[分享] calleng 的汇编日记，Hidden Camera Manager算法（考古系列）（天草算法第五课）-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[分享] calleng 的汇编日记，Hidden Camera Manager算法（考古系列）（天草算法第五课）
发表于: 2024-8-15 02:07 1469
[分享] calleng 的汇编日记，Hidden Camera Manager算法（考古系列）（天草算法第五课）

calleng
2024-8-15 02:07
1469
1，年代久远，看着当年的课程满满回忆。课程虽然差，总觉得我就不该看了最新的课程，10 年了，大势所趋，变化也快。
2，看着 2003 年的 S-demo 录制的动画其实也是一种享受。
特别路边的 D 版 hacker 杂志，附赠的光盘，里面的破解动画。 --特喜欢，为了快乐，和没有曾经跨过去的坎，追求，我喜欢的。不会太差。
--- 小目标，录个 crack 的动画。
3，一上来，这个， 08 年的共享软件，真的难倒我了，看了不下 30 个小时，虽然只有 1 小时的，劣质动画，但是算法选题真的非常有水准。
;我们不用关心杂乱的运算 , 他最终赋值是这样的.
; 首先清零 ,然后初始化, 不用关心这些, 杂乱的计算, 和赋值 , 他最终的赋值 ,是这样的,
; 34 , 是用来和邮箱这个字符串, 进行异或运算的,
; 54, 是用来和这个, 用户名这个字符串, 异或运算, 进行运算的.
; 异或运算以后, 接下来, 计算 ESI 的值. 如果大于 3 , 小于等于 > 3. 那么他就把 ESI 赋值为 19. 否则的话, 他就会保存为原值.
; 更具上面两个异或运算已经得到的数组. 对这个 ebp + eax + 54, 和 ebp + eax + 34 再次进行异或运算. 诸位异或运算. , 并且将结果保存到, EAX + 4 这里面. 保存到上面了,
; 相当于原来的 EAX + 4.
; 新的 eax 加 4, 大小是 20. hex. 对他的第一 , 第 11, 再次进行异或运算. , 以后, 除以 ESI .
; 把值加上 41, 保存到 , 计算的数组里面 , 这个注册码里面.
; 0012FB30 2F 71 6C 12 C4 4F 7B 88 /ql...{.
; 45 46 46 43 41 44 42 46 EFFCADBF
;0012FB40 46 47 41 45 45 42 45 47 FGAEEBEG
; 诸位进行异或运算. 除以 ESI , + 41 . ;---> 这就构成一个 16 位的序列号.
; 这节课,内容比较多, 运算非常复杂, 大部分都是异或运算, 但这些异或运算需要对数组进行识别, 对于数组的识别是一个难点.
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
;重新来到, 刚才的代码, 直接按下 界面上的 C , cpu , 界面. 
 
;DRX ---(OD调试器),可以找到 用户 做的所有comment.  所有你在汇编代码后面所做的 注释.可以实现. 
; 课题画外 音, 老师用过, 的 IDA pro 分析过这个 HC.exe
 
 
00425398    .  304C05 54               XOR BYTE PTR SS:[EBP+EAX+54],CL
 
 
 
 
0012FBB0      0F 5F 8A 95 5A 56 22 5D 0F 6B 40 9A 23 A4 61 AB  _姇ZV"]k@??
0012FBC0      ED 94 E7 8B DB 8B 19 D8 C4 0A EB 95 9D D6 73 B3  頂鐙蹕啬.霑澲s?
0012FBD0      87 97 B1 AE E4 FB 12 00 C2 1D 44 00 4C 57 48 00  嚄碑潲.?D.LWH.
0012FBE0      8C 02 CA 00 14 FC 12 00 D1 1F 44 00 8C 02 CA 00  ???.?D.??
0012FBF0      96 00 00 00 00 00 00 00 50 50 42 00 00 00 00 00  ?......PPB.....
0012FC00      39 00 00 00 00 00 00 00 00 00 00 00 48 00 CA 00  9...........H.?
0012FC10      00 00 00 00 00 00 00 00 AB 14 43 00 96 00 00 00  ........?C.?..
0012FC20      00 00 00 00 00 00 00 00 00 00 00 00 96 00 00 00  ............?..
0012FC30      48 00 CA 00 88 FC 12 00 00 00 00 00 C6 FE 43 00  H.?堻.....掐C.
0012FC40      96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ?..............
 
 
 /ql...{.EFFCADBFFGAEEBEG!B..Z5+=
 
 
 
 .text:00425050 55                                            push    ebp
.text:00425051 8D 6C 24 88                                   lea     ebp, [esp-78h]  ; Load Effective Address
.text:00425055 83 EC 78                                      sub     esp, 78h        ; Integer Subtraction
.text:00425058 6A FF                                         push    0FFFFFFFFh
.text:0042505A 68 73 DC 47 00                                push    offset SEH_425050
.text:0042505F 64 A1 00 00 00 00                             mov     eax, large fs:0
.text:00425065 50                                            push    eax
.text:00425066 81 EC AC 00 00 00                             sub     esp, 0ACh       ; Integer Subtraction
.text:0042506C A1 A0 1D 4A 00                                mov     eax, dword_4A1DA0
.text:00425071 33 C5                                         xor     eax, ebp        ; Logical Exclusive OR
.text:00425073 89 45 74                                      mov     [ebp+78h+var_4], eax
.text:00425076 53                                            push    ebx
.text:00425077 56                                            push    esi
.text:00425078 57                                            push    edi
.text:00425079 50                                            push    eax
.text:0042507A 8D 45 F4                                      lea     eax, [ebp+78h+var_84] ; Load Effective Address
.text:0042507D 64 A3 00 00 00 00                             mov     large fs:0, eax
.text:00425083 89 65 F0                                      mov     [ebp+78h+var_88], esp
.text:00425086 8B F1                                         mov     esi, ecx
.text:00425088 6A 00                                         push    0               ; int
.text:0042508A 8D 8E 84 30 01 00                             lea     ecx, [esi+13084h] ; this
.text:00425090 89 75 00                                      mov     [ebp+78h+var_78], esi
.text:00425093                               ;   try {
.text:00425093 C7 45 FC 00 00 00 00                          mov     [ebp+78h+var_7C], 0
.text:0042509A C7 86 50 3D 01 00 01 00 00 00                 mov     dword ptr [esi+13D50h], 1
.text:004250A4 E8 EF 5B 01 00                                call    ?ShowWindow@CWnd@@QAEHH@Z ; Call Procedure
.text:004250A9 8B CE                                         mov     ecx, esi
.text:004250AB E8 D0 77 FE FF                                call    sub_40C880      ; Call Procedure
.text:004250B0 6A 00                                         push    0
.text:004250B2 8D 8D 48 FF FF FF                             lea     ecx, [ebp+78h+var_130] ; Load Effective Address
.text:004250B8 E8 D3 F9 00 00                                call    sub_434A90      ; Call Procedure
.text:004250BD 8D 8D 48 FF FF FF                             lea     ecx, [ebp+78h+var_130] ; this
.text:004250BD                               ;   } // starts at 425093
.text:004250C3                               ;   try {
.text:004250C3 C6 45 FC 01                                   mov     byte ptr [ebp+78h+var_7C], 1
.text:004250C7 E8 19 4F 01 00                                call    ?DoModal@CDialog@@UAEHXZ ; 弹出注册框，并延时，并不马上比较
.text:004250CC 83 F8 01                                      cmp     eax, 1          ; Compare Two Operands
.text:004250CF 0F 85 DF 06 00 00                             jnz     loc_4257B4      ; 跳转到这里
.text:004250D5 8B FE                                         mov     edi, esi
.text:004250D7 8D 87 48 30 01 00                             lea     eax, [edi+13048h] ; Load Effective Address
.text:004250DD 50                                            push    eax
.text:004250DE 8D 8F 44 30 01 00                             lea     ecx, [edi+13044h] ; Load Effective Address
.text:004250E4 51                                            push    ecx
.text:004250E5 8D 97 40 30 01 00                             lea     edx, [edi+13040h] ; Load Effective Address
.text:004250EB 52                                            push    edx
.text:004250EC 8D 87 3C 30 01 00                             lea     eax, [edi+1303Ch] ; Load Effective Address
.text:004250F2 50                                            push    eax
.text:004250F3 8D 8D 48 FF FF FF                             lea     ecx, [ebp+78h+var_130] ; Load Effective Address
.text:004250F9 E8 E2 F6 00 00                                call    sub_4347E0      ; Call Procedure
.text:004250FE 68 1C 28 48 00                                push    offset Str      ; Str
.text:00425103 8D 4D E4                                      lea     ecx, [ebp+78h+Str2] ; Load Effective Address
.text:00425106 E8 55 D4 FD FF                                call    sub_402560      ; Call Procedure
.text:00425106                               ;   } // starts at 4250C3
.text:0042510B                               ;   try {
.text:0042510B C6 45 FC 02                                   mov     byte ptr [ebp+78h+var_7C], 2
.text:0042510F C7 45 EC 00 00 00 00                          mov     [ebp+78h+var_8C], 0
; ------------------     清零-------------------------> 大小是20 ; ------------------     清零-------------------------> 大小是20 ; ------------------ 
.text:00425116 33 C0                                         xor     eax, eax        ; ------------------     清零-------------------------> 大小是20 
.text:00425118
.text:00425118                               loc_425118:                             ; CODE XREF: sub_425050+DD↓j
.text:00425118 83 F8 20                                      cmp     eax, 20h        ; 比较 eax 寄存器的值与 0x20hex ( 32十进制 ) 进行比较，循环会继续进行直到 eax 的值达到或超过 0x20。
.text:00425118                                                                       ;
.text:00425118                                                                       ;     for ( i = 0; i < 32; ++i )
.text:00425118                                                                       ;     {
.text:00425118                                                                       ;       v72[i] = 0;
.text:00425118                                                                       ;       v71[i] = 0;
.text:00425118                                                                       ;       *((_BYTE *)&v70[1] + i) = 0;
.text:00425118                                                                       ;     }
.text:00425118                                                                       ;
.text:00425118                                                                       ; ------》
.text:0042511B 7D 12                                         jge     short loc_42512F ; 如果 eax 的值大于或等于 0x20，跳转到 loc_42512F 结束循环。
.text:0042511D C6 44 05 54 00                                mov     byte ptr [ebp+eax+84], 0 ;   对一个数组进行初始化【 0 写入内存地址 [ebp + eax + 78h + var_24]。这个操作将一个变量清零，内存地址由基址寄存器 ebp 和偏移量 eax + 78h + var_24 计算得出。】
.text:00425122 C6 44 05 34 00                                mov     byte ptr [ebp+eax+52], 0 ; 每次循环以后 他 加一，【将 0 写入内存地址 [ebp + eax + 78h + var_44]，对另一个变量进行清零。】
.text:00425127 C6 44 05 04 00                                mov     byte ptr [ebp+eax+4], 0 ; 每次循环以后 他 加一 【: 将 0 写入内存地址 [ebp + eax + 78h + var_74]，对第三个变量进行清零。】
.text:0042512C 40                                            inc     eax             ; 将 eax 寄存器的值加一。
.text:0042512D EB E9                                         jmp     short loc_425118 ; 跳转回到 loc_425118 处，继续循环。
 
 
012FB10  02 00 00 00 8C 02 A9 01     
 
00 00 00 00 00 00 00 00  ................
012FB20  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
012FB30  00 00 00 00 00 00 00 00    // 24  --> 72 , 48* 6* 8
 
                  80 FB 12 00 00 00 00 00  ................
012FB40  64 FC 12 00 A1 00 00 00  
 
                  00 00 00 00 00 00 00 00  d...............
012FB50  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
012FB60  00 00 00 00 00 00 00 00   // 72
 
                      00 00 00 00 00 00 00 00  ................
012FB70  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
012FB80  00 00 00 00 00 00 00 00   // 104 ----> 最后的部分清零
 
                  42 50 D2 37 9C FB 12 00  ........BP......
012FB90  C2 1D 44 00 4C 57 48 00  8C 02 A9 01 CC FB 12 00  ..D.LWH.........
012FBA0  D1 1F 44 00 8C 02 A9 01  96 00 00 00 00 00 00 00  ..D.............
 
     ; -----------------------; ------------------     清零-------------------------> 大小是10 ----- -------以后的操作可能只会对这60个byte 进行操作.-----------------------------------
 
.text:0042512F                               ; ---------------------------------------------------------------------------
.text:0042512F
.text:0042512F                               loc_42512F:                             ; CODE XREF: sub_425050+CB↑j
.text:0042512F 33 C0                                         xor     eax, eax        ; ，执行了一次循环来初始化一个数组的部分
.text:00425131
.text:00425131                               loc_425131:                             ; CODE XREF: sub_425050+EC↓j
.text:00425131 83 F8 10                                      cmp     eax, 10h        ;
.text:00425131                                                                       ;     for ( j = 0; j < 16; ++j )
.text:00425131                                                                       ;       *((_BYTE *)&v70[9] + j) = 0;
.text:00425131                                                                       ;
.text:00425131                                                                       ; 比较 eax 寄存器的值与 0x10 (16)，也就是说，循环会继续进行直到 eax 的值达到或超过 0x10。
.text:00425134 7D 08                                         jge     short loc_42513E ; 如果 eax 的值大于或等于 0x10，跳转到 loc_42513E 结束循环。
.text:00425136 C6 44 05 24 00                                mov     byte ptr [ebp+eax+36], 0 ; 将 0 写入内存地址 [ebp + eax + 78h + var_54]，对一个变量进行清零。
.text:0042513B 40                                            inc     eax             ; 将 eax 寄存器的值加一。
.text:0042513C EB F3                                         jmp     short loc_425131 ;  跳转回到 loc_425131 处，继续循环。
 
   ; -------------------   ; --------------------------------- 初始化-----------------------------------------------------
.text:0042513E
.text:0042513E                               loc_42513E:                             ; CODE XREF: sub_425050+E4↑j
.text:0042513E 8B B7 3C 30 01 00                             mov     esi, [edi+1303Ch] ; 初始化
.text:00425144 B0 0F                                         mov     al, 15          ; //------> 用户名 crack ， ESI
.text:00425146 88 45 54                                      mov     [ebp+84], al
.text:00425149 88 45 5C                                      mov     [ebp+92], al
.text:0042514C B0 8B                                         mov     al, 8Bh
.text:0042514E B1 3B                                         mov     cl, 3Bh ; ';'
.text:00425150 88 45 3E                                      mov     [ebp+78h+var_3A], al
.text:00425153 88 45 67                                      mov     [ebp+78h+var_11], al
.text:00425156 88 45 69                                      mov     [ebp+78h+var_F], al
.text:00425159 81 C7 3C 30 01 00                             add     edi, 1303Ch     ; Add
.text:0042515F B0 EB                                         mov     al, 0EBh
.text:00425161 B2 B2                                         mov     dl, 0B2h
.text:00425163 88 4D 38                                      mov     [ebp+78h+var_40], cl
.text:00425166 88 4D 46                                      mov     [ebp+78h+var_32], cl
.text:00425169 88 45 4C                                      mov     [ebp+78h+var_2C], al
.text:0042516C 88 45 6E                                      mov     [ebp+78h+var_A], al
.text:0042516F 88 4D 53                                      mov     [ebp+78h+var_25], cl
.text:00425172 8B 4E F0                                      mov     ecx, [esi-10h]
.text:00425175 83 EE 10                                      sub     esi, 10h        ; Integer Subtraction
.text:00425178 B0 87                                         mov     al, 87h
.text:0042517A 88 55 42                                      mov     [ebp+78h+var_36], dl
.text:0042517D 88 55 44                                      mov     [ebp+78h+var_34], dl
.text:00425180 8B 11                                         mov     edx, [ecx]
.text:00425182 B3 94                                         mov     bl, 94h
.text:00425184 88 45 4E                                      mov     [ebp+78h+var_2A], al
.text:00425187 88 45 4F                                      mov     [ebp+78h+var_29], al
.text:0042518A 8B 42 10                                      mov     eax, [edx+10h]
.text:0042518D C6 45 34 13                                   mov     [ebp+78h+var_44], 13h
.text:00425191 C6 45 55 5F                                   mov     [ebp+78h+var_23], 5Fh ; '_'
.text:00425195 C6 45 35 77                                   mov     [ebp+78h+var_43], 77h ; 'w'
.text:00425199 C6 45 56 8A                                   mov     [ebp+78h+var_22], 8Ah
.text:0042519D C6 45 36 82                                   mov     [ebp+78h+var_42], 82h
.text:004251A1 C6 45 57 95                                   mov     [ebp+78h+var_21], 95h
.text:004251A5 C6 45 37 75                                   mov     [ebp+78h+var_41], 75h ; 'u'
.text:004251A9 C6 45 58 5A                                   mov     [ebp+78h+var_20], 5Ah ; 'Z'
.text:004251AD C6 45 59 56                                   mov     [ebp+78h+var_1F], 56h ; 'V'
.text:004251B1 C6 45 39 59                                   mov     [ebp+78h+var_3F], 59h ; 'Y'
.text:004251B5 C6 45 5A 22                                   mov     [ebp+78h+var_1E], 22h ; '"'
.text:004251B9 C6 45 3A 47                                   mov     [ebp+78h+var_3E], 47h ; 'G'
.text:004251BD C6 45 5B 5D                                   mov     [ebp+78h+var_1D], 5Dh ; ']'
.text:004251C1 C6 45 3B 58                                   mov     [ebp+78h+var_3D], 58h ; 'X'
.text:004251C5 C6 45 3C 9E                                   mov     [ebp+78h+var_3C], 9Eh
.text:004251C9 C6 45 5D 6B                                   mov     [ebp+78h+var_1B], 6Bh ; 'k'
.text:004251CD C6 45 3D 27                                   mov     [ebp+78h+var_3B], 27h ; '''
.text:004251D1 C6 45 5E 40                                   mov     [ebp+78h+var_1A], 40h ; '@'
.text:004251D5 C6 45 5F 9A                                   mov     [ebp+78h+var_19], 9Ah
.text:004251D9 88 5D 3F                                      mov     [ebp+78h+var_39], bl
.text:004251DC C6 45 60 23                                   mov     [ebp+78h+var_18], 23h ; '#'
.text:004251E0 C6 45 40 BF                                   mov     [ebp+78h+var_38], 0BFh
.text:004251E4 C6 45 61 A4                                   mov     [ebp+78h+var_17], 0A4h
.text:004251E8 C6 45 41 11                                   mov     [ebp+78h+var_37], 11h
.text:004251EC C6 45 62 61                                   mov     [ebp+78h+var_16], 61h ; 'a'
.text:004251F0 C6 45 63 AB                                   mov     [ebp+78h+var_15], 0ABh
.text:004251F4 C6 45 43 7F                                   mov     [ebp+78h+var_35], 7Fh
.text:004251F8 C6 45 64 ED                                   mov     [ebp+78h+var_14], 0EDh
.text:004251FC 88 5D 65                                      mov     [ebp+78h+var_13], bl
.text:004251FF C6 45 45 B7                                   mov     [ebp+78h+var_33], 0B7h
.text:00425203 C6 45 66 E7                                   mov     [ebp+78h+var_12], 0E7h
.text:00425207 C6 45 47 B9                                   mov     [ebp+78h+var_31], 0B9h
.text:0042520B C6 45 68 DB                                   mov     [ebp+78h+var_10], 0DBh
.text:0042520F C6 45 48 8F                                   mov     [ebp+78h+var_30], 8Fh
.text:00425213 C6 45 49 C5                                   mov     [ebp+78h+var_2F], 0C5h
.text:00425217 C6 45 6A 19                                   mov     [ebp+78h+var_E], 25
.text:0042521B C6 45 4A 70                                   mov     [ebp+78h+var_2E], 70h ; 'p'
.text:0042521F C6 45 6B D8                                   mov     [ebp+78h+var_D], 0D8h
.text:00425223 C6 45 4B 3A                                   mov     [ebp+78h+var_2D], 3Ah ; ':'
.text:00425227 C6 45 6C C4                                   mov     [ebp+78h+var_C], 0C4h
.text:0042522B C6 45 6D 0A                                   mov     [ebp+78h+var_B], 0Ah
.text:0042522F C6 45 4D 7B                                   mov     [ebp+78h+var_2B], 7Bh ; '{'
.text:00425233 C6 45 6F 95                                   mov     [ebp+78h+var_9], 95h
.text:00425237 C6 45 70 9D                                   mov     [ebp+78h+var_8], 9Dh
.text:0042523B C6 45 50 59                                   mov     [ebp+78h+var_28], 59h ; 'Y'
.text:0042523F C6 45 71 D6                                   mov     [ebp+78h+var_7], 0D6h
.text:00425243 C6 45 51 99                                   mov     [ebp+78h+var_27], 99h
.text:00425247 C6 45 72 73                                   mov     [ebp+78h+var_6], 73h ; 's'
.text:0042524B C6 45 52 08                                   mov     [ebp+78h+var_26], 8
.text:0042524F C6 45 73 B3                                   mov     [ebp+78h+var_5], 0B3h
.text:00425253 FF D0                                         call    eax             ; Indirect Call Near Procedure
.text:00425255 83 7E 0C 00                                   cmp     dword ptr [esi+0Ch], 0 ; Compare Two Operands
.text:00425259 8D 4E 0C                                      lea     ecx, [esi+0Ch]  ; Load Effective Address
.text:0042525C 7C 11                                         jl      short loc_42526F ; Jump if Less (SF!=OF)
.text:0042525E 3B 06                                         cmp     eax, [esi]      ; Compare Two Operands
.text:00425260 75 0D                                         jnz     short loc_42526F ; 在这里跳转
.text:00425262 8B DE                                         mov     ebx, esi
.text:00425264 BA 01 00 00 00                                mov     edx, 1
.text:00425269 F0 0F C1 11                                   lock xadd [ecx], edx    ; t<-dest; dest<-src+dest; src<-t
.text:0042526D EB 35                                         jmp     short loc_4252A4 ; // 在这里跳， 3个 位置的 分别的 32bit 的空间，赋值了。
 
012FB10  02 00 00 00 8C 02 A9 01     
 
00 00 00 00 00 00 00 00  ................
012FB20  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
012FB30  00 00 00 00 00 00 00 00    // 24  --> 72 , 48* 6* 8
 
                  80 FB 12 00 00 00 00 00  ................
012FB40  64 FC 12 00 A1 00 00 00  
 
                  00 00 00 00 00 00 00 00  d...............
012FB50  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
012FB60  00 00 00 00 00 00 00 00   // 72
 
                      00 00 00 00 00 00 00 00  ................
012FB70  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
012FB80  00 00 00 00 00 00 00 00   // 104 ----> 最后的部分清零
 
                  42 50 D2 37 9C FB 12 00  ........BP......
012FB90  C2 1D 44 00 4C 57 48 00  8C 02 A9 01 CC FB 12 00  ..D.LWH.........
012FBA0  D1 1F 44 00 8C 02 A9 01  96 00 00 00 00 00 00 00  ..D.............
;--------- > 这是我的做的
 
 
[eax+04]0012FB10  02 00 00 00 8C 02 A9 01  00 00 00 00 00 00 00 00  ................
[eax+14]0012FB20  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
 
[eax+24]0012FB30  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
 
[eax+34]0012FB40  00 00 00 00 00 00 00 00  
 
                           13 77 82 75 3B 59 47 58  .........w.u;YGX    ;---------------- 初始化最后的结果是这两行
[eax+44]0012FB50  9E 27 8B 94 BF 11 B2 7F  B2 B7 3B B9 8F C5 70 3A  .'........;....:
 
[eax+54]0012FB60  EB 7B 87 87 59 99 08 3B  0F 5F 8A 95 5A 56 22 5D  ....Y..;._..ZV"]   ;---------------- 初始化最后的结果是这两行
[eax+64]0012FB70  0F 6B 40 9A 23 A4 61 AB  ED 94 E7 8B DB 8B 19 D8  .k@.#.a.....ۋ ..
 
[eax+74]0012FB80  C4 0A EB 95 9D D6 73 B3 
 
 
                       42 50 D2 37 9C FB 12 00  ..땝  ...BP......
[eax+84]0012FB90  C2 1D 44 00 4C 57 48 00  8C 02 A9 01 CC FB 12 00  ..D.LWH.........
[eax+94]0012FBA0  D1 1F 44 00 8C 02 A9 01  96 00 00 00 00 00 00 00  ..D.............
[eax+104]0012FBB0  50 50 42 00 00 00 00 00  39 00 00 00 00 00 00 00  PPB.....9.......
; ---------------------> 这里是 天草做的.
 
.text:0042526F                               ; ---------------------------------------------------------------------------
.text:0042526F
.text:0042526F                               loc_42526F:                             ; CODE XREF: sub_425050+20C↑j
.text:0042526F                                                                       ; sub_425050+210↑j
.text:0042526F 8B 4E 04                                      mov     ecx, [esi+4]
.text:00425272 8B 10                                         mov     edx, [eax]
.text:00425274 8B 12                                         mov     edx, [edx]
.text:00425276 6A 01                                         push    1
.text:00425278 51                                            push    ecx
.text:00425279 8B C8                                         mov     ecx, eax
.text:0042527B FF D2                                         call    edx             ; Indirect Call Near Procedure
.text:0042527D 8B D8                                         mov     ebx, eax
.text:0042527F 85 DB                                         test    ebx, ebx        ; Logical Compare
.text:00425281 75 05                                         jnz     short loc_425288 ; Jump if Not Zero (ZF=0)
.text:00425283 E8 A8 BF FD FF                                call    sub_401230      ; Call Procedure
.text:00425288                               ; ---------------------------------------------------------------------------
.text:00425288
.text:00425288                               loc_425288:                             ; CODE XREF: sub_425050+231↑j
.text:00425288 8B 46 04                                      mov     eax, [esi+4]
.text:0042528B 89 43 04                                      mov     [ebx+4], eax
.text:0042528E 8B 46 04                                      mov     eax, [esi+4]
.text:00425291 40                                            inc     eax             ; Increment by 1
.text:00425292 50                                            push    eax             ; SourceSize
.text:00425293 83 C6 10                                      add     esi, 10h        ; Add
.text:00425296 56                                            push    esi             ; Source
.text:00425297 50                                            push    eax             ; DestinationSize
.text:00425298 8D 4B 10                                      lea     ecx, [ebx+10h]  ; Load Effective Address
.text:0042529B 51                                            push    ecx             ; Destination
.text:0042529C E8 67 F9 03 00                                call    _memcpy_s       ; Call Procedure
.text:004252A1 83 C4 10                                      add     esp, 10h        ; Add
.text:004252A4
.text:004252A4                               loc_4252A4:                             ; CODE XREF: sub_425050+21D↑j
.text:004252A4 83 C3 10                                      add     ebx, 10h        ; Add
.text:004252A7 89 5D DC                                      mov     [ebp+78h+Source], ebx
.text:004252AA 8B 45 00                                      mov     eax, [ebp+78h+var_78]
.text:004252AD 8B B0 40 30 01 00                             mov     esi, [eax+13040h] ; ------------》  calleng@gmail.com
.text:004252B3 8B 4E F0                                      mov     ecx, [esi-10h]
.text:004252B6 8B 11                                         mov     edx, [ecx]
.text:004252B8 05 40 30 01 00                                add     eax, 13040h     ; Add
.text:004252BD 83 EE 10                                      sub     esi, 10h        ; Integer Subtraction
.text:004252C0 89 45 E8                                      mov     [ebp+78h+var_90], eax
.text:004252C3 8B 42 10                                      mov     eax, [edx+10h]
.text:004252C3                               ;   } // starts at 42510B
.text:004252C6                               ;   try {
.text:004252C6 C6 45 FC 03                                   mov     byte ptr [ebp+78h+var_7C], 3
.text:004252CA FF D0                                         call    eax             ; Indirect Call Near Procedure
.text:004252CC 83 7E 0C 00                                   cmp     dword ptr [esi+0Ch], 0 ; Compare Two Operands
.text:004252D0 8D 4E 0C                                      lea     ecx, [esi+0Ch]  ; Load Effective Address
.text:004252D3 7C 11                                         jl      short loc_4252E6 ; Jump if Less (SF!=OF)
.text:004252D5 3B 06                                         cmp     eax, [esi]      ; Compare Two Operands
.text:004252D7 75 0D                                         jnz     short loc_4252E6 ; Jump if Not Zero (ZF=0)
.text:004252D9 8B DE                                         mov     ebx, esi
.text:004252DB BA 01 00 00 00                                mov     edx, 1
.text:004252E0 F0 0F C1 11                                   lock xadd [ecx], edx    ; t<-dest; dest<-src+dest; src<-t
.text:004252E4 EB 35                                         jmp     short loc_42531B ; // ---------------------------》 这里发生跳转
.text:004252E6                               ; ---------------------------------------------------------------------------
.text:004252E6
.text:004252E6                               loc_4252E6:                             ; CODE XREF: sub_425050+283↑j
.text:004252E6                                                                       ; sub_425050+287↑j
.text:004252E6 8B 4E 04                                      mov     ecx, [esi+4]
.text:004252E9 8B 10                                         mov     edx, [eax]
.text:004252EB 8B 12                                         mov     edx, [edx]
.text:004252ED 6A 01                                         push    1
.text:004252EF 51                                            push    ecx
.text:004252F0 8B C8                                         mov     ecx, eax
.text:004252F2 FF D2                                         call    edx             ; Indirect Call Near Procedure
.text:004252F4 8B D8                                         mov     ebx, eax
.text:004252F6 85 DB                                         test    ebx, ebx        ; Logical Compare
.text:004252F8 75 05                                         jnz     short loc_4252FF ; Jump if Not Zero (ZF=0)
.text:004252FA E8 31 BF FD FF                                call    sub_401230      ; Call Procedure
; ------------------------------ ---字符串连接 --------------------------------------------------------------
.text:004252FF
.text:004252FF                               loc_4252FF:                             ; CODE XREF: sub_425050+2A8↑j
.text:004252FF 8B 46 04                                      mov     eax, [esi+4]
.text:00425302 89 43 04                                      mov     [ebx+4], eax
.text:00425305 8B 46 04                                      mov     eax, [esi+4]
.text:00425308 40                                            inc     eax             ; Increment by 1
.text:00425309 50                                            push    eax             ; SourceSize
.text:0042530A 83 C6 10                                      add     esi, 10h        ; Add
.text:0042530D 56                                            push    esi             ; Source
.text:0042530E 50                                            push    eax             ; DestinationSize
.text:0042530F 8D 4B 10                                      lea     ecx, [ebx+10h]  ; Load Effective Address
.text:00425312 51                                            push    ecx             ; Destination
.text:00425313 E8 F0 F8 03 00                                call    _memcpy_s       ; Call Procedure
.text:00425318 83 C4 10                                      add     esp, 10h        ; 字符串连接
.text:0042531B
.text:0042531B                               loc_42531B:                             ; CODE XREF: sub_425050+294↑j
.text:0042531B 83 C3 10                                      add     ebx, 10h        ; Add
.text:0042531E 89 5D E0                                      mov     [ebp+78h+var_98], ebx
.text:00425321 8B 75 00                                      mov     esi, [ebp+78h+var_78]
.text:00425324 8B 86 48 30 01 00                             mov     eax, [esi+13048h] ; 出现在 EAX 中----------------》数量--》 ASCII “256”
.text:0042532A 8B 48 F4                                      mov     ecx, [eax-0Ch]  ; --》 hex 内存窗口跟随
.text:0042532D 81 C6 48 30 01 00                             add     esi, 13048h     ; Add
.text:00425333 51                                            push    ecx             ; DestinationSize
.text:00425334 50                                            push    eax             ; Str
.text:00425335 8B CF                                         mov     ecx, edi
.text:00425335                               ;   } // starts at 4252C6
.text:00425337                               ;   try {
.text:00425337 C6 45 FC 04                                   mov     byte ptr [ebp+78h+var_7C], 4
.text:0042533B E8 80 C7 FD FF                                call    sub_401AC0      ; Call Procedure
.text:00425340 8B 5D E8                                      mov     ebx, [ebp+78h+var_90] ;     //    EAX 直接用户名 + 数量  crack256
.text:00425343 53                                            push    ebx  
.text:00425344 8D 55 E8                                      lea     edx, [ebp+78h+var_90] ; Load Effective Address
.text:00425347 56                                            push    esi
.text:00425348 52                                            push    edx
.text:00425349 E8 82 C9 FD FF                                call    sub_401CD0      ;       //    直接数量 +  邮箱   256calleng@gmail.com
.text:0042534E 83 C4 0C                                      add     esp, 0Ch        ; Add
.text:00425351 50                                            push    eax
.text:00425352 8B CB                                         mov     ecx, ebx
.text:00425352                               ;   } // starts at 425337
.text:00425354                               ;   try {
.text:00425354 C6 45 FC 05                                   mov     byte ptr [ebp+78h+var_7C], 5
.text:00425358 E8 93 C8 FD FF                                call    sub_401BF0      ; Call Procedure
.text:0042535D 8B 45 E8                                      mov     eax, [ebp+78h+var_90]
.text:00425360 83 C0 F0                                      add     eax, 0FFFFFFF0h ; Add
.text:00425360                               ;   } // starts at 425354
.text:00425363                               ;   try {
.text:00425363 C6 45 FC 04                                   mov     byte ptr [ebp+78h+var_7C], 4
.text:00425367 8D 48 0C                                      lea     ecx, [eax+0Ch]  ; Load Effective Address
.text:0042536A 83 CA FF                                      or      edx, 0FFFFFFFFh ; Logical Inclusive OR
.text:0042536D F0 0F C1 11                                   lock xadd [ecx], edx    ; t<-dest; dest<-src+dest; src<-t
.text:00425371 4A                                            dec     edx             ; Decrement by 1
.text:00425372 85 D2                                         test    edx, edx        ; Logical Compare
.text:00425374 7F 0A                                         jg      short loc_425380 ; Jump if Greater (ZF=0 & SF=OF)
.text:00425376 8B 08                                         mov     ecx, [eax]
.text:00425378 8B 11                                         mov     edx, [ecx]
.text:0042537A 50                                            push    eax
.text:0042537B 8B 42 04                                      mov     eax, [edx+4]
.text:0042537E FF D0                                         call    eax             ; Indirect Call Near Procedure
.text:00425380
.text:00425380                               loc_425380:                             ; CODE XREF: sub_425050+324↑j
.text:00425380 8B 75 EC                                      mov     esi, [ebp+78h+var_8C]
.text:00425383 33 C0                                         xor     eax, eax        ; Logical Exclusive OR
;--------------------------------<用户名的异或运算>------------------------------------------------------------------------ 这是一个循环体,进行计算!
.text:00425385
.text:00425385                               loc_425385:                             ; CODE XREF: sub_425050+35A↓j
.text:00425385 8B 0F                                         mov     ecx, [edi]      ; crack256
.text:00425387 3B 41 F4                                      cmp     eax, [ecx-0Ch]  ; Compare Two Operands
.text:0042538A 7D 2A                                         jge     short loc_4253B6 ; // ----------》 下断 ，F2
.text:0042538C 85 C0                                         test    eax, eax        ; Logical Compare
.text:0042538E 7C 1C                                         jl      short loc_4253AC ; // ----------》 下断 ，F2
.text:00425390 3B 41 F4                                      cmp     eax, [ecx-0Ch]  ; Compare Two Operands
.text:00425393 7F 17                                         jg      short loc_4253AC ; // ----------》 下断 ，F2
.text:00425395 8A 0C 01                                      mov     cl, [ecx+eax]   ; ----》 取 ASCII “Crack256” 的 第 i 个字符
.text:00425398 30 4C 05 54                                   xor     [ebp+eax+84], cl ;  -----》 发生异或运算  --------------------> 将两个 ASCII 码 发生异或运算!  array( eax+84 )
.text:0042539C 8B 0F                                         mov     ecx, [edi]
.text:0042539E 3B 41 F4                                      cmp     eax, [ecx-0Ch]  ; ecx--0ch 是长度
.text:004253A1 7F 09                                         jg      short loc_4253AC ; // ----------》 下断 ，F2
.text:004253A3 0F B6 14 01                                   movzx   edx, byte ptr [ecx+eax] ; Move with Zero-Extend
.text:004253A7 03 F2                                         add     esi, edx        ; Add
.text:004253A9 40                                            inc     eax             ; Increment by 1
.text:004253AA EB D9                                         jmp     short loc_425385 ; ---------》 循环的次数，就是字符串的长度
.text:004253AC                               ; ----------------<邮箱的异或运算>--------------------------------------------------------------------------------------------------
.text:004253AC
.text:004253AC                               loc_4253AC:                             ; CODE XREF: sub_425050+33E↑j
.text:004253AC                                                                       ; sub_425050+343↑j ...
.text:004253AC 68 57 00 07 80                                push    80070057h       ; // ----------》 下断 ，F2
.text:004253B1 E8 FA BC FD FF                                call    sub_4010B0      ; // ------------------》 这里程序可能会跑飞
.text:004253B6                               ; ---------------------------------------------------------------------------
.text:004253B6
.text:004253B6                               loc_4253B6:                             ; CODE XREF: sub_425050+33A↑j
.text:004253B6 8B 5D 00                                      mov     ebx, [ebp+78h+var_78] ; // ----------》 下断 ，F2
.text:004253B9 33 C0                                         xor     eax, eax        ; Logical Exclusive OR
.text:004253BB EB 03                                         jmp     short loc_4253C0 ; 256calleng@gmail。com
.text:004253BB                               ; ---------------------------------------------------------------------------
.text:004253BD 8D 49 00                                      align 10h
.text:004253C0
.text:004253C0                               loc_4253C0:                             ; CODE XREF: sub_425050+36B↑j
.text:004253C0                                                                       ; sub_425050+39D↓j
.text:004253C0 8B 8B 40 30 01 00                             mov     ecx, [ebx+13040h] ; 256calleng@gmail。com
.text:004253C6 3B 41 F4                                      cmp     eax, [ecx-0Ch]  ; Compare Two Operands
.text:004253C9 7D 24                                         jge     short loc_4253EF ; Jump if Greater or Equal (SF=OF)
.text:004253CB 85 C0                                         test    eax, eax        ; Logical Compare
.text:004253CD 7C DD                                         jl      short loc_4253AC ; // ----------》 下断 ，F2
.text:004253CF 3B 41 F4                                      cmp     eax, [ecx-0Ch]  ; 0ch, 0c后面h代表是16进制------>   12【十进制】
.text:004253D2 7F D8                                         jg      short loc_4253AC ; // ----------》 下断 ，F2
.text:004253D4 8A 0C 01                                      mov     cl, [ecx+eax]   ; ---------》 逐个取字符
.text:004253D7 30 4C 05 34                                   xor     [ebp+eax+52], cl ; Logical Exclusive OR
.text:004253DB 8B 8B 40 30 01 00                             mov     ecx, [ebx+13040h] ;  calleng@gmail.com
.text:004253E1 3B 41 F4                                      cmp     eax, [ecx-12]   ; Compare Two Operands
.text:004253E4 7F C6                                         jg      short loc_4253AC ; // ----------》 下断 ，F2
.text:004253E6 0F B6 14 01                                   movzx   edx, byte ptr [ecx+eax] ; Move with Zero-Extend
.text:004253EA 03 F2                                         add     esi, edx        ; Add
.text:004253EC 40                                            inc     eax             ; Increment by 1
.text:004253ED EB D1                                         jmp     short loc_4253C0 ; 256calleng@gmail。com
.text:004253EF                               ; ---------------------------------------------------------------------------
.text:004253EF
.text:004253EF                               loc_4253EF:                             ; CODE XREF: sub_425050+379↑j
.text:004253EF B8 1F 85 EB 51                                mov     eax, 51EB851Fh
.text:004253F4 F7 E6                                         mul     esi             ; Unsigned Multiplication of AL or AX
.text:004253F6 C1 EA 03                                      shr     edx, 3          ; Shift Logical Right
.text:004253F9 6B D2 E7                                      imul    edx, -19h       ; Signed Multiply
.text:004253FC 03 F2                                         add     esi, edx        ; Add
.text:004253FE 83 FE 03                                      cmp     esi, 3          ; Compare Two Operands
.text:00425401 73 05                                         jnb     short loc_425408 ; Jump if Not Below (CF=0)
.text:00425403 BE 19 00 00 00                                mov     esi, 19h
.text:00425408
.text:00425408                               loc_425408:                             ; CODE XREF: sub_425050+3B1↑j
.text:00425408 33 C0                                         xor     eax, eax        ; Logical Exclusive OR
.text:0042540A 8D 9B 00 00 00 00                             lea     ebx, [ebx+0]    ; Load Effective Address
.text:00425410
.text:00425410                               loc_425410:                             ; CODE XREF: sub_425050+3D2↓j
.text:00425410 83 F8 20                                      cmp     eax, 20h ; ' '  ; ；--------------》 这里的结构体，还是要把这里的数据 全部填充完毕
.text:00425413 7D 0F                                         jge     short loc_425424 ; Jump if Greater or Equal (SF=OF)
.text:00425415 8A 4C 05 34                                   mov     cl, [ebp+eax+52]
.text:00425419 32 4C 05 54                                   xor     cl, [ebp+eax+84] ; Logical Exclusive OR
.text:0042541D 40                                            inc     eax             ; 这是注释
.text:0042541E 88 4C 05 03                                   mov     [ebp+eax+3], cl
.text:00425422 EB EC                                         jmp     short loc_425410 ; ；--------------》 这里的结构体，还是要把这里的数据 全部填充完毕
 
0012FB10  04 00 00 00 8C 02 A9 01  
                       4D 6F 5F E0 6B 51 3C 56  ........Mo_...<V
0012FB20  FF 2B 8B 69 F1 D4 BA B8  71 40 B3 5F 54 4E 69 E2  .+.i....q@._TNi.   ;  最后的 XOR 的值
0012FB30  2F 71 6C 12 C4 4F 7B 88  
                   00 00 00 00 00 00 00 00  /ql...{.........
 
 
.text:00425424                               ; ---------------------------------------------------------------------------
.text:00425424
.text:00425424                               loc_425424:                             ; CODE XREF: sub_425050+3C3↑j
.text:00425424 33 C9                                         xor     ecx, ecx        ; Logical Exclusive OR
.text:00425426
.text:00425426                               loc_425426:                             ; CODE XREF: sub_425050+3F3↓j
.text:00425426 83 F9 10                                      cmp     ecx, 16         ; Compare Two Operands
.text:00425429 7D 1A                                         jge     short loc_425445 ; Jump if Greater or Equal (SF=OF)
.text:0042542B 0F B6 54 0D 04                                movzx   edx, byte ptr [ebp+ecx+4] ; Move with Zero-Extend
.text:00425430 0F B6 44 0D 14                                movzx   eax, byte ptr [ebp+ecx+20] ; ebp+ecx+20 ------》 只有等到循环完成后， 才是，真实的位置--》注册码 --》 开始的位置
.text:00425435 33 C2                                         xor     eax, edx        ; Logical Exclusive OR
.text:00425437 33 D2                                         xor     edx, edx        ; Logical Exclusive OR
.text:00425439 F7 F6                                         div     esi             ; Unsigned Divide
.text:0042543B 80 C2 41                                      add     dl, 41h ; 'A'   ; Add
.text:0042543E 88 54 0D 24                                   mov     [ebp+ecx+36], dl ; [ebp+ecx+36] ------》 只有等到循环完成后， 才是，真实的位置--》注册码 --》 结束的位置
.text:00425442 41                                            inc     ecx             ; Increment by 1
.text:00425443 EB E1                                         jmp     short loc_425426 ; Jump
 
0012FB30  2F 71 6C 12 C4 4F 7B 88    /ql...{.
      45 46 46 43 41 44 42 46    EFFCADBF
0012FB40  46 47 41 45 45 42 45 47    FGAEEBEG     
      21 42 B4 16 5A 35 2B 3D    !B..Z5+=
     
 
.text:00425445                               ; --------------------------------------------------------------------------- 已经跟踪到 和正确的 序列号!!
.text:00425445
.text:00425445                               loc_425445:                             ; CODE XREF: sub_425050+3D9↑j
.text:00425445 33 F6                                         xor     esi, esi        ; Logical Exclusive OR
.text:00425447
.text:00425447                               loc_425447:                             ; CODE XREF: sub_425050+443↓j
.text:00425447 83 FE 10                                      cmp     esi, 10h        ;  -----——》 结构体 大小是 10
.text:0042544A 7D 49                                         jge     short loc_425495 ; 比较正码，和假 码的位置
.text:0042544A                                                                       ; EFFCADBFFGAEEBEG
.text:0042544C 0F B6 44 35 24                                movzx   eax, byte ptr [ebp+esi+36] ; Move with Zero-Extend
.text:00425451 6A 01                                         push    1               ; Size
.text:00425453 50                                            push    eax             ; char
.text:00425454 8D 4D EC                                      lea     ecx, [ebp-20]   ; Load Effective Address
.text:00425457 E8 B4 67 FE FF                                call    sub_40BC10      ; Call Procedure
.text:0042545C 8B 00                                         mov     eax, [eax]
.text:0042545E 8B 48 F4                                      mov     ecx, [eax-12]
.text:00425461 51                                            push    ecx             ; DestinationSize
.text:00425462 50                                            push    eax             ; Str
.text:00425463 8D 4D E4                                      lea     ecx, [ebp-28]   ; Load Effective Address
.text:00425463                               ;   } // starts at 425363
.text:00425466                               ;   try {
.text:00425466 C6 45 FC 06                                   mov     byte ptr [ebp-4], 6
.text:0042546A E8 51 C6 FD FF                                call    sub_401AC0      ; Call Procedure
.text:0042546F 8B 45 EC                                      mov     eax, [ebp-20]
.text:00425472 83 C0 F0                                      add     eax, 0FFFFFFF0h ; Add
.text:00425472                               ;   } // starts at 425466
.text:00425475                               ;   try {
.text:00425475 C6 45 FC 04                                   mov     byte ptr [ebp-4], 4
.text:00425479 8D 48 0C                                      lea     ecx, [eax+12]   ; Load Effective Address
.text:0042547C 83 CA FF                                      or      edx, 0FFFFFFFFh ; Logical Inclusive OR
.text:0042547F F0 0F C1 11                                   lock xadd [ecx], edx    ; t<-dest; dest<-src+dest; src<-t
.text:00425483 4A                                            dec     edx             ; Decrement by 1
.text:00425484 85 D2                                         test    edx, edx        ; Logical Compare
.text:00425486 7F 0A                                         jg      short loc_425492 ; Jump if Greater (ZF=0 & SF=OF)
.text:00425488 8B 08                                         mov     ecx, [eax]
.text:0042548A 8B 11                                         mov     edx, [ecx]
.text:0042548C 50                                            push    eax
.text:0042548D 8B 42 04                                      mov     eax, [edx+4]
.text:00425490 FF D0                                         call    eax             ; Indirect Call Near Procedure
.text:00425492
.text:00425492                               loc_425492:                             ; CODE XREF: sub_425050+436↑j
.text:00425492 46                                            inc     esi             ; Increment by 1
.text:00425493 EB B2                                         jmp     short loc_425447 ;  -----——》 结构体 大小是 10
.text:00425495                               ; ---------------------------------------------------------------------------
.text:00425495
.text:00425495                               loc_425495:                             ; CODE XREF: sub_425050+3FA↑j
.text:00425495 8B 4D E4                                      mov     ecx, [ebp-28]   ; 比较正码，和假 码的位置
.text:00425495                                                                       ; EFFCADBFFGAEEBEG
.text:00425498 33 C0                                         xor     eax, eax        ; Logical Exclusive OR
.text:0042549A 85 C9                                         test    ecx, ecx        ; Logical Compare
.text:0042549C 0F 95 C0                                      setnz   al              ; Set Byte if Not Zero (ZF=0)
.text:0042549F 85 C0                                         test    eax, eax        ; Logical Compare
.text:004254A1 75 0A                                         jnz     short loc_4254AD ; -------》  发生跳转
.text:004254A3 68 05 40 00 80                                push    80004005h
.text:004254A8 E8 03 BC FD FF                                call    sub_4010B0      ; Call Procedure
.text:004254AD                               ; ---------------------------------------------------------------------------
.text:004254AD
.text:004254AD                               loc_4254AD:                             ; CODE XREF: sub_425050+451↑j
.text:004254AD 8B 83 44 30 01 00                             mov     eax, [ebx+13044h] ; 比较真假注册码  --》 来自 EAX 的 fake 注册码 0987654321abcdef
.text:004254B3 51                                            push    ecx             ; Str2
.text:004254B4 50                                            push    eax             ; Str1
.text:004254B5 E8 37 F7 03 00                                call    __mbscmp        ; --------------》  strcmp 字符串比较函数
.text:004254BA 83 C4 08                                      add     esp, 8          ; Add
.text:004254BD 85 C0                                         test    eax, eax        ; Logical Compare
.text:004254BF 0F 94 C0                                      setz    al              ; Set Byte if Zero (ZF=1)
.text:004254C2 84 C0                                         test    al, al          ; Logical Compare
.text:004254C4 0F 84 66 02 00 00                             jz      loc_425730      ; ----关键跳转----》 如果 值 =  0，   ZF 指针等于 1 ，就跳
.text:004254CA 8B 83 48 30 01 00                             mov     eax, [ebx+13048h]
.text:004254D0 50                                            push    eax             ; String
.text:004254D1 E8 A2 07 04 00                                call    _atoi           ; Call Procedure
.text:004254D6 83 C4 04                                      add     esp, 4          ; Add
.text:004254D9 8B F0                                         mov     esi, eax
.text:004254DB C7 83 30 30 01 00 01 00 00 00                 mov     dword ptr [ebx+13030h], 1
.text:004254E5
.text:004254E5                               loc_4254E5:                             ; CODE XREF: sub_425050+4AD↓j
.text:004254E5 8B 83 C0 00 00 00                             mov     eax, [ebx+0C0h]
.text:004254EB 3B C6                                         cmp     eax, esi        ; Compare Two Operands
.text:004254ED 7E 10                                         jle     short loc_4254FF ; Jump if Less or Equal (ZF=1 | SF!=OF)
.text:004254EF 48                                            dec     eax             ; Decrement by 1
.text:004254F0 8B CB                                         mov     ecx, ebx
.text:004254F2 89 83 34 30 01 00                             mov     [ebx+13034h], eax
.text:004254F8 E8 C3 C5 FF FF                                call    sub_421AC0      ; Call Procedure
.text:004254FD EB E6                                         jmp     short loc_4254E5 ; Jump
.text:004254FF                               ; ---------------------------------------------------------------------------
.text:004254FF
.text:004254FF                               loc_4254FF:                             ; CODE XREF: sub_425050+49D↑j
.text:004254FF 8D 8B 48 30 01 00                             lea     ecx, [ebx+13048h] ; Load Effective Address
.text:00425505 51                                            push    ecx             ; int
.text:00425506 8D 55 E8                                      lea     edx, [ebp+78h+var_90] ; Load Effective Address
.text:00425509 68 E8 50 48 00                                push    offset aOleansoftHidde ; 激活成功
.text:0042550E 52                                            push    edx             ; int
.text:0042550F C7 83 30 30 01 00 00 00 00 00                 mov     dword ptr [ebx+13030h], 0
.text:00425519 E8 42 C9 FD FF                                call    sub_401E60      ; Call Procedure
.text:0042551E 83 C4 0C                                      add     esp, 0Ch        ; Add
.text:00425521 68 D4 50 48 00                                push    offset aEmployeesPcs ; " employees PCs"
.text:00425526 50                                            push    eax             ; int
.text:00425527 8D 45 EC                                      lea     eax, [ebp+78h+var_8C] ; Load Effective Address
.text:0042552A 50                                            push    eax             ; int
.text:0042552A                               ;   } // starts at 425475
.text:0042552B                               ;   try {
.text:0042552B C6 45 FC 07                                   mov     byte ptr [ebp+78h+var_7C], 7
.text:0042552F E8 5C C8 FD FF                                call    sub_401D90      ; Call Procedure
.text:00425534 83 C4 0C                                      add     esp, 0Ch        ; Add
.text:00425537 8B 30                                         mov     esi, [eax]
.text:00425537                               ;   } // starts at 42552B
.text:00425539                               ;   try {
.text:00425539 C6 45 FC 08                                   mov     byte ptr [ebp+78h+var_7C], 8
.text:0042553D E8 E6 6A 01 00                                call    ?AfxGetModuleState@@YGPAVAFX_MODULE_STATE@@XZ ; Call Procedure
.text:00425542 8B 40 04                                      mov     eax, [eax+4]
.text:00425545 8B 48 20                                      mov     ecx, [eax+20h]  ; this
.text:00425548 56                                            push    esi             ; char *
.text:00425549 E8 A8 56 01 00                                call    ?SetWindowTextA@CWnd@@QAEXPBD@Z ; Call Procedure
.text:0042554E 8B 45 EC                                      mov     eax, [ebp+78h+var_8C]
.text:00425551 83 C0 F0                                      add     eax, 0FFFFFFF0h ; Add
.text:00425551                               ;   } // starts at 425539
.text:00425554                               ;   try {
.text:00425554 C6 45 FC 07                                   mov     byte ptr [ebp+78h+var_7C], 7
.text:00425558 8D 48 0C                                      lea     ecx, [eax+0Ch]  ; Load Effective Address
.text:0042555B 83 CA FF                                      or      edx, 0FFFFFFFFh ; Logical Inclusive OR
.text:0042555E F0 0F C1 11                                   lock xadd [ecx], edx    ; t<-dest; dest<-src+dest; src<-t
.text:00425562 4A                                            dec     edx             ; Decrement by 1
.text:00425563 85 D2                                         test    edx, edx        ; Logical Compare
.text:00425565 7F 0A                                         jg      short loc_425571 ; Jump if Greater (ZF=0 & SF=OF)
.text:00425567 8B 08                                         mov     ecx, [eax]
.text:00425569 8B 11                                         mov     edx, [ecx]
.text:0042556B 50                                            push    eax
.text:0042556C 8B 42 04                                      mov     eax, [edx+4]
.text:0042556F FF D0                                         call    eax             ; Indirect Call Near Procedure
.text:00425571
.text:00425571                               loc_425571:                             ; CODE XREF: sub_425050+515↑j
.text:00425571 8B 45 E8                                      mov     eax, [ebp+78h+var_90]
.text:00425574 83 C0 F0                                      add     eax, 0FFFFFFF0h ; Add
.text:00425574                               ;   } // starts at 425554
.text:00425577                               ;   try {
.text:00425577 C6 45 FC 04                                   mov     byte ptr [ebp+78h+var_7C], 4
.text:0042557B 8D 48 0C                                      lea     ecx, [eax+0Ch]  ; Load Effective Address
.text:0042557E 83 CA FF                                      or      edx, 0FFFFFFFFh ; Logical Inclusive OR
.text:00425581 F0 0F C1 11                                   lock xadd [ecx], edx    ; t<-dest; dest<-src+dest; src<-t
.text:00425585 4A                                            dec     edx             ; Decrement by 1
.text:00425586 85 D2                                         test    edx, edx        ; Logical Compare
.text:00425588 7F 0A                                         jg      short loc_425594 ; Jump if Greater (ZF=0 & SF=OF)
.text:0042558A 8B 08                                         mov     ecx, [eax]
.text:0042558C 8B 11                                         mov     edx, [ecx]
.text:0042558E 50                                            push    eax
.text:0042558F 8B 42 04                                      mov     eax, [edx+4]
.text:00425592 FF D0                                         call    eax             ; Indirect Call Near Procedure
.text:00425594
.text:00425594                               loc_425594:                             ; CODE XREF: sub_425050+538↑j
.text:00425594 6A 00                                         push    0               ; unsigned int
.text:00425596 6A 00                                         push    0               ; uType
.text:00425598 68 9C 50 48 00                                push    offset aFullVersionAct ; "Full version activation has been succes"...
.text:0042559D E8 AD D7 01 00                                call    ?AfxMessageBox@@YGHPBDII@Z ; Call Procedure
.text:004255A2 6A 00                                         push    0               ; int
.text:004255A4 8D 8B 6C 37 01 00                             lea     ecx, [ebx+1376Ch] ; this
.text:004255AA E8 E9 56 01 00                                call    ?ShowWindow@CWnd@@QAEHH@Z ; Call Procedure
.text:004255AF 8B 55 DC                                      mov     edx, [ebp+78h+Source]
.text:004255B2 8B BB 3C 30 01 00                             mov     edi, [ebx+1303Ch]
.text:004255B8 8D 83 3C 30 01 00                             lea     eax, [ebx+1303Ch] ; Load Effective Address
.text:004255BE 8D 72 F0                                      lea     esi, [edx-10h]  ; Load Effective Address
.text:004255C1 83 EF 10                                      sub     edi, 10h        ; Integer Subtraction
.text:004255C4 3B F7                                         cmp     esi, edi        ; Compare Two Operands
.text:004255C6 0F 84 A1 00 00 00                             jz      loc_42566D      ; Jump if Zero (ZF=1)
.text:004255CC 83 7F 0C 00                                   cmp     dword ptr [edi+0Ch], 0 ; Compare Two Operands
.text:004255D0 0F 8C 8B 00 00 00                             jl      loc_425661      ; Jump if Less (SF!=OF)
.text:004255D6 8B 0E                                         mov     ecx, [esi]
.text:004255D8 3B 0F                                         cmp     ecx, [edi]      ; Compare Two Operands
.text:004255DA 0F 85 81 00 00 00                             jnz     loc_425661      ; Jump if Not Zero (ZF=0)
.text:004255E0 8B 11                                         mov     edx, [ecx]
.text:004255E2 8B 42 10                                      mov     eax, [edx+10h]
.text:004255E5 FF D0                                         call    eax             ; Indirect Call Near Procedure
.text:004255E7 83 7E 0C 00                                   cmp     dword ptr [esi+0Ch], 0 ; Compare Two Operands
.text:004255EB 8D 4E 0C                                      lea     ecx, [esi+0Ch]  ; Load Effective Address
.text:004255EE 7C 11                                         jl      short loc_425601 ; Jump if Less (SF!=OF)
.text:004255F0 3B 06                                         cmp     eax, [esi]      ; Compare Two Operands
.text:004255F2 75 0D                                         jnz     short loc_425601 ; Jump if Not Zero (ZF=0)
.text:004255F4 8B DE                                         mov     ebx, esi
.text:004255F6 BA 01 00 00 00                                mov     edx, 1
.text:004255FB F0 0F C1 11                                   lock xadd [ecx], edx    ; t<-dest; dest<-src+dest; src<-t
.text:004255FF EB 35                                         jmp     short loc_425636 ; Jump
.text:00425601                               ; ---------------------------------------------------------------------------
.text:00425601
.text:00425601                               loc_425601:                             ; CODE XREF: sub_425050+59E↑j
.text:00425601                                                                       ; sub_425050+5A2↑j
.text:00425601 8B 4E 04                                      mov     ecx, [esi+4]
.text:00425604 8B 10                                         mov     edx, [eax]
.text:00425606 8B 12                                         mov     edx, [edx]
.text:00425608 6A 01                                         push    1
.text:0042560A 51                                            push    ecx
.text:0042560B 8B C8                                         mov     ecx, eax
.text:0042560D FF D2                                         call    edx             ; Indirect Call Near Procedure
.text:0042560F 8B D8                                         mov     ebx, eax
.text:00425611 85 DB                                         test    ebx, ebx        ; Logical Compare
.text:00425613 75 05                                         jnz     short loc_42561A ; Jump if Not Zero (ZF=0)
.text:00425615 E8 16 BC FD FF                                call    sub_401230      ; Call Procedure
.text:0042561A                               ; ---------------------------------------------------------------------------
.text:0042561A
.text:0042561A                               loc_42561A:                             ; CODE XREF: sub_425050+5C3↑j
.text:0042561A 8B 46 04                                      mov     eax, [esi+4]
.text:0042561D 89 43 04                                      mov     [ebx+4], eax
.text:00425620 8B 46 04                                      mov     eax, [esi+4]
.text:00425623 40                                            inc     eax             ; Increment by 1
.text:00425624 50                                            push    eax             ; SourceSize
.text:00425625 83 C6 10                                      add     esi, 10h        ; Add
.text:00425628 56                                            push    esi             ; Source
.text:00425629 50                                            push    eax             ; DestinationSize
.text:0042562A 8D 4B 10                                      lea     ecx, [ebx+10h]  ; Load Effective Address
.text:0042562D 51                                            push    ecx             ; Destination
.text:0042562E E8 D5 F5 03 00                                call    _memcpy_s       ; Call Procedure
.text:00425633 83 C4 10                                      add     esp, 10h        ; Add
.text:00425636
.text:00425636                               loc_425636:                             ; CODE XREF: sub_425050+5AF↑j
.text:00425636 8D 47 0C                                      lea     eax, [edi+0Ch]  ; Load Effective Address
.text:00425639 83 CA FF                                      or      edx, 0FFFFFFFFh ; Logical Inclusive OR
.text:0042563C F0 0F C1 10                                   lock xadd [eax], edx    ; t<-dest; dest<-src+dest; src<-t
.text:00425640 4A                                            dec     edx             ; Decrement by 1
.text:00425641 85 D2                                         test    edx, edx        ; Logical Compare
.text:00425643 7F 0A                                         jg      short loc_42564F ; Jump if Greater (ZF=0 & SF=OF)
.text:00425645 8B 0F                                         mov     ecx, [edi]
.text:00425647 8B 01                                         mov     eax, [ecx]
.text:00425649 8B 50 04                                      mov     edx, [eax+4]
.text:0042564C 57                                            push    edi
.text:0042564D FF D2                                         call    edx             ; Indirect Call Near Procedure
.text:0042564F
.text:0042564F                               loc_42564F:                             ; CODE XREF: sub_425050+5F3↑j
.text:0042564F 8B 45 00                                      mov     eax, [ebp+78h+var_78]
.text:00425652 83 C3 10                                      add     ebx, 10h        ; Add
.text:00425655 05 3C 30 01 00                                add     eax, 1303Ch     ; Add
.text:0042565A 89 18                                         mov     [eax], ebx
.text:0042565C 8B 5D 00                                      mov     ebx, [ebp+78h+var_78]
.text:0042565F EB 0C                                         jmp     short loc_42566D ; Jump
.text:00425661                               ; ---------------------------------------------------------------------------
.text:00425661
.text:00425661                               loc_425661:                             ; CODE XREF: sub_425050+580↑j
.text:00425661                                                                       ; sub_425050+58A↑j
.text:00425661 8B 4A F4                                      mov     ecx, [edx-0Ch]
.text:00425664 51                                            push    ecx             ; SourceSize
.text:00425665 52                                            push    edx             ; Source
.text:00425666 8B C8                                         mov     ecx, eax
.text:00425668 E8 C3 C1 FD FF                                call    sub_401830      ; Call Procedure
.text:0042566D
.text:0042566D                               loc_42566D:                             ; CODE XREF: sub_425050+576↑j
.text:0042566D                                                                       ; sub_425050+60F↑j
.text:0042566D 8B 75 E0                                      mov     esi, [ebp+78h+var_98]
.text:00425670 8B BB 40 30 01 00                             mov     edi, [ebx+13040h]
.text:00425676 8D 83 40 30 01 00                             lea     eax, [ebx+13040h] ; Load Effective Address
.text:0042567C 83 C6 F0                                      add     esi, 0FFFFFFF0h ; Add
.text:0042567F 83 EF 10                                      sub     edi, 10h        ; Integer Subtraction
.text:00425682 3B F7                                         cmp     esi, edi        ; Compare Two Operands
.text:00425684 0F 84 B8 00 00 00                             jz      loc_425742      ; Jump if Zero (ZF=1)
.text:0042568A 83 7F 0C 00                                   cmp     dword ptr [edi+0Ch], 0 ; Compare Two Operands
.text:0042568E 0F 8C 8B 00 00 00                             jl      loc_42571F      ; Jump if Less (SF!=OF)
.text:00425694 8B 0E                                         mov     ecx, [esi]
.text:00425696 3B 0F                                         cmp     ecx, [edi]      ; Compare Two Operands
.text:00425698 0F 85 81 00 00 00                             jnz     loc_42571F      ; Jump if Not Zero (ZF=0)
.text:0042569E 8B 01                                         mov     eax, [ecx]
.text:004256A0 8B 50 10                                      mov     edx, [eax+10h]
.text:004256A3 FF D2                                         call    edx             ; Indirect Call Near Procedure
.text:004256A5 83 7E 0C 00                                   cmp     dword ptr [esi+0Ch], 0 ; Compare Two Operands
.text:004256A9 8D 4E 0C                                      lea     ecx, [esi+0Ch]  ; Load Effective Address
.text:004256AC 7C 11                                         jl      short loc_4256BF ; Jump if Less (SF!=OF)
.text:004256AE 3B 06                                         cmp     eax, [esi]      ; Compare Two Operands
.text:004256B0 75 0D                                         jnz     short loc_4256BF ; Jump if Not Zero (ZF=0)
.text:004256B2 8B DE                                         mov     ebx, esi
.text:004256B4 B8 01 00 00 00                                mov     eax, 1
.text:004256B9 F0 0F C1 01                                   lock xadd [ecx], eax    ; t<-dest; dest<-src+dest; src<-t
.text:004256BD EB 35                                         jmp     short loc_4256F4 ; Jump
.text:004256BF                               ; ---------------------------------------------------------------------------
.text:004256BF
.text:004256BF                               loc_4256BF:                             ; CODE XREF: sub_425050+65C↑j
.text:004256BF                                                                       ; sub_425050+660↑j
.text:004256BF 8B 4E 04                                      mov     ecx, [esi+4]
.text:004256C2 8B 10                                         mov     edx, [eax]
.text:004256C4 8B 12                                         mov     edx, [edx]
.text:004256C6 6A 01                                         push    1
.text:004256C8 51                                            push    ecx
.text:004256C9 8B C8                                         mov     ecx, eax
.text:004256CB FF D2                                         call    edx             ; Indirect Call Near Procedure
.text:004256CD 8B D8                                         mov     ebx, eax
.text:004256CF 85 DB                                         test    ebx, ebx        ; Logical Compare
.text:004256D1 75 05                                         jnz     short loc_4256D8 ; Jump if Not Zero (ZF=0)
.text:004256D3 E8 58 BB FD FF                                call    sub_401230      ; Call Procedure
.text:004256D8                               ; ---------------------------------------------------------------------------
.text:004256D8
.text:004256D8                               loc_4256D8:                             ; CODE XREF: sub_425050+681↑j
.text:004256D8 8B 46 04                                      mov     eax, [esi+4]
.text:004256DB 89 43 04                                      mov     [ebx+4], eax
.text:004256DE 8B 46 04                                      mov     eax, [esi+4]
.text:004256E1 40                                            inc     eax             ; Increment by 1
.text:004256E2 50                                            push    eax             ; SourceSize
.text:004256E3 83 C6 10                                      add     esi, 10h        ; Add
.text:004256E6 56                                            push    esi             ; Source
.text:004256E7 50                                            push    eax             ; DestinationSize
.text:004256E8 8D 4B 10                                      lea     ecx, [ebx+10h]  ; Load Effective Address
.text:004256EB 51                                            push    ecx             ; Destination
.text:004256EC E8 17 F5 03 00                                call    _memcpy_s       ; Call Procedure
.text:004256F1 83 C4 10                                      add     esp, 10h        ; Add
.text:004256F4
.text:004256F4                               loc_4256F4:                             ; CODE XREF: sub_425050+66D↑j
.text:004256F4 8D 47 0C                                      lea     eax, [edi+0Ch]  ; Load Effective Address
.text:004256F7 83 CA FF                                      or      edx, 0FFFFFFFFh ; Logical Inclusive OR
.text:004256FA F0 0F C1 10                                   lock xadd [eax], edx    ; t<-dest; dest<-src+dest; src<-t
.text:004256FE 4A                                            dec     edx             ; Decrement by 1
.text:004256FF 85 D2                                         test    edx, edx        ; Logical Compare
.text:00425701 7F 0A                                         jg      short loc_42570D ; Jump if Greater (ZF=0 & SF=OF)
.text:00425703 8B 0F                                         mov     ecx, [edi]
.text:00425705 8B 01                                         mov     eax, [ecx]
.text:00425707 8B 50 04                                      mov     edx, [eax+4]
.text:0042570A 57                                            push    edi
.text:0042570B FF D2                                         call    edx             ; Indirect Call Near Procedure
.text:0042570D
.text:0042570D                               loc_42570D:                             ; CODE XREF: sub_425050+6B1↑j
.text:0042570D 8B 45 00                                      mov     eax, [ebp+78h+var_78]
.text:00425710 83 C3 10                                      add     ebx, 10h        ; Add
.text:00425713 05 40 30 01 00                                add     eax, 13040h     ; Add
.text:00425718 89 18                                         mov     [eax], ebx
.text:0042571A 8B 5D 00                                      mov     ebx, [ebp+78h+var_78]
.text:0042571D EB 23                                         jmp     short loc_425742 ; Jump
.text:0042571F                               ; ---------------------------------------------------------------------------
.text:0042571F
.text:0042571F                               loc_42571F:                             ; CODE XREF: sub_425050+63E↑j
.text:0042571F                                                                       ; sub_425050+648↑j
.text:0042571F 8B 55 E0                                      mov     edx, [ebp+78h+var_98]
.text:00425722 8B 4A F4                                      mov     ecx, [edx-0Ch]
.text:00425725 51                                            push    ecx             ; SourceSize
.text:00425726 52                                            push    edx             ; Source
.text:00425727 8B C8                                         mov     ecx, eax
.text:00425729 E8 02 C1 FD FF                                call    sub_401830      ; Call Procedure
.text:0042572E EB 12                                         jmp     short loc_425742 ; Jump
.text:00425730                               ; ---------------------------------------------------------------------------
.text:00425730
.text:00425730                               loc_425730:                             ; CODE XREF: sub_425050+474↑j
.text:00425730 6A 00                                         push    0               ; unsigned int
.text:00425732 6A 00                                         push    0               ; uType
.text:00425734 68 80 50 48 00                                push    offset aWrongKeyPlease ; "Wrong key! Please try again"
.text:00425739 E8 11 D6 01 00                                call    ?AfxMessageBox@@YGHPBDII@Z ; Call Procedure
.text:0042573E 33 C0                                         xor     eax, eax        ; Logical Exclusive OR
.text:00425740 74 09                                         jz      short loc_42574B ; Jump if Zero (ZF=1)
.text:00425742
.text:00425742                               loc_425742:                             ; CODE XREF: sub_425050+634↑j
.text:00425742                                                                       ; sub_425050+6CD↑j ...
.text:00425742 D9 05 44 4B 48 00                             fld     ds:flt_484B44   ; Load Real
.text:00425748 D9 5B 58                                      fstp    dword ptr [ebx+58h] ; Store Real and Pop
.text:0042574B
.text:0042574B                               loc_42574B:                             ; CODE XREF: sub_425050+6F0↑j
.text:0042574B 8B 45 E0                                      mov     eax, [ebp+78h+var_98]
.text:0042574E 83 C0 F0                                      add     eax, 0FFFFFFF0h ; Add
.text:0042574E                               ;   } // starts at 425577
.text:00425751                               ;   try {
.text:00425751 C6 45 FC 03                                   mov     byte ptr [ebp+78h+var_7C], 3
.text:00425755 8D 48 0C                                      lea     ecx, [eax+0Ch]  ; Load Effective Address
.text:00425758 83 CA FF                                      or      edx, 0FFFFFFFFh ; Logical Inclusive OR
.text:0042575B F0 0F C1 11                                   lock xadd [ecx], edx    ; t<-dest; dest<-src+dest; src<-t
.text:0042575F 4A                                            dec     edx             ; Decrement by 1
.text:00425760 85 D2                                         test    edx, edx        ; Logical Compare
.text:00425762 7F 0A                                         jg      short loc_42576E ; Jump if Greater (ZF=0 & SF=OF)
.text:00425764 8B 08                                         mov     ecx, [eax]
.text:00425766 8B 11                                         mov     edx, [ecx]
.text:00425768 50                                            push    eax
.text:00425769 8B 42 04                                      mov     eax, [edx+4]
.text:0042576C FF D0                                         call    eax             ; Indirect Call Near Procedure
.text:0042576E
.text:0042576E                               loc_42576E:                             ; CODE XREF: sub_425050+712↑j
.text:0042576E 8B 45 DC                                      mov     eax, [ebp+78h+Source]
.text:00425771 83 C0 F0                                      add     eax, 0FFFFFFF0h ; Add
.text:00425771                               ;   } // starts at 425751
.text:00425774                               ;   try {
.text:00425774 C6 45 FC 02                                   mov     byte ptr [ebp+78h+var_7C], 2
.text:00425778 8D 48 0C                                      lea     ecx, [eax+0Ch]  ; Load Effective Address
.text:0042577B 83 CA FF                                      or      edx, 0FFFFFFFFh ; Logical Inclusive OR
.text:0042577E F0 0F C1 11                                   lock xadd [ecx], edx    ; t<-dest; dest<-src+dest; src<-t
.text:00425782 4A                                            dec     edx             ; Decrement by 1
.text:00425783 85 D2                                         test    edx, edx        ; Logical Compare
.text:00425785 7F 0A                                         jg      short loc_425791 ; Jump if Greater (ZF=0 & SF=OF)
.text:00425787 8B 08                                         mov     ecx, [eax]
.text:00425789 8B 11                                         mov     edx, [ecx]
.text:0042578B 50                                            push    eax
.text:0042578C 8B 42 04                                      mov     eax, [edx+4]
.text:0042578F FF D0                                         call    eax             ; Indirect Call Near Procedure
.text:00425791
.text:00425791                               loc_425791:                             ; CODE XREF: sub_425050+735↑j
.text:00425791 8B 45 E4                                      mov     eax, [ebp+78h+Str2]
.text:00425794 83 C0 F0                                      add     eax, 0FFFFFFF0h ; Add
.text:00425794                               ;   } // starts at 425774
.text:00425797                               ;   try {
.text:00425797 C6 45 FC 01                                   mov     byte ptr [ebp+78h+var_7C], 1
.text:0042579B 8D 48 0C                                      lea     ecx, [eax+0Ch]  ; Load Effective Address
.text:0042579E 83 CA FF                                      or      edx, 0FFFFFFFFh ; Logical Inclusive OR
.text:004257A1 F0 0F C1 11                                   lock xadd [ecx], edx    ; t<-dest; dest<-src+dest; src<-t
.text:004257A5 4A                                            dec     edx             ; Decrement by 1
.text:004257A6 85 D2                                         test    edx, edx        ; Logical Compare
.text:004257A8 7F 0A                                         jg      short loc_4257B4 ; 跳转到这里
.text:004257AA 8B 08                                         mov     ecx, [eax]
.text:004257AC 8B 11                                         mov     edx, [ecx]
.text:004257AE 50                                            push    eax
.text:004257AF 8B 42 04                                      mov     eax, [edx+4]
.text:004257B2 FF D0                                         call    eax             ; Indirect Call Near Procedure
.text:004257B4
.text:004257B4                               loc_4257B4:                             ; CODE XREF: sub_425050+7F↑j
.text:004257B4                                                                       ; sub_425050+758↑j
.text:004257B4 8B 4D 00                                      mov     ecx, [ebp+78h+var_78] ; 跳转到这里
.text:004257B7 C7 81 50 3D 01 00 00 00 00 00                 mov     dword ptr [ecx+13D50h], 0
.text:004257C1 8D 8D 48 FF FF FF                             lea     ecx, [ebp+78h+var_130] ; Load Effective Address
.text:004257C1                               ;   } // starts at 425797
.text:004257C7                               ;   try {
.text:004257C7 C6 45 FC 00                                   mov     byte ptr [ebp+78h+var_7C], 0
.text:004257CB E8 D0 EC 00 00                                call    loc_4344A0      ; Call Procedure
.text:004257D0
.text:004257D0                               loc_4257D0:                             ; CODE XREF: sub_425050+7B1↓j
.text:004257D0                                                                       ; DATA XREF: sub_425050+7AC↓o
.text:004257D0 8B 4D F4                                      mov     ecx, [ebp+78h+var_84]
.text:004257D3 64 89 0D 00 00 00 00                          mov     large fs:0, ecx
.text:004257DA 59                                            pop     ecx
.text:004257DB 5F                                            pop     edi
.text:004257DC 5E                                            pop     esi
.text:004257DD 5B                                            pop     ebx
.text:004257DE 8B 4D 74                                      mov     ecx, [ebp+78h+var_4]
.text:004257E1 33 CD                                         xor     ecx, ebp        ; Logical Exclusive OR
.text:004257E3 E8 84 FC 03 00                                call    sub_46546C      ; Call Procedure
.text:004257E8 83 C5 78                                      add     ebp, 78h ; 'x'  ; Add
.text:004257EB 8B E5                                         mov     esp, ebp
.text:004257ED 5D                                            pop     ebp
.text:004257EE C3                                            retn                    ; Return Near from Procedure