Capability score:
( LV2, RANK:10 )
Post #13
Hi Kiddik! I think you are halfway along the right way. I am stuck on this target. First, when I reversed this target, I also got the same result as you, and I thought that it was very strange. And then I found this code which executes the real check:
Here is my analysis of version WinHex 13.9 SR1:
004D0E2C /$ 55 PUSH EBP ; <== Check on save file
004D0E2D |. 8BEC MOV EBP,ESP
004D0E2F |. 50 PUSH EAX
004D0E30 |. B8 50000000 MOV EAX,50
004D0E35 |> 81C4 04F0FFFF /ADD ESP,-0FFC
004D0E3B |. 50 |PUSH EAX
004D0E3C |. 48 |DEC EAX
004D0E3D |.^ 75 F6 \JNZ SHORT WinHex.004D0E35
004D0E3F |. 8B45 FC MOV EAX,[LOCAL.1]
004D0E42 |. 81C4 C8FEFFFF ADD ESP,-138
004D0E48 |. 53 PUSH EBX
004D0E49 |. 56 PUSH ESI
004D0E4A |. 57 PUSH EDI
004D0E4B |. 884D FB MOV BYTE PTR SS:[EBP-5],CL
004D0E4E |. 8955 FC MOV [LOCAL.1],EDX
004D0E51 |. 8BD8 MOV EBX,EAX
004D0E53 |. 8B75 08 MOV ESI,[ARG.1]
004D0E56 |. 80BB 38010000 0>CMP BYTE PTR DS:[EBX+138],3
004D0E5D |. 0F85 BA000000 JNZ WinHex.004D0F1D
004D0E63 |. 83BB 3C010000 0>CMP DWORD PTR DS:[EBX+13C],0
004D0E6A |. 75 24 JNZ SHORT WinHex.004D0E90
004D0E6C |. 85F6 TEST ESI,ESI
004D0E6E |. 75 0E JNZ SHORT WinHex.004D0E7E
004D0E70 |. 66:8B83 3201000>MOV AX,WORD PTR DS:[EBX+132]
004D0E77 |. E8 E8920400 CALL WinHex.0051A164
004D0E7C |. 8BF0 MOV ESI,EAX
004D0E7E |> 8A4D FB MOV CL,BYTE PTR SS:[EBP-5]
004D0E81 |. 8B55 FC MOV EDX,[LOCAL.1]
004D0E84 |. 8BC6 MOV EAX,ESI
004D0E86 |. E8 B1B40000 CALL WinHex.004DC33C
004D0E8B |. 8845 FA MOV BYTE PTR SS:[EBP-6],AL
004D0E8E |. EB 74 JMP SHORT WinHex.004D0F04
004D0E90 |> 8B45 FC MOV EAX,[LOCAL.1]
004D0E93 |. E8 8C220400 CALL WinHex.00513124
004D0E98 |. 8945 F4 MOV [LOCAL.3],EAX
004D0E9B |. 837D F4 FF CMP [LOCAL.3],-1
004D0E9F |. 75 15 JNZ SHORT WinHex.004D0EB6
004D0EA1 |. 8B55 FC MOV EDX,[LOCAL.1]
004D0EA4 |. 66:B8 0300 MOV AX,3
004D0EA8 |. E8 370F0400 CALL <WinHex.@Comobj@DispatchInvokeError$qqri>
004D0EAD |. C645 FA 02 MOV BYTE PTR SS:[EBP-6],2
004D0EB1 |. E9 9F040000 JMP WinHex.004D1355
004D0EB6 |> DF6B 18 FILD QWORD PTR DS:[EBX+18]
004D0EB9 |. 83C4 F8 ADD ESP,-8 ; /
004D0EBC |. DF3C24 FISTP QWORD PTR SS:[ESP] ; |Arg1 (8-byte)
004D0EBF |. 9B WAIT ; |
004D0EC0 |. E8 5F470400 CALL WinHex.00515624 ; \WinHex.00515624
004D0EC5 |. 50 PUSH EAX ; /DataSize
004D0EC6 |. 8B83 3C010000 MOV EAX,DWORD PTR DS:[EBX+13C] ; |
004D0ECC |. 50 PUSH EAX ; |Data
004D0ECD |. 8B45 F4 MOV EAX,[LOCAL.3] ; |
004D0ED0 |. 50 PUSH EAX ; |hFile
004D0ED1 |. E8 9A5AF3FF CALL <WinHex._hwrite> ; \_hwrite
004D0ED6 |. 99 CDQ
004D0ED7 |. 3B53 1C CMP EDX,DWORD PTR DS:[EBX+1C]
004D0EDA |. 75 07 JNZ SHORT WinHex.004D0EE3
004D0EDC |. 3B43 18 CMP EAX,DWORD PTR DS:[EBX+18]
004D0EDF |. 73 16 JNB SHORT WinHex.004D0EF7
004D0EE1 |. EB 02 JMP SHORT WinHex.004D0EE5
004D0EE3 |> 7D 12 JGE SHORT WinHex.004D0EF7
004D0EE5 |> 8B55 FC MOV EDX,[LOCAL.1]
004D0EE8 |. 66:B8 0500 MOV AX,5
004D0EEC |. E8 F30E0400 CALL <WinHex.@Comobj@DispatchInvokeError$qqri>
004D0EF1 |. C645 FA 03 MOV BYTE PTR SS:[EBP-6],3
004D0EF5 |. EB 04 JMP SHORT WinHex.004D0EFB
004D0EF7 |> C645 FA 00 MOV BYTE PTR SS:[EBP-6],0
004D0EFB |> 8B45 F4 MOV EAX,[LOCAL.3]
004D0EFE |. 50 PUSH EAX ; /hObject
004D0EFF |. E8 FC55F3FF CALL <WinHex.CloseHandle_0> ; \CloseHandle
004D0F04 |> 834B 40 20 OR DWORD PTR DS:[EBX+40],20
004D0F08 |. 8B53 40 MOV EDX,DWORD PTR DS:[EBX+40]
004D0F0B |. 83CA 20 OR EDX,20
004D0F0E |. A1 F4175400 MOV EAX,DWORD PTR DS:[5417F4]
004D0F13 |. E8 94AD0600 CALL WinHex.0053BCAC
004D0F18 |. E9 38040000 JMP WinHex.004D1355
004D0F1D |> C645 D7 00 MOV BYTE PTR SS:[EBP-29],0
004D0F21 |. 837B 44 00 CMP DWORD PTR DS:[EBX+44],0
004D0F25 |. 75 0D JNZ SHORT WinHex.004D0F34
004D0F27 |. 83BB A8000000 0>CMP DWORD PTR DS:[EBX+A8],0
004D0F2E |. 0F84 16030000 JE WinHex.004D124A
004D0F34 |> C645 FA 01 MOV BYTE PTR SS:[EBP-6],1
004D0F38 |. 8BC3 MOV EAX,EBX
004D0F3A |. 8B90 5C020000 MOV EDX,DWORD PTR DS:[EAX+25C]
004D0F40 |. FF52 10 CALL DWORD PTR DS:[EDX+10]
004D0F43 |. 84C0 TEST AL,AL
004D0F45 |. 0F84 0A040000 JE WinHex.004D1355
004D0F4B |. 8B45 FC MOV EAX,[LOCAL.1]
004D0F4E |. E8 D1210400 CALL WinHex.00513124
004D0F53 |. 8945 F4 MOV [LOCAL.3],EAX
004D0F56 |. 837D F4 FF CMP [LOCAL.3],-1
004D0F5A |. 75 2D JNZ SHORT WinHex.004D0F89
004D0F5C |. E8 3F57F3FF CALL <WinHex.GetLastError_0> ; [GetLastError
004D0F61 |. 8D95 D0FEFFFF LEA EDX,[LOCAL.76]
004D0F67 |. E8 FC2C0400 CALL WinHex.00513C68
004D0F6C |. 6A 00 PUSH 0 ; /Arg1 = 00000000
004D0F6E |. 8D8D D0FEFFFF LEA ECX,[LOCAL.76] ; |
004D0F74 |. 8B55 FC MOV EDX,[LOCAL.1] ; |
004D0F77 |. 66:B8 0300 MOV AX,3 ; |
004D0F7B |. E8 B40E0400 CALL WinHex.00511E34 ; \WinHex.00511E34
004D0F80 |. C645 FA 02 MOV BYTE PTR SS:[EBP-6],2
004D0F84 |. E9 CC030000 JMP WinHex.004D1355
004D0F89 |> 807D FB 00 CMP BYTE PTR SS:[EBP-5],0
004D0F8D |. 74 21 JE SHORT WinHex.004D0FB0
004D0F8F |. 66:B8 2100 MOV AX,21
004D0F93 |. E8 04DB0300 CALL WinHex.0050EA9C
004D0F98 |. 8BD0 MOV EDX,EAX
004D0F9A |. A1 FC215400 MOV EAX,DWORD PTR DS:[5421FC]
004D0F9F |. E8 188C0600 CALL WinHex.00539BBC
004D0FA4 |. A1 FC215400 MOV EAX,DWORD PTR DS:[5421FC]
004D0FA9 |. 33D2 XOR EDX,EDX
004D0FAB |. E8 F41B0400 CALL WinHex.00512BA4
004D0FB0 |> 8B43 18 MOV EAX,DWORD PTR DS:[EBX+18]
004D0FB3 |. 8B53 1C MOV EDX,DWORD PTR DS:[EBX+1C]
004D0FB6 |. 83E8 01 SUB EAX,1
004D0FB9 |. 83DA 00 SBB EDX,0
004D0FBC |. 8985 C8FEFAFF MOV [LOCAL.81998],EAX
004D0FC2 |. 8995 CCFEFAFF MOV [LOCAL.81997],EDX
004D0FC8 |. DFAD C8FEFAFF FILD QWORD PTR SS:[EBP+FFFAFEC8]
004D0FCE |. D835 64134D00 FDIV DWORD PTR DS:[4D1364]
004D0FD4 |. E8 0B1AF3FF CALL <WinHex.@System@@TRUNC$qqrv>
004D0FD9 |. 40 INC EAX
004D0FDA |. 8945 D8 MOV [LOCAL.10],EAX
004D0FDD |. 33C0 XOR EAX,EAX
004D0FDF |. 8945 E8 MOV [LOCAL.6],EAX
004D0FE2 |. 8945 EC MOV [LOCAL.5],EAX
004D0FE5 |. 33C0 XOR EAX,EAX
004D0FE7 |. 8945 E0 MOV [LOCAL.8],EAX
004D0FEA |. 8945 E4 MOV [LOCAL.7],EAX
004D0FED |. 8B45 D8 MOV EAX,[LOCAL.10]
004D0FF0 |. 85C0 TEST EAX,EAX
004D0FF2 |. 0F8E C7010000 JLE WinHex.004D11BF
004D0FF8 |. 8945 D0 MOV [LOCAL.12],EAX
004D0FFB |. C745 DC 0100000>MOV [LOCAL.9],1
004D1002 |> 8B45 DC /MOV EAX,[LOCAL.9]
004D1005 |. 3B45 D8 |CMP EAX,[LOCAL.10]
004D1008 |. 7D 07 |JGE SHORT WinHex.004D1011
004D100A |. BE 00000500 |MOV ESI,50000
004D100F |. EB 34 |JMP SHORT WinHex.004D1045
004D1011 |> 8B43 18 |MOV EAX,DWORD PTR DS:[EBX+18]
004D1014 |. 8B53 1C |MOV EDX,DWORD PTR DS:[EBX+1C]
004D1017 |. 83E8 01 |SUB EAX,1
004D101A |. 83DA 00 |SBB EDX,0
004D101D |. 8985 C8FEFAFF |MOV [LOCAL.81998],EAX
004D1023 |. 8995 CCFEFAFF |MOV [LOCAL.81997],EDX
004D1029 |. DFAD C8FEFAFF |FILD QWORD PTR SS:[EBP+FFFAFEC8]
004D102F |. 83C4 F8 |ADD ESP,-8 ; /
004D1032 |. DF3C24 |FISTP QWORD PTR SS:[ESP] ; |Arg3 (8-byte)
004D1035 |. 9B |WAIT ; |
004D1036 |. 6A 00 |PUSH 0 ; |Arg2 = 00000000
004D1038 |. 68 00000500 |PUSH 50000 ; |Arg1 = 00050000
004D103D |. E8 0E470400 |CALL WinHex.00515750 ; \WinHex.00515750
004D1042 |. 8BF0 |MOV ESI,EAX
004D1044 |. 46 |INC ESI
004D1045 |> 56 |PUSH ESI
004D1046 |. 8D8D D0FEFAFF |LEA ECX,[LOCAL.81996]
004D104C |. 8D55 E8 |LEA EDX,[LOCAL.6]
004D104F |. 8BC3 |MOV EAX,EBX
004D1051 |. 8BB8 5C020000 |MOV EDI,DWORD PTR DS:[EAX+25C]
004D1057 |. FF57 18 |CALL DWORD PTR DS:[EDI+18]
004D105A |. 3BF0 |CMP ESI,EAX
004D105C |. 7E 11 |JLE SHORT WinHex.004D106F
004D105E |. 8B53 0C |MOV EDX,DWORD PTR DS:[EBX+C]
004D1061 |. 66:B8 0200 |MOV AX,2
004D1065 |. E8 4E0D0400 |CALL WinHex.00511DB8
004D106A |. E9 50010000 |JMP WinHex.004D11BF
004D106F |> A1 D8205400 |MOV EAX,DWORD PTR DS:[5420D8]
004D1074 |. 8038 00 |CMP BYTE PTR DS:[EAX],0
004D1077 |. 0F85 83000000 |JNZ WinHex.004D1100
004D107D |. 89B5 C4FEFAFF |MOV [LOCAL.81999],ESI
004D1083 |. DB85 C4FEFAFF |FILD [LOCAL.81999]
004D1089 |. DF6D E0 |FILD QWORD PTR SS:[EBP-20]
004D108C |. DEC1 |FADDP ST(1),ST(0)
004D108E |. D81D 68134D00 |FCOMP DWORD PTR DS:[4D1368]
004D1094 |. DFE0 |FSTSW AX
004D1096 |. 9E |SAHF
004D1097 |. 76 67 |JBE SHORT WinHex.004D1100
004D1099 |. D905 68134D00 |FLD DWORD PTR DS:[4D1368]
004D109F |. DF6D E0 |FILD QWORD PTR SS:[EBP-20]
004D10A2 |. DEE9 |FSUBP ST(1),ST(0)
004D10A4 |. 83C4 F8 |ADD ESP,-8 ; /
004D10A7 |. DF3C24 |FISTP QWORD PTR SS:[ESP] ; |Arg1 (8-byte)
004D10AA |. 9B |WAIT ; |
004D10AB |. E8 74450400 |CALL WinHex.00515624 ; \WinHex.00515624
004D10B0 |. 8BF0 |MOV ESI,EAX
004D10B2 |. C645 D7 01 |MOV BYTE PTR SS:[EBP-29],1
004D10B6 |. 8B43 0C |MOV EAX,DWORD PTR DS:[EBX+C]
004D10B9 |. E8 E6390400 |CALL WinHex.00514AA4
004D10BE |. 50 |PUSH EAX
004D10BF |. 66:B8 0304 |MOV AX,403
004D10C3 |. E8 D4D90300 |CALL WinHex.0050EA9C
004D10C8 |. 5A |POP EDX
004D10C9 |. E8 3A2A0400 |CALL WinHex.00513B08
004D10CE |. 6A 00 |PUSH 0 ; /Arg2 = 00000000
004D10D0 |. 68 C8000000 |PUSH 0C8 ; |Arg1 = 000000C8
004D10D5 |. A1 A8235400 |MOV EAX,DWORD PTR DS:[5423A8] ; |
004D10DA |. E8 F1280400 |CALL WinHex.005139D0 ; \WinHex.005139D0
004D10DF |. 66:B8 4F00 |MOV AX,4F
004D10E3 |. E8 B4D90300 |CALL WinHex.0050EA9C
004D10E8 |. 8BD0 |MOV EDX,EAX
004D10EA |. A1 A8235400 |MOV EAX,DWORD PTR DS:[5423A8]
004D10EF |. E8 78900600 |CALL WinHex.0053A16C
004D10F4 |. A1 A8235400 |MOV EAX,DWORD PTR DS:[5423A8]
004D10F9 |. 33D2 |XOR EDX,EDX
004D10FB |. E8 C8050400 |CALL WinHex.005116C8
004D1100 |> 56 |PUSH ESI ; /DataSize
004D1101 |. 8D85 D0FEFAFF |LEA EAX,[LOCAL.81996] ; |
004D1107 |. 50 |PUSH EAX ; |Data
004D1108 |. 8B45 F4 |MOV EAX,[LOCAL.3] ; |
004D110B |. 50 |PUSH EAX ; |hFile
004D110C |. E8 5F58F3FF |CALL <WinHex._hwrite> ; \_hwrite
004D1111 |. 8985 C4FEFAFF |MOV [LOCAL.81999],EAX
004D1117 |. DB85 C4FEFAFF |FILD [LOCAL.81999]
004D111D |. DF6D E0 |FILD QWORD PTR SS:[EBP-20]
004D1120 |. DEC1 |FADDP ST(1),ST(0)
004D1122 |. DF7D E0 |FISTP QWORD PTR SS:[EBP-20]
004D1125 |. 9B |WAIT
004D1126 |. 3BF0 |CMP ESI,EAX
004D1128 |. 7E 15 |JLE SHORT WinHex.004D113F
004D112A |. 8B55 FC |MOV EDX,[LOCAL.1]
004D112D |. 66:B8 0500 |MOV AX,5
004D1131 |. E8 AE0C0400 |CALL <WinHex.@Comobj@DispatchInvokeError$qqr>
004D1136 |. C645 FA 03 |MOV BYTE PTR SS:[EBP-6],3
004D113A |. E9 80000000 |JMP WinHex.004D11BF
004D113F |> 3BF0 |CMP ESI,EAX
004D1141 |. 75 08 |JNZ SHORT WinHex.004D114B
004D1143 |. 8B45 DC |MOV EAX,[LOCAL.9]
004D1146 |. 3B45 D8 |CMP EAX,[LOCAL.10]
004D1149 |. 74 06 |JE SHORT WinHex.004D1151
004D114B |> 807D D7 00 |CMP BYTE PTR SS:[EBP-29],0
004D114F |. 74 04 |JE SHORT WinHex.004D1155
004D1151 |> C645 FA 00 |MOV BYTE PTR SS:[EBP-6],0
004D1155 |> E8 F2260400 |CALL WinHex.0051384C
004D115A |. A1 28235400 |MOV EAX,DWORD PTR DS:[542328]
004D115F |. 8038 00 |CMP BYTE PTR DS:[EAX],0
004D1162 |. 75 5B |JNZ SHORT WinHex.004D11BF
004D1164 |. 807D D7 00 |CMP BYTE PTR SS:[EBP-29],0
004D1168 |. 75 55 |JNZ SHORT WinHex.004D11BF
004D116A |. 807D FB 00 |CMP BYTE PTR SS:[EBP-5],0
004D116E |. 74 18 |JE SHORT WinHex.004D1188
004D1170 |. DB45 DC |FILD [LOCAL.9]
004D1173 |. DB45 D8 |FILD [LOCAL.10]
004D1176 |. DEF9 |FDIVP ST(1),ST(0)
004D1178 |. D80D 6C134D00 |FMUL DWORD PTR DS:[4D136C]
004D117E |. E8 5518F3FF |CALL <WinHex.@System@@ROUND$qqrv>
004D1183 |. E8 90B00500 |CALL WinHex.0052C218
004D1188 |> 807D 0C 00 |CMP BYTE PTR SS:[EBP+C],0
004D118C |. 74 25 |JE SHORT WinHex.004D11B3
004D118E |. A1 C41C5400 |MOV EAX,DWORD PTR DS:[541CC4]
004D1193 |. DF28 |FILD QWORD PTR DS:[EAX]
004D1195 |. DF6D E0 |FILD QWORD PTR SS:[EBP-20]
004D1198 |. DEC1 |FADDP ST(1),ST(0)
004D119A |. D80D 6C134D00 |FMUL DWORD PTR DS:[4D136C]
004D11A0 |. A1 50175400 |MOV EAX,DWORD PTR DS:[541750]
004D11A5 |. DF28 |FILD QWORD PTR DS:[EAX]
004D11A7 |. DEF9 |FDIVP ST(1),ST(0)
004D11A9 |. E8 2A18F3FF |CALL <WinHex.@System@@ROUND$qqrv>
004D11AE |. E8 65B00500 |CALL WinHex.0052C218
004D11B3 |> FF45 DC |INC [LOCAL.9]
004D11B6 |. FF4D D0 |DEC [LOCAL.12]
004D11B9 |.^ 0F85 43FEFFFF \JNZ WinHex.004D1002
004D11BF |> 8B45 F4 MOV EAX,[LOCAL.3]
004D11C2 |. 50 PUSH EAX ; /hObject
004D11C3 |. E8 3853F3FF CALL <WinHex.CloseHandle_0> ; \CloseHandle
004D11C8 |. 8BC3 MOV EAX,EBX
004D11CA |. 8B90 5C020000 MOV EDX,DWORD PTR DS:[EAX+25C]
004D11D0 |. FF52 14 CALL DWORD PTR DS:[EDX+14]
004D11D3 |. 837B 1C 00 CMP DWORD PTR DS:[EBX+1C],0
004D11D7 |. 75 08 JNZ SHORT WinHex.004D11E1
004D11D9 |. 837B 18 00 CMP DWORD PTR DS:[EBX+18],0
004D11DD |. 76 1A JBE SHORT WinHex.004D11F9
004D11DF |. EB 02 JMP SHORT WinHex.004D11E3
004D11E1 |> 7E 16 JLE SHORT WinHex.004D11F9
004D11E3 |> DF6D E0 FILD QWORD PTR SS:[EBP-20]
004D11E6 |. D81D 70134D00 FCOMP DWORD PTR DS:[4D1370]
004D11EC |. DFE0 FSTSW AX
004D11EE |. 9E SAHF
004D11EF |. 75 08 JNZ SHORT WinHex.004D11F9
004D11F1 |. 8B45 FC MOV EAX,[LOCAL.1]
004D11F4 |. E8 3BAF0600 CALL WinHex.0053C134
004D11F9 |> 807D FB 00 CMP BYTE PTR SS:[EBP-5],0
004D11FD |. 74 05 JE SHORT WinHex.004D1204
004D11FF |. E8 2C1D0400 CALL WinHex.00512F30
004D1204 |> 807D FA 00 CMP BYTE PTR SS:[EBP-6],0
004D1208 |. 0F85 47010000 JNZ WinHex.004D1355
004D120E |. 807D FB 02 CMP BYTE PTR SS:[EBP-5],2
004D1212 |. 0F85 3D010000 JNZ WinHex.004D1355
004D1218 |. 8D83 B8000000 LEA EAX,DWORD PTR DS:[EBX+B8]
004D121E |. E8 0DA60600 CALL WinHex.0053B830
004D1223 |. 33C0 XOR EAX,EAX
004D1225 |. 8983 B8000000 MOV DWORD PTR DS:[EBX+B8],EAX
004D122B |. 33C0 XOR EAX,EAX
004D122D |. 8943 44 MOV DWORD PTR DS:[EBX+44],EAX
004D1230 |. 33C0 XOR EAX,EAX
004D1232 |. 8983 A8000000 MOV DWORD PTR DS:[EBX+A8],EAX
004D1238 |. 8D43 4C LEA EAX,DWORD PTR DS:[EBX+4C]
004D123B |. BA 5C000000 MOV EDX,5C
004D1240 |. E8 475FF3FF CALL <WinHex._System@@Fillchar>
004D1245 |. E9 0B010000 JMP WinHex.004D1355
004D124A |> C645 FA 04 MOV BYTE PTR SS:[EBP-6],4
004D124E |. 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10]
004D1251 |. 8B55 FC MOV EDX,[LOCAL.1]
004D1254 |. E8 0BA70600 CALL WinHex.0053B964
004D1259 |. 85C0 TEST EAX,EAX
004D125B |. 74 16 JE SHORT WinHex.004D1273
004D125D |. 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10]
004D1260 |. 8A4D FB MOV CL,BYTE PTR SS:[EBP-5]
004D1263 |. 8B55 FC MOV EDX,[LOCAL.1]
004D1266 |. E8 D1B00000 CALL WinHex.004DC33C
004D126B |. 84C0 TEST AL,AL
004D126D |. 0F85 E2000000 JNZ WinHex.004D1355
004D1273 |> 80BB 45010000 0>CMP BYTE PTR DS:[EBX+145],0
004D127A |. 0F84 A8000000 JE WinHex.004D1328
004D1280 |. E8 BB390300 CALL WinHex.00504C40 ; <== Trace into
Capability score:
( LV2, RANK:10 )
Post #14
Trace into at 004D1280:
00504C40 /$ 53 PUSH EBX
00504C41 |. 56 PUSH ESI
00504C42 |. 57 PUSH EDI
00504C43 |. 81C4 04F0FFFF ADD ESP,-0FFC
00504C49 |. 50 PUSH EAX
00504C4A |. 83C4 B4 ADD ESP,-4C
00504C4D |. 33DB XOR EBX,EBX
00504C4F |. 803D C0675400 0>CMP BYTE PTR DS:[5467C0],0 ; <== Note ***
00504C56 |. 74 07 JE SHORT WinHex.00504C5F
00504C58 |. B3 01 MOV BL,1
00504C5A |. E9 8C010000 JMP WinHex.00504DEB
00504C5F |> 68 027F0000 PUSH 7F02 ; /RsrcName = IDC_WAIT
00504C64 |. 6A 00 PUSH 0 ; |hInst = NULL
00504C66 |. E8 DD22F0FF CALL <WinHex.LoadCursorA> ; \LoadCursorA
00504C6B |. 50 PUSH EAX ; /hCursor
00504C6C |. E8 E723F0FF CALL <WinHex.SetCursor> ; \SetCursor
00504C71 |. 6A 1C PUSH 1C ; /BufSize = 1C (28.)
00504C73 |. 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10] ; |
00504C77 |. 50 PUSH EAX ; |Buffer
00504C78 |. 68 00004000 PUSH WinHex.00400000 ; |Address = WinHex.00400000
00504C7D |. E8 AE1CF0FF CALL <WinHex.VirtualQuery> ; \VirtualQuery
00504C82 |. 54 PUSH ESP ; /pOldProtect
00504C83 |. 6A 40 PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00504C85 |. 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20] ; |
00504C89 |. 50 PUSH EAX ; |Size
00504C8A |. 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18] ; |
00504C8E |. 50 PUSH EAX ; |Address
00504C8F |. E8 8C1CF0FF CALL <WinHex.VirtualProtect> ; \VirtualProtect
00504C94 |. 85C0 TEST EAX,EAX
00504C96 |. 0F84 28010000 JE WinHex.00504DC4
00504C9C |. E8 5BFEFFFF CALL WinHex.00504AFC ; <== Trace into
00504CA1 |. 66:BE 3807 MOV SI,738
00504CA5 |. 0FB7CE MOVZX ECX,SI ; <== ECX = 0x738
00504CA8 |. 8D4424 48 LEA EAX,DWORD PTR SS:[ESP+48]
00504CAC |. 8B15 D00A5400 MOV EDX,DWORD PTR DS:[540AD0] ; WinHex.005043C4
00504CB2 |. E8 01E40000 CALL <WinHex._System@@Move>
00504CB7 |. 8D4424 28 LEA EAX,DWORD PTR SS:[ESP+28]
00504CBB |. BA 20000000 MOV EDX,20
00504CC0 |. E8 C724F0FF CALL <WinHex._System@@Fillchar>
00504CC5 |. BA C4675400 MOV EDX,WinHex.005467C4
00504CCA |. 8D4424 28 LEA EAX,DWORD PTR SS:[ESP+28]
00504CCE |. B9 10000000 MOV ECX,10
00504CD3 |. E8 E0E30000 CALL <WinHex._System@@Move>
Capability score:
( LV2, RANK:10 )
Post #15
Now trace into 00504C9C:
00504AFC /$ 53 PUSH EBX
00504AFD |. 83C4 88 ADD ESP,-78
00504B00 |. 8D4424 60 LEA EAX,DWORD PTR SS:[ESP+60]
00504B04 |. B2 09 MOV DL,9
00504B06 |. E8 5974F0FF CALL <WinHex._@@Sha256_Init> ; <== Sha256_Init
00504B0B |. 8B15 78225400 MOV EDX,DWORD PTR DS:[542278] ; <== EDX --> (szName + ... + szAddr1 + ... + szAddr2)
00504B11 |. 8D4424 60 LEA EAX,DWORD PTR SS:[ESP+60]
00504B15 |. B9 CB000000 MOV ECX,0CB ; <== ECX = 0xCB = length of (szName + ... + szAddr1 + ... + szAddr2)
00504B1A |. E8 9575F0FF CALL <WinHex._@@SHA256_Update> ; <== SHA256_Update()
00504B1F |. 8D5424 20 LEA EDX,DWORD PTR SS:[ESP+20]
00504B23 |. 8D4424 60 LEA EAX,DWORD PTR SS:[ESP+60]
00504B27 |. E8 0C77F0FF CALL <WinHex._@@SHA256_Finish> ; <== SHA256_Finish()
00504B2C |. BA D40A5400 MOV EDX,WinHex.00540AD4 ; ASCII 02,"æõ"
00504B31 |. 8BC4 MOV EAX,ESP
00504B33 |. B9 20000000 MOV ECX,20
00504B38 |. E8 7BE50000 CALL <WinHex._System@@Move> ; <== Mov DefString
00504B3D |. 54 PUSH ESP ; /Arg4
00504B3E |. 6A 00 PUSH 0 ; |Arg3 = 00000000
00504B40 |. 6A 00 PUSH 0 ; |Arg2 = 00000000
00504B42 |. 6A 00 PUSH 0 ; |Arg1 = 00000000
00504B44 |. B1 01 MOV CL,1 ; |
00504B46 |. 8B15 E88F5300 MOV EDX,DWORD PTR DS:[538FE8] ; |WinHex.00538FF4
00504B4C |. 33C0 XOR EAX,EAX ; |
00504B4E |. E8 E9450300 CALL WinHex.0053913C ; \<== Call to SHA256(DefString)
00504B53 |. 8BD8 MOV EBX,EAX
00504B55 |. 6A 00 PUSH 0 ; /Arg3 = 00000000
00504B57 |. 6A 00 PUSH 0 ; |Arg2 = 00000000
00504B59 |. 6A 00 PUSH 0 ; |Arg1 = 00000000
00504B5B |. 8D5424 2C LEA EDX,DWORD PTR SS:[ESP+2C] ; |
00504B5F |. B9 20000000 MOV ECX,20 ; |
00504B64 |. 8BC3 MOV EAX,EBX ; |
00504B66 |. E8 2D4A0300 CALL WinHex.00539598 ; \<== Rijndael
00504B6B |. BA 42010000 MOV EDX,142
00504B70 |. 8BC3 MOV EAX,EBX
00504B72 |. E8 21DBEFFF CALL <WinHex.@System@@FreeMem$qqrpv>
00504B77 |. 8BC4 MOV EAX,ESP
00504B79 |. BA 20000000 MOV EDX,20
00504B7E |. E8 0926F0FF CALL <WinHex._System@@Fillchar> ; <== Call to FillChar()
00504B83 |. 8D4424 60 LEA EAX,DWORD PTR SS:[ESP+60]
00504B87 |. B2 09 MOV DL,9
00504B89 |. E8 D673F0FF CALL <WinHex._@@Sha256_Init> ; <== Sha256_Init
00504B8E |. 8D5424 20 LEA EDX,DWORD PTR SS:[ESP+20]
00504B92 |. 8D4424 60 LEA EAX,DWORD PTR SS:[ESP+60]
00504B96 |. B9 20000000 MOV ECX,20
00504B9B |. E8 1475F0FF CALL <WinHex._@@SHA256_Update> ; <== SHA256_Update()
00504BA0 |. 8B15 78225400 MOV EDX,DWORD PTR DS:[542278] ; WinHex.005504F0
00504BA6 |. 81C2 CB000000 ADD EDX,0CB
00504BAC |. 8D4424 60 LEA EAX,DWORD PTR SS:[ESP+60]
00504BB0 |. B9 10000000 MOV ECX,10
00504BB5 |. E8 FA74F0FF CALL <WinHex._@@SHA256_Update> ; <== SHA256_Update()
00504BBA |. 8D5424 40 LEA EDX,DWORD PTR SS:[ESP+40]
00504BBE |. 8D4424 60 LEA EAX,DWORD PTR SS:[ESP+60]
00504BC2 |. E8 7176F0FF CALL <WinHex._@@SHA256_Finish> ; <== SHA256_Finish()
00504BC7 |. 8B15 78225400 MOV EDX,DWORD PTR DS:[542278] ; WinHex.005504F0
00504BCD |. 81C2 DB000000 ADD EDX,0DB
00504BD3 |. B8 C4675400 MOV EAX,WinHex.005467C4
00504BD8 |. B9 10000000 MOV ECX,10
00504BDD |. E8 D6E40000 CALL <WinHex._System@@Move>
00504BE2 |. 8D5424 40 LEA EDX,DWORD PTR SS:[ESP+40]
00504BE6 |. 8BC4 MOV EAX,ESP
00504BE8 |. B9 20000000 MOV ECX,20
00504BED |. E8 C6E40000 CALL <WinHex._System@@Move>
00504BF2 |. 54 PUSH ESP ; /Arg4
00504BF3 |. 6A 00 PUSH 0 ; |Arg3 = 00000000
00504BF5 |. 6A 00 PUSH 0 ; |Arg2 = 00000000
00504BF7 |. 6A 00 PUSH 0 ; |Arg1 = 00000000
00504BF9 |. B1 01 MOV CL,1 ; |
00504BFB |. 8B15 E88F5300 MOV EDX,DWORD PTR DS:[538FE8] ; |WinHex.00538FF4
00504C01 |. 33C0 XOR EAX,EAX ; |
00504C03 |. E8 34450300 CALL WinHex.0053913C ; \<== Call to SHA256()
00504C08 |. 8BD8 MOV EBX,EAX
00504C0A |. 6A 00 PUSH 0 ; /Arg3 = 00000000
00504C0C |. 6A 00 PUSH 0 ; |Arg2 = 00000000
00504C0E |. 6A 00 PUSH 0 ; |Arg1 = 00000000
00504C10 |. BA C4675400 MOV EDX,WinHex.005467C4 ; |
00504C15 |. B9 10000000 MOV ECX,10 ; |
00504C1A |. 8BC3 MOV EAX,EBX ; |
00504C1C |. E8 DB4A0300 CALL WinHex.005396FC ; \WinHex.005396FC
00504C21 |. BA 42010000 MOV EDX,142
00504C26 |. 8BC3 MOV EAX,EBX
00504C28 |. E8 6BDAEFFF CALL <WinHex.@System@@FreeMem$qqrpv>
00504C2D |. 8BC4 MOV EAX,ESP
00504C2F |. BA 20000000 MOV EDX,20
00504C34 |. E8 5325F0FF CALL <WinHex._System@@Fillchar>
00504C39 |. 83C4 78 ADD ESP,78
00504C3C |. 5B POP EBX
00504C3D \. C3 RET
In this call:
00504B4E |. E8 E9450300 CALL WinHex.0053913C ; \<== Call to SHA256(DefString)
there is a function call to RijndaelKeySetup.
Hmm, this code is really very long. I am very busy now, so I don't have time to look at it again.
You can reach this check code by loading WinHex.exe into Olly, pressing F9 to run, then opening a file in WinHex, editing it and then using the Save or Save As feature.
Crem !