Post #5
I really, really want to learn this~
I have a few questions I'd really like to ask. Could one of the experts here help me out?
1. What exactly does the EP in PEID refer to? Is it the same as the OEP in OLLYDBG?
2. Could someone talk through the following .EXE file?
The scan reports Microsoft Visual C++ 7.0 [Overlay] (personally I think this is fake)
Entry point: 00003DD7
File offset: 00003DD7
Linker info: 7.10
EP section:
Name V.Offset V.Size R.Offset R.Size Flags
.text 00001000 000069b8 00001000 000069b8 60000020
.rdata 00008000 00001958 00008000 00001958 40000040
.data 0000a000 00001538 0000a000 00001538 c0000040
.rsrc 0000c000 00002238 0000c000 00002238 40000040
.idata2 0000F000 00001000 0000E400 00000A00 C0000040 (shows 4.03, not packed)
Cave info: RVA Offset Size
.text 000079bf 000079bf 00000041
.rdata 0000995f 0000995f 000000A1
.data 0000A3A1 0000A3A1 0000125F
.rsrc 0000E238 0000E238 000001C5
.idata2 0000F69C 0000EA9C 00000364 (the problem is that .idata2 is shifted)
Disassembly of .idata2:
0040F000: 0000 ADD [EAX], AL
0040F002: 0000 ADD [EAX], AL
0040F004: 0000 ADD [EAX], AL
0040F006: 0000 ADD [EAX], AL
0040F008: 0000 ADD [EAX], AL
0040F00A: 0000 ADD [EAX], AL
0040F00C: 78F0 JS 40EFFE
0040F00E: 0000 ADD [EAX], AL
0040F010: 008000000000 ADD [EAX], AL
0040F016: 0000 ADD [EAX], AL
0040F018: 0000 ADD [EAX], AL
0040F01A: 0000 ADD [EAX], AL
0040F01C: 0000 ADD [EAX], AL
0040F01E: 0000 ADD [EAX], AL
0040F020: E5F0 IN EAX, F0
0040F022: 0000 ADD [EAX], AL
0040F024: 1C80 SBB AL, 80
0040F026: 0000 ADD [EAX], AL
0040F028: 0000 ADD [EAX], AL
0040F02A: 0000 ADD [EAX], AL
0040F02C: 0000 ADD [EAX], AL
0040F02E: 0000 ADD [EAX], AL
0040F030: 0000 ADD [EAX], AL
0040F032: 0000 ADD [EAX], AL
0040F034: D0F4 INVALID
0040F036: 0000 ADD [EAX], AL
0040F038: 0C81 OR AL, 81
0040F03A: 0000 ADD [EAX], AL
0040F03C: 0000 ADD [EAX], AL
0040F03E: 0000 ADD [EAX], AL
0040F040: 0000 ADD [EAX], AL
0040F042: 0000 ADD [EAX], AL
0040F044: 0000 ADD [EAX], AL
0040F046: 0000 ADD [EAX], AL
0040F048: EC IN AL, DX
0040F049: F4 HLT
0040F04A: 0000 ADD [EAX], AL
0040F04C: 1481 ADC AL, 81
0040F04E: 0000 ADD [EAX], AL
0040F050: 0000 ADD [EAX], AL
0040F052: 0000 ADD [EAX], AL
0040F054: 0000 ADD [EAX], AL
0040F056: 0000 ADD [EAX], AL
0040F058: 0000 ADD [EAX], AL
0040F05A: 0000 ADD [EAX], AL
0040F05C: 01F6 ADD ESI, ESI
0040F05E: 0000 ADD [EAX], AL
0040F060: 5C POP ESP
0040F061: 810000000000 ADD [EAX], 00000000
0040F067: 0000 ADD [EAX], AL
0040F069: 0000 ADD [EAX], AL
0040F06B: 0000 ADD [EAX], AL
0040F06D: 0000 ADD [EAX], AL
0040F06F: 0000 ADD [EAX], AL
0040F071: 0000 ADD [EAX], AL
0040F073: 0000 ADD [EAX], AL
0040F075: 0000 ADD [EAX], AL
0040F077: 004144 ADD [ECX+44], AL
0040F07A: 56 PUSH ESI
0040F07B: 41 INC ECX
0040F07C: 50 PUSH EAX
0040F07D: 49 DEC ECX
0040F07E: 3332 XOR ESI, [EDX]
0040F080: 2E646C INSB
0040F083: 6C INSB
0040F084: 00CE ADD DH, CL
0040F086: 015265 ADD [EDX+65], EDX
0040F089: 6743 INC EBX
0040F08B: 7265 JB 40F0F2
0040F08D: 61 POPAD
0040F08E: 7465 JZ 40F0F5
0040F090: 4B DEC EBX
0040F091: 657941 JNS 40F0D5
0040F094: 00FB ADD BL, BH
0040F096: 015265 ADD [EDX+65], EDX
0040F099: 6753 PUSH EBX
0040F09B: 657456 JZ 40F0F4
0040F09E: 61 POPAD
0040F09F: 6C INSB
0040F0A0: 7565 JNZ 40F107
0040F0A2: 45 INC EBP
0040F0A3: 7841 JS 40F0E6
0040F0A5: 00E4 ADD AH, AH
0040F0A7: 015265 ADD [EDX+65], EDX
0040F0AA: 674F DEC EDI
0040F0AC: 7065 JO 40F113
0040F0AE: 6E OUTSB
0040F0AF: 4B DEC EBX
0040F0B0: 657945 JNS 40F0F8
0040F0B3: 7841 JS 40F0F6
0040F0B5: 00EE ADD DH, CH
0040F0B7: 015265 ADD [EDX+65], EDX
0040F0BA: 6751 PUSH ECX
0040F0BC: 7565 JNZ 40F123
0040F0BE: 7279 JB 40F139
0040F0C0: 56 PUSH ESI
0040F0C1: 61 POPAD
0040F0C2: 6C INSB
0040F0C3: 7565 JNZ 40F12A
0040F0C5: 45 INC EBP
0040F0C6: 7841 JS 40F109
0040F0C8: 00CB ADD BL, CL
0040F0CA: 015265 ADD [EDX+65], EDX
0040F0CD: 6743 INC EBX
0040F0CF: 6C INSB
0040F0D0: 6F OUTSD
0040F0D1: 7365 JNB 40F138
0040F0D3: 4B DEC EBX
0040F0D4: 657900 JNS 40F0D7
0040F0D7: E301 JECXZ 40F0DA
0040F0D9: 52 PUSH EDX
0040F0DA: 65674F DEC EDI
0040F0DD: 7065 JO 40F144
0040F0DF: 6E OUTSB
0040F0E0: 4B DEC EBX
0040F0E1: 657941 JNS 40F125
0040F0E4: 006B65 ADD [EBX+65], CH
0040F0E7: 726E JB 40F157
0040F0E9: 656C INSB
0040F0EB: 3332 XOR ESI, [EDX]
0040F0ED: 2E646C INSB
0040F0F0: 6C INSB
0040F0F1: 0032 ADD [EDX], DH
0040F0F3: 00436C ADD [EBX+6C], AL
0040F0F6: 6F OUTSD
0040F0F7: 7365 JNB 40F15E
0040F0F9: 48 DEC EAX
0040F0FA: 61 POPAD
0040F0FB: 6E OUTSB
0040F0FC: 646C INSB
0040F0FE: 65005000 ADD GS:[EAX], DL
0040F102: 43 INC EBX
0040F103: 7265 JB 40F16A
0040F105: 61 POPAD
0040F106: 7465 JZ 40F16D
0040F108: 46 INC ESI
0040F109: 696C654100D20147 IMUL EBP, [EBP+*2]
0040F111: 657454 JZ 40F168
0040F114: 69636B436F756E IMUL ESP, [EBX+6B], 6E756F43
0040F11B: 7400 JZ 40F11D
0040F11D: 6D INSD
0040F11E: 004372 ADD [EBX+72], AL
0040F121: 6561 POPAD
0040F123: 7465 JZ 40F18A
0040F125: 54 PUSH ESP
0040F126: 6872656164 PUSH 64616572
0040F12B: 00740147 ADD [ECX+EAX+47], DH
0040F12F: 65744D JZ 40F17F
0040F132: 6F OUTSD
0040F133: 64756C JNZ 40F1A2
0040F136: 6546 INC ESI
0040F138: 696C654E616D6541 IMUL EBP, [EBP+*2]
0040F140: 006901 ADD [ECX+01], CH
0040F143: 47 INC EDI
0040F144: 65744C JZ 40F193
0040F147: 61 POPAD
0040F148: 7374 JNB 40F1BE
0040F14A: 45 INC EBP
0040F14B: 7272 JB 40F1BF
0040F14D: 6F OUTSD
0040F14E: 7200 JB 40F150
0040F150: 4C DEC ESP
0040F151: 004372 ADD [EBX+72], AL
0040F154: 6561 POPAD
0040F156: 7465 JZ 40F1BD
0040F158: 45 INC EBP
0040F159: 7665 JBE 40F1C0
0040F15B: 6E OUTSB
0040F15C: 7441 JZ 40F19F
0040F15E: 00B700457869 ADD [EDI+69784500], DH
0040F164: 7450 JZ 40F1B6
0040F166: 726F JB 40F1D7
0040F168: 636573 ARPL ESP, [EBP+73]
0040F16B: 7300 JNB 40F16D
0040F16D: 7601 JBE 40F170
0040F16F: 47 INC EDI
0040F170: 65744D JZ 40F1C0
0040F173: 6F OUTSD
0040F174: 64756C JNZ 40F1E3
0040F177: 6548 DEC EAX
0040F179: 61 POPAD
0040F17A: 6E OUTSB
0040F17B: 646C INSB
0040F17D: 6541 INC ECX
0040F17F: 000A ADD [EDX], CL
0040F181: 014765 ADD [EDI+65], EAX
0040F184: 7443 JZ 40F1C9
0040F186: 6F OUTSD
0040F187: 6D INSD
0040F188: 6D INSD
0040F189: 61 POPAD
0040F18A: 6E OUTSB
0040F18B: 644C DEC ESP
0040F18D: 696E654100B303 IMUL EBP, [ESI+65], 03B30041
0040F194: 6C INSB
0040F195: 7374 JNB 40F20B
0040F197: 726C JB 40F205
0040F199: 656E OUTSB
0040F19B: 00A7036C7374 ADD [EDI+74736C03], AH
0040F1A1: 7263 JB 40F206
0040F1A3: 6D INSD
0040F1A4: 7000 JO 40F1A6
0040F1A6: 7103 JNO 40F1AB
0040F1A8: 56 PUSH ESI
0040F1A9: 69727475616C50 IMUL ESI, [EDX+74], 506C6175
0040F1B0: 726F JB 40F221
0040F1B2: 7465 JZ 40F219
0040F1B4: 6374006C ARPL ESI, [EAX+EAX+6C]
0040F1B8: 014765 ADD [EDI+65], EAX
0040F1BB: 744C JZ 40F209
0040F1BD: 6F OUTSD
0040F1BE: 63616C ARPL ESP, [ECX+6C]
0040F1C1: 6549 DEC ECX
0040F1C3: 6E OUTSB
0040F1C4: 666F OUTSW
0040F1C6: 41 INC ECX
0040F1C7: 00820044656C ADD [EDX+6C654400], AL
0040F1CD: 657465 JZ 40F235
0040F1D0: 46 INC ESI
0040F1D1: 696C654100B00147 IMUL EBP, [EBP+*2]
0040F1D9: 657453 JZ 40F22F
0040F1DC: 7472 JZ 40F250
0040F1DE: 696E6754797065 IMUL EBP, [ESI+67], 65707954
0040F1E5: 41 INC ECX
0040F1E6: 0035024C434D ADD [4D434C02], DH
0040F1EC: 61 POPAD
0040F1ED: 7053 JO 40F242
0040F1EF: 7472 JZ 40F263
0040F1F1: 696E6757006502 IMUL EBP, [ESI+67], 02650057
0040F1F8: 4D DEC EBP
0040F1F9: 756C JNZ 40F267
0040F1FB: 7469 JZ 40F266
0040F1FD: 42 INC EDX
0040F1FE: 7974 JNS 40F274
0040F200: 6554 PUSH ESP
0040F202: 6F OUTSD
0040F203: 57 PUSH EDI
0040F204: 6964654368617200 IMUL ESP, [EBP+*2]
0040F20C: 3402 XOR AL, 02
0040F20E: 4C DEC ESP
0040F20F: 43 INC EBX
0040F210: 4D DEC EBP
0040F211: 61 POPAD
0040F212: 7053 JO 40F267
0040F214: 7472 JZ 40F288
0040F216: 696E674100BE01 IMUL EBP, [ESI+67], 01BE0041
0040F21D: 47 INC EDI
0040F21E: 657453 JZ 40F274
0040F221: 7973 JNS 40F296
0040F223: 7465 JZ 40F28A
0040F225: 6D INSD
0040F226: 54 PUSH ESP
0040F227: 696D6541734669 IMUL EBP, [EBP+65], 69467341
0040F22E: 6C INSB
0040F22F: 6554 PUSH ESP
0040F231: 696D65003D0147 IMUL EBP, [EBP+65], 47013D00
0040F238: 657443 JZ 40F27E
0040F23B: 7572 JNZ 40F2AF
0040F23D: 7265 JB 40F2A4
0040F23F: 6E OUTSB
0040F240: 7450 JZ 40F292
0040F242: 726F JB 40F2B3
0040F244: 636573 ARPL ESP, [EBP+73]
0040F247: 7349 JNB 40F292
0040F249: 64003F ADD FS:[EDI], BH
0040F24C: 014765 ADD [EDI+65], EAX
0040F24F: 7443 JZ 40F294
0040F251: 7572 JNZ 40F2C5
0040F253: 7265 JB 40F2BA
0040F255: 6E OUTSB
0040F256: 7454 JZ 40F2AC
0040F258: 6872656164 PUSH 64616572
0040F25D: 49 DEC ECX
0040F25E: 64009202517565 ADD FS:[EDX+65755102], DL
0040F265: 7279 JB 40F2E0
0040F267: 50 PUSH EAX
0040F268: 657266 JB 40F2D1
0040F26B: 6F OUTSD
0040F26C: 726D JB 40F2DB
0040F26E: 61 POPAD
0040F26F: 6E OUTSB
0040F270: 636543 ARPL ESP, [EBP+43]
0040F273: 6F OUTSD
0040F274: 756E JNZ 40F2E4
0040F276: 7465 JZ 40F2DD
0040F278: 7200 JB 40F27A
0040F27A: 0F024865 LAR ECX, [EAX+65]
0040F27E: 61 POPAD
0040F27F: 7053 JO 40F2D4
0040F281: 697A6500730356 IMUL EDI, [EDX+65], 56037300
0040F288: 69727475616C51 IMUL ESI, [EDX+74], 516C6175
0040F28F: 7565 JNZ 40F2F6
0040F291: 7279 JB 40F30C
0040F293: 001B ADD [EBX], BL
0040F295: 02496E ADD CL, [ECX+6E]
0040F298: 7465 JZ 40F2FF
0040F29A: 726C JB 40F308
0040F29C: 6F OUTSD
0040F29D: 636B65 ARPL EBP, [EBX+65]
0040F2A0: 6445 INC EBP
0040F2A2: 7863 JS 40F307
0040F2A4: 68616E6765 PUSH 65676E61
0040F2A9: 00C5 ADD CH, AL
0040F2AB: 025274 ADD DL, [EDX+74]
0040F2AE: 6C INSB
0040F2AF: 55 PUSH EBP
0040F2B0: 6E OUTSB
0040F2B1: 7769 JNBE 40F31C
0040F2B3: 6E OUTSB
0040F2B4: 64000D02486561 ADD FS:[61654802], CL
0040F2BB: 7052 JO 40F30F
0040F2BD: 6541 INC ECX
0040F2BF: 6C INSB
0040F2C0: 6C INSB
0040F2C1: 6F OUTSD
0040F2C2: 6300 ARPL EAX, [EAX]
0040F2C4: 6B0356 IMUL EAX, [EBX], 56
0040F2C7: 69727475616C41 IMUL ESI, [EDX+74], 416C6175
0040F2CE: 6C INSB
0040F2CF: 6C INSB
0040F2D0: 6F OUTSD
0040F2D1: 6300 ARPL EAX, [EAX]
0040F2D3: 3A01 CMP AL, [ECX]
0040F2D5: 47 INC EDI
0040F2D6: 657443 JZ 40F31C
0040F2D9: 7572 JNZ 40F34D
0040F2DB: 7265 JB 40F342
0040F2DD: 6E OUTSB
0040F2DE: 7444 JZ 40F324
0040F2E0: 69726563746F72 IMUL ESI, [EDX+65], 726F7463
0040F2E7: 7941 JNS 40F32A
0040F2E9: 00AD01476574 ADD [EBP+74654701], CH
0040F2EF: 53 PUSH EBX
0040F2F0: 7461 JZ 40F353
0040F2F2: 7274 JB 40F368
0040F2F4: 7570 JNZ 40F366
0040F2F6: 49 DEC ECX
0040F2F7: 6E OUTSB
0040F2F8: 666F OUTSW
0040F2FA: 41 INC ECX
0040F2FB: 006300 ADD [EBX], AH
0040F2FE: 43 INC EBX
0040F2FF: 7265 JB 40F366
0040F301: 61 POPAD
0040F302: 7465 JZ 40F369
0040F304: 50 PUSH EAX
0040F305: 726F JB 40F376
0040F307: 636573 ARPL ESP, [EBP+73]
0040F30A: 7341 JNB 40F34D
0040F30C: 000E ADD [ESI], CL
0040F30E: 014765 ADD [EDI+65], EAX
0040F311: 7443 JZ 40F356
0040F313: 6F OUTSD
0040F314: 6D INSD
0040F315: 7075 JO 40F38C
0040F317: 7465 JZ 40F37E
0040F319: 724E JB 40F369
0040F31B: 61 POPAD
0040F31C: 6D INSD
0040F31D: 6541 INC ECX
0040F31F: 00DC ADD AH, BL
0040F321: 014765 ADD [EDI+65], EAX
0040F324: 7456 JZ 40F37C
0040F326: 657273 JB 40F39C
0040F329: 696F6E45784100 IMUL EBP, [EDI+6E], 00417845
0040F330: B301 MOV BL, 01
0040F332: 47 INC EDI
0040F333: 657453 JZ 40F389
0040F336: 7472 JZ 40F3AA
0040F338: 696E6754797065 IMUL EBP, [ESI+67], 65707954
0040F33F: 57 PUSH EDI
0040F340: 00AD036C7374 ADD [EBP+74736C03], CH
0040F346: 7263 JB 40F3AB
0040F348: 7079 JO 40F3C3
0040F34A: 0003 ADD [EBX], AL
0040F34C: 024865 ADD CL, [EAX+65]
0040F34F: 61 POPAD
0040F350: 7041 JO 40F393
0040F352: 6C INSB
0040F353: 6C INSB
0040F354: 6F OUTSD
0040F355: 6300 ARPL EAX, [EAX]
0040F357: FE00 INC BYTE PTR [EAX]
0040F359: 47 INC EDI
0040F35A: 657443 JZ 40F3A0
0040F35D: 50 PUSH EAX
0040F35E: 49 DEC ECX
0040F35F: 6E OUTSB
0040F360: 666F OUTSW
0040F362: 008B01476574 ADD [EBX+74654701], CL
0040F368: 4F DEC EDI
0040F369: 45 INC EBP
0040F36A: 4D DEC EBP
0040F36B: 43 INC EBX
0040F36C: 50 PUSH EAX
0040F36D: 00F7 ADD BH, DH
0040F36F: 004765 ADD [EDI+65], AL
0040F372: 7441 JZ 40F3B5
0040F374: 43 INC EBX
0040F375: 50 PUSH EAX
0040F376: 004202 ADD [EDX+02], AL
0040F379: 4C DEC ESP
0040F37A: 6F OUTSD
0040F37B: 61 POPAD
0040F37C: 644C DEC ESP
0040F37E: 69627261727941 IMUL ESP, [EDX+72], 41797261
0040F385: 00B901476574 ADD [ECX+74654701], BH
0040F38B: 53 PUSH EBX
0040F38C: 7973 JNS 40F401
0040F38E: 7465 JZ 40F3F5
0040F390: 6D INSD
0040F391: 49 DEC ECX
0040F392: 6E OUTSB
0040F393: 666F OUTSW
0040F395: 0009 ADD [ECX], CL
0040F397: 024865 ADD CL, [EAX+65]
0040F39A: 61 POPAD
0040F39B: 7046 JO 40F3E3
0040F39D: 7265 JB 40F404
0040F39F: 65006E03 ADD GS:[ESI+03], CH
0040F3A3: 56 PUSH ESI
0040F3A4: 69727475616C46 IMUL ESI, [EDX+74], 466C6175
0040F3AB: 7265 JB 40F412
0040F3AD: 65000502486561 ADD GS:[61654802], AL
0040F3B4: 7043 JO 40F3F9
0040F3B6: 7265 JB 40F41D
0040F3B8: 61 POPAD
0040F3B9: 7465 JZ 40F420
0040F3BB: 0007 ADD [EDI], AL
0040F3BD: 024865 ADD CL, [EAX+65]
0040F3C0: 61 POPAD
0040F3C1: 7044 JO 40F407
0040F3C3: 657374 JNB 40F43A
0040F3C6: 726F JB 40F437
0040F3C8: 7900 JNS 40F3CA
0040F3CA: 5F POP EDI
0040F3CB: 014765 ADD [EDI+65], EAX
0040F3CE: 7446 JZ 40F416
0040F3D0: 696C655479706500 IMUL EBP, [EBP+*2]
0040F3D8: 55 PUSH EBP
0040F3D9: 024C6F63 ADD CL, [EDI+EBP*2+63]
0040F3DD: 6B526573 IMUL EDX, [EDX+65], 73
0040F3E1: 6F OUTSD
0040F3E2: 7572 JNZ 40F456
0040F3E4: 636500 ARPL ESP, [EBP]
0040F3E7: 50 PUSH EAX
0040F3E8: 014765 ADD [EDI+65], EAX
0040F3EB: 7445 JZ 40F432
0040F3ED: 6E OUTSB
0040F3EE: 7669 JBE 40F459
0040F3F0: 726F JB 40F461
0040F3F2: 6E OUTSB
0040F3F3: 6D INSD
0040F3F4: 656E OUTSB
0040F3F6: 7453 JZ 40F44B
0040F3F8: 7472 JZ 40F46C
0040F3FA: 696E677357007F IMUL EBP, [ESI+67], 7F005773
0040F401: 035769 ADD EDX, [EDI+69]
0040F404: 646543 INC EBX
0040F407: 686172546F PUSH 6F547261
0040F40C: 4D DEC EBP
0040F40D: 756C JNZ 40F47B
0040F40F: 7469 JZ 40F47A
0040F411: 42 INC EDX
0040F412: 7974 JNS 40F488
0040F414: 6500F0 ADD AL, DH
0040F417: 004672 ADD [ESI+72], AL
0040F41A: 656545 INC EBP
0040F41D: 6E OUTSB
0040F41E: 7669 JBE 40F489
0040F420: 726F JB 40F491
0040F422: 6E OUTSB
0040F423: 6D INSD
0040F424: 656E OUTSB
0040F426: 7453 JZ 40F47B
0040F428: 7472 JZ 40F49C
0040F42A: 696E6773570098 IMUL EBP, [ESI+67], 98005773
0040F431: 014765 ADD [EDI+65], EAX
0040F434: 7450 JZ 40F486
0040F436: 726F JB 40F4A7
0040F438: 634164 ARPL EAX, [ECX+64]
0040F43B: 647265 JB 40F4A3
0040F43E: 7373 JNB 40F4B3
0040F440: 004703 ADD [EDI+03], AL
0040F443: 54 PUSH ESP
0040F444: 65726D JB 40F4B4
0040F447: 696E6174655072 IMUL EBP, [ESI+61], 72506574
0040F44E: 6F OUTSD
0040F44F: 636573 ARPL ESP, [EBP+73]
0040F452: 7300 JNB 40F454
0040F454: 3C01 CMP AL, 01
0040F456: 47 INC EDI
0040F457: 657443 JZ 40F49D
0040F45A: 7572 JNZ 40F4CE
0040F45C: 7265 JB 40F4C3
0040F45E: 6E OUTSB
0040F45F: 7450 JZ 40F4B1
0040F461: 726F JB 40F4D2
0040F463: 636573 ARPL ESP, [EBP+73]
0040F466: 7300 JNB 40F468
0040F468: 8C03 MOV [EBX], ES
0040F46A: 57 PUSH EDI
0040F46B: 7269 JB 40F4D6
0040F46D: 7465 JZ 40F4D4
0040F46F: 46 INC ESI
0040F470: 696C6500AF014765 IMUL EBP, [EBP+*2]
0040F478: 7453 JZ 40F4CD
0040F47A: 7464 JZ 40F4E0
0040F47C: 48 DEC EAX
0040F47D: 61 POPAD
0040F47E: 6E OUTSB
0040F47F: 646C INSB
0040F481: 65005803 ADD GS:[EAX+03], BL
0040F485: 55 PUSH EBP
0040F486: 6E OUTSB
0040F487: 68616E646C PUSH 6C646E61
0040F48C: 656445 INC EBP
0040F48F: 7863 JS 40F4F4
0040F491: 657074 JO 40F508
0040F494: 696F6E46696C74 IMUL EBP, [EDI+6E], 746C6946
0040F49B: 657200 JB 40F49E
0040F49E: EF OUT DX, EAX
0040F49F: 004672 ADD [ESI+72], AL
0040F4A2: 656545 INC EBP
0040F4A5: 6E OUTSB
0040F4A6: 7669 JBE 40F511
0040F4A8: 726F JB 40F519
0040F4AA: 6E OUTSB
0040F4AB: 6D INSD
0040F4AC: 656E OUTSB
0040F4AE: 7453 JZ 40F503
0040F4B0: 7472 JZ 40F524
0040F4B2: 696E677341004E IMUL EBP, [ESI+67], 4E004173
0040F4B9: 014765 ADD [EDI+65], EAX
0040F4BC: 7445 JZ 40F503
0040F4BE: 6E OUTSB
0040F4BF: 7669 JBE 40F52A
0040F4C1: 726F JB 40F532
0040F4C3: 6E OUTSB
0040F4C4: 6D INSD
0040F4C5: 656E OUTSB
0040F4C7: 7453 JZ 40F51C
0040F4C9: 7472 JZ 40F53D
0040F4CB: 696E6773005348 IMUL EBP, [ESI+67], 48530073
0040F4D2: 45 INC EBP
0040F4D3: 4C DEC ESP
0040F4D4: 4C DEC ESP
0040F4D5: 3332 XOR ESI, [EDX]
0040F4D7: 2E646C INSB
0040F4DA: 6C INSB
0040F4DB: 006701 ADD [EDI+01], AH
0040F4DE: 53 PUSH EBX
0040F4DF: 68656C6C45 PUSH 456C6C65
0040F4E4: 7865 JS 40F54B
0040F4E6: 637574 ARPL ESI, [EBP+74]
0040F4E9: 6541 INC ECX
0040F4EB: 005553 ADD [EBP+53], DL
0040F4EE: 45 INC EBP
0040F4EF: 52 PUSH EDX
0040F4F0: 3332 XOR ESI, [EDX]
0040F4F2: 2E646C INSB
0040F4F5: 6C INSB
0040F4F6: 0013 ADD [EBX], DL
0040F4F8: 014765 ADD [EDI+65], EAX
0040F4FB: 7444 JZ 40F541
0040F4FD: 6C INSB
0040F4FE: 6749 DEC ECX
0040F500: 7465 JZ 40F567
0040F502: 6D INSD
0040F503: 49 DEC ECX
0040F504: 6E OUTSB
0040F505: 7400 JZ 40F507
0040F507: 53 PUSH EBX
0040F508: 025365 ADD DL, [EBX+65]
0040F50B: 7444 JZ 40F551
0040F50D: 6C INSB
0040F50E: 6749 DEC ECX
0040F510: 7465 JZ 40F577
0040F512: 6D INSD
0040F513: 49 DEC ECX
0040F514: 6E OUTSB
0040F515: 7400 JZ 40F517
0040F517: DD01 FLD REAL8 PTR [ECX]
0040F519: 4D DEC EBP
0040F51A: 657373 JNB 40F590
0040F51D: 61 POPAD
0040F51E: 676542 INC EDX
0040F521: 6F OUTSD
0040F522: 7841 JS 40F565
0040F524: 009F00446961 ADD [EDI+61694400], BL
0040F52A: 6C INSB
0040F52B: 6F OUTSD
0040F52C: 6742 INC EDX
0040F52E: 6F OUTSD
0040F52F: 7850 JS 40F581
0040F531: 61 POPAD
0040F532: 7261 JB 40F595
0040F534: 6D INSD
0040F535: 41 INC ECX
0040F536: 0037 ADD [EDI], DH
0040F538: 025365 ADD DL, [EBX+65]
0040F53B: 6E OUTSB
0040F53C: 6444 INC ESP
0040F53E: 6C INSB
0040F53F: 6749 DEC ECX
0040F541: 7465 JZ 40F5A8
0040F543: 6D INSD
0040F544: 4D DEC EBP
0040F545: 657373 JNB 40F5BB
0040F548: 61 POPAD
0040F549: 676541 INC ECX
0040F54C: 00AC0149735769 ADD [ECX+EAX+69577349], CH
0040F553: 6E OUTSB
0040F554: 646F OUTSD
0040F556: 7700 JNBE 40F558
0040F558: 3C02 CMP AL, 02
0040F55A: 53 PUSH EBX
0040F55B: 656E OUTSB
0040F55D: 644D DEC EBP
0040F55F: 657373 JNB 40F5D5
0040F562: 61 POPAD
0040F563: 676541 INC ECX
0040F566: 0012 ADD [EDX], DL
0040F568: 014765 ADD [EDI+65], EAX
0040F56B: 7444 JZ 40F5B1
0040F56D: 6C INSB
0040F56E: 6749 DEC ECX
0040F570: 7465 JZ 40F5D7
0040F572: 6D INSD
0040F573: 003C00 ADD [EAX+EAX], BH
0040F576: 43 INC EBX
0040F577: 6865636B52 PUSH 526B6365
0040F57C: 61 POPAD
0040F57D: 64696F427574746F IMUL EBP, FS:[EDI+42], 6F747475
0040F585: 6E OUTSB
0040F586: 0039 ADD [ECX], BH
0040F588: 004368 ADD [EBX+68], AL
0040F58B: 65636B44 ARPL EBP, GS:[EBX+44]
0040F58F: 6C INSB
0040F590: 6742 INC EDX
0040F592: 7574 JNZ 40F608
0040F594: 746F JZ 40F605
0040F596: 6E OUTSB
0040F597: 00D9 ADD CL, BL
0040F599: 027773 ADD DH, [EDI+73]
0040F59C: 7072 JO 40F610
0040F59E: 696E7466410000 IMUL EBP, [ESI+74], 00004166
0040F5A5: 02506F ADD DL, [EAX+6F]
0040F5A8: 7374 JNB 40F61E
0040F5AA: 4D DEC EBP
0040F5AB: 657373 JNB 40F621
0040F5AE: 61 POPAD
0040F5AF: 676541 INC ECX
0040F5B2: 00540253 ADD [EDX+EAX+53], DL
0040F5B6: 657444 JZ 40F5FD
0040F5B9: 6C INSB
0040F5BA: 6749 DEC ECX
0040F5BC: 7465 JZ 40F623
0040F5BE: 6D INSD
0040F5BF: 54 PUSH ESP
0040F5C0: 657874 JS 40F637
0040F5C3: 41 INC ECX
0040F5C4: 00C7 ADD BH, AL
0040F5C6: 00456E ADD [EBP+6E], AL
0040F5C9: 6444 INC ESP
0040F5CB: 69616C6F6700A4 IMUL ESP, [ECX+6C], A400676F
0040F5D2: 014973 ADD [ECX+73], ECX
0040F5D5: 44 INC ESP
0040F5D6: 6C INSB
0040F5D7: 6742 INC EDX
0040F5D9: 7574 JNZ 40F64F
0040F5DB: 746F JZ 40F64C
0040F5DD: 6E OUTSB
0040F5DE: 43 INC EBX
0040F5DF: 6865636B65 PUSH 656B6365
0040F5E4: 6400BC014C6F6164 ADD FS:[ECX+EAX+64616F4C], BH
0040F5EC: 49 DEC ECX
0040F5ED: 636F6E ARPL EBP, [EDI+6E]
0040F5F0: 41 INC ECX
0040F5F1: 00C5 ADD CH, AL
0040F5F3: 00456E ADD [EBP+6E], AL
0040F5F6: 61 POPAD
0040F5F7: 626C6557 BOUND EBP, [EBP+*2]
0040F5FB: 696E646F770057 IMUL EBP, [ESI+64], 5700776F
0040F602: 53 PUSH EBX
0040F603: 325F33 XOR BL, [EDI+33]
0040F606: 322E XOR CH, [ESI]
0040F608: 646C INSB
0040F60A: 6C INSB
0040F60B: 001400 ADD [EAX+EAX], DL
0040F60E: 7365 JNB 40F675
0040F610: 6E OUTSB
0040F611: 64746F JZ 40F683
0040F614: 00740057 ADD [EAX+EAX+57], DH
0040F618: 53 PUSH EBX
0040F619: 41 INC ECX
0040F61A: 43 INC EBX
0040F61B: 6C INSB
0040F61C: 6561 POPAD
0040F61E: 6E OUTSB
0040F61F: 7570 JNZ 40F691
0040F621: 0003 ADD [EBX], AL
0040F623: 00636C ADD [EBX+6C], AH
0040F626: 6F OUTSD
0040F627: 7365 JNB 40F68E
0040F629: 736F JNB 40F69A
0040F62B: 636B65 ARPL EBP, [EBX+65]
0040F62E: 7400 JZ 40F630
0040F630: 0B00 OR EAX, [EAX]
0040F632: 696E65745F6164 IMUL EBP, [ESI+65], 64615F74
0040F639: 647200 JB 40F63C
0040F63C: 0C00 OR AL, 00
0040F63E: 696E65745F6E74 IMUL EBP, [ESI+65], 746E5F74
0040F645: 6F OUTSD
0040F646: 61 POPAD
0040F647: 0002 ADD [EDX], AL
0040F649: 006269 ADD [EDX+69], AH
0040F64C: 6E OUTSB
0040F64D: 640009 ADD FS:[ECX], CL
0040F650: 006874 ADD [EAX+74], CH
0040F653: 6F OUTSD
0040F654: 6E OUTSB
0040F655: 7300 JNB 40F657
0040F657: 65005753 ADD GS:[EDI+53], DL
0040F65B: 41 INC ECX
0040F65C: 41 INC ECX
0040F65D: 7379 JNB 40F6D8
0040F65F: 6E OUTSB
0040F660: 635365 ARPL EDX, [EBX+65]
0040F663: 6C INSB
0040F664: 6563740017 ARPL ESI, GS:[EAX+EAX+17]
0040F669: 00736F ADD [EBX+6F], DH
0040F66C: 636B65 ARPL EBP, [EBX+65]
0040F66F: 7400 JZ 40F671
0040F671: 7300 JNB 40F673
0040F673: 57 PUSH EDI
0040F674: 53 PUSH EBX
0040F675: 41 INC ECX
0040F676: 53 PUSH EBX
0040F677: 7461 JZ 40F6DA
0040F679: 7274 JB 40F6EF
0040F67B: 7570 JNZ 40F6ED
0040F67D: 0010 ADD [EAX], DL
0040F67F: 007265 ADD [EDX+65], DH
0040F682: 637600 ARPL ESI, [ESI]
0040F685: 3400 XOR AL, 00
0040F687: 67657468 JZ 40F6F3
0040F68B: 6F OUTSD
0040F68C: 7374 JNB 40F702
0040F68E: 62796E BOUND EDI, [ECX+6E]
0040F691: 61 POPAD
0040F692: 6D INSD
0040F693: 650000 ADD GS:[EAX], AL
0040F696: 0000 ADD [EAX], AL
First bytes:
00403DD7: 6A60 PUSH 00000060
00403DD9: 6848854000 PUSH 00408548
00403DDE: E8810D0000 CALL 00404B64
00403DE3: BF94000000 MOV EDI, 00000094
00403DE8: 8BC7 MOV EAX, EDI
00403DEA: E8D10E0000 CALL 00404CC0
00403DEF: 8965E8 MOV [EBP-18], ESP
00403DF2: 8BF4 MOV ESI, ESP
00403DF4: 893E MOV [ESI], EDI
00403DF6: 56 PUSH ESI
00403DF7: FF15A0804000 CALL [004080A0] ; GetVersionExA
00403DFD: 8B4E10 MOV ECX, [ESI+10]
00403E00: 890DBCA34000 MOV [0040A3BC], ECX
00403E06: 8B4604 MOV EAX, [ESI+04]
00403E09: A3C8A34000 MOV [40A3C8], EAX
00403E0E: 8B5608 MOV EDX, [ESI+08]
00403E11: 8915CCA34000 MOV [0040A3CC], EDX
00403E17: 8B760C MOV ESI, [ESI+0C]
00403E1A: 81E6FF7F0000 AND ESI, 00007FFF
00403E20: 8935C0A34000 MOV [0040A3C0], ESI
00403E26: 83F902 CMP ECX, 00000002
00403E29: 740C JZ 403E37
00403E2B: 81CE00800000 OR ESI, 00008000
00403E31: 8935C0A34000 MOV [0040A3C0], ESI
00403E37: C1E008 SHL EAX, 08
00403E3A: 03C2 ADD EAX, EDX
00403E3C: A3C4A34000 MOV [40A3C4], EAX
00403E41: 33F6 XOR ESI, ESI
00403E43: 56 PUSH ESI
00403E44: 8B3D3C804000 MOV EDI, [0040803C]
00403E4A: FFD7 CALL EDI
00403E4C: 6681384D5A CMP WORD PTR [EAX], 5A4D
00403E51: 751F JNZ 403E72
00403E53: 8B483C MOV ECX, [EAX+3C]
00403E56: 03C8 ADD ECX, EAX
00403E58: 813950450000 CMP [ECX], 00004550
00403E5E: 7512 JNZ 403E72
00403E60: 0FB74118 MOVZX EAX, WORD PTR [ECX+18]
00403E64: 3D0B010000 CMP EAX, 0000010B
00403E69: 741F JZ 403E8A
00403E6B: 3D0B020000 CMP EAX, 0000020B
00403E70: 7405 JZ 403E77
00403E72: 8975E4 MOV [EBP-1C], ESI
00403E75: EB27 JMP 403E9E
00403E77: 83B9840000000E CMP [ECX+00000084], 0000000E
00403E7E: 76F2 JBE 403E72
00403E80: 33C0 XOR EAX, EAX
00403E82: 39B1F8000000 CMP [ECX+000000F8], ESI
00403E88: EB0E JMP 403E98
00403E8A: 8379740E CMP [ECX+74], 0000000E
00403E8E: 76E2 JBE 403E72
00403E90: 33C0 XOR EAX, EAX
00403E92: 39B1E8000000 CMP [ECX+000000E8], ESI
00403E98: 0F95C0 SETNZ AL
00403E9B: 8945E4 MOV [EBP-1C], EAX
00403E9E: 56 PUSH ESI
00403E9F: E86C0C0000 CALL 00404B10
00403EA4: 59 POP ECX
00403EA5: 85C0 TEST EAX, EAX
00403EA7: 7521 JNZ 403ECA
00403EA9: 833DACA3400001 CMP [0040A3AC], 00000001
00403EB0: 7505 JNZ 403EB7
00403EB2: E80E040000 CALL 004042C5
00403EB7: 6A1C PUSH 0000001C
00403EB9: E890020000 CALL 0040414E
00403EBE: 68FF000000 PUSH 000000FF
00403EC3: E8EB000000 CALL 00403FB3
00403EC8: 59 POP ECX
00403EC9: 59 POP ECX
00403ECA: E89F0B0000 CALL 00404A6E
00403ECF: 8975FC MOV [EBP-04], ESI
00403ED2: E8EC090000 CALL 004048C3
00403ED7: 85C0 TEST EAX, EAX
00403ED9: 7D08 JNL 403EE3
00403EDB: 6A1B PUSH 0000001B
00403EDD: E8D0FEFFFF CALL 00403DB2
00403EE2: 59 POP ECX
00403EE3: FF1540804000 CALL [00408040] ; GetCommandLineA
00403EE9: A334B54000 MOV [40B534], EAX
00403EEE: E8AE080000 CALL 004047A1
00403EF3: A3A4A34000 MOV [40A3A4], EAX
00403EF8: E802080000 CALL 004046FF
00403EFD: 85C0 TEST EAX, EAX
00403EFF: 7D08 JNL 403F09
00403F01: 6A08 PUSH 00000008
00403F03: E8AAFEFFFF CALL 00403DB2
00403F08: 59 POP ECX
00403F09: E8BE050000 CALL 004044CC
00403F0E: 85C0 TEST EAX, EAX
00403F10: 7D08 JNL 403F1A
00403F12: 6A09 PUSH 00000009
00403F14: E899FEFFFF CALL 00403DB2
00403F19: 59 POP ECX
00403F1A: 6A01 PUSH 00000001
00403F1C: E8C2000000 CALL 00403FE3
00403F21: 59 POP ECX
00403F22: 8945D8 MOV [EBP-28], EAX
00403F25: 3BC6 CMP EAX, ESI
00403F27: 7407 JZ 403F30
00403F29: 50 PUSH EAX
00403F2A: E883FEFFFF CALL 00403DB2
00403F2F: 59 POP ECX
00403F30: 8975BC MOV [EBP-44], ESI
00403F33: 8D4590 LEA EAX, [EBP-70]
00403F36: 50 PUSH EAX
00403F37: FF1594804000 CALL [00408094] ; GetStartupInfoA
00403F3D: E82D050000 CALL 0040446F
00403F42: 8945E0 MOV [EBP-20], EAX
00403F45: F645BC01 TEST BYTE PTR [EBP-44], 01
00403F49: 7406 JZ 403F51
00403F4B: 0FB745C0 MOVZX EAX, WORD PTR [EBP-40]
00403F4F: EB03 JMP 403F54
00403F51: 6A0A PUSH 0000000A
00403F53: 58 POP EAX
00403F54: 50 PUSH EAX
00403F55: FF75E0 PUSH [EBP-20]
00403F58: 56 PUSH ESI
00403F59: 56 PUSH ESI
00403F5A: FFD7 CALL EDI
00403F5C: 50 PUSH EAX
00403F5D: E89EF3FFFF CALL 00403300
00403F62: 8BF8 MOV EDI, EAX
00403F64: 897DD4 MOV [EBP-2C], EDI
00403F67: 3975E4 CMP [EBP-1C], ESI
00403F6A: 7506 JNZ 403F72
00403F6C: 57 PUSH EDI
00403F6D: E89C010000 CALL 0040410E
00403F72: E8B9010000 CALL 00404130
00403F77: EB2B JMP 403FA4
00403F79: 8B45EC MOV EAX, [EBP-14]
00403F7C: 8B08 MOV ECX, [EAX]
00403F7E: 8B09 MOV ECX, [ECX]
00403F80: 894DDC MOV [EBP-24], ECX
00403F83: 50 PUSH EAX
00403F84: 51 PUSH ECX
00403F85: E874030000 CALL 004042FE
00403F8A: 59 POP ECX
00403F8B: 59 POP ECX
00403F8C: C3 RET
00403F8D: 8B65E8 MOV ESP, [EBP-18]
00403F90: 8B7DDC MOV EDI, [EBP-24]
00403F93: 837DE400 CMP [EBP-1C], 00000000
00403F97: 7506 JNZ 403F9F
00403F99: 57 PUSH EDI
00403F9A: E880010000 CALL 0040411F
00403F9F: E89B010000 CALL 0040413F
00403FA4: 834DFCFF OR [EBP-04], FFFFFFFF
00403FA8: 8BC7 MOV EAX, EDI
00403FAA: 8D6584 LEA ESP, [EBP-7C]
00403FAD: E8ED0B0000 CALL 00404B9F
00403FB2: C3 RET
00403FB3: 6864854000 PUSH 00408564 -> mscoree.dll
00403FB8: FF153C804000 CALL [0040803C] ; GetModuleHandleA
00403FBE: 85C0 TEST EAX, EAX
00403FC0: 7416 JZ 403FD8
00403FC2: 6854854000 PUSH 00408554 -> CorExitProcess
00403FC7: 50 PUSH EAX
00403FC8: FF15E8804000 CALL [004080E8] ; GetProcAddress
00403FCE: 85C0 TEST EAX, EAX
00403FD0: 7406 JZ 403FD8
00403FD2: FF742404 PUSH [ESP+04]
00403FD6: FFD0 CALL EAX
00403FD8: FF742404 PUSH [ESP+04]
00403FDC: FF1538804000 CALL [00408038] ; ExitProcess
00403FE2: CC INT 3
00403FE3: A130B54000 MOV EAX, [40B530]
00403FE8: 85C0 TEST EAX, EAX
00403FEA: 7407 JZ 403FF3
00403FEC: FF742404 PUSH [ESP+04]
00403FF0: FFD0 CALL EAX
00403FF2: 59 POP ECX
00403FF3: 56 PUSH ESI
00403FF4: 57 PUSH EDI
00403FF5: B90CA04000 MOV ECX, 0040A00C
00403FFA: BF18A04000 MOV EDI, 0040A018
00403FFF: 33C0 XOR EAX, EAX
00404001: 3BCF CMP ECX, EDI
00404003: 8BF1 MOV ESI, ECX
00404005: 7317 JNB 40401E
00404007: 85C0 TEST EAX, EAX
00404009: 753F JNZ 40404A
0040400B: 8B0E MOV ECX, [ESI]
0040400D: 85C9 TEST ECX, ECX
0040400F: 7402 JZ 404013
00404011: FFD1 CALL ECX
00404013: 83C604 ADD ESI, 00000004
00404016: 3BF7 CMP ESI, EDI
00404018: 72ED JB 404007
0040401A: 85C0 TEST EAX, EAX
0040401C: 752C JNZ 40404A
0040401E: 68B24A4000 PUSH 00404AB2
00404023: E8570D0000 CALL 00404D7F
00404028: BE00A04000 MOV ESI, 0040A000
0040402D: 8BC6 MOV EAX, ESI
0040402F: BF08A04000 MOV EDI, 0040A008
00404034: 3BC7 CMP EAX, EDI
00404036: 59 POP ECX
00404037: 730F JNB 404048
00404039: 8B06 MOV EAX, [ESI]
0040403B: 85C0 TEST EAX, EAX
0040403D: 7402 JZ 404041
0040403F: FFD0 CALL EAX
00404041: 83C604 ADD ESI, 00000004
00404044: 3BF7 CMP ESI, EDI
00404046: 72F1 JB 404039
00404048: 33C0 XOR EAX, EAX
0040404A: 5F POP EDI
0040404B: 5E POP ESI
0040404C: C3 RET
0040404D: 55 PUSH EBP
0040404E: 8BEC MOV EBP, ESP
00404050: 56 PUSH ESI
00404051: 33F6 XOR ESI, ESI
00404053: 46 INC ESI
00404054: 3935FCA34000 CMP [0040A3FC], ESI
0040405A: 57 PUSH EDI
0040405B: 7510 JNZ 40406D
0040405D: FF7508 PUSH [EBP+08]
00404060: FF15F0804000 CALL [004080F0] ; GetCurrentProcess
00404066: 50 PUSH EAX
00404067: FF15EC804000 CALL [004080EC] ; TerminateProcess
0040406D: 837D0C00 CMP [EBP+0C], 00000000
00404071: 8A4510 MOV AL, [EBP+10]
00404074: 8935F8A34000 MOV [0040A3F8], ESI
0040407A: A2F4A34000 MOV [40A3F4], AL
0040407F: 7552 JNZ 4040D3
00404081: 8B0D28B54000 MOV ECX, [0040B528]
00404087: 85C9 TEST ECX, ECX
00404089: 7429 JZ 4040B4
0040408B: A124B54000 MOV EAX, [40B524]
00404090: 83E804 SUB EAX, 00000004
00404093: 3BC1 CMP EAX, ECX
00404095: EB16 JMP 4040AD
00404097: 8B00 MOV EAX, [EAX]
00404099: 85C0 TEST EAX, EAX
0040409B: 7402 JZ 40409F
0040409D: FFD0 CALL EAX
0040409F: A124B54000 MOV EAX, [40B524]
004040A4: 83E804 SUB EAX, 00000004
004040A7: 3B0528B54000 CMP EAX, [0040B528]
004040AD: A324B54000 MOV [40B524], EAX
004040B2: 73E3 JNB 404097
004040B4: B81CA04000 MOV EAX, 0040A01C
004040B9: BE20A04000 MOV ESI, 0040A020
004040BE: 3BC6 CMP EAX, ESI
004040C0: 8BF8 MOV EDI, EAX
004040C2: 730F JNB 4040D3
004040C4: 8B07 MOV EAX, [EDI]
004040C6: 85C0 TEST EAX, EAX
004040C8: 7402 JZ 4040CC
004040CA: FFD0 CALL EAX
004040CC: 83C704 ADD EDI, 00000004
004040CF: 3BFE CMP EDI, ESI
004040D1: 72F1 JB 4040C4
004040D3: B824A04000 MOV EAX, 0040A024
004040D8: BE28A04000 MOV ESI, 0040A028
004040DD: 3BC6 CMP EAX, ESI
004040DF: 8BF8 MOV EDI, EAX
004040E1: 730F JNB 4040F2
004040E3: 8B07 MOV EAX, [EDI]
004040E5: 85C0 TEST EAX, EAX
004040E7: 7402 JZ 4040EB
004040E9: FFD0 CALL EAX
004040EB: 83C704 ADD EDI, 00000004
004040EE: 3BFE CMP EDI, ESI
004040F0: 72F1 JB 4040E3
004040F2: 837D1000 CMP [EBP+10], 00000000
004040F6: 5F POP EDI
004040F7: 5E POP ESI
004040F8: 7512 JNZ 40410C
004040FA: FF7508 PUSH [EBP+08]
004040FD: C705FCA3400001000000 MOV [0040A3FC], 00000001
00404107: E8A7FEFFFF CALL 00403FB3
0040410C: 5D POP EBP
0040410D: C3 RET
0040410E: 6A00 PUSH 00000000
00404110: 6A00 PUSH 00000000
00404112: FF74240C PUSH [ESP+0C]
00404116: E832FFFFFF CALL 0040404D
0040411B: 83C40C ADD ESP, 0000000C
0040411E: C3 RET
0040411F: 6A00 PUSH 00000000
00404121: 6A01 PUSH 00000001
00404123: FF74240C PUSH [ESP+0C]
00404127: E821FFFFFF CALL 0040404D
0040412C: 83C40C ADD ESP, 0000000C
0040412F: C3 RET
00404130: 6A01 PUSH 00000001
00404132: 6A00 PUSH 00000000
00404134: 6A00 PUSH 00000000
00404136: E812FFFFFF CALL 0040404D
0040413B: 83C40C ADD ESP, 0000000C
0040413E: C3 RET
0040413F: 6A01 PUSH 00000001
00404141: 6A01 PUSH 00000001
00404143: 6A00 PUSH 00000000
00404145: E803FFFFFF CALL 0040404D
0040414A: 83C40C ADD ESP, 0000000C
0040414D: C3 RET
0040414E: 55 PUSH EBP
0040414F: 8DAC2474FFFFFF LEA EBP, [ESP-0000008C]
00404156: 81EC0C010000 SUB ESP, 0000010C
0040415C: A170A24000 MOV EAX, [40A270]
00404161: 8B8D94000000 MOV ECX, [EBP+00000094]
00404167: 53 PUSH EBX
00404168: 56 PUSH ESI
00404169: 898588000000 MOV [EBP+00000088], EAX
0040416F: 33D2 XOR EDX, EDX
00404171: 57 PUSH EDI
00404172: 33C0 XOR EAX, EAX
00404174: 3B0CC540A14000 CMP ECX, [EAX*8+0040A140]
0040417B: 7406 JZ 404183
0040417D: 40 INC EAX
0040417E: 83F813 CMP EAX, 00000013
00404181: 72F1 JB 404174
00404183: 8BF0 MOV ESI, EAX
00404185: C1E603 SHL ESI, 03
00404188: 3B8E40A14000 CMP ECX, [ESI+0040A140]
0040418E: 0F8515010000 JNZ 004042A9
00404194: A1ACA34000 MOV EAX, [40A3AC]
00404199: 83F801 CMP EAX, 00000001
0040419C: 0F84DF000000 JZ 00404281
004041A2: 3BC2 CMP EAX, EDX
004041A4: 750D JNZ 4041B3
004041A6: 833D3CA1400001 CMP [0040A13C], 00000001
004041AD: 0F84CE000000 JZ 00404281
004041B3: 81F9FC000000 CMP ECX, 000000FC
004041B9: 0F84EA000000 JZ 004042A9
004041BF: 6804010000 PUSH 00000104
004041C4: 8D4580 LEA EAX, [EBP-80]
004041C7: 50 PUSH EAX
004041C8: 52 PUSH EDX
004041C9: 889584000000 MOV [EBP+00000084], DL
004041CF: FF152C804000 CALL [0040802C] ; GetModuleFileNameA
004041D5: 85C0 TEST EAX, EAX
004041D7: 7510 JNZ 4041E9
004041D9: 8D4580 LEA EAX, [EBP-80]
004041DC: 6864894000 PUSH 00408964 -> <program name unknown>
004041E1: 50 PUSH EAX
004041E2: E8D90C0000 CALL 00404EC0
004041E7: 59 POP ECX
004041E8: 59 POP ECX
004041E9: 8D7D80 LEA EDI, [EBP-80]
004041EC: 8BC7 MOV EAX, EDI
004041EE: 50 PUSH EAX
004041EF: E8FC0E0000 CALL 004050F0
004041F4: 40 INC EAX
004041F5: 83F83C CMP EAX, 0000003C
004041F8: 59 POP ECX
004041F9: 7622 JBE 40421D
004041FB: 8BC7 MOV EAX, EDI
004041FD: 50 PUSH EAX
004041FE: E8ED0E0000 CALL 004050F0
00404203: 8BF8 MOV EDI, EAX
00404205: 8D4580 LEA EAX, [EBP-80]
00404208: 83E83B SUB EAX, 0000003B
0040420B: 6A03 PUSH 00000003
0040420D: 03F8 ADD EDI, EAX
0040420F: 6860894000 PUSH 00408960
00404214: 57 PUSH EDI
00404215: E8A60D0000 CALL 00404FC0
0040421A: 83C410 ADD ESP, 00000010
0040421D: 57 PUSH EDI
0040421E: E8CD0E0000 CALL 004050F0
00404223: FFB644A14000 PUSH [ESI+0040A144]
00404229: 8BD8 MOV EBX, EAX
0040422B: E8C00E0000 CALL 004050F0
00404230: 8D44031C LEA EAX, [EBX+EAX+1C]
00404234: 59 POP ECX
00404235: 83C003 ADD EAX, 00000003
00404238: 59 POP ECX
00404239: 83E0FC AND EAX, FFFFFFFC
0040423C: E87F0A0000 CALL 00404CC0
00404241: 8BDC MOV EBX, ESP
00404243: 6844894000 PUSH 00408944 -> Runtime Error!\n\nProgram:
00404248: 53 PUSH EBX
00404249: E8720C0000 CALL 00404EC0
0040424E: 57 PUSH EDI
0040424F: 53 PUSH EBX
00404250: E87B0C0000 CALL 00404ED0
00404255: 6840894000 PUSH 00408940
0040425A: 53 PUSH EBX
0040425B: E8700C0000 CALL 00404ED0
00404260: FFB644A14000 PUSH [ESI+0040A144]
00404266: 53 PUSH EBX
00404267: E8640C0000 CALL 00404ED0
0040426C: 6810200100 PUSH 00012010
00404271: 6818894000 PUSH 00408918 -> Microsoft Visual C++ Runtime Library
00404276: 53 PUSH EBX
00404277: E83D0B0000 CALL 00404DB9
0040427C: 83C42C ADD ESP, 0000002C
0040427F: EB28 JMP 4042A9
00404281: 52 PUSH EDX
00404282: 8D8594000000 LEA EAX, [EBP+00000094]
00404288: 50 PUSH EAX
00404289: 8DB644A14000 LEA ESI, [ESI+0040A144]
0040428F: FF36 PUSH [ESI]
00404291: E85A0E0000 CALL 004050F0
00404296: 59 POP ECX
00404297: 50 PUSH EAX
00404298: FF36 PUSH [ESI]
0040429A: 6AF4 PUSH FFFFFFF4
0040429C: FF15F8804000 CALL [004080F8] ; GetStdHandle
004042A2: 50 PUSH EAX
004042A3: FF15F4804000 CALL [004080F4] ; WriteFile
004042A9: 8DA574FFFFFF LEA ESP, [EBP-0000008C]
004042AF: 8B8D88000000 MOV ECX, [EBP+00000088]
004042B5: E8F20E0000 CALL 004051AC
004042BA: 5F POP EDI
004042BB: 5E POP ESI
004042BC: 5B POP EBX
004042BD: 81C58C000000 ADD EBP, 0000008C
004042C3: C9 LEAVE
004042C4: C3 RET
004042C5: A1ACA34000 MOV EAX, [40A3AC]
004042CA: 83F801 CMP EAX, 00000001
004042CD: 740D JZ 4042DC
004042CF: 85C0 TEST EAX, EAX
004042D1: 752A JNZ 4042FD
004042D3: 833D3CA1400001 CMP [0040A13C], 00000001
004042DA: 7521 JNZ 4042FD
004042DC: 68FC000000 PUSH 000000FC
004042E1: E868FEFFFF CALL 0040414E
004042E6: A100A44000 MOV EAX, [40A400]
004042EB: 85C0 TEST EAX, EAX
004042ED: 59 POP ECX
004042EE: 7402 JZ 4042F2
004042F0: FFD0 CALL EAX
004042F2: 68FF000000 PUSH 000000FF
004042F7: E852FEFFFF CALL 0040414E
004042FC: 59 POP ECX
004042FD: C3 RET
004042FE: 55 PUSH EBP
004042FF: 8BEC MOV EBP, ESP
00404301: 8B5508 MOV EDX, [EBP+08]
00404304: A158A24000 MOV EAX, [40A258]
00404309: 53 PUSH EBX
0040430A: B9D8A14000 MOV ECX, 0040A1D8
0040430F: 56 PUSH ESI
00404310: 3911 CMP [ECX], EDX
00404312: 7411 JZ 404325
00404314: 8D3440 LEA ESI, [EAX+EAX*2]
00404317: 83C10C ADD ECX, 0000000C
0040431A: 8D34B5D8A14000 LEA ESI, [ESI*4+0040A1D8]
00404321: 3BCE CMP ECX, ESI
00404323: 72EB JB 404310
00404325: 8D0440 LEA EAX, [EAX+EAX*2]
00404328: 8D0485D8A14000 LEA EAX, [EAX*4+0040A1D8]
0040432F: 3BC8 CMP ECX, EAX
00404331: 7304 JNB 404337
00404333: 3911 CMP [ECX], EDX
00404335: 7402 JZ 404339
00404337: 33C9 XOR ECX, ECX
00404339: 85C9 TEST ECX, ECX
0040433B: 0F8421010000 JZ 00404462
00404341: 8B5908 MOV EBX, [ECX+08]
00404344: 85DB TEST EBX, EBX
00404346: 0F8416010000 JZ 00404462
0040434C: 83FB05 CMP EBX, 00000005
0040434F: 750C JNZ 40435D
00404351: 83610800 AND [ECX+08], 00000000
00404355: 33C0 XOR EAX, EAX
00404357: 40 INC EAX
00404358: E90E010000 JMP 0040446B
0040435D: 83FB01 CMP EBX, 00000001
00404360: 0F84F7000000 JZ 0040445D
00404366: A104A44000 MOV EAX, [40A404]
0040436B: 894508 MOV [EBP+08], EAX
0040436E: 8B450C MOV EAX, [EBP+0C]
00404371: A304A44000 MOV [40A404], EAX
00404376: 8B4104 MOV EAX, [ECX+04]
00404379: 83F808 CMP EAX, 00000008
0040437C: 0F85CB000000 JNZ 0040444D
00404382: A150A24000 MOV EAX, [40A250]
00404387: 8B1554A24000 MOV EDX, [0040A254]
0040438D: 03D0 ADD EDX, EAX
0040438F: 3BC2 CMP EAX, EDX
00404391: 7D15 JNL 4043A8
00404393: 8D3440 LEA ESI, [EAX+EAX*2]
00404396: 8D34B5E0A14000 LEA ESI, [ESI*4+0040A1E0]
0040439D: 2BD0 SUB EDX, EAX
0040439F: 832600 AND [ESI], 00000000
004043A2: 83C60C ADD ESI, 0000000C
004043A5: 4A DEC EDX
004043A6: 75F7 JNZ 40439F
004043A8: 8B09 MOV ECX, [ECX]
004043AA: 81F98E0000C0 CMP ECX, C000008E
004043B0: 8B355CA24000 MOV ESI, [0040A25C]
004043B6: 750C JNZ 4043C4
004043B8: C7055CA2400083000000 MOV [0040A25C], 00000083
004043C2: EB76 JMP 40443A
004043C4: 81F9900000C0 CMP ECX, C0000090
004043CA: 750C JNZ 4043D8
004043CC: C7055CA2400081000000 MOV [0040A25C], 00000081
004043D6: EB62 JMP 40443A
004043D8: 81F9910000C0 CMP ECX, C0000091
004043DE: 750C JNZ 4043EC
004043E0: C7055CA2400084000000 MOV [0040A25C], 00000084
004043EA: EB4E JMP 40443A
004043EC: 81F9930000C0 CMP ECX, C0000093
004043F2: 750C JNZ 404400
004043F4: C7055CA2400085000000 MOV [0040A25C], 00000085
004043FE: EB3A JMP 40443A
00404400: 81F98D0000C0 CMP ECX, C000008D
00404406: 750C JNZ 404414
00404408: C7055CA2400082000000 MOV [0040A25C], 00000082
00404412: EB26 JMP 40443A
00404414: 81F98F0000C0 CMP ECX, C000008F
0040441A: 750C JNZ 404428
0040441C: C7055CA2400086000000 MOV [0040A25C], 00000086
00404426: EB12 JMP 40443A
00404428: 81F9920000C0 CMP ECX, C0000092
0040442E: 750A JNZ 40443A
00404430: C7055CA240008A000000 MOV [0040A25C], 0000008A
0040443A: FF355CA24000 PUSH [0040A25C]
00404440: 6A08 PUSH 00000008
00404442: FFD3 CALL EBX
00404444: 59 POP ECX
00404445: 89355CA24000 MOV [0040A25C], ESI
0040444B: EB07 JMP 404454
0040444D: 83610800 AND [ECX+08], 00000000
00404451: 50 PUSH EAX
00404452: FFD3 CALL EBX
00404454: 8B4508 MOV EAX, [EBP+08]
00404457: 59 POP ECX
00404458: A304A44000 MOV [40A404], EAX
0040445D: 83C8FF OR EAX, FFFFFFFF
00404460: EB09 JMP 40446B
00404462: FF750C PUSH [EBP+0C]
00404465: FF15FC804000 CALL [004080FC] ; UnhandledExceptionFilter
0040446B: 5E POP ESI
0040446C: 5B POP EBX
0040446D: 5D POP EBP
0040446E: C3 RET
0040446F: 56 PUSH ESI
00404470: 57 PUSH EDI
00404471: 33FF XOR EDI, EDI
00404473: 393D2CB54000 CMP [0040B52C], EDI
00404479: 7505 JNZ 404480
0040447B: E848110000 CALL 004055C8
00404480: 8B3534B54000 MOV ESI, [0040B534]
00404486: 85F6 TEST ESI, ESI
00404488: 7505 JNZ 40448F
0040448A: BE90814000 MOV ESI, 00408190
0040448F: 8A06 MOV AL, [ESI]
00404491: 3C20 CMP AL, 20
00404493: 7708 JNBE 40449D
00404495: 84C0 TEST AL, AL
00404497: 742E JZ 4044C7
00404499: 85FF TEST EDI, EDI
0040449B: 7424 JZ 4044C1
0040449D: 3C22 CMP AL, 22
0040449F: 7509 JNZ 4044AA
004044A1: 33C9 XOR ECX, ECX
004044A3: 85FF TEST EDI, EDI
004044A5: 0F94C1 SETZ CL
004044A8: 8BF9 MOV EDI, ECX
004044AA: 0FB6C0 MOVZX EAX, AL
004044AD: 50 PUSH EAX
004044AE: E83A0D0000 CALL 004051ED
004044B3: 85C0 TEST EAX, EAX
004044B5: 59 POP ECX
004044B6: 7401 JZ 4044B9
004044B8: 46 INC ESI
004044B9: 46 INC ESI
004044BA: EBD3 JMP 40448F
004044BC: 3C20 CMP AL, 20
004044BE: 7707 JNBE 4044C7
004044C0: 46 INC ESI
004044C1: 8A06 MOV AL, [ESI]
004044C3: 84C0 TEST AL, AL
004044C5: 75F5 JNZ 4044BC
004044C7: 5F POP EDI
004044C8: 8BC6 MOV EAX, ESI
004044CA: 5E POP ESI
004044CB: C3 RET
004044CC: 53 PUSH EBX
004044CD: 33DB XOR EBX, EBX
004044CF: 391D2CB54000 CMP [0040B52C], EBX
004044D5: 56 PUSH ESI
004044D6: 57 PUSH EDI
004044D7: 7505 JNZ 4044DE
004044D9: E8EA100000 CALL 004055C8
004044DE: 8B35A4A34000 MOV ESI, [0040A3A4]
004044E4: 33FF XOR EDI, EDI
004044E6: 3BF3 CMP ESI, EBX
004044E8: 7512 JNZ 4044FC
004044EA: EB30 JMP 40451C
004044EC: 3C3D CMP AL, 3D
004044EE: 7401 JZ 4044F1
004044F0: 47 INC EDI
004044F1: 56 PUSH ESI
004044F2: E8F90B0000 CALL 004050F0
004044F7: 59 POP ECX
004044F8: 8D740601 LEA ESI, [ESI+EAX+01]
004044FC: 8A06 MOV AL, [ESI]
004044FE: 3AC3 CMP AL, BL
00404500: 75EA JNZ 4044EC
00404502: 8D04BD04000000 LEA EAX, [EDI*4+00000004]
00404509: 50 PUSH EAX
0040450A: E881110000 CALL 00405690
0040450F: 8BF8 MOV EDI, EAX
00404511: 3BFB CMP EDI, EBX
00404513: 59 POP ECX
00404514: 893DDCA34000 MOV [0040A3DC], EDI
0040451A: 7505 JNZ 404521
0040451C: 83C8FF OR EAX, FFFFFFFF
0040451F: EB58 JMP 404579
00404521: 8B35A4A34000 MOV ESI, [0040A3A4]
00404527: 55 PUSH EBP
00404528: EB2A JMP 404554
0040452A: 56 PUSH ESI
0040452B: E8C00B0000 CALL 004050F0
00404530: 8BE8 MOV EBP, EAX
00404532: 45 INC EBP
00404533: 803E3D CMP BYTE PTR [ESI], 3D
00404536: 59 POP ECX
00404537: 7419 JZ 404552
00404539: 55 PUSH EBP
0040453A: E851110000 CALL 00405690
0040453F: 3BC3 CMP EAX, EBX
00404541: 59 POP ECX
00404542: 8907 MOV [EDI], EAX
00404544: 7437 JZ 40457D
00404546: 56 PUSH ESI
00404547: 50 PUSH EAX
00404548: E873090000 CALL 00404EC0
0040454D: 59 POP ECX
0040454E: 59 POP ECX
0040454F: 83C704 ADD EDI, 00000004
00404552: 03F5 ADD ESI, EBP
00404554: 381E CMP [ESI], BL
00404556: 75D2 JNZ 40452A
00404558: FF35A4A34000 PUSH [0040A3A4]
0040455E: E883100000 CALL 004055E6
00404563: 891DA4A34000 MOV [0040A3A4], EBX
00404569: 891F MOV [EDI], EBX
0040456B: C70520B5400001000000 MOV [0040B520], 00000001
00404575: 33C0 XOR EAX, EAX
00404577: 59 POP ECX
00404578: 5D POP EBP
00404579: 5F POP EDI
0040457A: 5E POP ESI
0040457B: 5B POP EBX
0040457C: C3 RET
0040457D: FF35DCA34000 PUSH [0040A3DC]
00404583: E85E100000 CALL 004055E6
00404588: 891DDCA34000 MOV [0040A3DC], EBX
0040458E: 83C8FF OR EAX, FFFFFFFF
00404591: EBE4 JMP 404577
00404593: 55 PUSH EBP
00404594: 8BEC MOV EBP, ESP
00404596: 51 PUSH ECX
00404597: 53 PUSH EBX
00404598: 8B5D0C MOV EBX, [EBP+0C]
0040459B: 33D2 XOR EDX, EDX
0040459D: 395508 CMP [EBP+08], EDX
004045A0: 57 PUSH EDI
004045A1: 8916 MOV [ESI], EDX
004045A3: 8BF9 MOV EDI, ECX
004045A5: C70301000000 MOV [EBX], 00000001
004045AB: 7409 JZ 4045B6
004045AD: 8B4D08 MOV ECX, [EBP+08]
004045B0: 83450804 ADD [EBP+08], 00000004
004045B4: 8939 MOV [ECX], EDI
004045B6: 803822 CMP BYTE PTR [EAX], 22
004045B9: 750E JNZ 4045C9
004045BB: 33C9 XOR ECX, ECX
004045BD: 85D2 TEST EDX, EDX
004045BF: 0F94C1 SETZ CL
004045C2: 40 INC EAX
004045C3: 8BD1 MOV EDX, ECX
004045C5: B122 MOV CL, 22
004045C7: EB2D JMP 4045F6
004045C9: FF06 INC [ESI]
004045CB: 85FF TEST EDI, EDI
004045CD: 7405 JZ 4045D4
004045CF: 8A08 MOV CL, [EAX]
004045D1: 880F MOV [EDI], CL
004045D3: 47 INC EDI
004045D4: 8A08 MOV CL, [EAX]
004045D6: 0FB6D9 MOVZX EBX, CL
004045D9: 40 INC EAX
004045DA: F683E1B1400004 TEST BYTE PTR [EBX+0040B1E1], 04
004045E1: 740C JZ 4045EF
004045E3: FF06 INC [ESI]
004045E5: 85FF TEST EDI, EDI
004045E7: 7405 JZ 4045EE
004045E9: 8A18 MOV BL, [EAX]
004045EB: 881F MOV [EDI], BL
004045ED: 47 INC EDI
004045EE: 40 INC EAX
004045EF: 84C9 TEST CL, CL
004045F1: 8B5D0C MOV EBX, [EBP+0C]
004045F4: 7432 JZ 404628
004045F6: 85D2 TEST EDX, EDX
004045F8: 75BC JNZ 4045B6
004045FA: 80F920 CMP CL, 20
004045FD: 7405 JZ 404604
004045FF: 80F909 CMP CL, 09
00404602: 75B2 JNZ 4045B6
00404604: 85FF TEST EDI, EDI
00404606: 7404 JZ 40460C
00404608: C647FF00 MOV BYTE PTR [EDI-01], 00
0040460C: 8365FC00 AND [EBP-04], 00000000
00404610: 803800 CMP BYTE PTR [EAX], 00
00404613: 0F84D6000000 JZ 004046EF
00404619: 8A08 MOV CL, [EAX]
0040461B: 80F920 CMP CL, 20
0040461E: 7405 JZ 404625
00404620: 80F909 CMP CL, 09
00404623: 7506 JNZ 40462B
00404625: 40 INC EAX
00404626: EBF1 JMP 404619
00404628: 48 DEC EAX
00404629: EBE1 JMP 40460C
0040462B: 803800 CMP BYTE PTR [EAX], 00
0040462E: 0F84BB000000 JZ 004046EF
00404634: 837D0800 CMP [EBP+08], 00000000
00404638: 7409 JZ 404643
0040463A: 8B4D08 MOV ECX, [EBP+08]
0040463D: 83450804 ADD [EBP+08], 00000004
00404641: 8939 MOV [ECX], EDI
00404643: FF03 INC [EBX]
00404645: 33DB XOR EBX, EBX
00404647: 43 INC EBX
00404648: 33D2 XOR EDX, EDX
0040464A: EB02 JMP 40464E
0040464C: 40 INC EAX
0040464D: 42 INC EDX
0040464E: 80385C CMP BYTE PTR [EAX], 5C
00404651: 74F9 JZ 40464C
00404653: 803822 CMP BYTE PTR [EAX], 22
00404656: 7526 JNZ 40467E
00404658: F6C201 TEST DL, 01
0040465B: 751F JNZ 40467C
0040465D: 837DFC00 CMP [EBP-04], 00000000
00404661: 740C JZ 40466F
00404663: 8D4801 LEA ECX, [EAX+01]
00404666: 803922 CMP BYTE PTR [ECX], 22
00404669: 7504 JNZ 40466F
0040466B: 8BC1 MOV EAX, ECX
0040466D: EB02 JMP 404671
0040466F: 33DB XOR EBX, EBX
00404671: 33C9 XOR ECX, ECX
00404673: 394DFC CMP [EBP-04], ECX
00404676: 0F94C1 SETZ CL
00404679: 894DFC MOV [EBP-04], ECX
0040467C: D1EA SHR EDX, 01
0040467E: 85D2 TEST EDX, EDX
00404680: 740D JZ 40468F
00404682: 85FF TEST EDI, EDI
00404684: 7404 JZ 40468A
00404686: C6075C MOV BYTE PTR [EDI], 5C
00404689: 47 INC EDI
0040468A: FF06 INC [ESI]
0040468C: 4A DEC EDX
0040468D: 75F3 JNZ 404682
0040468F: 8A08 MOV CL, [EAX]
00404691: 84C9 TEST CL, CL
00404693: 7448 JZ 4046DD
00404695: 837DFC00 CMP [EBP-04], 00000000
00404699: 750A JNZ 4046A5
0040469B: 80F920 CMP CL, 20
0040469E: 743D JZ 4046DD
004046A0: 80F909 CMP CL, 09
004046A3: 7438 JZ 4046DD
004046A5: 85DB TEST EBX, EBX
004046A7: 742E JZ 4046D7
004046A9: 85FF TEST EDI, EDI
004046AB: 7419 JZ 4046C6
004046AD: 0FB6D1 MOVZX EDX, CL
004046B0: F682E1B1400004 TEST BYTE PTR [EDX+0040B1E1], 04
004046B7: 7406 JZ 4046BF
004046B9: 880F MOV [EDI], CL
004046BB: 47 INC EDI
004046BC: 40 INC EAX
004046BD: FF06 INC [ESI]
004046BF: 8A08 MOV CL, [EAX]
004046C1: 880F MOV [EDI], CL
004046C3: 47 INC EDI
004046C4: EB0F JMP 4046D5
004046C6: 0FB6C9 MOVZX ECX, CL
004046C9: F681E1B1400004 TEST BYTE PTR [ECX+0040B1E1], 04
004046D0: 7403 JZ 4046D5
004046D2: 40 INC EAX
004046D3: FF06 INC [ESI]
004046D5: FF06 INC [ESI]
004046D7: 40 INC EAX
004046D8: E968FFFFFF JMP 00404645
004046DD: 85FF TEST EDI, EDI
004046DF: 7404 JZ 4046E5
004046E1: C60700 MOV BYTE PTR [EDI], 00
004046E4: 47 INC EDI
004046E5: FF06 INC [ESI]
004046E7: 8B5D0C MOV EBX, [EBP+0C]
004046EA: E921FFFFFF JMP 00404610
004046EF: 8B4508 MOV EAX, [EBP+08]
004046F2: 85C0 TEST EAX, EAX
004046F4: 7403 JZ 4046F9
004046F6: 832000 AND [EAX], 00000000
004046F9: FF03 INC [EBX]
004046FB: 5F POP EDI
004046FC: 5B POP EBX
004046FD: C9 LEAVE
004046FE: C3 RET
004046FF: 55 PUSH EBP
00404700: 8BEC MOV EBP, ESP
00404702: 51 PUSH ECX
00404703: 51 PUSH ECX
00404704: 53 PUSH EBX
00404705: 56 PUSH ESI
00404706: 57 PUSH EDI
00404707: 33FF XOR EDI, EDI
00404709: 393D2CB54000 CMP [0040B52C], EDI
0040470F: 7505 JNZ 404716
00404711: E8B20E0000 CALL 004055C8
00404716: 6804010000 PUSH 00000104
0040471B: BE08A44000 MOV ESI, 0040A408
00404720: 56 PUSH ESI
00404721: 57 PUSH EDI
00404722: C6050CA5400000 MOV BYTE PTR [0040A50C], 00
00404729: FF152C804000 CALL [0040802C] ; GetModuleFileNameA
0040472F: A134B54000 MOV EAX, [40B534]
00404734: 3BC7 CMP EAX, EDI
00404736: 8935ECA34000 MOV [0040A3EC], ESI
0040473C: 7407 JZ 404745
0040473E: 803800 CMP BYTE PTR [EAX], 00
00404741: 8BD8 MOV EBX, EAX
00404743: 7502 JNZ 404747
00404745: 8BDE MOV EBX, ESI
00404747: 8D45FC LEA EAX, [EBP-04]
0040474A: 50 PUSH EAX
0040474B: 57 PUSH EDI
0040474C: 8D75F8 LEA ESI, [EBP-08]
0040474F: 33C9 XOR ECX, ECX
00404751: 8BC3 MOV EAX, EBX
00404753: E83BFEFFFF CALL 00404593
00404758: 8B75FC MOV ESI, [EBP-04]
0040475B: 8B45F8 MOV EAX, [EBP-08]
0040475E: C1E602 SHL ESI, 02
00404761: 03C6 ADD EAX, ESI
00404763: 50 PUSH EAX
00404764: E8270F0000 CALL 00405690
00404769: 8BF8 MOV EDI, EAX
0040476B: 83C40C ADD ESP, 0000000C
0040476E: 85FF TEST EDI, EDI
00404770: 7505 JNZ 404777
00404772: 83C8FF OR EAX, FFFFFFFF
00404775: EB25 JMP 40479C
00404777: 8D45FC LEA EAX, [EBP-04]
0040477A: 50 PUSH EAX
0040477B: 8D0C3E LEA ECX, [ESI+EDI]
0040477E: 57 PUSH EDI
0040477F: 8D75F8 LEA ESI, [EBP-08]
00404782: 8BC3 MOV EAX, EBX
00404784: E80AFEFFFF CALL 00404593
00404789: 8B45FC MOV EAX, [EBP-04]
0040478C: 48 DEC EAX
0040478D: 59 POP ECX
0040478E: A3D0A34000 MOV [40A3D0], EAX
00404793: 59 POP ECX
00404794: 893DD4A34000 MOV [0040A3D4], EDI
0040479A: 33C0 XOR EAX, EAX
0040479C: 5F POP EDI
0040479D: 5E POP ESI
0040479E: 5B POP EBX
0040479F: C9 LEAVE
004047A0: C3 RET
004047A1: 51 PUSH ECX
004047A2: 51 PUSH ECX
004047A3: A110A54000 MOV EAX, [40A510]
004047A8: 53 PUSH EBX
004047A9: 55 PUSH EBP
004047AA: 56 PUSH ESI
004047AB: 57 PUSH EDI
004047AC: 8B3DDC804000 MOV EDI, [004080DC]
004047B2: 33DB XOR EBX, EBX
004047B4: 33F6 XOR ESI, ESI
004047B6: 3BC3 CMP EAX, EBX
004047B8: 6A02 PUSH 00000002
004047BA: 5D POP EBP
004047BB: 752D JNZ 4047EA
004047BD: FFD7 CALL EDI
004047BF: 8BF0 MOV ESI, EAX
004047C1: 3BF3 CMP ESI, EBX
004047C3: 740C JZ 4047D1
004047C5: C70510A5400001000000 MOV [0040A510], 00000001
004047CF: EB1E JMP 4047EF
004047D1: FF1530804000 CALL [00408030] ; GetLastError
004047D7: 83F878 CMP EAX, 00000078
004047DA: 7509 JNZ 4047E5
004047DC: 8BC5 MOV EAX, EBP
004047DE: A310A54000 MOV [40A510], EAX
004047E3: EB05 JMP 4047EA
004047E5: A110A54000 MOV EAX, [40A510]
004047EA: 83F801 CMP EAX, 00000001
004047ED: 757D JNZ 40486C
004047EF: 3BF3 CMP ESI, EBX
004047F1: 7508 JNZ 4047FB
004047F3: FFD7 CALL EDI
004047F5: 8BF0 MOV ESI, EAX
004047F7: 3BF3 CMP ESI, EBX
004047F9: 7479 JZ 404874
004047FB: 66391E CMP [ESI], BX
004047FE: 8BC6 MOV EAX, ESI
00404800: 740E JZ 404810
00404802: 03C5 ADD EAX, EBP
00404804: 663918 CMP [EAX], BX
00404807: 75F9 JNZ 404802
00404809: 03C5 ADD EAX, EBP
0040480B: 663918 CMP [EAX], BX
0040480E: 75F2 JNZ 404802
00404810: 8B3DE0804000 MOV EDI, [004080E0]
00404816: 53 PUSH EBX
00404817: 53 PUSH EBX
00404818: 53 PUSH EBX
00404819: 2BC6 SUB EAX, ESI
0040481B: 53 PUSH EBX
0040481C: D1F8 SAR EAX, 01
0040481E: 40 INC EAX
0040481F: 50 PUSH EAX
00404820: 56 PUSH ESI
00404821: 53 PUSH EBX
00404822: 53 PUSH EBX
00404823: 89442434 MOV [ESP+34], EAX
00404827: FFD7 CALL EDI
00404829: 8BE8 MOV EBP, EAX
0040482B: 3BEB CMP EBP, EBX
0040482D: 7432 JZ 404861
0040482F: 55 PUSH EBP
00404830: E85B0E0000 CALL 00405690
00404835: 3BC3 CMP EAX, EBX
00404837: 59 POP ECX
00404838: 89442410 MOV [ESP+10], EAX
0040483C: 7423 JZ 404861
0040483E: 53 PUSH EBX
0040483F: 53 PUSH EBX
00404840: 55 PUSH EBP
00404841: 50 PUSH EAX
00404842: FF742424 PUSH [ESP+24]
00404846: 56 PUSH ESI
00404847: 53 PUSH EBX
00404848: 53 PUSH EBX
00404849: FFD7 CALL EDI
0040484B: 85C0 TEST EAX, EAX
0040484D: 750E JNZ 40485D
0040484F: FF742410 PUSH [ESP+10]
00404853: E88E0D0000 CALL 004055E6
00404858: 59 POP ECX
00404859: 895C2410 MOV [ESP+10], EBX
0040485D: 8B5C2410 MOV EBX, [ESP+10]
00404861: 56 PUSH ESI
00404862: FF15E4804000 CALL [004080E4] ; FreeEnvironmentStringsW
00404868: 8BC3 MOV EAX, EBX
0040486A: EB50 JMP 4048BC
0040486C: 3BC5 CMP EAX, EBP
0040486E: 7408 JZ 404878
00404870: 3BC3 CMP EAX, EBX
00404872: 7404 JZ 404878
00404874: 33C0 XOR EAX, EAX
00404876: EB44 JMP 4048BC
00404878: FF1504814000 CALL [00408104] ; GetEnvironmentStrings
0040487E: 8BF0 MOV ESI, EAX
00404880: 3BF3 CMP ESI, EBX
00404882: 74F0 JZ 404874
00404884: 381E CMP [ESI], BL
00404886: 740A JZ 404892
00404888: 40 INC EAX
00404889: 3818 CMP [EAX], BL
0040488B: 75FB JNZ 404888
0040488D: 40 INC EAX
0040488E: 3818 CMP [EAX], BL
00404890: 75F6 JNZ 404888
00404892: 2BC6 SUB EAX, ESI
00404894: 40 INC EAX
00404895: 8BE8 MOV EBP, EAX
00404897: 55 PUSH EBP
00404898: E8F30D0000 CALL 00405690
0040489D: 8BF8 MOV EDI, EAX
0040489F: 3BFB CMP EDI, EBX
004048A1: 59 POP ECX
004048A2: 7504 JNZ 4048A8
004048A4: 33FF XOR EDI, EDI
004048A6: EB0B JMP 4048B3
004048A8: 55 PUSH EBP
004048A9: 56 PUSH ESI
004048AA: 57 PUSH EDI
004048AB: E8000E0000 CALL 004056B0
004048B0: 83C40C ADD ESP, 0000000C
004048B3: 56 PUSH ESI
004048B4: FF1500814000 CALL [00408100] ; FreeEnvironmentStringsA
004048BA: 8BC7 MOV EAX, EDI
004048BC: 5F POP EDI
004048BD: 5E POP ESI
004048BE: 5D POP EBP
004048BF: 5B POP EBX
004048C0: 59 POP ECX
004048C1: 59 POP ECX
004048C2: C3 RET
004048C3: 83EC44 SUB ESP, 00000044
004048C6: 6800010000 PUSH 00000100
004048CB: E8C00D0000 CALL 00405690
004048D0: 85C0 TEST EAX, EAX
004048D2: 59 POP ECX
004048D3: 7508 JNZ 4048DD
004048D5: 83C8FF OR EAX, FFFFFFFF
004048D8: E98D010000 JMP 00404A6A
004048DD: A320B44000 MOV [40B420], EAX
004048E2: C70508B4400020000000 MOV [0040B408], 00000020
004048EC: 8D8800010000 LEA ECX, [EAX+00000100]
004048F2: EB1A JMP 40490E
004048F4: 8308FF OR [EAX], FFFFFFFF
004048F7: C6400400 MOV BYTE PTR [EAX+04], 00
004048FB: C640050A MOV BYTE PTR [EAX+05], 0A
004048FF: 8B0D20B44000 MOV ECX, [0040B420]
00404905: 83C008 ADD EAX, 00000008
00404908: 81C100010000 ADD ECX, 00000100
0040490E: 3BC1 CMP EAX, ECX
00404910: 72E2 JB 4048F4
00404912: 53 PUSH EBX
00404913: 56 PUSH ESI
00404914: 57 PUSH EDI
00404915: 8D44240C LEA EAX, [ESP+0C]
00404919: 50 PUSH EAX
0040491A: FF1594804000 CALL [00408094] ; GetStartupInfoA
00404920: 66837C243E00 CMP WORD PTR [ESP+3E], 0000
00404926: 0F84C7000000 JZ 004049F3
0040492C: 8B442440 MOV EAX, [ESP+40]
00404930: 85C0 TEST EAX, EAX
00404932: 0F84BB000000 JZ 004049F3
00404938: 8B30 MOV ESI, [EAX]
0040493A: 55 PUSH EBP
0040493B: 8D6804 LEA EBP, [EAX+04]
0040493E: B800080000 MOV EAX, 00000800
00404943: 3BF0 CMP ESI, EAX
00404945: 8D1C2E LEA EBX, [ESI+EBP]
00404948: 7C02 JL 40494C
0040494A: 8BF0 MOV ESI, EAX
0040494C: 393508B44000 CMP [0040B408], ESI
00404952: 7D52 JNL 4049A6
00404954: BF24B44000 MOV EDI, 0040B424
00404959: 6800010000 PUSH 00000100
0040495E: E82D0D0000 CALL 00405690
00404963: 85C0 TEST EAX, EAX
00404965: 59 POP ECX
00404966: 7438 JZ 4049A0
00404968: 830508B4400020 ADD [0040B408], 00000020
0040496F: 8907 MOV [EDI], EAX
00404971: 8D8800010000 LEA ECX, [EAX+00000100]
00404977: EB16 JMP 40498F
00404979: 8308FF OR [EAX], FFFFFFFF
0040497C: C6400400 MOV BYTE PTR [EAX+04], 00
00404980: C640050A MOV BYTE PTR [EAX+05], 0A
00404984: 8B0F MOV ECX, [EDI]
00404986: 83C008 ADD EAX, 00000008
00404989: 81C100010000 ADD ECX, 00000100
0040498F: 3BC1 CMP EAX, ECX
00404991: 72E6 JB 404979
00404993: 83C704 ADD EDI, 00000004
00404996: 393508B44000 CMP [0040B408], ESI
0040499C: 7CBB JL 404959
0040499E: EB06 JMP 4049A6
004049A0: 8B3508B44000 MOV ESI, [0040B408]
004049A6: 33FF XOR EDI, EDI
004049A8: 85F6 TEST ESI, ESI
004049AA: 7E46 JLE 4049F2
004049AC: 8B03 MOV EAX, [EBX]
004049AE: 83F8FF CMP EAX, FFFFFFFF
004049B1: 7436 JZ 4049E9
004049B3: 8A4D00 MOV CL, [EBP]
004049B6: F6C101 TEST CL, 01
004049B9: 742E JZ 4049E9
004049BB: F6C108 TEST CL, 08
004049BE: 750B JNZ 4049CB
004049C0: 50 PUSH EAX
004049C1: FF15D4804000 CALL [004080D4] ; GetFileType
004049C7: 85C0 TEST EAX, EAX
004049C9: 741E JZ 4049E9
004049CB: 8BC7 MOV EAX, EDI
004049CD: C1F805 SAR EAX, 05
004049D0: 8B048520B44000 MOV EAX, [EAX*4+0040B420]
004049D7: 8BCF MOV ECX, EDI
004049D9: 83E11F AND ECX, 0000001F
004049DC: 8D04C8 LEA EAX, [EAX+ECX*8]
004049DF: 8B0B MOV ECX, [EBX]
004049E1: 8908 MOV [EAX], ECX
004049E3: 8A4D00 MOV CL, [EBP]
004049E6: 884804 MOV [EAX+04], CL
004049E9: 47 INC EDI
004049EA: 45 INC EBP
004049EB: 83C304 ADD EBX, 00000004
004049EE: 3BFE CMP EDI, ESI
004049F0: 7CBA JL 4049AC
004049F2: 5D POP EBP
004049F3: 33DB XOR EBX, EBX
004049F5: A120B44000 MOV EAX, [40B420]
004049FA: 8D34D8 LEA ESI, [EAX+EBX*8]
004049FD: 833EFF CMP [ESI], FFFFFFFF
00404A00: 754D JNZ 404A4F
00404A02: 85DB TEST EBX, EBX
00404A04: C6460481 MOV BYTE PTR [ESI+04], 81
00404A08: 7505 JNZ 404A0F
00404A0A: 6AF6 PUSH FFFFFFF6
00404A0C: 58 POP EAX
00404A0D: EB0A JMP 404A19
00404A0F: 8BC3 MOV EAX, EBX
00404A11: 48 DEC EAX
00404A12: F7D8 NEG EAX
00404A14: 1BC0 SBB EAX, EAX
00404A16: 83C0F5 ADD EAX, FFFFFFF5
00404A19: 50 PUSH EAX
00404A1A: FF15F8804000 CALL [004080F8] ; GetStdHandle
00404A20: 8BF8 MOV EDI, EAX
00404A22: 83FFFF CMP EDI, FFFFFFFF
00404A25: 7417 JZ 404A3E
00404A27: 57 PUSH EDI
00404A28: FF15D4804000 CALL [004080D4] ; GetFileType
00404A2E: 85C0 TEST EAX, EAX
00404A30: 740C JZ 404A3E
00404A32: 25FF000000 AND EAX, 000000FF
00404A37: 83F802 CMP EAX, 00000002
00404A3A: 893E MOV [ESI], EDI
00404A3C: 7506 JNZ 404A44
00404A3E: 804E0440 OR BYTE PTR [ESI+04], 40
00404A42: EB0F JMP 404A53
00404A44: 83F803 CMP EAX, 00000003
00404A47: 750A JNZ 404A53
00404A49: 804E0408 OR BYTE PTR [ESI+04], 08
00404A4D: EB04 JMP 404A53
00404A4F: 804E0480 OR BYTE PTR [ESI+04], FFFFFF80
00404A53: 43 INC EBX
00404A54: 83FB03 CMP EBX, 00000003
00404A57: 7C9C JL 4049F5
00404A59: FF3508B44000 PUSH [0040B408]
00404A5F: FF15D8804000 CALL [004080D8] ; LockResource
00404A65: 5F POP EDI
00404A66: 5E POP ESI
00404A67: 33C0 XOR EAX, EAX
00404A69: 5B POP EBX
00404A6A: 83C444 ADD ESP, 00000044
00404A6D: C3 RET
00404A6E: 6A0C PUSH 0000000C
00404A70: 6880894000 PUSH 00408980
00404A75: E8EA000000 CALL 00404B64
00404A7A: C745E47C914000 MOV [EBP-1C], 0040917C
00404A81: 817DE47C914000 CMP [EBP-1C], 0040917C
00404A88: 7322 JNB 404AAC
00404A8A: 8365FC00 AND [EBP-04], 00000000
00404A8E: 8B45E4 MOV EAX, [EBP-1C]
00404A91: 8B00 MOV EAX, [EAX]
00404A93: 85C0 TEST EAX, EAX
00404A95: 740B JZ 404AA2
00404A97: FFD0 CALL EAX
00404A99: EB07 JMP 404AA2
00404A9B: 33C0 XOR EAX, EAX
00404A9D: 40 INC EAX
00404A9E: C3 RET
00404A9F: 8B65E8 MOV ESP, [EBP-18]
00404AA2: 834DFCFF OR [EBP-04], FFFFFFFF
00404AA6: 8345E404 ADD [EBP-1C], 00000004
00404AAA: EBD5 JMP 404A81
00404AAC: E8EE000000 CALL 00404B9F
00404AB1: C3 RET
00404AB2: 6A0C PUSH 0000000C
00404AB4: 6890894000 PUSH 00408990
00404AB9: E8A6000000 CALL 00404B64
00404ABE: C745E484914000 MOV [EBP-1C], 00409184
00404AC5: 817DE484914000 CMP [EBP-1C], 00409184
00404ACC: 7322 JNB 404AF0
00404ACE: 8365FC00 AND [EBP-04], 00000000
00404AD2: 8B45E4 MOV EAX, [EBP-1C]
00404AD5: 8B00 MOV EAX, [EAX]
00404AD7: 85C0 TEST EAX, EAX
00404AD9: 740B JZ 404AE6
00404ADB: FFD0 CALL EAX
00404ADD: EB07 JMP 404AE6
00404ADF: 33C0 XOR EAX, EAX
00404AE1: 40 INC EAX
00404AE2: C3 RET
00404AE3: 8B65E8 MOV ESP, [EBP-18]
00404AE6: 834DFCFF OR [EBP-04], FFFFFFFF
00404AEA: 8345E404 ADD [EBP-1C], 00000004
00404AEE: EBD5 JMP 404AC5
00404AF0: E8AA000000 CALL 00404B9F
00404AF5: C3 RET
00404AF6: 833DBCA3400002 CMP [0040A3BC], 00000002
00404AFD: 750D JNZ 404B0C
00404AFF: 833DC8A3400005 CMP [0040A3C8], 00000005
00404B06: 7204 JB 404B0C
00404B08: 33C0 XOR EAX, EAX
00404B0A: 40 INC EAX
00404B0B: C3 RET
00404B0C: 6A03 PUSH 00000003
00404B0E: 58 POP EAX
00404B0F: C3 RET
00404B10: 33C0 XOR EAX, EAX
00404B12: 39442404 CMP [ESP+04], EAX
00404B16: 6A00 PUSH 00000000
00404B18: 0F94C0 SETZ AL
00404B1B: 6800100000 PUSH 00001000
00404B20: 50 PUSH EAX
00404B21: FF15CC804000 CALL [004080CC] ; HeapCreate
00404B27: 85C0 TEST EAX, EAX
00404B29: A300B44000 MOV [40B400], EAX
00404B2E: 742A JZ 404B5A
00404B30: E8C1FFFFFF CALL 00404AF6
00404B35: 83F803 CMP EAX, 00000003
00404B38: A304B44000 MOV [40B404], EAX
00404B3D: 751E JNZ 404B5D
00404B3F: 68F8030000 PUSH 000003F8
00404B44: E8A40E0000 CALL 004059ED
00404B49: 85C0 TEST EAX, EAX
00404B4B: 59 POP ECX
00404B4C: 750F JNZ 404B5D
00404B4E: FF3500B44000 PUSH [0040B400]
00404B54: FF15D0804000 CALL [004080D0] ; HeapDestroy
00404B5A: 33C0 XOR EAX, EAX
00404B5C: C3 RET
00404B5D: 33C0 XOR EAX, EAX
00404B5F: 40 INC EAX
00404B60: C3 RET
00404B61: CC INT 3
00404B62: CC INT 3
00404B63: CC INT 3
00404B64: 68B84B4000 PUSH 00404BB8
00404B69: 64A100000000 MOV EAX, FS:[00]
00404B6F: 50 PUSH EAX
00404B70: 8B442410 MOV EAX, [ESP+10]
00404B74: 896C2410 MOV [ESP+10], EBP
00404B78: 8D6C2410 LEA EBP, [ESP+10]
00404B7C: 2BE0 SUB ESP, EAX
00404B7E: 53 PUSH EBX
00404B7F: 56 PUSH ESI
00404B80: 57 PUSH EDI
00404B81: 8B45F8 MOV EAX, [EBP-08]
00404B84: 8965E8 MOV [EBP-18], ESP
00404B87: 50 PUSH EAX
00404B88: 8B45FC MOV EAX, [EBP-04]
00404B8B: C745FCFFFFFFFF MOV [EBP-04], FFFFFFFF
00404B92: 8945F8 MOV [EBP-08], EAX
00404B95: 8D45F0 LEA EAX, [EBP-10]
00404B98: 64A300000000 MOV FS:[00], EAX
00404B9E: C3 RET
00404B9F: 8B4DF0 MOV ECX, [EBP-10]
00404BA2: 64890D00000000 MOV FS:[00000000], ECX
00404BA9: 59 POP ECX
00404BAA: 5F POP EDI
00404BAB: 5E POP ESI
00404BAC: 5B POP EBX
00404BAD: C9 LEAVE
00404BAE: 51 PUSH ECX
00404BAF: C3 RET
00404BB0: 56 PUSH ESI
00404BB1: 43 INC EBX
00404BB2: 3230 XOR DH, [EAX]
00404BB4: 58 POP EAX
00404BB5: 43 INC EBX
00404BB6: 3030 XOR [EAX], DH
00404BB8: 55 PUSH EBP
00404BB9: 8BEC MOV EBP, ESP
00404BBB: 83EC08 SUB ESP, 00000008
00404BBE: 53 PUSH EBX
00404BBF: 56 PUSH ESI
00404BC0: 57 PUSH EDI
00404BC1: 55 PUSH EBP
00404BC2: FC CLD
00404BC3: 8B5D0C MOV EBX, [EBP+0C]
00404BC6: 8B4508 MOV EAX, [EBP+08]
00404BC9: F7400406000000 TEST [EAX+04], 00000006
00404BD0: 0F85AB000000 JNZ 00404C81
00404BD6: 8945F8 MOV [EBP-08], EAX
00404BD9: 8B4510 MOV EAX, [EBP+10]
00404BDC: 8945FC MOV [EBP-04], EAX
00404BDF: 8D45F8 LEA EAX, [EBP-08]
00404BE2: 8943FC MOV [EBX-04], EAX
00404BE5: 8B730C MOV ESI, [EBX+0C]
00404BE8: 8B7B08 MOV EDI, [EBX+08]
00404BEB: 53 PUSH EBX
00404BEC: E80D1A0000 CALL 004065FE
00404BF1: 83C404 ADD ESP, 00000004
00404BF4: 0BC0 OR EAX, EAX
00404BF6: 747B JZ 404C73
00404BF8: 83FEFF CMP ESI, FFFFFFFF
00404BFB: 747D JZ 404C7A
00404BFD: 8D0C76 LEA ECX, [ESI+ESI*2]
00404C00: 8B448F04 MOV EAX, [EDI+ECX*4+04]
00404C04: 0BC0 OR EAX, EAX
00404C06: 7459 JZ 404C61
00404C08: 56 PUSH ESI
00404C09: 55 PUSH EBP
00404C0A: 8D6B10 LEA EBP, [EBX+10]
00404C0D: 33DB XOR EBX, EBX
00404C0F: 33C9 XOR ECX, ECX
00404C11: 33D2 XOR EDX, EDX
00404C13: 33F6 XOR ESI, ESI
00404C15: 33FF XOR EDI, EDI
00404C17: FFD0 CALL EAX
00404C19: 5D POP EBP
00404C1A: 5E POP ESI
00404C1B: 8B5D0C MOV EBX, [EBP+0C]
00404C1E: 0BC0 OR EAX, EAX
00404C20: 743F JZ 404C61
00404C22: 7848 JS 404C6C
00404C24: 8B7B08 MOV EDI, [EBX+08]
00404C27: 53 PUSH EBX
00404C28: E8E3180000 CALL 00406510
00404C2D: 83C404 ADD ESP, 00000004
00404C30: 8D6B10 LEA EBP, [EBX+10]
00404C33: 56 PUSH ESI
00404C34: 53 PUSH EBX
00404C35: E818190000 CALL 00406552
00404C3A: 83C408 ADD ESP, 00000008
00404C3D: 8D0C76 LEA ECX, [ESI+ESI*2]
00404C40: 6A01 PUSH 00000001
00404C42: 8B448F08 MOV EAX, [EDI+ECX*4+08]
00404C46: E89B190000 CALL 004065E6
00404C4B: 8B048F MOV EAX, [EDI+ECX*4]
00404C4E: 89430C MOV [EBX+0C], EAX
00404C51: 8B448F08 MOV EAX, [EDI+ECX*4+08]
00404C55: 33DB XOR EBX, EBX
00404C57: 33C9 XOR ECX, ECX
00404C59: 33D2 XOR EDX, EDX
00404C5B: 33F6 XOR ESI, ESI
00404C5D: 33FF XOR EDI, EDI
00404C5F: FFD0 CALL EAX
00404C61: 8B7B08 MOV EDI, [EBX+08]
00404C64: 8D0C76 LEA ECX, [ESI+ESI*2]
00404C67: 8B348F MOV ESI, [EDI+ECX*4]
00404C6A: EB8C JMP 404BF8
00404C6C: B800000000 MOV EAX, 00000000
00404C71: EB23 JMP 404C96
00404C73: 8B4508 MOV EAX, [EBP+08]
00404C76: 83480408 OR [EAX+04], 00000008
00404C7A: B801000000 MOV EAX, 00000001
00404C7F: EB15 JMP 404C96
00404C81: 55 PUSH EBP
00404C82: 8D6B10 LEA EBP, [EBX+10]
00404C85: 6AFF PUSH FFFFFFFF
00404C87: 53 PUSH EBX
00404C88: E8C5180000 CALL 00406552
00404C8D: 83C408 ADD ESP, 00000008
00404C90: 5D POP EBP
00404C91: B801000000 MOV EAX, 00000001
00404C96: 5D POP EBP
00404C97: 5F POP EDI
00404C98: 5E POP ESI
00404C99: 5B POP EBX
00404C9A: 8BE5 MOV ESP, EBP
00404C9C: 5D POP EBP
00404C9D: C3 RET
00404C9E: 55 PUSH EBP
00404C9F: 8B4C2408 MOV ECX, [ESP+08]
00404CA3: 8B29 MOV EBP, [ECX]
00404CA5: 8B411C MOV EAX, [ECX+1C]
00404CA8: 50 PUSH EAX
00404CA9: 8B4118 MOV EAX, [ECX+18]
00404CAC: 50 PUSH EAX
00404CAD: E8A0180000 CALL 00406552
00404CB2: 83C408 ADD ESP, 00000008
00404CB5: 5D POP EBP
00404CB6: C20400 RETN 0004
00404CB9: CC INT 3
00404CBA: CC INT 3
00404CBB: CC INT 3
00404CBC: CC INT 3
00404CBD: CC INT 3
00404CBE: CC INT 3
00404CBF: CC INT 3
00404CC0: 3D00100000 CMP EAX, 00001000
00404CC5: 730E JNB 404CD5
00404CC7: F7D8 NEG EAX
00404CC9: 03C4 ADD EAX, ESP
00404CCB: 83C004 ADD EAX, 00000004
00404CCE: 8500 TEST EAX, [EAX]
00404CD0: 94 XCHG ESP, EAX
00404CD1: 8B00 MOV EAX, [EAX]
00404CD3: 50 PUSH EAX
00404CD4: C3 RET
00404CD5: 51 PUSH ECX
00404CD6: 8D4C2408 LEA ECX, [ESP+08]
00404CDA: 81E900100000 SUB ECX, 00001000
00404CE0: 2D00100000 SUB EAX, 00001000
00404CE5: 8501 TEST EAX, [ECX]
00404CE7: 3D00100000 CMP EAX, 00001000
00404CEC: 73EC JNB 404CDA
00404CEE: 2BC8 SUB ECX, EAX
00404CF0: 8BC4 MOV EAX, ESP
00404CF2: 8501 TEST EAX, [ECX]
00404CF4: 8BE1 MOV ESP, ECX
00404CF6: 8B08 MOV ECX, [EAX]
00404CF8: 8B4004 MOV EAX, [EAX+04]
00404CFB: 50 PUSH EAX
00404CFC: C3 RET
00404CFD: 56 PUSH ESI
00404CFE: FF3528B54000 PUSH [0040B528]
00404D04: E8801C0000 CALL 00406989
00404D09: 59 POP ECX
00404D0A: 8B0D24B54000 MOV ECX, [0040B524]
00404D10: 8BF0 MOV ESI, EAX
00404D12: A128B54000 MOV EAX, [40B528]
00404D17: 8BD1 MOV EDX, ECX
00404D19: 2BD0 SUB EDX, EAX
00404D1B: 83C204 ADD EDX, 00000004
00404D1E: 3BF2 CMP ESI, EDX
00404D20: 734E JNB 404D70
00404D22: B900080000 MOV ECX, 00000800
00404D27: 3BF1 CMP ESI, ECX
00404D29: 7302 JNB 404D2D
00404D2B: 8BCE MOV ECX, ESI
00404D2D: 03CE ADD ECX, ESI
00404D2F: 51 PUSH ECX
00404D30: 50 PUSH EAX
00404D31: E8F11A0000 CALL 00406827
00404D36: 85C0 TEST EAX, EAX
00404D38: 59 POP ECX
00404D39: 59 POP ECX
00404D3A: 7517 JNZ 404D53
00404D3C: 83C610 ADD ESI, 00000010
00404D3F: 56 PUSH ESI
00404D40: FF3528B54000 PUSH [0040B528]
00404D46: E8DC1A0000 CALL 00406827
00404D4B: 85C0 TEST EAX, EAX
00404D4D: 59 POP ECX
00404D4E: 59 POP ECX
00404D4F: 7502 JNZ 404D53
00404D51: 5E POP ESI
00404D52: C3 RET
00404D53: 8B0D24B54000 MOV ECX, [0040B524]
00404D59: 2B0D28B54000 SUB ECX, [0040B528]
00404D5F: A328B54000 MOV [40B528], EAX
00404D64: C1F902 SAR ECX, 02
00404D67: 8D0C88 LEA ECX, [EAX+ECX*4]
00404D6A: 890D24B54000 MOV [0040B524], ECX
00404D70: 8B442408 MOV EAX, [ESP+08]
00404D74: 8901 MOV [ECX], EAX
00404D76: 830524B5400004 ADD [0040B524], 00000004
00404D7D: 5E POP ESI
00404D7E: C3 RET
00404D7F: FF742404 PUSH [ESP+04]
00404D83: E875FFFFFF CALL 00404CFD
00404D88: F7D8 NEG EAX
00404D8A: 1BC0 SBB EAX, EAX
00404D8C: F7D8 NEG EAX
00404D8E: 59 POP ECX
00404D8F: 48 DEC EAX
00404D90: C3 RET
00404D91: 6880000000 PUSH 00000080
00404D96: E8F5080000 CALL 00405690
00404D9B: 85C0 TEST EAX, EAX
00404D9D: 59 POP ECX
00404D9E: A328B54000 MOV [40B528], EAX
00404DA3: 7504 JNZ 404DA9
00404DA5: 6A18 PUSH 00000018
00404DA7: 58 POP EAX
00404DA8: C3 RET
00404DA9: 832000 AND [EAX], 00000000
00404DAC: A128B54000 MOV EAX, [40B528]
00404DB1: A324B54000 MOV [40B524], EAX
00404DB6: 33C0 XOR EAX, EAX
00404DB8: C3 RET
00404DB9: 55 PUSH EBP
00404DBA: 8BEC MOV EBP, ESP
00404DBC: 83EC10 SUB ESP, 00000010
00404DBF: 53 PUSH EBX
00404DC0: 33DB XOR EBX, EBX
00404DC2: 391D14A54000 CMP [0040A514], EBX
00404DC8: 56 PUSH ESI
00404DC9: 57 PUSH EDI
00404DCA: 756D JNZ 404E39
00404DCC: 68008A4000 PUSH 00408A00 -> user32.dll
00404DD1: FF15BC804000 CALL [004080BC] ; LoadLibraryA
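PE details:
Entry point: 00003DD7 Subsystem: 0002
Image base: 00400000 Number of sections: 0005
Image size: 00010000 Timestamp*: 45D268B8
Base of code: 00001000 Size of headers: 00001000
Base of data: 00008000 Characteristics: 010F
Section alignment: 00001000 Checksum: 00000000
File alignment: 00000200 Size of optional header: 00E0
Magic: 010B Number of RVAs and sizes: 00000010
RVA Size
Export table: 00000000 00000000
Import table: 0000F000 00000078
Resources: 0000C000 00002238
TLS table: 00000000 00000000
Debug: 00000000 00000000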
Seeing how sincerely I'm asking, could someone please help me out? Thanks in advance.