02 80 00 00 00 80 00 00 80 80 00 00 82 00 .?..?.?..?
00456BC0 00 02 82 80 00 02 02 00 00 00 82 00 00 02 80 80 .?....?.?
00456BD0 00 00 80 00 00 02 00 80 00 00 02 80 00 00 00 00 ..?..?.?...
00456BE0 00 00 02 00 00 00 80 00 00 02 80 80 00 02 82 00 .....?.?.?
00456BF0 00 00 00 80 00 00 82 80 00 02 00 00 00 02 02 80 ...?.?....?
发现和DES惊人相似,它有DES的置换,逆置换,和f函数,但是它却不是DES,呵呵,伤心。
还是用刚才的那招找解密部分。
0040E8F0 /$ 8B4C24 0C mov ecx, [esp+C]
0040E8F4 |. 81EC 80000000 sub esp, 80
0040E8FA |. 8D4424 00 lea eax, [esp]
0040E8FE |. 53 push ebx
0040E8FF |. 55 push ebp
0040E900 |. 56 push esi
0040E901 |. 57 push edi
0040E902 |. 50 push eax
0040E903 |. 51 push ecx
0040E904 |. E8 77FDFFFF call 0040E680
0040E909 |. 8B8424 9C000000 mov eax, [esp+9C]
0040E910 |. 8B7424 18 mov esi, [esp+18]
0040E914 |. 83C4 08 add esp, 8
0040E917 |. 8B50 04 mov edx, [eax+4]
0040E91A |. 8B00 mov eax, [eax]
0040E91C |. 8BCA mov ecx, edx
0040E91E |. C1E1 1C shl ecx, 1C
0040E921 |. C1EA 04 shr edx, 4
0040E924 |. 0BCA or ecx, edx
0040E926 |. 8BD0 mov edx, eax
0040E928 |. 33D1 xor edx, ecx
0040E92A |. 81E2 0F0F0F0F and edx, 0F0F0F0F
0040E930 |. 33C2 xor eax, edx
0040E932 |. 33D1 xor edx, ecx
0040E934 |. 8BCA mov ecx, edx
0040E936 |. C1E1 14 shl ecx, 14
0040E939 |. C1EA 0C shr edx, 0C
0040E93C |. 0BCA or ecx, edx
0040E93E |. 8BD0 mov edx, eax
0040E940 |. 33D1 xor edx, ecx
0040E942 |. 81E2 0000FFFF and edx, FFFF0000
0040E948 |. 33C2 xor eax, edx
0040E94A |. 33D1 xor edx, ecx
0040E94C |. 8BCA mov ecx, edx
0040E94E |. C1E9 12 shr ecx, 12
0040E951 |. C1E2 0E shl edx, 0E
0040E954 |. 0BCA or ecx, edx
0040E956 |. 8BD0 mov edx, eax
0040E958 |. 33D1 xor edx, ecx
0040E95A |. 81E2 33333333 and edx, 33333333
0040E960 |. 33C2 xor eax, edx
0040E962 |. 33D1 xor edx, ecx
0040E964 |. 8BCA mov ecx, edx
0040E966 |. C1E9 16 shr ecx, 16
0040E969 |. C1E2 0A shl edx, 0A
0040E96C |. 0BCA or ecx, edx
0040E96E |. 8BD0 mov edx, eax
0040E970 |. 33D1 xor edx, ecx
0040E972 |. 81E2 00FF00FF and edx, FF00FF00
0040E978 |. 33C2 xor eax, edx
0040E97A |. 33D1 xor edx, ecx
0040E97C |. 8BFA mov edi, edx
0040E97E |. 8BD8 mov ebx, eax
0040E980 |. C1E7 17 shl edi, 17
0040E983 |. C1EA 09 shr edx, 9
0040E986 |. 0BFA or edi, edx
0040E988 |. 33DF xor ebx, edi
0040E98A |. 81E3 55555555 and ebx, 55555555
0040E990 |. 8BD3 mov edx, ebx
0040E992 |. 33DF xor ebx, edi
0040E994 |. 33D0 xor edx, eax
0040E996 |. 8BCA mov ecx, edx
0040E998 |. 03D2 add edx, edx
0040E99A |. C1E9 1F shr ecx, 1F
0040E99D |. 0BCA or ecx, edx
0040E99F |. 8BD1 mov edx, ecx
0040E9A1 |. 8BC1 mov eax, ecx
0040E9A3 |. C1EA 04 shr edx, 4
0040E9A6 |. 83E0 03 and eax, 3
0040E9A9 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040E9AF |. C1E0 1C shl eax, 1C
0040E9B2 |. 0BD0 or edx, eax
0040E9B4 |. 8B4424 14 mov eax, [esp+14]
0040E9B8 |. 33F1 xor esi, ecx
0040E9BA |. 25 3F3F3F3F and eax, 3F3F3F3F
0040E9BF |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040E9C5 |. 33D0 xor edx, eax
0040E9C7 |. 8BC6 mov eax, esi
0040E9C9 |. 8BFE mov edi, esi
0040E9CB |. C1E8 18 shr eax, 18
0040E9CE |. C1EF 10 shr edi, 10
0040E9D1 |. 81E7 FF000000 and edi, 0FF
0040E9D7 |. 8B0485 00714500 mov eax, [eax*4+457100]
0040E9DE |. 8B2CBD 006F4500 mov ebp, [edi*4+456F00]
0040E9E5 |. 8BFE mov edi, esi
0040E9E7 |. C1EF 08 shr edi, 8
0040E9EA |. 81E7 FF000000 and edi, 0FF
0040E9F0 |. 0BC5 or eax, ebp
0040E9F2 |. 81E6 FF000000 and esi, 0FF
0040E9F8 |. 8B2CBD 006D4500 mov ebp, [edi*4+456D00]
0040E9FF |. 8BFA mov edi, edx
0040EA01 |. C1EF 18 shr edi, 18
0040EA04 |. 0BC5 or eax, ebp
0040EA06 |. 8B2CBD 00724500 mov ebp, [edi*4+457200]
0040EA0D |. 8BFA mov edi, edx
0040EA0F |. C1EF 10 shr edi, 10
0040EA12 |. 81E7 FF000000 and edi, 0FF
0040EA18 |. 0BC5 or eax, ebp
0040EA1A |. 8B2CBD 00704500 mov ebp, [edi*4+457000]
0040EA21 |. 8BFA mov edi, edx
0040EA23 |. C1EF 08 shr edi, 8
0040EA26 |. 81E7 FF000000 and edi, 0FF
0040EA2C |. 0BC5 or eax, ebp
0040EA2E |. 81E2 FF000000 and edx, 0FF
0040EA34 |. 8B2CBD 006E4500 mov ebp, [edi*4+456E00]
0040EA3B |. 8B3C95 006C4500 mov edi, [edx*4+456C00]
0040EA42 |. 0BC5 or eax, ebp
0040EA44 |. 0BC7 or eax, edi
0040EA46 |. 8B3CB5 006B4500 mov edi, [esi*4+456B00]
0040EA4D |. 8BD3 mov edx, ebx
0040EA4F |. 8D349D 00000000 lea esi, [ebx*4]
0040EA56 |. C1EA 1E shr edx, 1E
0040EA59 |. 0BC7 or eax, edi
0040EA5B |. 0BD6 or edx, esi
0040EA5D |. 33C2 xor eax, edx
0040EA5F |. 8BD0 mov edx, eax
0040EA61 |. 8BF0 mov esi, eax
0040EA63 |. C1EA 04 shr edx, 4
0040EA66 |. 83E6 03 and esi, 3
0040EA69 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040EA6F |. C1E6 1C shl esi, 1C
0040EA72 |. 0BD6 or edx, esi
0040EA74 |. 8B7424 1C mov esi, [esp+1C]
0040EA78 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040EA7E |. 33D6 xor edx, esi
0040EA80 |. 8B7424 18 mov esi, [esp+18]
0040EA84 |. 33F0 xor esi, eax
0040EA86 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040EA8C |. 8BDE mov ebx, esi
0040EA8E |. 8BFE mov edi, esi
0040EA90 |. C1EB 10 shr ebx, 10
0040EA93 |. 81E3 FF000000 and ebx, 0FF
0040EA99 |. C1EF 18 shr edi, 18
0040EA9C |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040EAA3 |. 8BDE mov ebx, esi
0040EAA5 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040EAAC |. 81E6 FF000000 and esi, 0FF
0040EAB2 |. C1EB 08 shr ebx, 8
0040EAB5 |. 81E3 FF000000 and ebx, 0FF
0040EABB |. 0BFD or edi, ebp
0040EABD |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040EAC4 |. 8BDA mov ebx, edx
0040EAC6 |. C1EB 18 shr ebx, 18
0040EAC9 |. 0BFD or edi, ebp
0040EACB |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040EAD2 |. 8BDA mov ebx, edx
0040EAD4 |. C1EB 10 shr ebx, 10
0040EAD7 |. 81E3 FF000000 and ebx, 0FF
0040EADD |. 0BFD or edi, ebp
0040EADF |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040EAE6 |. 8BDA mov ebx, edx
0040EAE8 |. C1EB 08 shr ebx, 8
0040EAEB |. 81E3 FF000000 and ebx, 0FF
0040EAF1 |. 0BFD or edi, ebp
0040EAF3 |. 81E2 FF000000 and edx, 0FF
0040EAF9 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040EB00 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040EB07 |. 0BFD or edi, ebp
0040EB09 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040EB10 |. 0BFB or edi, ebx
0040EB12 |. 0BFD or edi, ebp
0040EB14 |. 33CF xor ecx, edi
0040EB16 |. 8BD1 mov edx, ecx
0040EB18 |. 8BF1 mov esi, ecx
0040EB1A |. C1EA 04 shr edx, 4
0040EB1D |. 83E6 03 and esi, 3
0040EB20 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040EB26 |. C1E6 1C shl esi, 1C
0040EB29 |. 0BD6 or edx, esi
0040EB2B |. 8B7424 24 mov esi, [esp+24]
0040EB2F |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040EB35 |. 33D6 xor edx, esi
0040EB37 |. 8B7424 20 mov esi, [esp+20]
0040EB3B |. 33F1 xor esi, ecx
0040EB3D |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040EB43 |. 8BDE mov ebx, esi
0040EB45 |. 8BFE mov edi, esi
0040EB47 |. C1EB 10 shr ebx, 10
0040EB4A |. 81E3 FF000000 and ebx, 0FF
0040EB50 |. C1EF 18 shr edi, 18
0040EB53 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040EB5A |. 8BDE mov ebx, esi
0040EB5C |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040EB63 |. 81E6 FF000000 and esi, 0FF
0040EB69 |. C1EB 08 shr ebx, 8
0040EB6C |. 81E3 FF000000 and ebx, 0FF
0040EB72 |. 0BFD or edi, ebp
0040EB74 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040EB7B |. 8BDA mov ebx, edx
0040EB7D |. C1EB 18 shr ebx, 18
0040EB80 |. 0BFD or edi, ebp
0040EB82 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040EB89 |. 8BDA mov ebx, edx
0040EB8B |. C1EB 10 shr ebx, 10
0040EB8E |. 81E3 FF000000 and ebx, 0FF
0040EB94 |. 0BFD or edi, ebp
0040EB96 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040EB9D |. 8BDA mov ebx, edx
0040EB9F |. C1EB 08 shr ebx, 8
0040EBA2 |. 81E3 FF000000 and ebx, 0FF
0040EBA8 |. 0BFD or edi, ebp
0040EBAA |. 81E2 FF000000 and edx, 0FF
0040EBB0 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040EBB7 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040EBBE |. 0BFD or edi, ebp
0040EBC0 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040EBC7 |. 0BFB or edi, ebx
0040EBC9 |. 0BFD or edi, ebp
0040EBCB |. 33C7 xor eax, edi
0040EBCD |. 8BD0 mov edx, eax
0040EBCF |. 8BF0 mov esi, eax
0040EBD1 |. C1EA 04 shr edx, 4
0040EBD4 |. 83E6 03 and esi, 3
0040EBD7 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040EBDD |. C1E6 1C shl esi, 1C
0040EBE0 |. 0BD6 or edx, esi
0040EBE2 |. 8B7424 2C mov esi, [esp+2C]
0040EBE6 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040EBEC |. 33D6 xor edx, esi
0040EBEE |. 8B7424 28 mov esi, [esp+28]
0040EBF2 |. 33F0 xor esi, eax
0040EBF4 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040EBFA |. 8BDE mov ebx, esi
0040EBFC |. 8BFE mov edi, esi
0040EBFE |. C1EB 10 shr ebx, 10
0040EC01 |. 81E3 FF000000 and ebx, 0FF
0040EC07 |. C1EF 18 shr edi, 18
0040EC0A |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040EC11 |. 8BDE mov ebx, esi
0040EC13 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040EC1A |. C1EB 08 shr ebx, 8
0040EC1D |. 81E3 FF000000 and ebx, 0FF
0040EC23 |. 0BFD or edi, ebp
0040EC25 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040EC2C |. 8BDA mov ebx, edx
0040EC2E |. C1EB 18 shr ebx, 18
0040EC31 |. 0BFD or edi, ebp
0040EC33 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040EC3A |. 8BDA mov ebx, edx
0040EC3C |. C1EB 10 shr ebx, 10
0040EC3F |. 0BFD or edi, ebp
0040EC41 |. 81E3 FF000000 and ebx, 0FF
0040EC47 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040EC4E |. 8BDA mov ebx, edx
0040EC50 |. 0BFD or edi, ebp
0040EC52 |. C1EB 08 shr ebx, 8
0040EC55 |. 81E3 FF000000 and ebx, 0FF
0040EC5B |. 81E2 FF000000 and edx, 0FF
0040EC61 |. 81E6 FF000000 and esi, 0FF
0040EC67 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040EC6E |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040EC75 |. 0BFD or edi, ebp
0040EC77 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040EC7E |. 0BFB or edi, ebx
0040EC80 |. 0BFD or edi, ebp
0040EC82 |. 33CF xor ecx, edi
0040EC84 |. 8BD1 mov edx, ecx
0040EC86 |. 8BF1 mov esi, ecx
0040EC88 |. C1EA 04 shr edx, 4
0040EC8B |. 83E6 03 and esi, 3
0040EC8E |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040EC94 |. C1E6 1C shl esi, 1C
0040EC97 |. 0BD6 or edx, esi
0040EC99 |. 8B7424 34 mov esi, [esp+34]
0040EC9D |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040ECA3 |. 33D6 xor edx, esi
0040ECA5 |. 8B7424 30 mov esi, [esp+30]
0040ECA9 |. 33F1 xor esi, ecx
0040ECAB |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040ECB1 |. 8BDE mov ebx, esi
0040ECB3 |. 8BFE mov edi, esi
0040ECB5 |. C1EB 10 shr ebx, 10
0040ECB8 |. 81E3 FF000000 and ebx, 0FF
0040ECBE |. C1EF 18 shr edi, 18
0040ECC1 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040ECC8 |. 8BDE mov ebx, esi
0040ECCA |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040ECD1 |. 81E6 FF000000 and esi, 0FF
0040ECD7 |. C1EB 08 shr ebx, 8
0040ECDA |. 81E3 FF000000 and ebx, 0FF
0040ECE0 |. 0BFD or edi, ebp
0040ECE2 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040ECE9 |. 8BDA mov ebx, edx
0040ECEB |. C1EB 18 shr ebx, 18
0040ECEE |. 0BFD or edi, ebp
0040ECF0 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040ECF7 |. 8BDA mov ebx, edx
0040ECF9 |. C1EB 10 shr ebx, 10
0040ECFC |. 81E3 FF000000 and ebx, 0FF
0040ED02 |. 0BFD or edi, ebp
0040ED04 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040ED0B |. 8BDA mov ebx, edx
0040ED0D |. C1EB 08 shr ebx, 8
0040ED10 |. 81E3 FF000000 and ebx, 0FF
0040ED16 |. 0BFD or edi, ebp
0040ED18 |. 81E2 FF000000 and edx, 0FF
0040ED1E |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040ED25 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040ED2C |. 0BFD or edi, ebp
0040ED2E |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040ED35 |. 0BFB or edi, ebx
0040ED37 |. 0BFD or edi, ebp
0040ED39 |. 33C7 xor eax, edi
0040ED3B |. 8BD0 mov edx, eax
0040ED3D |. 8BF0 mov esi, eax
0040ED3F |. C1EA 04 shr edx, 4
0040ED42 |. 83E6 03 and esi, 3
0040ED45 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040ED4B |. C1E6 1C shl esi, 1C
0040ED4E |. 0BD6 or edx, esi
0040ED50 |. 8B7424 3C mov esi, [esp+3C]
0040ED54 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040ED5A |. 33D6 xor edx, esi
0040ED5C |. 8B7424 38 mov esi, [esp+38]
0040ED60 |. 33F0 xor esi, eax
0040ED62 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040ED68 |. 8BDE mov ebx, esi
0040ED6A |. 8BFE mov edi, esi
0040ED6C |. C1EB 10 shr ebx, 10
0040ED6F |. C1EF 18 shr edi, 18
0040ED72 |. 81E3 FF000000 and ebx, 0FF
0040ED78 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040ED7F |. 0B3C9D 006F4500 or edi, [ebx*4+456F00]
0040ED86 |. 8BDE mov ebx, esi
0040ED88 |. 81E6 FF000000 and esi, 0FF
0040ED8E |. C1EB 08 shr ebx, 8
0040ED91 |. 81E3 FF000000 and ebx, 0FF
0040ED97 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040ED9E |. 8BDA mov ebx, edx
0040EDA0 |. C1EB 18 shr ebx, 18
0040EDA3 |. 0BFD or edi, ebp
0040EDA5 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040EDAC |. 8BDA mov ebx, edx
0040EDAE |. C1EB 10 shr ebx, 10
0040EDB1 |. 81E3 FF000000 and ebx, 0FF
0040EDB7 |. 0BFD or edi, ebp
0040EDB9 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040EDC0 |. 8BDA mov ebx, edx
0040EDC2 |. C1EB 08 shr ebx, 8
0040EDC5 |. 81E3 FF000000 and ebx, 0FF
0040EDCB |. 0BFD or edi, ebp
0040EDCD |. 81E2 FF000000 and edx, 0FF
0040EDD3 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040EDDA |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040EDE1 |. 0BFD or edi, ebp
0040EDE3 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040EDEA |. 0BFB or edi, ebx
0040EDEC |. 0BFD or edi, ebp
0040EDEE |. 33CF xor ecx, edi
0040EDF0 |. 8BD1 mov edx, ecx
0040EDF2 |. 8BF1 mov esi, ecx
0040EDF4 |. C1EA 04 shr edx, 4
0040EDF7 |. 83E6 03 and esi, 3
0040EDFA |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040EE00 |. C1E6 1C shl esi, 1C
0040EE03 |. 0BD6 or edx, esi
0040EE05 |. 8B7424 44 mov esi, [esp+44]
0040EE09 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040EE0F |. 33D6 xor edx, esi
0040EE11 |. 8B7424 40 mov esi, [esp+40]
0040EE15 |. 33F1 xor esi, ecx
0040EE17 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040EE1D |. 8BDE mov ebx, esi
0040EE1F |. 8BFE mov edi, esi
0040EE21 |. C1EB 10 shr ebx, 10
0040EE24 |. 81E3 FF000000 and ebx, 0FF
0040EE2A |. C1EF 18 shr edi, 18
0040EE2D |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040EE34 |. 8BDE mov ebx, esi
0040EE36 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040EE3D |. 81E6 FF000000 and esi, 0FF
0040EE43 |. C1EB 08 shr ebx, 8
0040EE46 |. 81E3 FF000000 and ebx, 0FF
0040EE4C |. 0BFD or edi, ebp
0040EE4E |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040EE55 |. 8BDA mov ebx, edx
0040EE57 |. C1EB 18 shr ebx, 18
0040EE5A |. 0BFD or edi, ebp
0040EE5C |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040EE63 |. 8BDA mov ebx, edx
0040EE65 |. C1EB 10 shr ebx, 10
0040EE68 |. 81E3 FF000000 and ebx, 0FF
0040EE6E |. 0BFD or edi, ebp
0040EE70 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040EE77 |. 8BDA mov ebx, edx
0040EE79 |. C1EB 08 shr ebx, 8
0040EE7C |. 81E3 FF000000 and ebx, 0FF
0040EE82 |. 0BFD or edi, ebp
0040EE84 |. 81E2 FF000000 and edx, 0FF
0040EE8A |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040EE91 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040EE98 |. 0BFD or edi, ebp
0040EE9A |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040EEA1 |. 0BFB or edi, ebx
0040EEA3 |. 0BFD or edi, ebp
0040EEA5 |. 33C7 xor eax, edi
0040EEA7 |. 8BD0 mov edx, eax
0040EEA9 |. 8BF0 mov esi, eax
0040EEAB |. C1EA 04 shr edx, 4
0040EEAE |. 83E6 03 and esi, 3
0040EEB1 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040EEB7 |. C1E6 1C shl esi, 1C
0040EEBA |. 0BD6 or edx, esi
0040EEBC |. 8B7424 4C mov esi, [esp+4C]
0040EEC0 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040EEC6 |. 33D6 xor edx, esi
0040EEC8 |. 8B7424 48 mov esi, [esp+48]
0040EECC |. 33F0 xor esi, eax
0040EECE |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040EED4 |. 8BDE mov ebx, esi
0040EED6 |. 8BFE mov edi, esi
0040EED8 |. C1EB 10 shr ebx, 10
0040EEDB |. 81E3 FF000000 and ebx, 0FF
0040EEE1 |. C1EF 18 shr edi, 18
0040EEE4 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040EEEB |. 8BDE mov ebx, esi
0040EEED |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040EEF4 |. 81E6 FF000000 and esi, 0FF
0040EEFA |. C1EB 08 shr ebx, 8
0040EEFD |. 81E3 FF000000 and ebx, 0FF
0040EF03 |. 0BFD or edi, ebp
0040EF05 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040EF0C |. 8BDA mov ebx, edx
0040EF0E |. C1EB 18 shr ebx, 18
0040EF11 |. 0BFD or edi, ebp
0040EF13 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040EF1A |. 8BDA mov ebx, edx
0040EF1C |. C1EB 10 shr ebx, 10
0040EF1F |. 81E3 FF000000 and ebx, 0FF
0040EF25 |. 0BFD or edi, ebp
0040EF27 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040EF2E |. 8BDA mov ebx, edx
0040EF30 |. C1EB 08 shr ebx, 8
0040EF33 |. 81E3 FF000000 and ebx, 0FF
0040EF39 |. 0BFD or edi, ebp
0040EF3B |. 81E2 FF000000 and edx, 0FF
0040EF41 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040EF48 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040EF4F |. 0BFD or edi, ebp
0040EF51 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040EF58 |. 0BFB or edi, ebx
0040EF5A |. 0BFD or edi, ebp
0040EF5C |. 33CF xor ecx, edi
0040EF5E |. 8BD1 mov edx, ecx
0040EF60 |. 8BF1 mov esi, ecx
0040EF62 |. C1EA 04 shr edx, 4
0040EF65 |. 83E6 03 and esi, 3
0040EF68 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040EF6E |. C1E6 1C shl esi, 1C
0040EF71 |. 0BD6 or edx, esi
0040EF73 |. 8B7424 54 mov esi, [esp+54]
0040EF77 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040EF7D |. 33D6 xor edx, esi
0040EF7F |. 8B7424 50 mov esi, [esp+50]
0040EF83 |. 33F1 xor esi, ecx
0040EF85 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040EF8B |. 8BDE mov ebx, esi
0040EF8D |. 8BFE mov edi, esi
0040EF8F |. C1EB 10 shr ebx, 10
0040EF92 |. 81E3 FF000000 and ebx, 0FF
0040EF98 |. C1EF 18 shr edi, 18
0040EF9B |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040EFA2 |. 8BDE mov ebx, esi
0040EFA4 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040EFAB |. C1EB 08 shr ebx, 8
0040EFAE |. 81E3 FF000000 and ebx, 0FF
0040EFB4 |. 0BFD or edi, ebp
0040EFB6 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040EFBD |. 8BDA mov ebx, edx
0040EFBF |. C1EB 18 shr ebx, 18
0040EFC2 |. 0BFD or edi, ebp
0040EFC4 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040EFCB |. 8BDA mov ebx, edx
0040EFCD |. C1EB 10 shr ebx, 10
0040EFD0 |. 81E3 FF000000 and ebx, 0FF
0040EFD6 |. 0BFD or edi, ebp
0040EFD8 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040EFDF |. 8BDA mov ebx, edx
0040EFE1 |. C1EB 08 shr ebx, 8
0040EFE4 |. 81E3 FF000000 and ebx, 0FF
0040EFEA |. 0BFD or edi, ebp
0040EFEC |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040EFF3 |. 0BFD or edi, ebp
0040EFF5 |. 81E2 FF000000 and edx, 0FF
0040EFFB |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040F002 |. 81E6 FF000000 and esi, 0FF
0040F008 |. 0BFB or edi, ebx
0040F00A |. 0B3CB5 006B4500 or edi, [esi*4+456B00]
0040F011 |. 33C7 xor eax, edi
0040F013 |. 8BD0 mov edx, eax
0040F015 |. 8BF0 mov esi, eax
0040F017 |. C1EA 04 shr edx, 4
0040F01A |. 83E6 03 and esi, 3
0040F01D |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F023 |. C1E6 1C shl esi, 1C
0040F026 |. 0BD6 or edx, esi
0040F028 |. 8B7424 5C mov esi, [esp+5C]
0040F02C |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F032 |. 33D6 xor edx, esi
0040F034 |. 8B7424 58 mov esi, [esp+58]
0040F038 |. 33F0 xor esi, eax
0040F03A |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F040 |. 8BDE mov ebx, esi
0040F042 |. 8BFE mov edi, esi
0040F044 |. C1EB 10 shr ebx, 10
0040F047 |. 81E3 FF000000 and ebx, 0FF
0040F04D |. C1EF 18 shr edi, 18
0040F050 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040F057 |. 8BDE mov ebx, esi
0040F059 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040F060 |. 81E6 FF000000 and esi, 0FF
0040F066 |. C1EB 08 shr ebx, 8
0040F069 |. 81E3 FF000000 and ebx, 0FF
0040F06F |. 0BFD or edi, ebp
0040F071 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040F078 |. 8BDA mov ebx, edx
0040F07A |. C1EB 18 shr ebx, 18
0040F07D |. 0BFD or edi, ebp
0040F07F |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040F086 |. 8BDA mov ebx, edx
0040F088 |. C1EB 10 shr ebx, 10
0040F08B |. 81E3 FF000000 and ebx, 0FF
0040F091 |. 0BFD or edi, ebp
0040F093 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040F09A |. 8BDA mov ebx, edx
0040F09C |. C1EB 08 shr ebx, 8
0040F09F |. 81E3 FF000000 and ebx, 0FF
0040F0A5 |. 0BFD or edi, ebp
0040F0A7 |. 81E2 FF000000 and edx, 0FF
0040F0AD |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040F0B4 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040F0BB |. 0BFD or edi, ebp
0040F0BD |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040F0C4 |. 0BFB or edi, ebx
0040F0C6 |. 0BFD or edi, ebp
0040F0C8 |. 33CF xor ecx, edi
0040F0CA |. 8BD1 mov edx, ecx
0040F0CC |. 8BF1 mov esi, ecx
0040F0CE |. C1EA 04 shr edx, 4
0040F0D1 |. 83E6 03 and esi, 3
0040F0D4 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F0DA |. C1E6 1C shl esi, 1C
0040F0DD |. 0BD6 or edx, esi
0040F0DF |. 8B7424 64 mov esi, [esp+64]
0040F0E3 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F0E9 |. 33D6 xor edx, esi
0040F0EB |. 8B7424 60 mov esi, [esp+60]
0040F0EF |. 33F1 xor esi, ecx
0040F0F1 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F0F7 |. 8BDE mov ebx, esi
0040F0F9 |. 8BFE mov edi, esi
0040F0FB |. C1EB 10 shr ebx, 10
0040F0FE |. 81E3 FF000000 and ebx, 0FF
0040F104 |. C1EF 18 shr edi, 18
0040F107 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040F10E |. 8BDE mov ebx, esi
0040F110 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040F117 |. C1EB 08 shr ebx, 8
0040F11A |. 81E3 FF000000 and ebx, 0FF
0040F120 |. 0BFD or edi, ebp
0040F122 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040F129 |. 8BDA mov ebx, edx
0040F12B |. 0BFD or edi, ebp
0040F12D |. C1EB 18 shr ebx, 18
0040F130 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040F137 |. 8BDA mov ebx, edx
0040F139 |. 0BFD or edi, ebp
0040F13B |. C1EB 10 shr ebx, 10
0040F13E |. 81E3 FF000000 and ebx, 0FF
0040F144 |. 81E6 FF000000 and esi, 0FF
0040F14A |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040F151 |. 8BDA mov ebx, edx
0040F153 |. C1EB 08 shr ebx, 8
0040F156 |. 81E3 FF000000 and ebx, 0FF
0040F15C |. 0BFD or edi, ebp
0040F15E |. 81E2 FF000000 and edx, 0FF
0040F164 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040F16B |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040F172 |. 0BFD or edi, ebp
0040F174 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040F17B |. 0BFB or edi, ebx
0040F17D |. 0BFD or edi, ebp
0040F17F |. 33C7 xor eax, edi
0040F181 |. 8BD0 mov edx, eax
0040F183 |. 8BF0 mov esi, eax
0040F185 |. C1EA 04 shr edx, 4
0040F188 |. 83E6 03 and esi, 3
0040F18B |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F191 |. C1E6 1C shl esi, 1C
0040F194 |. 0BD6 or edx, esi
0040F196 |. 8B7424 6C mov esi, [esp+6C]
0040F19A |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F1A0 |. 33D6 xor edx, esi
0040F1A2 |. 8B7424 68 mov esi, [esp+68]
0040F1A6 |. 33F0 xor esi, eax
0040F1A8 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F1AE |. 8BDE mov ebx, esi
0040F1B0 |. 8BFE mov edi, esi
0040F1B2 |. C1EB 10 shr ebx, 10
0040F1B5 |. 81E3 FF000000 and ebx, 0FF
0040F1BB |. C1EF 18 shr edi, 18
0040F1BE |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040F1C5 |. 8BDE mov ebx, esi
0040F1C7 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040F1CE |. 81E6 FF000000 and esi, 0FF
0040F1D4 |. C1EB 08 shr ebx, 8
0040F1D7 |. 81E3 FF000000 and ebx, 0FF
0040F1DD |. 0BFD or edi, ebp
0040F1DF |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040F1E6 |. 8BDA mov ebx, edx
0040F1E8 |. C1EB 18 shr ebx, 18
0040F1EB |. 0BFD or edi, ebp
0040F1ED |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040F1F4 |. 8BDA mov ebx, edx
0040F1F6 |. C1EB 10 shr ebx, 10
0040F1F9 |. 81E3 FF000000 and ebx, 0FF
0040F1FF |. 0BFD or edi, ebp
0040F201 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040F208 |. 8BDA mov ebx, edx
0040F20A |. C1EB 08 shr ebx, 8
0040F20D |. 81E3 FF000000 and ebx, 0FF
0040F213 |. 0BFD or edi, ebp
0040F215 |. 81E2 FF000000 and edx, 0FF
0040F21B |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040F222 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040F229 |. 0BFD or edi, ebp
0040F22B |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040F232 |. 0BFB or edi, ebx
0040F234 |. 0BFD or edi, ebp
0040F236 |. 33CF xor ecx, edi
0040F238 |. 8BD1 mov edx, ecx
0040F23A |. 8BF1 mov esi, ecx
0040F23C |. C1EA 04 shr edx, 4
0040F23F |. 83E6 03 and esi, 3
0040F242 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F248 |. C1E6 1C shl esi, 1C
0040F24B |. 0BD6 or edx, esi
0040F24D |. 8B7424 74 mov esi, [esp+74]
0040F251 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F257 |. 33D6 xor edx, esi
0040F259 |. 8B7424 70 mov esi, [esp+70]
0040F25D |. 33F1 xor esi, ecx
0040F25F |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F265 |. 8BFE mov edi, esi
0040F267 |. 8BDE mov ebx, esi
0040F269 |. C1EF 18 shr edi, 18
0040F26C |. C1EB 10 shr ebx, 10
0040F26F |. 81E3 FF000000 and ebx, 0FF
0040F275 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040F27C |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040F283 |. 8BDE mov ebx, esi
0040F285 |. C1EB 08 shr ebx, 8
0040F288 |. 81E3 FF000000 and ebx, 0FF
0040F28E |. 0BFD or edi, ebp
0040F290 |. 81E6 FF000000 and esi, 0FF
0040F296 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040F29D |. 8BDA mov ebx, edx
0040F29F |. C1EB 18 shr ebx, 18
0040F2A2 |. 0BFD or edi, ebp
0040F2A4 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040F2AB |. 8BDA mov ebx, edx
0040F2AD |. C1EB 10 shr ebx, 10
0040F2B0 |. 81E3 FF000000 and ebx, 0FF
0040F2B6 |. 0BFD or edi, ebp
0040F2B8 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040F2BF |. 8BDA mov ebx, edx
0040F2C1 |. C1EB 08 shr ebx, 8
0040F2C4 |. 81E3 FF000000 and ebx, 0FF
0040F2CA |. 0BFD or edi, ebp
0040F2CC |. 81E2 FF000000 and edx, 0FF
0040F2D2 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040F2D9 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040F2E0 |. 0BFD or edi, ebp
0040F2E2 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040F2E9 |. 0BFB or edi, ebx
0040F2EB |. 0BFD or edi, ebp
0040F2ED |. 33C7 xor eax, edi
0040F2EF |. 8BD0 mov edx, eax
0040F2F1 |. 8BF0 mov esi, eax
0040F2F3 |. C1EA 04 shr edx, 4
0040F2F6 |. 83E6 03 and esi, 3
0040F2F9 |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F2FF |. C1E6 1C shl esi, 1C
0040F302 |. 0BD6 or edx, esi
0040F304 |. 8B7424 7C mov esi, [esp+7C]
0040F308 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F30E |. 33D6 xor edx, esi
0040F310 |. 8B7424 78 mov esi, [esp+78]
0040F314 |. 33F0 xor esi, eax
0040F316 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F31C |. 8BDE mov ebx, esi
0040F31E |. 8BFE mov edi, esi
0040F320 |. C1EB 10 shr ebx, 10
0040F323 |. 81E3 FF000000 and ebx, 0FF
0040F329 |. C1EF 18 shr edi, 18
0040F32C |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040F333 |. 8BDE mov ebx, esi
0040F335 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040F33C |. 81E6 FF000000 and esi, 0FF
0040F342 |. C1EB 08 shr ebx, 8
0040F345 |. 81E3 FF000000 and ebx, 0FF
0040F34B |. 0BFD or edi, ebp
0040F34D |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040F354 |. 8BDA mov ebx, edx
0040F356 |. C1EB 18 shr ebx, 18
0040F359 |. 0BFD or edi, ebp
0040F35B |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040F362 |. 8BDA mov ebx, edx
0040F364 |. C1EB 10 shr ebx, 10
0040F367 |. 81E3 FF000000 and ebx, 0FF
0040F36D |. 0BFD or edi, ebp
0040F36F |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040F376 |. 8BDA mov ebx, edx
0040F378 |. C1EB 08 shr ebx, 8
0040F37B |. 81E3 FF000000 and ebx, 0FF
0040F381 |. 0BFD or edi, ebp
0040F383 |. 81E2 FF000000 and edx, 0FF
0040F389 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040F390 |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040F397 |. 0BFD or edi, ebp
0040F399 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040F3A0 |. 0BFB or edi, ebx
0040F3A2 |. 0BFD or edi, ebp
0040F3A4 |. 33CF xor ecx, edi
0040F3A6 |. 8BD1 mov edx, ecx
0040F3A8 |. C1EA 04 shr edx, 4
0040F3AB |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F3B1 |. 8BF1 mov esi, ecx
0040F3B3 |. 83E6 03 and esi, 3
0040F3B6 |. C1E6 1C shl esi, 1C
0040F3B9 |. 0BD6 or edx, esi
0040F3BB |. 8BB424 84000000 mov esi, [esp+84]
0040F3C2 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F3C8 |. 33D6 xor edx, esi
0040F3CA |. 8BB424 80000000 mov esi, [esp+80]
0040F3D1 |. 33F1 xor esi, ecx
0040F3D3 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F3D9 |. 8BDE mov ebx, esi
0040F3DB |. 8BFE mov edi, esi
0040F3DD |. C1EB 10 shr ebx, 10
0040F3E0 |. 81E3 FF000000 and ebx, 0FF
0040F3E6 |. C1EF 18 shr edi, 18
0040F3E9 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040F3F0 |. 8BDE mov ebx, esi
0040F3F2 |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040F3F9 |. 81E6 FF000000 and esi, 0FF
0040F3FF |. C1EB 08 shr ebx, 8
0040F402 |. 81E3 FF000000 and ebx, 0FF
0040F408 |. 0BFD or edi, ebp
0040F40A |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040F411 |. 8BDA mov ebx, edx
0040F413 |. C1EB 18 shr ebx, 18
0040F416 |. 0BFD or edi, ebp
0040F418 |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040F41F |. 8BDA mov ebx, edx
0040F421 |. C1EB 10 shr ebx, 10
0040F424 |. 81E3 FF000000 and ebx, 0FF
0040F42A |. 0BFD or edi, ebp
0040F42C |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040F433 |. 8BDA mov ebx, edx
0040F435 |. C1EB 08 shr ebx, 8
0040F438 |. 81E3 FF000000 and ebx, 0FF
0040F43E |. 0BFD or edi, ebp
0040F440 |. 81E2 FF000000 and edx, 0FF
0040F446 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040F44D |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040F454 |. 0BFD or edi, ebp
0040F456 |. 8B2CB5 006B4500 mov ebp, [esi*4+456B00]
0040F45D |. 0BFB or edi, ebx
0040F45F |. 0BFD or edi, ebp
0040F461 |. 33C7 xor eax, edi
0040F463 |. 8BD0 mov edx, eax
0040F465 |. 8BF0 mov esi, eax
0040F467 |. C1EA 04 shr edx, 4
0040F46A |. 83E6 03 and esi, 3
0040F46D |. 81E2 3F3F3F0F and edx, 0F3F3F3F
0040F473 |. C1E6 1C shl esi, 1C
0040F476 |. 0BD6 or edx, esi
0040F478 |. 8BB424 8C000000 mov esi, [esp+8C]
0040F47F |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F485 |. 33D6 xor edx, esi
0040F487 |. 8BB424 88000000 mov esi, [esp+88]
0040F48E |. 33F0 xor esi, eax
0040F490 |. 81E6 3F3F3F3F and esi, 3F3F3F3F
0040F496 |. 8BDE mov ebx, esi
0040F498 |. 8BFE mov edi, esi
0040F49A |. C1EB 10 shr ebx, 10
0040F49D |. 81E3 FF000000 and ebx, 0FF
0040F4A3 |. C1EF 18 shr edi, 18
0040F4A6 |. 8B2C9D 006F4500 mov ebp, [ebx*4+456F00]
0040F4AD |. 8BDE mov ebx, esi
0040F4AF |. 8B3CBD 00714500 mov edi, [edi*4+457100]
0040F4B6 |. C1EB 08 shr ebx, 8
0040F4B9 |. 81E3 FF000000 and ebx, 0FF
0040F4BF |. 0BFD or edi, ebp
0040F4C1 |. 8B2C9D 006D4500 mov ebp, [ebx*4+456D00]
0040F4C8 |. 8BDA mov ebx, edx
0040F4CA |. C1EB 18 shr ebx, 18
0040F4CD |. 0BFD or edi, ebp
0040F4CF |. 8B2C9D 00724500 mov ebp, [ebx*4+457200]
0040F4D6 |. 8BDA mov ebx, edx
0040F4D8 |. C1EB 10 shr ebx, 10
0040F4DB |. 81E3 FF000000 and ebx, 0FF
0040F4E1 |. 0BFD or edi, ebp
0040F4E3 |. 8B2C9D 00704500 mov ebp, [ebx*4+457000]
0040F4EA |. 8BDA mov ebx, edx
0040F4EC |. 0BFD or edi, ebp
0040F4EE |. C1EB 08 shr ebx, 8
0040F4F1 |. 81E3 FF000000 and ebx, 0FF
0040F4F7 |. 81E2 FF000000 and edx, 0FF
0040F4FD |. 81E6 FF000000 and esi, 0FF
0040F503 |. 8B2C9D 006E4500 mov ebp, [ebx*4+456E00]
0040F50A |. 8B1C95 006C4500 mov ebx, [edx*4+456C00]
0040F511 |. 8B14B5 006B4500 mov edx, [esi*4+456B00]
0040F518 |. 0BFD or edi, ebp
0040F51A |. 0BFB or edi, ebx
0040F51C |. 0BFA or edi, edx
0040F51E |. 8BD0 mov edx, eax
0040F520 |. C1E2 1F shl edx, 1F
0040F523 |. D1E8 shr eax, 1
0040F525 |. 33CF xor ecx, edi
0040F527 |. 0BD0 or edx, eax
0040F529 |. 8BC1 mov eax, ecx
0040F52B |. 5F pop edi
0040F52C |. C1E0 1E shl eax, 1E
0040F52F |. C1E9 02 shr ecx, 2
0040F532 |. 0BC1 or eax, ecx
0040F534 |. 8BC8 mov ecx, eax
0040F536 |. 33CA xor ecx, edx
0040F538 |. 81E1 55555555 and ecx, 55555555
0040F53E |. 33D1 xor edx, ecx
0040F540 |. 33C8 xor ecx, eax
0040F542 |. 8BC1 mov eax, ecx
0040F544 |. C1E8 17 shr eax, 17
0040F547 |. C1E1 09 shl ecx, 9
0040F54A |. 0BC1 or eax, ecx
0040F54C |. 8BC8 mov ecx, eax
0040F54E |. 33CA xor ecx, edx
0040F550 |. 81E1 00FF00FF and ecx, FF00FF00
0040F556 |. 33D1 xor edx, ecx
0040F558 |. 33C8 xor ecx, eax
0040F55A |. 8BC1 mov eax, ecx
0040F55C |. C1E0 16 shl eax, 16
0040F55F |. C1E9 0A shr ecx, 0A
0040F562 |. 0BC1 or eax, ecx
0040F564 |. 8BC8 mov ecx, eax
0040F566 |. 33CA xor ecx, edx
0040F568 |. 81E1 33333333 and ecx, 33333333
0040F56E |. 33D1 xor edx, ecx
0040F570 |. 33C8 xor ecx, eax
0040F572 |. 8BC1 mov eax, ecx
0040F574 |. C1E0 12 shl eax, 12
0040F577 |. C1E9 0E shr ecx, 0E
0040F57A |. 0BC1 or eax, ecx
0040F57C |. 8BC8 mov ecx, eax
0040F57E |. 33CA xor ecx, edx
0040F580 |. 81E1 0000FFFF and ecx, FFFF0000
0040F586 |. 33D1 xor edx, ecx
0040F588 |. 33C8 xor ecx, eax
0040F58A |. 8BC1 mov eax, ecx
0040F58C |. C1E8 14 shr eax, 14
0040F58F |. C1E1 0C shl ecx, 0C
0040F592 |. 0BC1 or eax, ecx
0040F594 |. 8BC8 mov ecx, eax
0040F596 |. 33CA xor ecx, edx
0040F598 |. 81E1 0F0F0F0F and ecx, 0F0F0F0F
0040F59E |. 8BF1 mov esi, ecx
0040F5A0 |. 33C8 xor ecx, eax
0040F5A2 |. 33F2 xor esi, edx
0040F5A4 |. 8B9424 94000000 mov edx, [esp+94]
0040F5AB |. 8BC1 mov eax, ecx
0040F5AD |. C1E8 1C shr eax, 1C
0040F5B0 |. C1E1 04 shl ecx, 4
0040F5B3 |. 8932 mov [edx], esi
0040F5B5 |. 0BC1 or eax, ecx
0040F5B7 |. 5E pop esi
0040F5B8 |. 5D pop ebp
0040F5B9 |. 8942 04 mov [edx+4], eax
0040F5BC |. 5B pop ebx
0040F5BD |. 81C4 80000000 add esp, 80
0040F5C3 \. C3 retn
同样用ida抓下来,生成程序验证,留在后面用。
类Des_Encipher(plain,cipher,key)
类Des_Decipher(plain,cipher,key)
[rsa part]
下面是来到RSA部分,呵呵,xyz_119兄弟用了CBigInt,hoho,撞到枪口上了。
分析00401C30,来到
004046F0 /$ 6A FF push -1
004046F2 |. 68 72514400 push 00445172 ; SE 处理程序安装
004046F7 |. 64:A1 00000000 mov eax, fs:[0]
004046FD |. 50 push eax
004046FE |. 64:8925 00000000 mov fs:[0], esp
00404705 |. 81EC 60030000 sub esp, 360
0040470B |. 8D8C24 90000000 lea ecx, [esp+90]
00404712 |. E8 D9CC0000 call 004113F0 ; 构造CBigInt
00404717 |. 8D4C24 00 lea ecx, [esp]
0040471B |. C78424 68030000 000>mov dword ptr [esp+368], 0
00404726 |. E8 C5CC0000 call 004113F0 ; 构造CBigInt
0040472B |. 8D8C24 20010000 lea ecx, [esp+120]
00404732 |. C68424 68030000 01 mov byte ptr [esp+368], 1
0040473A |. E8 B1CC0000 call 004113F0 ; 构造CBigInt
0040473F |. 8D8C24 B0010000 lea ecx, [esp+1B0]
00404746 |. C68424 68030000 02 mov byte ptr [esp+368], 2
0040474E |. E8 9DCC0000 call 004113F0 ; 构造CBigInt
00404753 |. 8D8C24 D0020000 lea ecx, [esp+2D0]
0040475A |. C68424 68030000 03 mov byte ptr [esp+368], 3
00404762 |. E8 89CC0000 call 004113F0 ; 构造CBigInt
00404767 |. 8B8424 74030000 mov eax, [esp+374]
0040476E |. 8B8C24 70030000 mov ecx, [esp+370]
00404775 |. 6A 10 push 10
00404777 |. 6A 00 push 0
00404779 |. 50 push eax
0040477A |. 51 push ecx
0040477B |. C68424 78030000 04 mov byte ptr [esp+378], 4
00404783 |. E8 58FDFFFF call 004044E0
00404788 |. 83C4 0C add esp, 0C
0040478B |. 8D8C24 24010000 lea ecx, [esp+124] ; |
00404792 |. 50 push eax ; |Arg1
00404793 |. E8 D8D40000 call 00411C70 ; \CBigInt::Get(String,HEX) N
00404798 |. 8B9424 7C030000 mov edx, [esp+37C]
0040479F |. 8B8424 78030000 mov eax, [esp+378]
004047A6 |. 6A 10 push 10
004047A8 |. 6A 00 push 0
004047AA |. 52 push edx
004047AB |. 50 push eax
004047AC |. E8 2FFDFFFF call 004044E0
004047B1 |. 83C4 0C add esp, 0C
004047B4 |. 8D8C24 B4010000 lea ecx, [esp+1B4] ; |
004047BB |. 50 push eax ; |Arg1
004047BC |. E8 AFD40000 call 00411C70 ; \CBigInt::Get(String,HEX) E
004047C1 |. 8B8C24 84030000 mov ecx, [esp+384]
004047C8 |. 8B9424 80030000 mov edx, [esp+380]
004047CF |. 6A 10 push 10
004047D1 |. 6A 00 push 0
004047D3 |. 51 push ecx
004047D4 |. 52 push edx
004047D5 |. E8 06FDFFFF call 004044E0
004047DA |. 83C4 0C add esp, 0C
004047DD |. 8D4C24 04 lea ecx, [esp+4] ; |
004047E1 |. 50 push eax ; |Arg1
004047E2 |. E8 89D40000 call 00411C70 ; \CBigInt::Get(String,HEX)
004047E7 |. 8D8424 20010000 lea eax, [esp+120]
004047EE |. 8D8C24 B0010000 lea ecx, [esp+1B0]
004047F5 |. 50 push eax ; /Arg3
004047F6 |. 8D9424 44020000 lea edx, [esp+244] ; |
004047FD |. 51 push ecx ; |Arg2
004047FE |. 52 push edx ; |Arg1
004047FF |. 8D4C24 0C lea ecx, [esp+C] ; |
00404803 |. E8 F8D90000 call 00412200 ; \CBigInt::RSATrns(CBigInt,CBigInt)
00404808 |. 50 push eax
00404809 |. 8D8C24 94000000 lea ecx, [esp+94]
00404810 |. C68424 6C030000 05 mov byte ptr [esp+36C], 5
00404818 |. E8 53CC0000 call 00411470 ; CBigInt::Mov(CBigInt&)
0040481D |. 8D8C24 40020000 lea ecx, [esp+240]
00404824 |. C68424 68030000 04 mov byte ptr [esp+368], 4
0040482C |. E8 DFCB0000 call 00411410 ; 析构
00404831 |. 8B8424 8C030000 mov eax, [esp+38C]
00404838 |. 8B8C24 88030000 mov ecx, [esp+388]
0040483F |. 6A 01 push 1
00404841 |. 50 push eax
00404842 |. 51 push ecx
00404843 |. 6A 10 push 10 ; /Arg1 = 00000010
00404845 |. 8D8C24 A0000000 lea ecx, [esp+A0] ; |
0040484C |. E8 BFD60000 call 00411F10 ; \CBigInt::Put(string& str, unsigned
int system)
00404851 |. 50 push eax ; 上面转换的字符
00404852 |. E8 D9F9FFFF call 00404230
00404857 |. 83C4 10 add esp, 10
0040485A |. C68424 68030000 03 mov byte ptr [esp+368], 3
00404862 |. 8D8C24 D0020000 lea ecx, [esp+2D0]
00404869 |. E8 A2CB0000 call 00411410 ; 析构
0040486E |. 8D8C24 B0010000 lea ecx, [esp+1B0]
00404875 |. C68424 68030000 02 mov byte ptr [esp+368], 2
0040487D |. E8 8ECB0000 call 00411410 ; 析构
00404882 |. 8D8C24 20010000 lea ecx, [esp+120]
00404889 |. C68424 68030000 01 mov byte ptr [esp+368], 1
00404891 |. E8 7ACB0000 call 00411410 ; 析构
00404896 |. 8D4C24 00 lea ecx, [esp]
0040489A |. C68424 68030000 00 mov byte ptr [esp+368], 0
004048A2 |. E8 69CB0000 call 00411410 ; 析构
004048A7 |. 8D8C24 90000000 lea ecx, [esp+90]
004048AE |. C78424 68030000 FFF>mov dword ptr [esp+368], -1
004048B9 |. E8 52CB0000 call 00411410 ; 析构
004048BE |. 8B8C24 60030000 mov ecx, [esp+360]
004048C5 |. 64:890D 00000000 mov fs:[0], ecx
004048CC |. 81C4 6C030000 add esp, 36C
004048D2 \. C3 retn
这些BigInt来自以下的字节。
00402CBD . C64424 48 CA mov byte ptr [esp+48], 0CA ; |
00402CC2 . C64424 49 C4 mov byte ptr [esp+49], 0C4 ; |
00402CC7 . C64424 4A 7C mov byte ptr [esp+4A], 7C ; |
00402CCC . C64424 4B 54 mov byte ptr [esp+4B], 54 ; |
00402CD1 . C64424 4C 52 mov byte ptr [esp+4C], 52 ; |
00402CD6 . C64424 4D 72 mov byte ptr [esp+4D], 72 ; |
00402CDB . C64424 4E 88 mov byte ptr [esp+4E], 88 ; |
00402CE0 . C64424 4F 82 mov byte ptr [esp+4F], 82 ; |
00402CE5 . C64424 50 74 mov byte ptr [esp+50], 74 ; |
00402CEA . C64424 51 B2 mov byte ptr [esp+51], 0B2 ; |
00402CEF . C64424 52 95 mov byte ptr [esp+52], 95 ; |
00402CF4 . C64424 53 A2 mov byte ptr [esp+53], 0A2 ; |
00402CF9 . C64424 54 66 mov byte ptr [esp+54], 66 ; |
00402CFE . C64424 56 A0 mov byte ptr [esp+56], 0A0 ; |
00402D03 . C64424 57 8D mov byte ptr [esp+57], 8D ; |
00402D08 . C64424 24 D4 mov byte ptr [esp+24], 0D4 ; |
00402D0D . C64424 25 D0 mov byte ptr [esp+25], 0D0 ; |
00402D12 . C64424 26 ED mov byte ptr [esp+26], 0ED ; |
00402D17 . C64424 27 36 mov byte ptr [esp+27], 36 ; |
00402D1C . C64424 28 D3 mov byte ptr [esp+28], 0D3 ; |
00402D21 . C64424 29 BC mov byte ptr [esp+29], 0BC ; |
00402D26 . C64424 2A 55 mov byte ptr [esp+2A], 55 ; |
00402D2B . C64424 2B E7 mov byte ptr [esp+2B], 0E7 ; |
00402D30 . C64424 58 6D mov byte ptr [esp+58], 6D ; |
00402D35 . C64424 59 C7 mov byte ptr [esp+59], 0C7 ; |
00402D3A . C64424 5A A8 mov byte ptr [esp+5A], 0A8 ; |
00402D3F . C64424 5B 2F mov byte ptr [esp+5B], 2F ; |
00402D44 . C64424 5C 50 mov byte ptr [esp+5C], 50 ; |
00402D49 . C64424 5D 9F mov byte ptr [esp+5D], 9F ; |
00402D4E . C64424 5E 7E mov byte ptr [esp+5E], 7E ; |
00402D53 . C64424 5F A1 mov byte ptr [esp+5F], 0A1 ; |
00402D58 . C64424 60 AB mov byte ptr [esp+60], 0AB ; |
00402D5D . C64424 61 81 mov byte ptr [esp+61], 81 ; |
00402D62 . C64424 62 60 mov byte ptr [esp+62], 60 ; |
00402D67 . C64424 63 05 mov byte ptr [esp+63], 5 ; |
00402D6C . C64424 64 DC mov byte ptr [esp+64], 0DC ; |
00402D71 . C64424 65 E9 mov byte ptr [esp+65], 0E9 ; |
00402D76 . C64424 66 71 mov byte ptr [esp+66], 71 ; |
第一次RSA
N=CAC47C545272888274B295A266FAA08D
E=D4D0ED36D3BC55E7
M=6DC7A82F509F7EA1AB816005DCE971FA
计算出来的
C=8FBAD9BAD9B2BBB4ED00
去掉头个字节,变成BA D9 BA D9 B2 BB B4 ED 00 (是汉字"嘿嘿不错"),呵呵,xyz兄好逗。
第一步的破击方法
类Des解密(BA D9 BA D9 B2 BB B4 ED)=>8 BYTE 明文
再有Key和明文生成 =>Serial
由于这里Key具有任意性,我选择了nightfox 变换"nigh"|0x11000000=>nigy nigyfox 呵呵
用注册机验证,Serial:DCB461-963736-419D10-951616-F514E2-1F
OK,重启,发现程序起不来,怎么回事?
一步步跟踪,来到:
00401710 . 8B10 mov edx, [eax]
00401712 . 8BC8 mov ecx, eax
00401714 . FF52 18 call [edx+18] ; XYZ_Crac.00402060 F7 进去
00401717 . 85C0 test eax, eax
00401719 75 07 jnz short 00401722 //爆破点,爆掉就OK了
0040171B . 8BCE mov ecx, esi
进入:
00402060 . 6A FF push -1
00402062 . 68 984F4400 push 00444F98 ; SE 处理程序安装
00402067 . 64:A1 00000000 mov eax, fs:[0]
0040206D . 50 push eax
0040206E . 64:8925 00000000 mov fs:[0], esp
00402075 . 83EC 40 sub esp, 40
00402078 . 53 push ebx
00402079 . 55 push ebp
0040207A . 8BE9 mov ebp, ecx
0040207C . 8D4424 08 lea eax, [esp+8]
00402080 . 50 push eax ; 保存地址
00402081 . 6A 04 push 4
00402083 . 8B55 48 mov edx, [ebp+48]
00402086 . 8D4D 4C lea ecx, [ebp+4C]
00402089 . 51 push ecx
0040208A . 52 push edx
0040208B . C64424 1B 00 mov byte ptr [esp+1B], 0
00402090 E8 6BE60000 call 00410700 ; call 4105F0 关键CALL
00402095 . B0 B1 mov al, 0B1
00402097 . 83C4 10 add esp, 10
0040209A . 884424 22 mov [esp+22], al
0040209E . 884424 23 mov [esp+23], al
004020A2 . B0 4C mov al, 4C
004020A4 . B1 17 mov cl, 17
004020A6 . 884424 0F mov [esp+F], al
004020AA . 884424 29 mov [esp+29], al
004020AE . 8D4424 0C lea eax, [esp+C]
004020B2 . B2 F0 mov dl, 0F0
004020B4 . 884C24 1D mov [esp+1D], cl
004020B8 . 884C24 32 mov [esp+32], cl
004020BC . 6A 08 push 8 ; /Arg7 = 00000008
004020BE . 50 push eax ; |Arg6
004020BF . 8D4C24 1C lea ecx, [esp+1C] ; |
004020C3 . 885424 1D mov [esp+1D], dl ; |
004020C7 . 885424 37 mov [esp+37], dl ; |
004020CB . 6A 10 push 10 ; |Arg5 = 00000010
004020CD . 51 push ecx ; |Arg4
004020CE . 8D5424 34 lea edx, [esp+34] ; |
004020D2 . 6A 10 push 10 ; |Arg3 = 00000010
004020D4 . 8D4424 48 lea eax, [esp+48] ; |
004020D8 . 52 push edx ; |Arg2
004020D9 . 50 push eax ; |Arg1
004020DA . 8BCD mov ecx, ebp ; |
004020DC . C64424 30 6E mov byte ptr [esp+30], 6E ; |
004020E1 . C64424 32 DF mov byte ptr [esp+32], 0DF ; |
004020E6 . C64424 33 8E mov byte ptr [esp+33], 8E ; |
004020EB . C64424 34 CF mov byte ptr [esp+34], 0CF ; |
004020F0 . C64424 35 35 mov byte ptr [esp+35], 35 ; |
004020F5 . C64424 36 36 mov byte ptr [esp+36], 36 ; |
004020FA . C64424 37 07 mov byte ptr [esp+37], 7 ; |
004020FF . C64424 38 BB mov byte ptr [esp+38], 0BB ; |
00402104 . C64424 3A B3 mov byte ptr [esp+3A], 0B3 ; |
00402109 . C64424 3B 4F mov byte ptr [esp+3B], 4F ; |
0040210E . C64424 3C 0E mov byte ptr [esp+3C], 0E ; |
00402113 . C64424 3D D7 mov byte ptr [esp+3D], 0D7 ; |
00402118 . C64424 28 65 mov byte ptr [esp+28], 65 ; |
0040211D . C64424 29 F4 mov byte ptr [esp+29], 0F4 ; |
00402122 . C64424 2A 2E mov byte ptr [esp+2A], 2E ; |
00402127 . C64424 2C C6 mov byte ptr [esp+2C], 0C6 ; |
0040212C . C64424 2D F6 mov byte ptr [esp+2D], 0F6 ; |
00402131 . C64424 2E A1 mov byte ptr [esp+2E], 0A1 ; |
00402136 . C64424 2F AB mov byte ptr [esp+2F], 0AB ; |
0040213B . C64424 40 3B mov byte ptr [esp+40], 3B ; |
00402140 . C64424 41 1F mov byte ptr [esp+41], 1F ; |
00402145 . C64424 42 51 mov byte ptr [esp+42], 51 ; |
0040214A . C64424 43 75 mov byte ptr [esp+43], 75 ; |
0040214F . C64424 44 8D mov byte ptr [esp+44], 8D ; |
00402154 . C64424 46 A6 mov byte ptr [esp+46], 0A6 ; |
00402159 . C64424 47 BD mov byte ptr [esp+47], 0BD ; |
0040215E . C64424 48 7F mov byte ptr [esp+48], 7F ; |
00402163 . C64424 49 78 mov byte ptr [esp+49], 78 ; |
00402168 . C64424 4A 0D mov byte ptr [esp+4A], 0D ; |
0040216D . C64424 4C 12 mov byte ptr [esp+4C], 12 ; |
00402172 . C64424 4D 8C mov byte ptr [esp+4D], 8C ; |
00402177 . C64424 4F E6 mov byte ptr [esp+4F], 0E6 ; |
0040217C . E8 AFFAFFFF call 00401C30 ; \RSA
第二次RSA,变换结果是0x78,0x79,0x7A("xyz")
00402181 . 8BD0 mov edx, eax
00402183 . 8D4C24 08 lea ecx, [esp+8]
00402187 . 85C9 test ecx, ecx
00402189 . 74 53 je short 004021DE
0040218B . 56 push esi
0040218C . 57 push edi
0040218D . 8D7C24 10 lea edi, [esp+10]
00402191 . 83C9 FF or ecx, FFFFFFFF
00402194 . 33C0 xor eax, eax
00402196 . F2:AE repne scas byte ptr es:[edi]
00402198 . 8B42 0C mov eax, [edx+C]
0040219B . F7D1 not ecx
0040219D . 49 dec ecx
0040219E . 8BD9 mov ebx, ecx
004021A0 . 8BC8 mov ecx, eax
004021A2 . 3BC3 cmp eax, ebx
004021A4 . 72 02 jb short 004021A8
004021A6 . 8BCB mov ecx, ebx
004021A8 > 8B52 08 mov edx, [edx+8]
004021AB . 8D7C24 10 lea edi, [esp+10]
004021AF . 8BF2 mov esi, edx
004021B1 . 33D2 xor edx, edx
004021B3 . F3:A6 repe cmps byte ptr es:[edi], byt>
加密结果和0x78,0x79,0x7A 0x00("xyz")比较相等才可以。
004021B5 . 5F pop edi
004021B6 . 5E pop esi
004021B7 . 74 05 je short 004021BE
004021B9 . 1BD2 sbb edx, edx
004021BB . 83DA FF sbb edx, -1
004021BE > 85D2 test edx, edx
004021C0 . 75 17 jnz short 004021D9
004021C2 . 3BC3 cmp eax, ebx
004021C4 . 73 0A jnb short 004021D0
004021C6 . 83CA FF or edx, FFFFFFFF
004021C9 . 85D2 test edx, edx
004021CB . 0F95C3 setne bl
004021CE . EB 10 jmp short 004021E0
004021D0 > 33D2 xor edx, edx
004021D2 . 3BC3 cmp eax, ebx
004021D4 . 0F95C2 setne dl
004021D7 . 85D2 test edx, edx
004021D9 > 0F95C3 setne bl
004021DC . EB 02 jmp short 004021E0
004021DE > B3 01 mov bl, 1
004021E0 > 8D4C24 34 lea ecx, [esp+34]
004021E4 . C74424 50 FFFFFFFF mov dword ptr [esp+50], -1
004021EC . E8 8F190000 call 00403B80
004021F1 . 84DB test bl, bl
004021F3 . 74 13 je short 00402208
004021F5 . 5D pop ebp
004021F6 . 33C0 xor eax, eax
004021F8 . 5B pop ebx
004021F9 . 8B4C24 40 mov ecx, [esp+40]
004021FD . 64:890D 00000000 mov fs:[0], ecx
00402204 . 83C4 4C add esp, 4C
00402207 . C3 retn
00402208 > 8B4C24 48 mov ecx, [esp+48]
0040220C . C745 0C 00000000 mov dword ptr [ebp+C], 0
00402213 . 5D pop ebp
00402214 . B8 01000000 mov eax, 1
00402219 . 5B pop ebx
0040221A . 64:890D 00000000 mov fs:[0], ecx
00402221 . 83C4 4C add esp, 4C
00402224 . C3 retn
[unknown2 part]
00410700,发现是一个加密过程key是32位,明密文都是4个BYTE
可以写成
encipher(DWORD key,BYTE* plain,int size=4,BYTE* cipher)
decipher(DWORD key,BYTE* cipher,int size=4,BYTE* plain)
进入
00410700 /$ 6A FF push -1
00410702 |. 68 10594400 push 00445910 ; SE 处理程序安装
00410707 |. 64:A1 00000000 mov eax, fs:[0]
0041070D |. 50 push eax
0041070E |. 64:8925 00000000 mov fs:[0], esp
00410715 |. 83EC 20 sub esp, 20
00410718 |. 8A4424 30 mov al, [esp+30]
0041071C |. 53 push ebx
0041071D |. 55 push ebp
0041071E |. 33DB xor ebx, ebx
00410720 |. 56 push esi
00410721 |. 57 push edi
00410722 |. 884424 20 mov [esp+20], al
00410726 |. 895C24 24 mov [esp+24], ebx
0041072A |. 895C24 28 mov [esp+28], ebx
0041072E |. 895C24 2C mov [esp+2C], ebx
00410732 |. 8B5424 40 mov edx, [esp+40]
00410736 |. 8D4C24 20 lea ecx, [esp+20]
0041073A |. 51 push ecx
0041073B |. 52 push edx
0041073C |. 895C24 40 mov [esp+40], ebx
00410740 |. E8 9BFBFFFF call 004102E0
00410745 |. 8A4424 48 mov al, [esp+48]
00410749 |. 895C24 1C mov [esp+1C], ebx
0041074D |. 884424 18 mov [esp+18], al
00410751 |. 895C24 20 mov [esp+20], ebx
00410755 |. 895C24 24 mov [esp+24], ebx
00410759 |. 8D4C24 18 lea ecx, [esp+18]
0041075D |. 8D5424 28 lea edx, [esp+28]
00410761 |. 51 push ecx
00410762 |. 52 push edx
00410763 |. C64424 48 01 mov byte ptr [esp+48], 1
00410768 |. E8 63FDFFFF call 004104D0
0041076D |. 83C4 10 add esp, 10
00410770 |. E8 DB1F0000 call 00412750
00410775 |. 25 FF000080 and eax, 800000FF
0041077A |. 79 07 jns short 00410783
0041077C |. 48 dec eax
0041077D |. 0D 00FFFFFF or eax, FFFFFF00
00410782 |. 40 inc eax
00410783 |> 8B4C24 48 mov ecx, [esp+48]
00410787 |. 8B7424 14 mov esi, [esp+14]
0041078B |. 884424 40 mov [esp+40], al
0041078F |. 8D51 FF lea edx, [ecx-1]
00410792 |. 3BD3 cmp edx, ebx
00410794 |. 7C 34 jl short 004107CA
00410796 |. 8B6C24 4C mov ebp, [esp+4C]
0041079A |. 8B7C24 44 mov edi, [esp+44]
0041079E |. EB 04 jmp short 004107A4
004107A0 |> 8A4424 40 /mov al, [esp+40]
004107A4 |> 3BD3 cmp edx, ebx
004107A6 |. 8AC8 |mov cl, al
004107A8 |. 74 04 |je short 004107AE
004107AA |. 8A4C3A FF |mov cl, [edx+edi-1]
004107AE |> 81E1 FF000000 |and ecx, 0FF
004107B4 |. 33C0 |xor eax, eax
004107B6 |. 8A043A |mov al, [edx+edi]
004107B9 |. C1E1 04 |shl ecx, 4
004107BC |. 4A |dec edx
004107BD |. 8B4C31 04 |mov ecx, [ecx+esi+4]
004107C1 |. 8A0C08 |mov cl, [eax+ecx]
004107C4 |. 884C2A 01 |mov [edx+ebp+1], cl
004107C8 |.^ 79 D6 \jns short 004107A0
004107CA |> 8B7C24 18 mov edi, [esp+18]
004107CE |. 885C24 38 mov [esp+38], bl
004107D2 |. 3BF7 cmp esi, edi
004107D4 |. 74 33 je short 00410809
004107D6 |. 83C6 04 add esi, 4
004107D9 |> 8B56 04 /mov edx, [esi+4]
004107DC |. 8B06 |mov eax, [esi]
004107DE |. 52 |push edx
004107DF |. 50 |push eax
004107E0 |. 8D4E FC |lea ecx, [esi-4]
004107E3 |. E8 E8010000 |call 004109D0
004107E8 |. 8B06 |mov eax, [esi]
004107EA |. 50 |push eax
004107EB |. E8 C3D50200 |call 0043DDB3
004107F0 |. 891E |mov [esi], ebx
004107F2 |. 895E 04 |mov [esi+4], ebx
004107F5 |. 895E 08 |mov [esi+8], ebx
004107F8 |. 83C6 10 |add esi, 10
004107FB |. 83C4 04 |add esp, 4
004107FE |. 8D4E FC |lea ecx, [esi-4]
00410801 |. 3BCF |cmp ecx, edi
00410803 |.^ 75 D4 \jnz short 004107D9
00410805 |. 8B7424 14 mov esi, [esp+14]
00410809 |> 56 push esi
0041080A |. E8 A4D50200 call 0043DDB3
0041080F |. 8B4424 2C mov eax, [esp+2C]
00410813 |. 8B4C24 28 mov ecx, [esp+28]
00410817 |. 83C4 04 add esp, 4
0041081A |. 3BC8 cmp ecx, eax
0041081C |. 895C24 14 mov [esp+14], ebx
00410820 |. 895C24 18 mov [esp+18], ebx
00410824 |. 895C24 1C mov [esp+1C], ebx
00410828 |. C74424 38 FFFFFFFF mov dword ptr [esp+38], -1
00410830 |. 894424 40 mov [esp+40], eax
00410834 |. 74 3F je short 00410875
00410836 |. 8D71 04 lea esi, [ecx+4]
00410839 |> 8B6E 04 /mov ebp, [esi+4]
0041083C |. 8B3E |mov edi, [esi]
0041083E |. 3BFD |cmp edi, ebp
00410840 |. 74 0E |je short 00410850
00410842 |> 57 |/push edi
00410843 |. E8 28DEFFFF ||call 0040E670
00410848 |. 83C4 04 ||add esp, 4
0041084B |. 47 ||inc edi
0041084C |. 3BFD ||cmp edi, ebp
0041084E |.^ 75 F2 |\jnz short 00410842
00410850 |> 8B16 |mov edx, [esi]
00410852 |. 52 |push edx
00410853 |. E8 5BD50200 |call 0043DDB3
00410858 |. 8B4C24 44 |mov ecx, [esp+44]
0041085C |. 891E |mov [esi], ebx
0041085E |. 895E 04 |mov [esi+4], ebx
00410861 |. 895E 08 |mov [esi+8], ebx
00410864 |. 83C6 10 |add esi, 10
00410867 |. 83C4 04 |add esp, 4
0041086A |. 8D46 FC |lea eax, [esi-4]
0041086D |. 3BC1 |cmp eax, ecx
0041086F |.^ 75 C8 \jnz short 00410839
00410871 |. 8B4C24 24 mov ecx, [esp+24]
00410875 |> 51 push ecx
00410876 |. E8 38D50200 call 0043DDB3
0041087B |. 8B4C24 34 mov ecx, [esp+34]
0041087F |. 83C4 04 add esp, 4
00410882 |. 64:890D 00000000 mov fs:[0], ecx
00410889 |. 5F pop edi
0041088A |. 5E pop esi
0041088B |. 5D pop ebp
0041088C |. 5B pop ebx
0041088D |. 83C4 2C add esp, 2C
00410890 \. C3 retn
用原来的小技巧,发现解密过程在
004105F0 /$ 6A FF push -1
004105F2 |. 68 E8584400 push 004458E8 ; SE 处理程序安装
004105F7 |. 64:A1 00000000 mov eax, fs:[0]
004105FD |. 50 push eax
004105FE |. 64:8925 00000000 mov fs:[0], esp
00410605 |. 83EC 10 sub esp, 10
00410608 |. 8A4424 20 mov al, [esp+20]
0041060C |. 53 push ebx
0041060D |. 55 push ebp
0041060E |. 56 push esi
0041060F |. 33F6 xor esi, esi
00410611 |. 57 push edi
00410612 |. 884424 10 mov [esp+10], al
00410616 |. 897424 14 mov [esp+14], esi
0041061A |. 897424 18 mov [esp+18], esi
0041061E |. 897424 1C mov [esp+1C], esi
00410622 |. 8B5424 30 mov edx, [esp+30]
00410626 |. 8D4C24 10 lea ecx, [esp+10]
0041062A |. 51 push ecx
0041062B |. 52 push edx
0041062C |. 897424 30 mov [esp+30], esi
00410630 |. E8 ABFCFFFF call 004102E0
00410635 |. 83C4 08 add esp, 8
00410638 |. E8 13210000 call 00412750
0041063D |. 25 FF000080 and eax, 800000FF
00410642 |. 79 07 jns short 0041064B
00410644 |. 48 dec eax
00410645 |. 0D 00FFFFFF or eax, FFFFFF00
0041064A |. 40 inc eax
0041064B |> 8B6C24 38 mov ebp, [esp+38]
0041064F |. 8B7C24 14 mov edi, [esp+14]
00410653 |. 33C9 xor ecx, ecx
00410655 |. 3BEE cmp ebp, esi
00410657 |. 884424 30 mov [esp+30], al
0041065B |. 76 36 jbe short 00410693
0041065D |. 8B7424 3C mov esi, [esp+3C]
00410661 |. 8B5C24 34 mov ebx, [esp+34]
00410665 |. EB 04 jmp short 0041066B
00410667 |> 8A4424 30 /mov al, [esp+30]
0041066B |> 85C9 test ecx, ecx
0041066D |. 8AD0 |mov dl, al
0041066F |. 74 04 |je short 00410675
00410671 |. 8A5431 FF |mov dl, [ecx+esi-1]
00410675 |> 81E2 FF000000 |and edx, 0FF
0041067B |. 33C0 |xor eax, eax
0041067D |. 8A0419 |mov al, [ecx+ebx]
00410680 |. C1E2 04 |shl edx, 4
00410683 |. 41 |inc ecx
00410684 |. 8B543A 04 |mov edx, [edx+edi+4]
00410688 |. 3BCD |cmp ecx, ebp
0041068A |. 8A1410 |mov dl, [eax+edx]
0041068D |. 885431 FF |mov [ecx+esi-1], dl
00410691 |.^ 72 D4 \jb short 00410667
00410693 |> 8B4424 18 mov eax, [esp+18]
00410697 |. C74424 28 FFFFFFFF mov dword ptr [esp+28], -1
0041069F |. 3BF8 cmp edi, eax
004106A1 |. 8BE8 mov ebp, eax
004106A3 |. 74 3D je short 004106E2
004106A5 |. 8D77 04 lea esi, [edi+4]
004106A8 |> 8B5E 04 /mov ebx, [esi+4]
004106AB |. 8B3E |mov edi, [esi]
004106AD |. 3BFB |cmp edi, ebx
004106AF |. 74 0E |je short 004106BF
004106B1 |> 57 |/push edi
004106B2 |. E8 B9DFFFFF ||call 0040E670
004106B7 |. 83C4 04 ||add esp, 4
004106BA |. 47 ||inc edi
004106BB |. 3BFB ||cmp edi, ebx
004106BD |.^ 75 F2 |\jnz short 004106B1
004106BF |> 8B06 |mov eax, [esi]
004106C1 |. 50 |push eax
004106C2 |. E8 ECD60200 |call 0043DDB3
004106C7 |. 33C0 |xor eax, eax
004106C9 |. 83C4 04 |add esp, 4
004106CC |. 8906 |mov [esi], eax
004106CE |. 8946 04 |mov [esi+4], eax
004106D1 |. 8946 08 |mov [esi+8], eax
004106D4 |. 83C6 10 |add esi, 10
004106D7 |. 8D4E FC |lea ecx, [esi-4]
004106DA |. 3BCD |cmp ecx, ebp
004106DC |.^ 75 CA \jnz short 004106A8
004106DE |. 8B7C24 14 mov edi, [esp+14]
004106E2 |> 57 push edi
004106E3 |. E8 CBD60200 call 0043DDB3
004106E8 |. 8B4C24 24 mov ecx, [esp+24]
004106EC |. 83C4 04 add esp, 4
004106EF |. 64:890D 00000000 mov fs:[0], ecx
004106F6 |. 5F pop edi
004106F7 |. 5E pop esi
004106F8 |. 5D pop ebp
004106F9 |. 5B pop ebx
004106FA |. 83C4 1C add esp, 1C
004106FD \. C3 retn
还想用ida抓下来,发现涉及的CALL太多,太烦了,于是做起狸猫换太子的勾当。由于加密和解密函数的参数一致性。
00402080 . 50 push eax ; //cipher保存地址
00402081 . 6A 04 push 4 //size=4
00402083 . 8B55 48 mov edx, [ebp+48]
00402086 . 8D4D 4C lea ecx, [ebp+4C]
00402089 . 51 push ecx //plain
0040208A . 52 push edx //key
0040208B . C64424 1B 00 mov byte ptr [esp+1B], 0
00402090 E8 6BE60000 call 00410700 ; call 4105F0 关键CALL
改写00402090代码,换成
00402080 . 50 push eax ; //plain保存地址
00402081 . 6A 04 push 4 //size=4
00402083 . 8B55 48 mov edx, [ebp+48]
00402086 . 8D4D 4C lea ecx, [ebp+4C]
00402089 . 51 push ecx //cipher
0040208A . 52 push edx //key
0040208B . C64424 1B 00 mov byte ptr [esp+1B], 0
00402090 E8 6BE60000 call 4105F0 ; call 4105F0 关键CALL
然后写改加密内容
d ecx 修改成为
0045C3DC 78 79 7A 00 xyz.
运行后,原先地址eax里面就是解密(78 79 7A 00)的明文了。
由于这里的key的随意性,我用了0xBBE5F13E,当然0xBBE5F13E&0x11000000!=0,为什么见前面。
解密的结果是0xB6,0xDD,0x15,0x0E,所以我最早的
B是类DES的密钥={0x3E,0xF1,0xE5,0xBB,0xB6,0xDD,0x15,0x0E};
通过计算得到
A是类DES的明文=类Des解密(BA D9 BA D9 B2 BB B4 ED)=>8 BYTE 明文={42 38 DE AE B8 2F 4D 9C}
再通过unknown1的逆函数得到serial:5C2581-5FB9F6-EDCD94-CFFB59-B321F4-82
【总结】
这个CrackMe很好,玩起来很舒服。谢谢xyz_119兄,也谢谢看到这里的你。
注册机源代码见附件。用到C++/ASM混编。
[培训]《安卓高级研修班(网课)》月薪三万计划,掌
握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
