这是一个可执行文件，双击后提示 "Security key not found"，意思是某个 KEY 没有找到。于是用 ODBYDYK 打开，能够看到反汇编后的代码，但不太明白其中的意思，希望大虾们能够解释一下！（本人刚学 PJ 不久，对技术很感兴趣，所以请各位大哥多指教）
; ---------------------------------------------------------------------
; 504DA000 -- build the flag byte at [504CE394] and, when any flag is
; set, call BBB.504DB940 with eight stack arguments.
;
; Flags (OR-ed in, never cleared by this routine):
;   bit 0 (01h)  byte  [504CE2A4] is non-zero (OllyDbg shows this
;                address as an ASCII string, i.e. the string is non-empty)
;   bit 3 (08h)  dword [504CE284] is non-zero
;
; Arguments pushed for 504DB940 (right to left, cdecl-style: the caller
; removes 20h bytes afterwards):
;   Arg1 = address 504CE27C          Arg5 = address 504CE2A4 (string)
;   Arg2 = [504CE284]                Arg6 = address 504CE31C
;   Arg3 = [504CE288]                Arg7 = ecx, only cl = flag byte is
;   Arg4 = [504CE28C]                       loaded; upper 24 bits are
;                                           whatever ecx held before
;   Arg8 = [504CFB6C]  (used as the module base at 504DA270, where
;                       base+[base+3C] is computed -- presumably the
;                       image base; the "=> 00000000" shown here is only
;                       the value at the moment of the dump)
;
; eax is not set by this routine on the early-exit path; on the call
; path it is whatever 504DB940 left in it.
; NOTE(review): the same flag set-up is duplicated at 504DA28F-504DA2B2.
; ---------------------------------------------------------------------
504DA000 /$ 803D A4E24C50>cmp byte ptr ds:[504CE2A4],0
504DA007 |. 74 07 je short BBB.504DA010
504DA009 |. 800D 94E34C50>or byte ptr ds:[504CE394],1
504DA010 |> 833D 84E24C50>cmp dword ptr ds:[504CE284],0
504DA017 |. 74 07 je short BBB.504DA020
504DA019 |. 800D 94E34C50>or byte ptr ds:[504CE394],8
; No flag set -> nothing to do, return without calling 504DB940.
504DA020 |> 803D 94E34C50>cmp byte ptr ds:[504CE394],0
504DA027 |. 74 38 je short BBB.504DA061
504DA029 |. A1 6CFB4C50 mov eax,dword ptr ds:[504CFB6C]
504DA02E |. 8A0D 94E34C50 mov cl,byte ptr ds:[504CE394]
504DA034 |. 50 push eax ; /Arg8 => 00000000
504DA035 |. 8B15 8CE24C50 mov edx,dword ptr ds:[504CE28C] ; |
504DA03B |. 51 push ecx ; |Arg7
504DA03C |. A1 88E24C50 mov eax,dword ptr ds:[504CE288] ; |
504DA041 |. 68 1CE34C50 push BBB.504CE31C ; |Arg6 = 504CE31C
504DA046 |. 8B0D 84E24C50 mov ecx,dword ptr ds:[504CE284] ; |
504DA04C |. 68 A4E24C50 push BBB.504CE2A4 ; |Arg5 = 504CE2A4 ASCII "???????????"
504DA051 |. 52 push edx ; |Arg4 => 1A41A078
504DA052 |. 50 push eax ; |Arg3 => F3BA8277
504DA053 |. 51 push ecx ; |Arg2 => ABAD7C2A
504DA054 |. 68 7CE24C50 push BBB.504CE27C ; |Arg1 = 504CE27C
504DA059 |. E8 E2180000 call BBB.504DB940 ; \BBB.504DB940
; Caller-side clean-up of the eight dword arguments (8 * 4 = 20h).
504DA05E |. 83C4 20 add esp,20
504DA061 \> C3 retn
504DA062 CC int3
504DA063 CC int3
504DA064 CC int3
504DA065 CC int3
504DA066 CC int3
504DA067 CC int3
504DA068 CC int3
504DA069 CC int3
504DA06A CC int3
504DA06B CC int3
504DA06C CC int3
504DA06D CC int3
504DA06E CC int3
504DA06F CC int3
; ---------------------------------------------------------------------
; 504DA070 -- format an error string into the global buffer 504CFB88
; and return its address in eax.
;
; Output layout: "E%04X -- " followed by 200 (0C8h) bytes taken from a
; table and XOR-ed with a generated byte stream, then a NUL terminator.
;
;   code   = [504CFC6C]; when code == 1 the value printed is instead the
;            16-bit result of BBB.504E2570(504CFCA8)
;   record = table bytes at 504CF2CD + code*200 + i, i = 1..200
;            (code*5*5*8 = code*200)
;   stream : state0 = code + 4ED1567Bh
;            state  = ((state >> 9) + 79D11093h) XOR (state * 1003411Dh)
;            out[i] = record[i] XOR low byte of state
;
; Uses esi (saved/restored); clobbers eax, ecx, edx.
; NOTE(review): the push of 504CFCA8 before 504E2570 has no matching
; stack adjustment here, so 504E2570 presumably removes its own argument
; (stdcall) -- confirm in the callee.
; NOTE(review): nothing in this routine checks the destination size. It
; writes (prefix length + 200 + 1) bytes starting at 504CFB88, and when
; code != 1 the full 32-bit code is handed to %04X, which can print more
; than four digits. Other routines in this listing treat 504CFC5C
; (0D4h bytes past the buffer start) as a separate variable -- verify
; the buffer really is large enough for the longest prefix.
; ---------------------------------------------------------------------
504DA070 /$ 56 push esi
504DA071 |. A1 6CFC4C50 mov eax,dword ptr ds:[504CFC6C]
504DA076 |. 83F8 01 cmp eax,1
504DA079 |. 75 0D jnz short BBB.504DA088
504DA07B |. 68 A8FC4C50 push BBB.504CFCA8
504DA080 |. E8 EB840000 call BBB.504E2570
; Keep only the low 16 bits of the helper's result for printing.
504DA085 |. 0FB7C0 movzx eax,ax
504DA088 |> 50 push eax ; /<%04X>
504DA089 |. 68 540C4D50 push BBB.504D0C54 ; |Format = "E%04X -- "
504DA08E |. 68 88FB4C50 push BBB.504CFB88 ; |s = BBB.504CFB88
504DA093 |. FF15 04934D50 call dword ptr ds:[<&USER32.wsprintfA>] ; \wsprintfA
504DA099 |. 83C4 0C add esp,0C
; wsprintfA returned the prefix length in eax: esi = first byte after
; the prefix, where the decoded text is appended.
504DA09C |. 8DB0 88FB4C50 lea esi,dword ptr ds:[eax+504CFB88]
504DA0A2 |. 8B15 6CFC4C50 mov edx,dword ptr ds:[504CFC6C]
504DA0A8 |. 33C9 xor ecx,ecx
; edx = initial stream state, ecx = byte counter (0..200).
504DA0AA |. 81C2 7B56D14E add edx,4ED1567B
; Loop invariant: esi-1 is the slot written this iteration, ecx is the
; 1-based index of the record byte being decoded.
504DA0B0 |> 8BC2 /mov eax,edx
504DA0B2 |. 46 |inc esi
504DA0B3 |. C1E8 09 |shr eax,9
504DA0B6 |. 41 |inc ecx
504DA0B7 |. 69D2 1D410310 |imul edx,edx,1003411D
504DA0BD |. 05 9310D179 |add eax,79D11093
504DA0C2 |. 33C2 |xor eax,edx
504DA0C4 |. 8BD0 |mov edx,eax
; The code is reloaded from memory every iteration; eax*5*5 = code*25,
; scaled by 8 in the addressing mode below to give code*200.
504DA0C6 |. A1 6CFC4C50 |mov eax,dword ptr ds:[504CFC6C]
504DA0CB |. 8D0480 |lea eax,dword ptr ds:[eax+eax*4]
504DA0CE |. 8D0480 |lea eax,dword ptr ds:[eax+eax*4]
504DA0D1 |. 8A84C1 CDF24C>|mov al,byte ptr ds:[ecx+eax*8+504CF2CD]
504DA0D8 |. 32C2 |xor al,dl
504DA0DA |. 81F9 C8000000 |cmp ecx,0C8
504DA0E0 |. 8846 FF |mov byte ptr ds:[esi-1],al
504DA0E3 |.^ 7C CB \jl short BBB.504DA0B0
; Return the buffer address and NUL-terminate after the 200th byte.
504DA0E5 |. B8 88FB4C50 mov eax,BBB.504CFB88
504DA0EA |. C606 00 mov byte ptr ds:[esi],0
504DA0ED |. 5E pop esi
504DA0EE \. C3 retn
504DA0EF CC int3
; ---------------------------------------------------------------------
; 504DA0F0 -- record the local time and, if the environment variable
; "RBSINFO" is set, show a "Version Info..." message box.
;
; Steps visible here:
;   1. GetLocalTime(504CFC78) -- always executed.
;   2. GetEnvironmentVariableA("RBSINFO", 504CFB88, 80). A zero return
;      (variable absent/empty) skips the rest. The value itself is not
;      examined; the buffer is overwritten in step 4.
;   3. BBB.504E1DB0(504CFCA8, &b3, &b2, &b1, &b0) fills the four bytes
;      of the 4-byte stack local.
;   4. wsprintfA(504CFB88, "RBS32SP : ML-5.3/%d.%d.%d.%d", b3,b2,b1,b0)
;      and MessageBoxA(GetActiveWindow(), text, "Version Info...", 40h).
; Always returns eax = 0.
;
; NOTE(review): no stack adjustment follows the call to 504E1DB0, and
; the subsequent [esp+n] offsets only line up if the callee removed its
; five arguments -- presumably stdcall; confirm in the callee.
; ---------------------------------------------------------------------
504DA0F0 . 83EC 04 sub esp,4
504DA0F3 . 68 78FC4C50 push BBB.504CFC78 ; /pLocaltime = BBB.504CFC78
504DA0F8 . FF15 A8914D50 call dword ptr ds:[<&KERNEL32.GetLocalTi>; \GetLocalTime
504DA0FE . 6A 50 push 50 ; /BufSize = 50 (80.)
504DA100 . 68 88FB4C50 push BBB.504CFB88 ; |Buffer = BBB.504CFB88
504DA105 . 68 900C4D50 push BBB.504D0C90 ; |VarName = "RBSINFO"
504DA10A . FF15 58924D50 call dword ptr ds:[<&KERNEL32.GetEnviron>; \GetEnvironmentVariableA
504DA110 . 85C0 test eax,eax
504DA112 . 74 66 je short BBB.504DA17A
; Addresses of local bytes 0, 1, 2 and (after one push) 3.
504DA114 . 8D4424 00 lea eax,dword ptr ss:[esp]
504DA118 . 8D4C24 01 lea ecx,dword ptr ss:[esp+1]
504DA11C . 8D5424 02 lea edx,dword ptr ss:[esp+2]
504DA120 . 50 push eax
504DA121 . 8D4424 07 lea eax,dword ptr ss:[esp+7]
504DA125 . 51 push ecx
504DA126 . 52 push edx
504DA127 . 50 push eax
504DA128 . 68 A8FC4C50 push BBB.504CFCA8
504DA12D . E8 7E7C0000 call BBB.504E1DB0
; Zero-extend each local byte and push it as a %d argument. The esp
; offsets grow by 5 per step: +4 for the previous push, +1 for the next
; byte of the local.
504DA132 . 33C0 xor eax,eax
504DA134 . 8A4424 00 mov al,byte ptr ss:[esp]
504DA138 . 50 push eax ; /<%d>
504DA139 . 33C0 xor eax,eax ; |
504DA13B . 8A4424 05 mov al,byte ptr ss:[esp+5] ; |
504DA13F . 50 push eax ; |<%d>
504DA140 . 33C0 xor eax,eax ; |
504DA142 . 8A4424 0A mov al,byte ptr ss:[esp+A] ; |
504DA146 . 50 push eax ; |<%d>
504DA147 . 33C0 xor eax,eax ; |
504DA149 . 8A4424 0F mov al,byte ptr ss:[esp+F] ; |
504DA14D . 50 push eax ; |<%d>
504DA14E . 68 700C4D50 push BBB.504D0C70 ; |Format = "RBS32SP : ML-5.3/%d.%d.%d.%d"
504DA153 . 68 88FB4C50 push BBB.504CFB88 ; |s = BBB.504CFB88
504DA158 . FF15 04934D50 call dword ptr ds:[<&USER32.wsprintfA>] ; \wsprintfA
; wsprintfA is cdecl: drop its six arguments (6 * 4 = 18h).
504DA15E . 83C4 18 add esp,18
504DA161 . 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
504DA163 . 68 600C4D50 push BBB.504D0C60 ; |Title = "Version Info..."
504DA168 . 68 88FB4C50 push BBB.504CFB88 ; |Text = ""
504DA16D . FF15 00934D50 call dword ptr ds:[<&USER32.GetActiveWin>; |[GetActiveWindow
504DA173 . 50 push eax ; |hOwner
504DA174 . FF15 FC924D50 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
504DA17A > 33C0 xor eax,eax
504DA17C . 83C4 04 add esp,4
504DA17F . C3 retn
; ---------------------------------------------------------------------
; 504DA180 -- start a periodic timer (and, on the main path, a worker
; thread). The SetTimer result is stored in [504CFB74] and returned.
;
; Main path (taken unless GetVersion's top two bits are 10b):
;   - DuplicateHandle turns the current-thread pseudo handle into a real,
;     inheritable handle stored at [504CFC98].
;   - CreateThread starts BBB.504DB240 with no parameter.
;   - [504CFC9C] = 1, then SetTimer(NULL, 0, 1000 ms, BBB.504DB190).
; Fallback path (504DA220, also used when any step above fails):
;   - SetTimer(NULL, 0, word[504CE006] * 1000 ms, BBB.504DB070).
;
; SetTimer is looked up at run time through
; GetProcAddress(GetModuleHandleA("USER32"), "SetTimer") rather than via
; the import table.
;
; NOTE(review): the pointer returned by GetProcAddress is called without
; a NULL check on both paths.
; NOTE(review): the thread handle returned by CreateThread is only
; tested, never stored or closed in this routine.
; NOTE(review): which platform the "top two bits == 10b" test singles
; out is not shown here; presumably it follows GetVersion's documented
; high-bit platform encoding -- confirm.
; ---------------------------------------------------------------------
504DA180 . 83EC 04 sub esp,4
504DA183 . 56 push esi
504DA184 . FF15 C4914D50 call dword ptr ds:[<&KERNEL32.GetVersion>; kernel32.GetVersion
504DA18A . 25 000000C0 and eax,C0000000
504DA18F . 3D 00000080 cmp eax,80000000
504DA194 . 0F84 86000000 je BBB.504DA220
504DA19A . FF15 C0914D50 call dword ptr ds:[<&KERNEL32.GetCurrent>; [GetCurrentProcess
; esi = current-process handle, used as both source and target process.
504DA1A0 . 8BF0 mov esi,eax
504DA1A2 . 6A 02 push 2 ; /Options = DUPLICATE_SAME_ACCESS
504DA1A4 . 6A 01 push 1 ; |Inheritable = TRUE
504DA1A6 . 6A 00 push 0 ; |Access = 0
504DA1A8 . 68 98FC4C50 push BBB.504CFC98 ; |phTarget = BBB.504CFC98
504DA1AD . 56 push esi ; |hTargetProcess
504DA1AE . FF15 BC914D50 call dword ptr ds:[<&KERNEL32.GetCurrent>; |[GetCurrentThread
504DA1B4 . 50 push eax ; |hSource
504DA1B5 . 56 push esi ; |hSourceProcess
504DA1B6 . FF15 B8914D50 call dword ptr ds:[<&KERNEL32.DuplicateH>; \DuplicateHandle
504DA1BC . 85C0 test eax,eax
504DA1BE . 74 60 je short BBB.504DA220
504DA1C0 . 833D 98FC4C50>cmp dword ptr ds:[504CFC98],0
504DA1C7 . 74 57 je short BBB.504DA220
; [esp+4] is the 4-byte local (above the saved esi); it receives the
; new thread's id and is not read again.
504DA1C9 . 8D4424 04 lea eax,dword ptr ss:[esp+4]
504DA1CD . 50 push eax ; /pThreadId
504DA1CE . 6A 00 push 0 ; |CreationFlags = 0
504DA1D0 . 6A 00 push 0 ; |pThreadParm = NULL
504DA1D2 . 68 40B24D50 push BBB.504DB240 ; |ThreadFunction = BBB.504DB240
504DA1D7 . 6A 00 push 0 ; |StackSize = 0
504DA1D9 . 6A 00 push 0 ; |pSecurity = NULL
504DA1DB . FF15 B4914D50 call dword ptr ds:[<&KERNEL32.CreateThre>; \CreateThread
504DA1E1 . 85C0 test eax,eax
504DA1E3 . 74 3B je short BBB.504DA220
504DA1E5 . C705 9CFC4C50>mov dword ptr ds:[504CFC9C],1
; SetTimer arguments, pushed right to left: callback, 3E8h = 1000 ms,
; nIDEvent = 0, hWnd = 0.
504DA1EF . 68 90B14D50 push BBB.504DB190
504DA1F4 . 68 E8030000 push 3E8
504DA1F9 . 6A 00 push 0
504DA1FB . 6A 00 push 0
504DA1FD . 68 A00C4D50 push BBB.504D0CA0 ; /ProcNameOrOrdinal = "SetTimer"
504DA202 . 68 980C4D50 push BBB.504D0C98 ; |/pModule = "USER32"
504DA207 . FF15 B0914D50 call dword ptr ds:[<&KERNEL32.GetModuleH>; |\GetModuleHandleA
504DA20D . 50 push eax ; |hModule
504DA20E . FF15 AC914D50 call dword ptr ds:[<&KERNEL32.GetProcAdd>; \GetProcAddress
504DA214 . FFD0 call eax
504DA216 . 5E pop esi
504DA217 . A3 74FB4C50 mov dword ptr ds:[504CFB74],eax
504DA21C . 83C4 04 add esp,4
504DA21F . C3 retn
; Fallback: timer only, no worker thread.
504DA220 > 68 70B04D50 push BBB.504DB070
504DA225 . 33C0 xor eax,eax
504DA227 . 66:A1 06E04C5>mov ax,word ptr ds:[504CE006]
; eax = word * 5 * 5 * 5 * 8 = word * 1000 (interval in milliseconds).
504DA22D . 8D0C80 lea ecx,dword ptr ds:[eax+eax*4]
504DA230 . 8D1489 lea edx,dword ptr ds:[ecx+ecx*4]
504DA233 . 8D0492 lea eax,dword ptr ds:[edx+edx*4]
504DA236 . C1E0 03 shl eax,3
504DA239 . 50 push eax
504DA23A . 6A 00 push 0
504DA23C . 6A 00 push 0
504DA23E . 68 A00C4D50 push BBB.504D0CA0 ; /ProcNameOrOrdinal = "SetTimer"
504DA243 . 68 980C4D50 push BBB.504D0C98 ; |/pModule = "USER32"
504DA248 . FF15 B0914D50 call dword ptr ds:[<&KERNEL32.GetModuleH>; |\GetModuleHandleA
504DA24E . 50 push eax ; |hModule
504DA24F . FF15 AC914D50 call dword ptr ds:[<&KERNEL32.GetProcAdd>; \GetProcAddress
504DA255 . FFD0 call eax
504DA257 . 5E pop esi
504DA258 . A3 74FB4C50 mov dword ptr ds:[504CFB74],eax
504DA25D . 83C4 04 add esp,4
504DA260 . C3 retn
504DA261 CC int3
504DA262 CC int3
504DA263 CC int3
504DA264 CC int3
504DA265 CC int3
504DA266 CC int3
504DA267 CC int3
504DA268 CC int3
504DA269 CC int3
504DA26A CC int3
504DA26B CC int3
504DA26C CC int3
504DA26D CC int3
504DA26E CC int3
504DA26F CC int3
; ---------------------------------------------------------------------
; 504DA270 -- resolve the module's imports by hand, call 504DA000, then
; clear the import lookup tables. Always returns eax = 0; on failure it
; additionally stores an address into [504D0C3C] before returning.
;
; Data used:
;   [504CFB6C]  module base ("base" below; base+[base+3C] is taken as
;               the PE header address)
;   [504CE130]  RVA of an array of 14h-byte import descriptors
;               (+0 lookup-table RVA, +0Ch DLL-name RVA, +10h thunk-array
;               RVA; the array ends where +10h is zero)
;   [504CE134]  written next to [504CE130] into the PE header (+84h)
;
; Stack locals, as addressed once all four registers are pushed:
;   [esp+10] PE header address        [esp+1C] e_lfanew ([base+3C])
;   [esp+14] old page protection      [esp+20] saved header dword +80h
;   [esp+18] GlobalAlloc buffer / 0   [esp+24] saved header dword +84h
;
; Phases:
;   A. (only if the flag byte [504CE394] is non-zero and GetVersion's
;      high bit is clear) For every descriptor whose +0 field is zero,
;      copy its thunk array into a GlobalAlloc buffer and point +0 at
;      the copy.
;   B. (only if e_lfanew < 800h) Temporarily write [504CE130]/[504CE134]
;      into header offsets +80h/+84h -- for a PE32 image these are the
;      import-directory RVA and size.
;   C. LoadLibraryA each DLL and replace every thunk with the
;      GetProcAddress result (by ordinal when bit 31 is set, otherwise
;      by the name at RVA+2).
;   D. Call 504DA000, restore the header fields saved in B, zero every
;      lookup table and its +0 pointer, free the buffer from A.
;
; NOTE(review): VirtualProtect's return value is never checked; if it
; fails, the header writes that follow would hit a read-only page.
; NOTE(review): the LoadLibraryA / GetProcAddress failure exits
; (504DA51C, 504DA530) return without freeing the buffer from phase A
; and without restoring the header fields changed in phase B.
; NOTE(review): [504D0C3C] is read as a fetch pointer by the dispatcher
; loop at 504DA7C2, so the three failure exits presumably redirect it to
; error-handling sequences -- confirm.
; ---------------------------------------------------------------------
504DA270 . 83EC 18 sub esp,18
504DA273 . A1 6CFB4C50 mov eax,dword ptr ds:[504CFB6C]
504DA278 . 53 push ebx
504DA279 . 8B48 3C mov ecx,dword ptr ds:[eax+3C]
504DA27C . 56 push esi
504DA27D . 33DB xor ebx,ebx
; Buffer local starts as 0 (this is the final [esp+18] slot; the offset
; differs here because only two registers are pushed so far).
504DA27F . 895C24 10 mov dword ptr ss:[esp+10],ebx
504DA283 . 57 push edi
504DA284 . 894C24 18 mov dword ptr ss:[esp+18],ecx
504DA288 . 55 push ebp
504DA289 . 8B4C24 1C mov ecx,dword ptr ss:[esp+1C]
504DA28D . 03C8 add ecx,eax
; Same flag set-up as at 504DA000 (bl is 0 here).
504DA28F . 381D A4E24C50 cmp byte ptr ds:[504CE2A4],bl
504DA295 . 894C24 10 mov dword ptr ss:[esp+10],ecx
504DA299 . 74 07 je short BBB.504DA2A2
504DA29B . 800D 94E34C50>or byte ptr ds:[504CE394],1
504DA2A2 > 833D 84E24C50>cmp dword ptr ds:[504CE284],0
504DA2A9 . 74 07 je short BBB.504DA2B2
504DA2AB . 800D 94E34C50>or byte ptr ds:[504CE394],8
504DA2B2 > 803D 94E34C50>cmp byte ptr ds:[504CE394],0
504DA2B9 . 0F84 C5000000 je BBB.504DA384
504DA2BF . FF15 C4914D50 call dword ptr ds:[<&KERNEL32.GetVersion>; kernel32.GetVersion
504DA2C5 . A9 00000080 test eax,80000000
504DA2CA . 0F85 B4000000 jnz BBB.504DA384
; --- Phase A, pass 1: ebx = bytes needed to copy the thunk arrays of
; all descriptors whose +0 field is zero (4 per entry plus 4 for each
; terminator).
504DA2D0 . 8B0D 6CFB4C50 mov ecx,dword ptr ds:[504CFB6C]
504DA2D6 . 030D 30E14C50 add ecx,dword ptr ds:[504CE130]
504DA2DC . 8379 10 00 cmp dword ptr ds:[ecx+10],0
504DA2E0 . 74 28 je short BBB.504DA30A
504DA2E2 . 33D2 xor edx,edx
504DA2E4 > 3911 cmp dword ptr ds:[ecx],edx
504DA2E6 . 75 1A jnz short BBB.504DA302
504DA2E8 . 83C3 04 add ebx,4
504DA2EB . 8B41 10 mov eax,dword ptr ds:[ecx+10]
504DA2EE . 0305 6CFB4C50 add eax,dword ptr ds:[504CFB6C]
504DA2F4 . 3910 cmp dword ptr ds:[eax],edx
504DA2F6 . 74 0A je short BBB.504DA302
504DA2F8 > 83C3 04 add ebx,4
504DA2FB . 83C0 04 add eax,4
504DA2FE . 3910 cmp dword ptr ds:[eax],edx
504DA300 .^ 75 F6 jnz short BBB.504DA2F8
504DA302 > 83C1 14 add ecx,14
504DA305 . 3951 10 cmp dword ptr ds:[ecx+10],edx
504DA308 .^ 75 DA jnz short BBB.504DA2E4
504DA30A > 85DB test ebx,ebx
504DA30C . 74 76 je short BBB.504DA384
504DA30E . 53 push ebx ; /MemSize
504DA30F . 6A 40 push 40 ; |Flags = GPTR
504DA311 . FF15 D4914D50 call dword ptr ds:[<&KERNEL32.GlobalAllo>; \GlobalAlloc
504DA317 . 894424 18 mov dword ptr ss:[esp+18],eax
504DA31B . 85C0 test eax,eax
504DA31D . 75 14 jnz short BBB.504DA333
; Allocation failed: [504D0C3C] = 504D00D0, return 0.
504DA31F . 33C0 xor eax,eax
504DA321 . 5D pop ebp
504DA322 . C705 3C0C4D50>mov dword ptr ds:[504D0C3C],BBB.504D00D0
504DA32C . 5F pop edi
504DA32D . 5E pop esi
504DA32E . 5B pop ebx
504DA32F . 83C4 18 add esp,18
504DA332 . C3 retn
; --- Phase A, pass 2: esi = write cursor in the buffer. For each
; descriptor with +0 == 0, store (cursor - base) in +0 and copy the
; thunk array, including a zero terminator, to the cursor.
504DA333 > 8B7424 18 mov esi,dword ptr ss:[esp+18]
504DA337 . 8B15 6CFB4C50 mov edx,dword ptr ds:[504CFB6C]
504DA33D . 0315 30E14C50 add edx,dword ptr ds:[504CE130]
504DA343 . 837A 10 00 cmp dword ptr ds:[edx+10],0
504DA347 . 74 3B je short BBB.504DA384
504DA349 . 33FF xor edi,edi
504DA34B > 393A cmp dword ptr ds:[edx],edi
504DA34D . 75 2D jnz short BBB.504DA37C
504DA34F . 8BC6 mov eax,esi
; This store is overwritten two instructions later with the
; base-relative value.
504DA351 . 8932 mov dword ptr ds:[edx],esi
504DA353 . 2B05 6CFB4C50 sub eax,dword ptr ds:[504CFB6C]
504DA359 . 8902 mov dword ptr ds:[edx],eax
504DA35B . 8B42 10 mov eax,dword ptr ds:[edx+10]
504DA35E . 0305 6CFB4C50 add eax,dword ptr ds:[504CFB6C]
504DA364 . 3938 cmp dword ptr ds:[eax],edi
504DA366 . 74 0F je short BBB.504DA377
504DA368 > 8B08 mov ecx,dword ptr ds:[eax]
504DA36A . 83C6 04 add esi,4
504DA36D . 83C0 04 add eax,4
504DA370 . 894E FC mov dword ptr ds:[esi-4],ecx
504DA373 . 3938 cmp dword ptr ds:[eax],edi
504DA375 .^ 75 F1 jnz short BBB.504DA368
504DA377 > 893E mov dword ptr ds:[esi],edi
504DA379 . 83C6 04 add esi,4
504DA37C > 83C2 14 add edx,14
504DA37F . 397A 10 cmp dword ptr ds:[edx+10],edi
504DA382 .^ 75 C7 jnz short BBB.504DA34B
; --- Phase B: only when e_lfanew < 800h. Make the first 1000h bytes at
; base writable, save header dwords +80h/+84h, overwrite them with
; [504CE130]/[504CE134], then put the old protection back.
504DA384 > 817C24 1C 000>cmp dword ptr ss:[esp+1C],800
504DA38C . 73 64 jnb short BBB.504DA3F2
504DA38E . 8D4424 14 lea eax,dword ptr ss:[esp+14]
504DA392 . 8B0D 6CFB4C50 mov ecx,dword ptr ds:[504CFB6C]
504DA398 . 50 push eax ; /pOldProtect
504DA399 . 6A 04 push 4 ; |NewProtect = PAGE_READWRITE
504DA39B . 68 00100000 push 1000 ; |Size = 1000 (4096.)
504DA3A0 . 51 push ecx ; |Address => NULL
504DA3A1 . FF15 CC914D50 call dword ptr ds:[<&KERNEL32.VirtualPro>; \VirtualProtect
504DA3A7 . 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
504DA3AB . 8B91 80000000 mov edx,dword ptr ds:[ecx+80]
504DA3B1 . 8B81 84000000 mov eax,dword ptr ds:[ecx+84]
504DA3B7 . 895424 20 mov dword ptr ss:[esp+20],edx
504DA3BB . 894424 24 mov dword ptr ss:[esp+24],eax
504DA3BF . 8B15 30E14C50 mov edx,dword ptr ds:[504CE130]
504DA3C5 . 8991 80000000 mov dword ptr ds:[ecx+80],edx
504DA3CB . 8D5424 14 lea edx,dword ptr ss:[esp+14]
504DA3CF . A1 34E14C50 mov eax,dword ptr ds:[504CE134]
504DA3D4 . 52 push edx ; /pOldProtect
504DA3D5 . 8981 84000000 mov dword ptr ds:[ecx+84],eax ; |
504DA3DB . 8B4424 18 mov eax,dword ptr ss:[esp+18] ; |
504DA3DF . 50 push eax ; |NewProtect
504DA3E0 . 8B0D 6CFB4C50 mov ecx,dword ptr ds:[504CFB6C] ; |
504DA3E6 . 68 00100000 push 1000 ; |Size = 1000 (4096.)
504DA3EB . 51 push ecx ; |Address => NULL
504DA3EC . FF15 CC914D50 call dword ptr ds:[<&KERNEL32.VirtualPro>; \VirtualProtect
; --- Phase C: ebx walks the descriptors, edi = GetProcAddress,
; ebp = handle of the DLL being processed, esi walks its thunk array.
504DA3F2 > 8B1D 6CFB4C50 mov ebx,dword ptr ds:[504CFB6C]
504DA3F8 . 031D 30E14C50 add ebx,dword ptr ds:[504CE130]
504DA3FE . 837B 10 00 cmp dword ptr ds:[ebx+10],0
504DA402 . 74 69 je short BBB.504DA46D
504DA404 . 8B3D AC914D50 mov edi,dword ptr ds:[<&KERNEL32.GetProc>; kernel32.GetProcAddress
504DA40A > 8B43 0C mov eax,dword ptr ds:[ebx+C]
504DA40D . 0305 6CFB4C50 add eax,dword ptr ds:[504CFB6C]
504DA413 . 50 push eax ; /FileName
504DA414 . FF15 D0914D50 call dword ptr ds:[<&KERNEL32.LoadLibrar>; \LoadLibraryA
504DA41A . 8BE8 mov ebp,eax
504DA41C . 85ED test ebp,ebp
504DA41E . 0F84 F8000000 je BBB.504DA51C
504DA424 . 8B73 10 mov esi,dword ptr ds:[ebx+10]
504DA427 . 0335 6CFB4C50 add esi,dword ptr ds:[504CFB6C]
504DA42D . 833E 00 cmp dword ptr ds:[esi],0
504DA430 . 74 32 je short BBB.504DA464
504DA432 > 8B06 mov eax,dword ptr ds:[esi]
; Bit 31 set -> import by ordinal (low 16 bits); otherwise the entry is
; an RVA and the name string starts 2 bytes past it.
504DA434 . A9 00000080 test eax,80000000
504DA439 . 74 07 je short BBB.504DA442
504DA43B . 25 FFFF0000 and eax,0FFFF
504DA440 . EB 0C jmp short BBB.504DA44E
504DA442 > 8B06 mov eax,dword ptr ds:[esi]
504DA444 . 8B0D 6CFB4C50 mov ecx,dword ptr ds:[504CFB6C]
504DA44A . 8D4408 02 lea eax,dword ptr ds:[eax+ecx+2]
504DA44E > 50 push eax
504DA44F . 55 push ebp
504DA450 . FFD7 call edi
; The thunk is overwritten before the result is tested, so a failed
; lookup leaves 0 in the slot.
504DA452 . 8906 mov dword ptr ds:[esi],eax
504DA454 . 85C0 test eax,eax
504DA456 . 0F84 D4000000 je BBB.504DA530
504DA45C . 83C6 04 add esi,4
504DA45F . 833E 00 cmp dword ptr ds:[esi],0
504DA462 .^ 75 CE jnz short BBB.504DA432
504DA464 > 83C3 14 add ebx,14
504DA467 . 837B 10 00 cmp dword ptr ds:[ebx+10],0
504DA46B .^ 75 9D jnz short BBB.504DA40A
; --- Phase D: call 504DA000, then undo phase B with the saved values.
504DA46D > E8 8EFBFFFF call BBB.504DA000
504DA472 . 817C24 1C 000>cmp dword ptr ss:[esp+1C],800
504DA47A . 73 4D jnb short BBB.504DA4C9
504DA47C . 8D4424 14 lea eax,dword ptr ss:[esp+14]
504DA480 . 8B0D 6CFB4C50 mov ecx,dword ptr ds:[504CFB6C]
504DA486 . 50 push eax ; /pOldProtect
504DA487 . 6A 04 push 4 ; |NewProtect = PAGE_READWRITE
504DA489 . 68 00100000 push 1000 ; |Size = 1000 (4096.)
504DA48E . 51 push ecx ; |Address => NULL
504DA48F . FF15 CC914D50 call dword ptr ds:[<&KERNEL32.VirtualPro>; \VirtualProtect
504DA495 . 8B5424 20 mov edx,dword ptr ss:[esp+20]
504DA499 . 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
504DA49D . 8B4424 24 mov eax,dword ptr ss:[esp+24]
504DA4A1 . 8991 80000000 mov dword ptr ds:[ecx+80],edx
504DA4A7 . 8D5424 14 lea edx,dword ptr ss:[esp+14]
504DA4AB . 8981 84000000 mov dword ptr ds:[ecx+84],eax
504DA4B1 . 8B4424 14 mov eax,dword ptr ss:[esp+14]
504DA4B5 . 52 push edx ; /pOldProtect
504DA4B6 . 50 push eax ; |NewProtect
504DA4B7 . 8B0D 6CFB4C50 mov ecx,dword ptr ds:[504CFB6C] ; |
504DA4BD . 68 00100000 push 1000 ; |Size = 1000 (4096.)
504DA4C2 . 51 push ecx ; |Address => NULL
504DA4C3 . FF15 CC914D50 call dword ptr ds:[<&KERNEL32.VirtualPro>; \VirtualProtect
; For every descriptor with a non-zero +0 field: zero each dword of the
; table it points to (up to the terminator), then zero the +0 field.
; This covers tables created in phase A and any that existed before.
504DA4C9 > 8B15 6CFB4C50 mov edx,dword ptr ds:[504CFB6C]
504DA4CF . 0315 30E14C50 add edx,dword ptr ds:[504CE130]
504DA4D5 . 837A 10 00 cmp dword ptr ds:[edx+10],0
504DA4D9 . 74 25 je short BBB.504DA500
504DA4DB . 33F6 xor esi,esi
504DA4DD > 8B02 mov eax,dword ptr ds:[edx]
504DA4DF . 85C0 test eax,eax
504DA4E1 . 74 15 je short BBB.504DA4F8
504DA4E3 . 0305 6CFB4C50 add eax,dword ptr ds:[504CFB6C]
504DA4E9 . 3930 cmp dword ptr ds:[eax],esi
504DA4EB . 74 09 je short BBB.504DA4F6
504DA4ED > 8930 mov dword ptr ds:[eax],esi
504DA4EF . 83C0 04 add eax,4
504DA4F2 . 3930 cmp dword ptr ds:[eax],esi
504DA4F4 .^ 75 F7 jnz short BBB.504DA4ED
504DA4F6 > 8932 mov dword ptr ds:[edx],esi
504DA4F8 > 83C2 14 add edx,14
504DA4FB . 3972 10 cmp dword ptr ds:[edx+10],esi
504DA4FE .^ 75 DD jnz short BBB.504DA4DD
; Release the phase A buffer if one was allocated.
504DA500 > 837C24 18 00 cmp dword ptr ss:[esp+18],0
504DA505 . 74 0B je short BBB.504DA512
504DA507 . 8B4424 18 mov eax,dword ptr ss:[esp+18]
504DA50B . 50 push eax ; /hMem
504DA50C . FF15 C8914D50 call dword ptr ds:[<&KERNEL32.GlobalFree>; \GlobalFree
; Normal exit.
504DA512 > 33C0 xor eax,eax
504DA514 . 5D pop ebp
504DA515 . 5F pop edi
504DA516 . 5E pop esi
504DA517 . 5B pop ebx
504DA518 . 83C4 18 add esp,18
504DA51B . C3 retn
; LoadLibraryA failed: [504D0C3C] = 504D00C0, return 0.
504DA51C > 33C0 xor eax,eax
504DA51E . 5D pop ebp
504DA51F . C705 3C0C4D50>mov dword ptr ds:[504D0C3C],BBB.504D00C0
504DA529 . 5F pop edi
504DA52A . 5E pop esi
504DA52B . 5B pop ebx
504DA52C . 83C4 18 add esp,18
504DA52F . C3 retn
; GetProcAddress failed: [504D0C3C] = 504D00B8, return 0.
504DA530 > 33C0 xor eax,eax
504DA532 . 5D pop ebp
504DA533 . C705 3C0C4D50>mov dword ptr ds:[504D0C3C],BBB.504D00B8
504DA53D . 5F pop edi
504DA53E . 5E pop esi
504DA53F . 5B pop ebx
504DA540 . 83C4 18 add esp,18
504DA543 . C3 retn
504DA544 CC int3
504DA545 CC int3
504DA546 CC int3
504DA547 CC int3
504DA548 CC int3
504DA549 CC int3
504DA54A CC int3
504DA54B CC int3
504DA54C CC int3
504DA54D CC int3
504DA54E CC int3
504DA54F CC int3
; ---------------------------------------------------------------------
; 504DA550 -- set a memory range to PAGE_EXECUTE_READ. Always returns
; eax = 0.
;
; Range: address = [504CFB6C] + [504CE124], size = [504CE128].
; Skipped when [504CE124] is zero or when GetVersion's top two bits are
; 10b (the same platform test as at 504DA18A).
; The previous protection is written to 504CFC60, which other routines
; in this listing also use as a scratch counter.
; NOTE(review): VirtualProtect's result is discarded, so a failure to
; change the protection is not reported to the caller.
; ---------------------------------------------------------------------
504DA550 . 833D 24E14C50>cmp dword ptr ds:[504CE124],0
504DA557 . 74 31 je short BBB.504DA58A
504DA559 . FF15 C4914D50 call dword ptr ds:[<&KERNEL32.GetVersion>; kernel32.GetVersion
504DA55F . 25 000000C0 and eax,C0000000
504DA564 . 3D 00000080 cmp eax,80000000
504DA569 . 74 1F je short BBB.504DA58A
504DA56B . 68 60FC4C50 push BBB.504CFC60 ; /pOldProtect = BBB.504CFC60
504DA570 . A1 28E14C50 mov eax,dword ptr ds:[504CE128] ; |
504DA575 . 6A 20 push 20 ; |NewProtect = PAGE_EXECUTE_READ
504DA577 . 50 push eax ; |Size => 98D93C8 (160273352.)
504DA578 . A1 6CFB4C50 mov eax,dword ptr ds:[504CFB6C] ; |
504DA57D . 0305 24E14C50 add eax,dword ptr ds:[504CE124] ; |
504DA583 . 50 push eax ; |Address
504DA584 . FF15 CC914D50 call dword ptr ds:[<&KERNEL32.VirtualPro>; \VirtualProtect
504DA58A > 33C0 xor eax,eax
504DA58C . C3 retn
504DA58D CC int3
504DA58E CC int3
504DA58F CC int3
; ---------------------------------------------------------------------
; 504DA590 -- return the dword at 504CE010 + 4 * [504CFC70] in eax.
; No range check is made on the index.
; NOTE(review): the sibling accessor at 504DA5A0 reads a table starting
; at 504CE090, 80h bytes further on, so this table presumably holds 32
; entries -- confirm.
; ---------------------------------------------------------------------
504DA590 . A1 70FC4C50 mov eax,dword ptr ds:[504CFC70]
504DA595 . 8B0485 10E04C>mov eax,dword ptr ds:[eax*4+504CE010]
504DA59C . C3 retn
504DA59D CC int3
504DA59E CC int3
504DA59F CC int3
; ---------------------------------------------------------------------
; 504DA5A0 -- return the dword at 504CE090 + 4 * [504CFC70] in eax.
; Same index variable as the accessor at 504DA590; no range check is
; made on the index.
; ---------------------------------------------------------------------
504DA5A0 . A1 70FC4C50 mov eax,dword ptr ds:[504CFC70]
504DA5A5 . 8B0485 90E04C>mov eax,dword ptr ds:[eax*4+504CE090]
504DA5AC . C3 retn
504DA5AD CC int3
504DA5AE CC int3
504DA5AF CC int3
; ---------------------------------------------------------------------
; 504DA5B0 -- apply base relocations by hand. Always returns eax = 0.
;
;   delta = [504CFB6C] - [504CE11C]   (stored in [504CFC5C]; nothing is
;                                      done when it is zero)
;   table = [504CFB6C] + [504CE12C], a sequence of blocks:
;             +0 page RVA, +4 block size in bytes, +8 16-bit entries
;           The sequence ends at a block whose size field is zero.
;   For each entry whose top four bits equal 3, delta is added to the
;   dword at (base + page RVA + low 12 bits of the entry). Entries of
;   any other type are skipped.
;
; Globals used as scratch: [504CFC60] remaining-entry counter,
; [504CFC68] current page address.
; NOTE(review): the block size is trusted. A size below 8 makes
; (size - 8) >> 1 a very large count, and the loop would then read far
; past the block -- there is no validation in this routine.
; ---------------------------------------------------------------------
504DA5B0 . 53 push ebx
504DA5B1 . A1 6CFB4C50 mov eax,dword ptr ds:[504CFB6C]
504DA5B6 . 56 push esi
504DA5B7 . 2B05 1CE14C50 sub eax,dword ptr ds:[504CE11C]
504DA5BD . 57 push edi
504DA5BE . A3 5CFC4C50 mov dword ptr ds:[504CFC5C],eax
; The je below still tests ZF from the sub above (push and mov leave the
; flags untouched): delta == 0 means nothing to fix up.
504DA5C3 . 0F84 83000000 je BBB.504DA64C
504DA5C9 . 8B0D 6CFB4C50 mov ecx,dword ptr ds:[504CFB6C]
504DA5CF . 030D 2CE14C50 add ecx,dword ptr ds:[504CE12C]
504DA5D5 . 8379 04 00 cmp dword ptr ds:[ecx+4],0
504DA5D9 . 74 71 je short BBB.504DA64C
504DA5DB . 33D2 xor edx,edx
; Per block: ecx = block header, esi = first entry,
; entry count = (size - 8) / 2.
504DA5DD > 8B41 04 mov eax,dword ptr ds:[ecx+4]
504DA5E0 . 8D71 08 lea esi,dword ptr ds:[ecx+8]
504DA5E3 . 83E8 08 sub eax,8
504DA5E6 . C1E8 01 shr eax,1
504DA5E9 . A3 60FC4C50 mov dword ptr ds:[504CFC60],eax
504DA5EE . 8B01 mov eax,dword ptr ds:[ecx]
504DA5F0 . 0305 6CFB4C50 add eax,dword ptr ds:[504CFB6C]
504DA5F6 . 8B1D 60FC4C50 mov ebx,dword ptr ds:[504CFC60]
504DA5FC . A3 68FC4C50 mov dword ptr ds:[504CFC68],eax
504DA601 . FF0D 60FC4C50 dec dword ptr ds:[504CFC60]
504DA607 . 85DB test ebx,ebx
504DA609 . 74 39 je short BBB.504DA644
; Per entry: di = raw 16-bit entry; the type is its top nibble.
504DA60B > 66:8B3E mov di,word ptr ds:[esi]
504DA60E . 66:8BC7 mov ax,di
504DA611 . 80E4 F0 and ah,0F0
504DA614 . 80FC 30 cmp ah,30
504DA617 . 75 19 jnz short BBB.504DA632
504DA619 . 33DB xor ebx,ebx
504DA61B . A1 5CFC4C50 mov eax,dword ptr ds:[504CFC5C]
504DA620 . 66:8BDF mov bx,di
504DA623 . 8B3D 68FC4C50 mov edi,dword ptr ds:[504CFC68]
504DA629 . 81E3 FF0F0000 and ebx,0FFF
; *(page + offset) += delta
504DA62F . 01043B add dword ptr ds:[ebx+edi],eax
504DA632 > 83C6 02 add esi,2
; Post-decrement style loop: test the old counter value, store the
; decremented one.
504DA635 . A1 60FC4C50 mov eax,dword ptr ds:[504CFC60]
504DA63A . FF0D 60FC4C50 dec dword ptr ds:[504CFC60]
504DA640 . 85C0 test eax,eax
504DA642 .^ 75 C7 jnz short BBB.504DA60B
; Advance to the next block by this block's size.
504DA644 > 0349 04 add ecx,dword ptr ds:[ecx+4]
504DA647 . 3951 04 cmp dword ptr ds:[ecx+4],edx
504DA64A .^ 75 91 jnz short BBB.504DA5DD
504DA64C > 33C0 xor eax,eax
504DA64E . 5F pop edi
504DA64F . 5E pop esi
504DA650 . 5B pop ebx
504DA651 . C3 retn
504DA652 CC int3
504DA653 CC int3
504DA654 CC int3
504DA655 CC int3
504DA656 CC int3
504DA657 CC int3
504DA658 CC int3
504DA659 CC int3
504DA65A CC int3
504DA65B CC int3
504DA65C CC int3
504DA65D CC int3
504DA65E CC int3
504DA65F CC int3
; ---------------------------------------------------------------------
; 504DA660 -- typed store helper.
;
; Stack arguments (the caller at 504DAA5E removes 0Ch bytes afterwards):
;   [esp+4]  destination: a pointer, or a slot index for type 0D4h
;   [esp+8]  type code, only the low 16 bits are used
;   [esp+C]  value
;
; Type codes handled:
;   068h  store low byte of value to *dest
;   0D4h  store dword value to [[504D0C38] + dest*4]
;   234h  store dword value to *dest
;   28Eh  store low word of value to *dest
;   other nothing is written
;
; Clobbers eax, ecx, edx; eax on return is not a meaningful result.
; The destination pointer/index is used as given, without validation.
; ---------------------------------------------------------------------
504DA660 /$ 8B4424 08 mov eax,dword ptr ss:[esp+8]
504DA664 |. 25 FFFF0000 and eax,0FFFF
504DA669 |. 3D D4000000 cmp eax,0D4 ; Switch (cases 68..28E)
504DA66E |. 7F 08 jg short BBB.504DA678
504DA670 |. 74 20 je short BBB.504DA692
504DA672 |. 83F8 68 cmp eax,68
504DA675 |. 74 10 je short BBB.504DA687
504DA677 |. C3 retn
504DA678 |> 3D 34020000 cmp eax,234
504DA67D |. 74 25 je short BBB.504DA6A4
504DA67F |. 3D 8E020000 cmp eax,28E
504DA684 |. 74 29 je short BBB.504DA6AF
504DA686 |. C3 retn
504DA687 |> 8A5424 0C mov dl,byte ptr ss:[esp+C] ; Case 68 of switch 504DA669
504DA68B |. 8B4424 04 mov eax,dword ptr ss:[esp+4]
504DA68F |. 8810 mov byte ptr ds:[eax],dl
504DA691 |. C3 retn
504DA692 |> 8B4424 04 mov eax,dword ptr ss:[esp+4] ; Case D4 of switch 504DA669
504DA696 |. 8B0D 380C4D50 mov ecx,dword ptr ds:[504D0C38] ; BBB.504D0C38
504DA69C |. 8B5424 0C mov edx,dword ptr ss:[esp+C]
504DA6A0 |. 891481 mov dword ptr ds:[ecx+eax*4],edx
504DA6A3 |. C3 retn
504DA6A4 |> 8B5424 0C mov edx,dword ptr ss:[esp+C] ; Case 234 of switch 504DA669
504DA6A8 |. 8B4424 04 mov eax,dword ptr ss:[esp+4]
504DA6AC |. 8910 mov dword ptr ds:[eax],edx
504DA6AE |. C3 retn
504DA6AF |> 8B5424 0C mov edx,dword ptr ss:[esp+C] ; Case 28E of switch 504DA669
504DA6B3 |. 8B4424 04 mov eax,dword ptr ss:[esp+4]
504DA6B7 |. 66:8910 mov word ptr ds:[eax],dx
504DA6BA \. C3 retn
504DA6BB CC int3
504DA6BC CC int3
504DA6BD CC int3
504DA6BE CC int3
504DA6BF CC int3
; ---------------------------------------------------------------------
; 504DA6C0 -- typed load helper, the read counterpart of 504DA660.
;
; Stack arguments (the callers at 504DAA45/504DAA79 remove 8 bytes):
;   [esp+4]  operand: a pointer, a slot index, or an immediate
;   [esp+8]  type code, only the low 16 bits are used
;
; Result in eax by type code:
;   068h  zero-extended byte at *operand
;   0D4h  dword at [[504D0C38] + operand*4]
;   234h  dword at *operand
;   28Eh  zero-extended word at *operand
;   3D5h  the operand itself
;   other 0
;
; Clobbers ecx. The operand is dereferenced as given, without
; validation.
; ---------------------------------------------------------------------
504DA6C0 /$ 8B4424 08 mov eax,dword ptr ss:[esp+8]
504DA6C4 |. 25 FFFF0000 and eax,0FFFF
504DA6C9 |. 3D D4000000 cmp eax,0D4 ; Switch (cases 68..3D5)
504DA6CE |. 7F 0A jg short BBB.504DA6DA
504DA6D0 |. 74 29 je short BBB.504DA6FB
504DA6D2 |. 83F8 68 cmp eax,68
504DA6D5 |. 74 1B je short BBB.504DA6F2
504DA6D7 |. 33C0 xor eax,eax
504DA6D9 |. C3 retn
504DA6DA |> 3D 34020000 cmp eax,234
504DA6DF |. 74 27 je short BBB.504DA708
504DA6E1 |. 3D 8E020000 cmp eax,28E
504DA6E6 |. 74 27 je short BBB.504DA70F
504DA6E8 |. 3D D5030000 cmp eax,3D5
504DA6ED |. 74 2A je short BBB.504DA719
504DA6EF |. 33C0 xor eax,eax
504DA6F1 |. C3 retn
504DA6F2 |> 33C0 xor eax,eax ; Case 68 of switch 504DA6C9
504DA6F4 |. 8B4C24 04 mov ecx,dword ptr ss:[esp+4]
504DA6F8 |. 8A01 mov al,byte ptr ds:[ecx]
504DA6FA |. C3 retn
504DA6FB |> A1 380C4D50 mov eax,dword ptr ds:[504D0C38] ; Case D4 of switch 504DA6C9
504DA700 |. 8B4C24 04 mov ecx,dword ptr ss:[esp+4]
504DA704 |. 8B0488 mov eax,dword ptr ds:[eax+ecx*4]
504DA707 |. C3 retn
504DA708 |> 8B4C24 04 mov ecx,dword ptr ss:[esp+4] ; Case 234 of switch 504DA6C9
504DA70C |. 8B01 mov eax,dword ptr ds:[ecx]
504DA70E |. C3 retn
504DA70F |> 33C0 xor eax,eax ; Case 28E of switch 504DA6C9
504DA711 |. 8B4C24 04 mov ecx,dword ptr ss:[esp+4]
504DA715 |. 66:8B01 mov ax,word ptr ds:[ecx]
504DA718 |. C3 retn
504DA719 |> 8B4424 04 mov eax,dword ptr ss:[esp+4] ; Case 3D5 of switch 504DA6C9
504DA71D \. C3 retn
504DA71E CC int3
504DA71F CC int3
; ---------------------------------------------------------------------
; 504DA720 -- select a 20-byte record and probe the memory range it
; describes. Returns IsBadWritePtr's result in eax.
;
;   index  = [504CFC64]
;   source = 504CE13C + index * 20   (index*4, then *5 in the lea)
;   The five dwords of that record are copied over record 0 at
;   504CE13C (for index 0 this is a copy onto itself).
;   address = [504CFB6C] + [504CE13C]  -> also saved in [504CFC68]
;   size    = [504CE140]               -> also saved in [504CFC60]
;
; NOTE(review): rep movs relies on the direction flag being clear on
; entry; nothing here sets it.
; NOTE(review): IsBadWritePtr is documented by Microsoft as obsolete and
; unreliable (the answer can be stale by the time it is used, and the
; probe itself touches the pages); it should not be treated as a
; validation of the range.
; ---------------------------------------------------------------------
504DA720 . 56 push esi
504DA721 . A1 64FC4C50 mov eax,dword ptr ds:[504CFC64]
504DA726 . C1E0 02 shl eax,2
504DA729 . 57 push edi
504DA72A . BF 3CE14C50 mov edi,BBB.504CE13C
504DA72F . B9 05000000 mov ecx,5
504DA734 . 8DB480 3CE14C>lea esi,dword ptr ds:[eax+eax*4+504CE13C>
504DA73B . F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
504DA73D . A1 6CFB4C50 mov eax,dword ptr ds:[504CFB6C]
504DA742 . 8B0D 40E14C50 mov ecx,dword ptr ds:[504CE140]
504DA748 . 0305 3CE14C50 add eax,dword ptr ds:[504CE13C]
504DA74E . 51 push ecx ; /DataSize => 4907D198 (1225249176.)
504DA74F . 50 push eax ; |DataAddress
504DA750 . A3 68FC4C50 mov dword ptr ds:[504CFC68],eax ; |
504DA755 . 890D 60FC4C50 mov dword ptr ds:[504CFC60],ecx ; |
504DA75B . FF15 D8914D50 call dword ptr ds:[<&KERNEL32.IsBadWrite>; \IsBadWritePtr
504DA761 . 5F pop edi
504DA762 . 5E pop esi
504DA763 . C3 retn
504DA764 CC int3
504DA765 CC int3
504DA766 CC int3
504DA767 CC int3
504DA768 CC int3
504DA769 CC int3
504DA76A CC int3
504DA76B CC int3
504DA76C CC int3
504DA76D CC int3
504DA76E CC int3
504DA76F CC int3
504DA770 B>/$ 833D 80FB4C50>cmp dword ptr ds:[504CFB80],0
504DA777 |. 53 push ebx
504DA778 |. 56 push esi
504DA779 |. 57 push edi
504DA77A |. 55 push ebp
504DA77B |. 0F85 29070000 jnz BBB.504DAEAA
504DA781 |. FF05 80FB4C50 inc dword ptr ds:[504CFB80]
504DA787 |. BE 04000000 mov esi,4
504DA78C |. BF FCFFFFFF mov edi,-4
504DA791 |. FF15 E4914D50 call dword ptr ds:[<&KERNEL32.GetTickCou>; [GetTickCount
504DA797 |. BB 08000000 mov ebx,8
504DA79C |. 0105 E4884D50 add dword ptr ds:[504D88E4],eax
504DA7A2 |. FF15 E0914D50 call dword ptr ds:[<&KERNEL32.GetCurrent>; [GetCurrentProcessId
504DA7A8 |. 3105 E4884D50 xor dword ptr ds:[504D88E4],eax
504DA7AE |. 810D E4884D50>or dword ptr ds:[504D88E4],200001
504DA7B8 |. 8125 E4884D50>and dword ptr ds:[504D88E4],3FFFFFFF
504DA7C2 |> A1 3C0C4D50 /mov eax,dword ptr ds:[504D0C3C] ; Default case of switch 504DA7F7
504DA7C7 |. 8B0D 3C0C4D50 |mov ecx,dword ptr ds:[504D0C3C] ; BBB.504D0B08
504DA7CD |. 66:8B00 |mov ax,word ptr ds:[eax]
504DA7D0 |. 66:A3 480C4D5>|mov word ptr ds:[504D0C48],ax
504DA7D6 |. 66:8B51 02 |mov dx,word ptr ds:[ecx+2]
504DA7DA |. 66:8915 4C0C4>|mov word ptr ds:[504D0C4C],dx
504DA7E1 |. 8B41 04 |mov eax,dword ptr ds:[ecx+4]
504DA7E4 |. A3 400C4D50 |mov dword ptr ds:[504D0C40],eax
504DA7E9 |. 011D 3C0C4D50 |add dword ptr ds:[504D0C3C],ebx
504DA7EF |. 33C0 |xor eax,eax
504DA7F1 |. 66:A1 480C4D5>|mov ax,word ptr ds:[504D0C48]
504DA7F7 |. 3D 42030000 |cmp eax,342 ; Switch (cases E4..FB52)
504DA7FC |. 7F 13 |jg short BBB.504DA811
504DA7FE |. 0F84 C6010000 |je BBB.504DA9CA
504DA804 |. 3D E4000000 |cmp eax,0E4
504DA809 |. 0F84 81010000 |je BBB.504DA990
504DA80F |.^ EB B1 |jmp short BBB.504DA7C2
504DA811 |> 3D 04070000 |cmp eax,704
504DA816 |. 7F 13 |jg short BBB.504DA82B
504DA818 |. 0F84 19020000 |je BBB.504DAA37
504DA81E |. 3D 11060000 |cmp eax,611
504DA823 |. 0F84 BD010000 |je BBB.504DA9E6
504DA829 |.^ EB 97 |jmp short BBB.504DA7C2
504DA82B |> 3D 92100000 |cmp eax,1092
504DA830 |. 7F 16 |jg short BBB.504DA848
504DA832 |. 0F84 33020000 |je BBB.504DAA6B
504DA838 |. 3D 6F090000 |cmp eax,96F
504DA83D |. 0F84 02060000 |je BBB.504DAE45
504DA843 |.^ E9 7AFFFFFF |jmp BBB.504DA7C2
504DA848 |> 3D 92190000 |cmp eax,1992
504DA84D |. 7F 16 |jg short BBB.504DA865
504DA84F |. 0F84 62020000 |je BBB.504DAAB7
504DA855 |. 3D 09110000 |cmp eax,1109
504DA85A |. 0F84 2E020000 |je BBB.504DAA8E
504DA860 |.^ E9 5DFFFFFF |jmp BBB.504DA7C2
504DA865 |> 3D 45220000 |cmp eax,2245
504DA86A |. 7F 16 |jg short BBB.504DA882
504DA86C |. 0F84 87020000 |je BBB.504DAAF9
504DA872 |. 3D 441A0000 |cmp eax,1A44
504DA877 |. 0F84 63020000 |je BBB.504DAAE0
504DA87D |.^ E9 40FFFFFF |jmp BBB.504DA7C2
504DA882 |> 3D 45330000 |cmp eax,3345
504DA887 |. 7F 16 |jg short BBB.504DA89F
504DA889 |. 0F84 B0020000 |je BBB.504DAB3F
504DA88F |. 3D B7220000 |cmp eax,22B7
504DA894 |. 0F84 82020000 |je BBB.504DAB1C
504DA89A |.^ E9 23FFFFFF |jmp BBB.504DA7C2
504DA89F |> 3D 11520000 |cmp eax,5211
504DA8A4 |. 7F 16 |jg short BBB.504DA8BC
504DA8A6 |. 0F84 EA020000 |je BBB.504DAB96
504DA8AC |. 3D C83D0000 |cmp eax,3DC8
504DA8B1 |. 0F84 AB020000 |je BBB.504DAB62
504DA8B7 |.^ E9 06FFFFFF |jmp BBB.504DA7C2
504DA8BC |> 3D 4D650000 |cmp eax,654D
504DA8C1 |. 7F 16 |jg short BBB.504DA8D9
504DA8C3 |. 0F84 F0020000 |je BBB.504DABB9
504DA8C9 |. 3D 10590000 |cmp eax,5910
504DA8CE |. 0F84 02050000 |je BBB.504DADD6
504DA8D4 |.^ E9 E9FEFFFF |jmp BBB.504DA7C2
504DA8D9 |> 3D 8A690000 |cmp eax,698A
504DA8DE |. 7F 16 |jg short BBB.504DA8F6
504DA8E0 |. 0F84 36030000 |je BBB.504DAC1C
504DA8E6 |. 3D AB650000 |cmp eax,65AB
504DA8EB |. 0F84 EB020000 |je BBB.504DABDC
504DA8F1 |.^ E9 CCFEFFFF |jmp BBB.504DA7C2
504DA8F6 |> 3D BB740000 |cmp eax,74BB
504DA8FB |. 7F 16 |jg short BBB.504DA913
504DA8FD |. 0F84 87030000 |je BBB.504DAC8A
504DA903 |. 3D 23710000 |cmp eax,7123
504DA908 |. 0F84 2B030000 |je BBB.504DAC39
504DA90E |.^ E9 AFFEFFFF |jmp BBB.504DA7C2
504DA913 |> 3D 04910000 |cmp eax,9104
504DA918 |. 7F 16 |jg short BBB.504DA930
504DA91A |. 0F84 CD030000 |je BBB.504DACED
504DA920 |. 3D 09810000 |cmp eax,8109
504DA925 |. 0F84 82030000 |je BBB.504DACAD
504DA92B |.^ E9 92FEFFFF |jmp BBB.504DA7C2
504DA930 |> 3D 61AA0000 |cmp eax,0AA61
504DA935 |. 7F 16 |jg short BBB.504DA94D
504DA937 |. 0F84 0C040000 |je BBB.504DAD49
504DA93D |. 3D 739B0000 |cmp eax,9B73
504DA942 |. 0F84 CB030000 |je BBB.504DAD13
504DA948 |.^ E9 75FEFFFF |jmp BBB.504DA7C2
504DA94D |> 3D 51BA0000 |cmp eax,0BA51
504DA952 |. 7F 16 |jg short BBB.504DA96A
504DA954 |. 0F84 4E040000 |je BBB.504DADA8
504DA95A |. 3D 23B30000 |cmp eax,0B323
504DA95F |. 0F84 16040000 |je BBB.504DAD7B
504DA965 |.^ E9 58FEFFFF |jmp BBB.504DA7C2
504DA96A |> 3D D7BE0000 |cmp eax,0BED7
504DA96F |. 0F84 4E040000 |je BBB.504DADC3
504DA975 |. 3D 03CD0000 |cmp eax,0CD03
504DA97A |. 0F84 65040000 |je BBB.504DADE5
504DA980 |. 3D 52FB0000 |cmp eax,0FB52
504DA985 |. 0F84 88040000 |je BBB.504DAE13
504DA98B |.^ E9 32FEFFFF |jmp BBB.504DA7C2
504DA990 |> 8B2D 380C4D50 |mov ebp,dword ptr ds:[504D0C38] ; BBB.504D0C38; Case E4 of switch 504DA7F7
504DA996 |. A1 380C4D50 |mov eax,dword ptr ds:[504D0C38]
504DA99B |. 83C5 14 |add ebp,14
504DA99E |. 8B08 |mov ecx,dword ptr ds:[eax]
504DA9A0 |. 51 |push ecx
504DA9A1 |. 8B50 04 |mov edx,dword ptr ds:[eax+4]
504DA9A4 |. 52 |push edx
504DA9A5 |. 8B48 08 |mov ecx,dword ptr ds:[eax+8]
504DA9A8 |. 51 |push ecx
504DA9A9 |. 8B50 0C |mov edx,dword ptr ds:[eax+C]
504DA9AC |. 52 |push edx
504DA9AD |. 8B48 10 |mov ecx,dword ptr ds:[eax+10]
504DA9B0 |. 51 |push ecx
504DA9B1 |. 8B55 00 |mov edx,dword ptr ss:[ebp]
504DA9B4 |. 52 |push edx
504DA9B5 |. FF15 400C4D50 |call dword ptr ds:[504D0C40]
504DA9BB |. 8945 00 |mov dword ptr ss:[ebp],eax
504DA9BE |. 8305 380C4D50>|add dword ptr ds:[504D0C38],14
504DA9C5 |.^ E9 F8FDFFFF |jmp BBB.504DA7C2
504DA9CA |> 8B15 400C4D50 |mov edx,dword ptr ds:[504D0C40] ; Case 342 of switch 504DA7F7
504DA9D0 |. 33C0 |xor eax,eax
504DA9D2 |. 66:A1 4C0C4D5>|mov ax,word ptr ds:[504D0C4C]
504DA9D8 |. 8B0D 380C4D50 |mov ecx,dword ptr ds:[504D0C38] ; BBB.504D0C38
504DA9DE |. 891481 |mov dword ptr ds:[ecx+eax*4],edx
504DA9E1 |.^ E9 DCFDFFFF |jmp BBB.504DA7C2
504DA9E6 |> 33C0 |xor eax,eax ; Case 611 of switch 504DA7F7
504DA9E8 |. 66:A1 4C0C4D5>|mov ax,word ptr ds:[504D0C4C]
504DA9EE |. 83F8 68 |cmp eax,68
504DA9F1 |. 74 09 |je short BBB.504DA9FC
504DA9F3 |. 3D 8E020000 |cmp eax,28E
504DA9F8 |. 74 0F |je short BBB.504DAA09
504DA9FA |. EB 18 |jmp short BBB.504DAA14
504DA9FC |> A1 380C4D50 |mov eax,dword ptr ds:[504D0C38]
504DAA01 |. 8120 FF000000 |and dword ptr ds:[eax],0FF
504DAA07 |. EB 0B |jmp short BBB.504DAA14
504DAA09 |> A1 380C4D50 |mov eax,dword ptr ds:[504D0C38]
504DAA0E |. 8120 FFFF0000 |and dword ptr ds:[eax],0FFFF
504DAA14 |> A1 380C4D50 |mov eax,dword ptr ds:[504D0C38]
504DAA19 |. 0135 380C4D50 |add dword ptr ds:[504D0C38],esi
504DAA1F |. 8338 00 |cmp dword ptr ds:[eax],0
504DAA22 |.^ 0F84 9AFDFFFF |je BBB.504DA7C2
504DAA28 |. A1 400C4D50 |mov eax,dword ptr ds:[504D0C40]
504DAA2D |. A3 3C0C4D50 |mov dword ptr ds:[504D0C3C],eax
504DAA32 |.^ E9 8BFDFFFF |jmp BBB.504DA7C2
504DAA37 |> 66:A1 4C0C4D5>|mov ax,word ptr ds:[504D0C4C] ; Case 704 of switch 504DA7F7
504DAA3D |. 8B0D 400C4D50 |mov ecx,dword ptr ds:[504D0C40]
504DAA43 |. 50 |push eax
504DAA44 |. 51 |push ecx
504DAA45 |. E8 76FCFFFF |call BBB.504DA6C0
504DAA4A |. 66:8B0D 4C0C4>|mov cx,word ptr ds:[504D0C4C]
504DAA51 |. 83C4 08 |add esp,8
504DAA54 |. 40 |inc eax
504DAA55 |. 8B15 400C4D50 |mov edx,dword ptr ds:[504D0C40]
504DAA5B |. 50 |push eax
504DAA5C |. 51 |push ecx
504DAA5D |. 52 |push edx
504DAA5E |. E8 FDFBFFFF |call BBB.504DA660
504DAA63 |. 83C4 0C |add esp,0C
504DAA66 |.^ E9 57FDFFFF |jmp BBB.504DA7C2
504DAA6B |> 66:A1 4C0C4D5>|mov ax,word ptr ds:[504D0C4C] ; Case 1092 of switch 504DA7F7
504DAA71 |. 8B0D 400C4D50 |mov ecx,dword ptr ds:[504D0C40]
504DAA77 |. 50 |push eax
504DAA78 |. 51 |push ecx
504DAA79 |. E8 42FCFFFF |call BBB.504DA6C0
504DAA7E |. 83C4 08 |add esp,8
504DAA81 |. 8B0D 380C4D50 |mov ecx,dword ptr ds:[504D0C38] ; BBB.504D0C38
504DAA87 |. 0101 |add dword ptr ds:[ecx],eax
504DAA89 |.^ E9 34FDFFFF |jmp BBB.504DA7C2
504DAA8E |> 8B2D 380C4D50 |mov ebp,dword ptr ds:[504D0C38] ; BBB.504D0C38; Case 1109 of switch 504DA7F7
504DAA94 |. A1 380C4D50 |mov eax,dword ptr ds:[504D0C38]
504DAA99 |. 83C5 04 |add ebp,4
504DAA9C |. 8B08 |mov ecx,dword ptr ds:[eax]
504DAA9E |. 51 |push ecx
504DAA9F |. 8B55 00 |mov edx,dword ptr ss:[ebp]
504DAAA2 |. 52 |push edx
504DAAA3 |. FF15 400C4D50 |call dword ptr ds:[504D0C40]
504DAAA9 |. 8945 00 |mov dword ptr ss:[ebp],eax
504DAAAC |. 0135 380C4D50 |add dword ptr ds:[504D0C38],esi
504DAAB2 |.^ E9 0BFDFFFF |jmp BBB.504DA7C2
504DAAB7 |> 66:8B15 4C0C4>|mov dx,word ptr ds:[504D0C4C] ; Case 1992 of switch 504DA7F7
504DAABE |. A1 380C4D50 |mov eax,dword ptr ds:[504D0C38]
504DAAC3 |. 8B08 |mov ecx,dword ptr ds:[eax]
504DAAC5 |. A1 400C4D50 |mov eax,dword ptr ds:[504D0C40]
504DAACA |. 51 |push ecx
504DAACB |. 52 |push edx
504DAACC |. 50 |push eax
504DAACD |. E8 8EFBFFFF |call BBB.504DA660
504DAAD2 |. 83C4 0C |add esp,0C
504DAAD5 |. 0135 380C4D50 |add dword ptr ds:[504D0C38],esi
504DAADB |.^ E9 E2FCFFFF |jmp BBB.504DA7C2
504DAAE0 |> 013D 380C4D50 |add dword ptr ds:[504D0C38],edi ; Case 1A44 of switch 504DA7F7
504DAAE6 |. FF15 400C4D50 |call dword ptr ds:[504D0C40]
504DAAEC |. 8B0D 380C4D50 |mov ecx,dword ptr ds:[504D0C38] ; BBB.504D0C38
504DAAF2 |. 8901 |mov dword ptr ds:[ecx],eax
504DAAF4 |.^ E9 C9FCFFFF |jmp BBB.504DA7C2
504DAAF9 |> A1 380C4D50 |mov eax,dword ptr ds:[504D0C38] ; Case 2245 of switch 504DA7F7
504DAAFE |. 8B08 |mov ecx,dword ptr ds:[eax]
504DAB00 |. 33C0 |xor eax,eax
504DAB02 |. 66:A1 4C0C4D5>|mov ax,word ptr ds:[504D0C4C]
504DAB08 |. 890D 3C0C4D50 |mov dword ptr ds:[504D0C3C],ecx
504DAB0E |. C1E0 02 |shl eax,2
504DAB11 |. 0105 380C4D50 |add dword ptr ds:[504D0C38],eax
504DAB17 |.^ E9 A6FCFFFF |jmp BBB.504DA7C2
504DAB1C |> 66:A1 4C0C4D5>|mov ax,word ptr ds:[504D0C4C] ; Case 22B7 of switch 504DA7F7
504DAB22 |. 8B0D 400C4D50 |mov ecx,dword ptr ds:[504D0C40]
504DAB28 |. 50 |push eax
504DAB29 |. 51 |push ecx
504DAB2A |. E8 91FBFFFF |call BBB.504DA6C0
504DAB2F |. 83C4 08 |add esp,8
504DAB32 |. 8B0D 380C4D50 |mov ecx,dword ptr ds:[504D0C38] ; BBB.504D0C38
504DAB38 |. 2901 |sub dword ptr ds:[ecx],eax
504DAB3A |.^ E9 83FCFFFF |jmp BBB.504DA7C2
504DAB3F |> 66:A1 4C0C4D5>|mov ax,word ptr ds:[504D0C4C] ; Case 3345 of switch 504DA7F7
504DAB45 |. 8B0D 400C4D50 |mov ecx,dword ptr ds:[504D0C40]
504DAB4B |. 50 |push eax
504DAB4C |. 51 |push ecx
504DAB4D |. E8 6EFBFFFF |call BBB.504DA6C0
504DAB52 |. 83C4 08 |add esp,8
504DAB55 |. 8B0D 380C4D50 |mov ecx,dword ptr ds:[504D0C38] ; BBB.504D0C38
504DAB5B |. 2101 |and dword ptr ds:[ecx],eax
504DAB5D |.^ E9 60FCFFFF |jmp BBB.504DA7C2
504DAB62 |> 66:A1 4C0C4D5>|mov ax,word ptr ds:[504D0C4C] ; Case 3DC8 of switch 504DA7F7
504DAB68 |. 8B0D 400C4D50 |mov ecx,dword ptr ds:[504D0C40]
504DAB6E |. 50 |push eax
504DAB6F |. 51 |push ecx
504DAB70 |. E8 4BFBFFFF |call BBB.504DA6C0
504DAB75 |. 66:8B0D 4C0C4>|mov cx,word ptr ds:[504D0C4C]
504DAB7C |. 83C4 08 |add esp,8
504DAB7F |. 48 |dec eax
504DAB80 |. 8B15 400C4D50 |mov edx,dword ptr ds:[504D0C40]
504DAB86 |. 50 |push eax
504DAB87 |. 51 |push ecx
504DAB88 |. 52 |push edx
504DAB89 |. E8 D2FAFFFF |call BBB.504DA660
504DAB8E |. 83C4 0C |add esp,0C
504DAB91 |.^ E9 2CFCFFFF |jmp BBB.504DA7C2
504DAB96 |> 66:8B15 4C0C4>|mov dx,word ptr ds:[504D0C4C] ; Case 5211 of switch 504DA7F7
504DAB9D |. A1 380C4D50 |mov eax,dword ptr ds:[504D0C38]
504DABA2 |. 8B08 |mov ecx,dword ptr ds:[eax]
504DABA4 |. A1 400C4D50 |mov eax,dword ptr ds:[504D0C40]
504DABA9 |. 51 |push ecx
504DABAA |. 52 |push edx
504DABAB |. 50 |push eax
504DABAC |. E8 AFFAFFFF |call BBB.504DA660
504DABB1 |. 83C4 0C |add esp,0C
504DABB4 |.^ E9 09FCFFFF |jmp BBB.504DA7C2
504DABB9 |> 66:A1 4C0C4D5>|mov ax,word ptr ds:[504D0C4C] ; Case 654D of switch 504DA7F7
504DABBF |. 8B0D 400C4D50 |mov ecx,dword ptr ds:[504D0C40]
504DABC5 |. 50 |push eax
504DABC6 |. 51 |push ecx
504DABC7 |. E8 F4FAFFFF |call BBB.504DA6C0
504DABCC |. 83C4 08 |add esp,8
504DABCF |. 8B0D 380C4D50 |mov ecx,dword ptr ds:[504D0C38] ; BBB.504D0C38
504DABD5 |. 0901 |or dword ptr ds:[ecx],eax
504DABD7 |.^ E9 E6FBFFFF |jmp BBB.504DA7C2
504DABDC |> A1 380C4D50 |mov eax,dword ptr ds:[504D0C38] ; Case 65AB of switch 504DA7F7
504DABE1 |. 33C9 |xor ecx,ecx
504DABE3 |. 66:8B0D 4C0C4>|mov cx,word ptr ds:[504D0C4C]
504DABEA |. 0135 380C4D50 |add dword ptr ds:[504D0C38],esi
504DABF0 |. 3B08 |cmp ecx,dword ptr ds:[eax]
504DABF2 |.^ 0F84 CAFBFFFF |je BBB.504DA7C2
504DABF8 |. A1 3C0C4D50 |mov eax,dword ptr ds:[504D0C3C]
504DABFD |. 013D 380C4D50 |add dword ptr ds:[504D0C38],edi
504DAC03 |. 8B0D 380C4D50 |mov ecx,dword ptr ds:[504D0C38] ; BBB.504D0C38
504DAC09 |. 8901 |mov dword ptr ds:[ecx],eax
504DAC0B |. 8B15 400C4D50 |mov edx,dword ptr ds:[504D0C40]
504DAC11 |. 8915 3C0C4D50 |mov dword ptr ds:[504D0C3C],edx
504DAC17 |.^ E9 A6FBFFFF |jmp BBB.504DA7C2
504DAC1C |> 66:A1 4C0C4D5>|mov ax,word ptr ds:[504D0C4C] ; Case 698A of switch 504DA7F7
504DAC22 |. 6A 00 |push 0
504DAC24 |. 50 |push eax
504DAC25 |. 8B0D 400C4D50 |mov ecx,dword ptr ds:[504D0C40]
504DAC2B |. 51 |push ecx
504DAC2C |. E8 2FFAFFFF |call BBB.504DA660
504DAC31 |. 83C4 0C |add esp,0C
504DAC34 |.^ E9 89FBFFFF |jmp BBB.504DA7C2
504DAC39 |> 33C0 |xor eax,eax ; Case 7123 of switch 504DA7F7
504DAC3B |. 66:A1 4C0C4D5>|mov ax,word ptr ds:[504D0C4C]
504DAC41 |. 83F8 68 |cmp eax,68
504DAC44 |. 74 09 |je short BBB.504DAC4F
504DAC46 |. 3D 8E020000 |cmp eax,28E
504DAC4B |. 74 0F |je short BBB.504DAC5C
504DAC4D |. EB 18 |jmp short BBB.504DAC67
504DAC4F |> A1 380C4D50 |mov eax,dword ptr ds:[504D0C38]
504DAC54 |. 8120 FF000000 |and dword ptr ds:[eax],0FF
504DAC5A |. EB 0B |jmp short BBB.504DAC67
504DAC5C |> A1 380C4D50 |mov eax,dword ptr ds:[504D0C38]
504DAC61 |. 8120 FFFF0000 |and dword ptr ds:[eax],0FFFF
504DAC67 |> A1 380C4D50 |mov eax,dword ptr ds:[504D0C38]
504DAC6C |. 0135 380C4D50 |add dword ptr ds:[504D0C38],esi
504DAC72 |. 8338 00 |cmp dword ptr ds:[eax],0
504DAC75 |.^ 0F85 47FBFFFF |jnz BBB.504DA7C2
504DAC7B |. A1 400C4D50 |mov eax,dword ptr ds:[504D0C40]
504DAC80 |. A3 3C0C4D50 |mov dword ptr ds:[504D0C3C],eax
504DAC85 |.^ E9 38FBFFFF |jmp BBB.504DA7C2
504DAC8A |> 66:A1 4C0C4D5>|mov ax,word ptr ds:[504D0C4C] ; Case 74BB of switch 504DA7F7
504DAC90 |. 8B0D 400C4D50 |mov ecx,dword ptr ds:[504D0C40]
504DAC96 |. 50 |push eax
504DAC97 |. 51 |push ecx
504DAC98 |. E8 23FAFFFF |call BBB.504DA6C0
504DAC9D |. 83C4 08 |add esp,8
504DACA0 |. 8B0D 380C4D50 |mov ecx,dword ptr ds:[504D0C38] ; BBB.504D0C38
504DACA6 |. 3101 |xor dword ptr ds:[ecx],eax
504DACA8 |.^ E9 15FBFFFF |jmp BBB.504DA7C2
504DACAD |> A1 380C4D50 |mov eax,dword ptr ds:[504D0C38] ; Case 8109 of switch 504DA7F7
504DACB2 |. 33C9 |xor ecx,ecx
504DACB4 |. 66:8B0D 4C0C4>|mov cx,word ptr ds:[504D0C4C]
504DACBB |. 0135 380C4D50 |add dword ptr ds:[504D0C38],esi
504DACC1 |. 3B08 |cmp ecx,dword ptr ds:[eax]
504DACC3 |.^ 0F85 F9FAFFFF |jnz BBB.504DA7C2
504DACC9 |. A1 3C0C4D50 |mov eax,dword ptr ds:[504D0C3C]
504DACCE |. 013D 380C4D50 |add dword ptr ds:[504D0C38],edi
504DACD4 |. 8B0D 380C4D50 |mov ecx,dword ptr ds:[504D0C38] ; BBB.504D0C38
504DACDA |. 8901 |mov dword ptr ds:[ecx],eax
504DACDC |. 8B15 400C4D50 |mov edx,dword ptr ds:[504D0C40]
504DACE2 |. 8915 3C0C4D50 |mov dword ptr ds:[504D0C3C],edx
504DACE8 |.^ E9 D5FAFFFF |jmp BBB.504DA7C2
504DACED |> 66:A1 4C0C4D5>|mov ax,word ptr ds:[504D0C4C] ; Case 9104 of switch 504DA7F7
504DACF3 |. 8B0D 400C4D50 |mov ecx,dword ptr ds:[504D0C40]
504DACF9 |. 50 |push eax
504DACFA |. 51 |push ecx
504DACFB |. E8 C0F9FFFF |call BBB.504DA6C0
504DAD00 |. 83C4 08 |add esp,8
504DAD03 |. 8B0D 380C4D50 |mov ecx,dword ptr ds:[504D0C38] ; BBB.504D0C38
504DAD09 |. 0FAF01 |imul eax,dword ptr ds:[ecx]
504DAD0C |. 8901 |mov dword ptr ds:[ecx],eax
504DAD0E |.^ E9 AFFAFFFF |jmp BBB.504DA7C2
504DAD13 |> 8B2D 380C4D50 |mov ebp,dword ptr ds:[504D0C38] ; BBB.504D0C38; Case 9B73 of switch 504DA7F7
504DAD19 |. A1 380C4D50 |mov eax,dword ptr ds:[504D0C38]
504DAD1E |. 83C5 10 |add ebp,10
504DAD21 |. 8B08 |mov ecx,dword ptr ds:[eax]
504DAD23 |. 51 |push ecx
504DAD24 |. 8B50 04 |mov edx,dword ptr ds:[eax+4]
504DAD27 |. 52 |push edx
504DAD28 |. 8B48 08 |mov ecx,dword ptr ds:[eax+8]
504DAD2B |. 51 |push ecx
504DAD2C |. 8B50 0C |mov edx,dword ptr ds:[eax+C]
504DAD2F |. 52 |push edx
504DAD30 |. 8B4D 00 |mov ecx,dword ptr ss:[ebp]
504DAD33 |. 51 |push ecx
504DAD34 |. FF15 400C4D50 |call dword ptr ds:[504D0C40]
504DAD3A |. 8945 00 |mov dword ptr ss:[ebp],eax
504DAD3D |. 8305 380C4D50>|add dword ptr ds:[504D0C38],10
504DAD44 |.^ E9 79FAFFFF |jmp BBB.504DA7C2
504DAD49 |> 8B2D 380C4D50 |mov ebp,dword ptr ds:[504D0C38] ; BBB.504D0C38; Case AA61 of switch 504DA7F7
504DAD4F |. A1 380C4D50 |mov eax,dword ptr ds:[504D0C38]
504DAD54 |. 83C5 0C |add ebp,0C
504DAD57 |. 8B08 |mov ecx,dword ptr ds:[eax]
504DAD59 |. 51 |push ecx
504DAD5A |. 8B50 04 |mov edx,dword ptr ds:[eax+4]
504DAD5D |. 52 |push edx
504DAD5E |. 8B48 08 |mov ecx,dword ptr ds:[eax+8]
504DAD61 |. 51 |push ecx
504DAD62 |. 8B55 00 |mov edx,dword ptr ss:[ebp]
504DAD65 |. 52 |push edx
504DAD66 |. FF15 400C4D50 |call dword ptr ds:[504D0C40]
504DAD6C |. 8945 00 |mov dword ptr ss:[ebp],eax
504DAD6F |. 8305 380C4D50>|add dword ptr ds:[504D0C38],0C
504DAD76 |.^ E9 47FAFFFF |jmp BBB.504DA7C2
504DAD7B |> 8B2D 380C4D50 |mov ebp,dword ptr ds:[504D0C38] ; BBB.504D0C38; Case B323 of switch 504DA7F7
504DAD81 |. A1 380C4D50 |mov eax,dword ptr ds:[504D0C38]
504DAD86 |. 83C5 08 |add ebp,8
504DAD89 |. 8B08 |mov ecx,dword ptr ds:[eax]
504DAD8B |. 51 |push ecx
504DAD8C |. 8B50 04 |mov edx,dword ptr ds:[eax+4]
504DAD8F |. 52 |push edx
504DAD90 |. 8B4D 00 |mov ecx,dword ptr ss:[ebp]
504DAD93 |. 51 |push ecx
504DAD94 |. FF15 400C4D50 |call dword ptr ds:[504D0C40]
504DAD9A |. 8945 00 |mov dword ptr ss:[ebp],eax
504DAD9D |. 011D 380C4D50 |add dword ptr ds:[504D0C38],ebx
504DADA3 |.^ E9 1AFAFFFF |jmp BBB.504DA7C2
504DADA8 |> A1 380C4D50 |mov eax,dword ptr ds:[504D0C38] ; Case BA51 of switch 504DA7F7
504DADAD |. 8B08 |mov ecx,dword ptr ds:[eax]
504DADAF |. 51 |push ecx
504DADB0 |. FF15 400C4D50 |call dword ptr ds:[504D0C40]
504DADB6 |. 8B0D 380C4D50 |mov ecx,dword ptr ds:[504D0C38] ; BBB.504D0C38
504DADBC |. 8901 |mov dword ptr ds:[ecx],eax
504DADBE |.^ E9 FFF9FFFF |jmp BBB.504DA7C2
504DADC3 |> A1 3C0C4D50 |mov eax,dword ptr ds:[504D0C3C] ; Case BED7 of switch 504DA7F7
504DADC8 |. 013D 380C4D50 |add dword ptr ds:[504D0C38],edi
504DADCE |. 8B0D 380C4D50 |mov ecx,dword ptr ds:[504D0C38] ; BBB.504D0C38
504DADD4 |. 8901 |mov dword ptr ds:[ecx],eax
504DADD6 |> A1 400C4D50 |mov eax,dword ptr ds:[504D0C40] ; Case 5910 of switch 504DA7F7
504DADDB |. A3 3C0C4D50 |mov dword ptr ds:[504D0C3C],eax
504DADE0 |.^ E9 DDF9FFFF |jmp BBB.504DA7C2
504DADE5 |> 66:A1 4C0C4D5>|mov ax,word ptr ds:[504D0C4C] ; Case CD03 of switch 504DA7F7
504DADEB |. 8B0D 400C4D50 |mov ecx,dword ptr ds:[504D0C40]
504DADF1 |. 50 |push eax
504DADF2 |. 51 |push ecx
504DADF3 |. E8 C8F8FFFF |call BBB.504DA6C0
504DADF8 |. 013D 380C4D50 |add dword ptr ds:[504D0C38],edi
504DADFE |. 8B0D 380C4D50 |mov ecx,dword ptr ds:[504D0C38] ; BBB.504D0C38
504DAE04 |. 83C4 08 |add esp,8
504DAE07 |. A3 400C4D50 |mov dword ptr ds:[504D0C40],eax
504DAE0C |. 8901 |mov dword ptr ds:[ecx],eax
504DAE0E |.^ E9 AFF9FFFF |jmp BBB.504DA7C2
504DAE13 |> 66:8B0D 4C0C4>|mov cx,word ptr ds:[504D0C4C] ; Case FB52 of switch 504DA7F7
504DAE1A |. A1 380C4D50 |mov eax,dword ptr ds:[504D0C38]
504DAE1F |. 51 |push ecx
504DAE20 |. 8B28 |mov ebp,dword ptr ds:[eax]
504DAE22 |. A1 400C4D50 |mov eax,dword ptr ds:[504D0C40]
504DAE27 |. 50 |push eax
504DAE28 |. E8 93F8FFFF |call BBB.504DA6C0
504DAE2D |. 83C4 08 |add esp,8
504DAE30 |. 8BC8 |mov ecx,eax
504DAE32 |. 8BC5 |mov eax,ebp
504DAE34 |. 2BD2 |sub edx,edx
504DAE36 |. F7F1 |div ecx
504DAE38 |. 8B15 380C4D50 |mov edx,dword ptr ds:[504D0C38] ; BBB.504D0C38
504DAE3E |. 8902 |mov dword ptr ds:[edx],eax
504DAE40 |.^ E9 7DF9FFFF \jmp BBB.504DA7C2
504DAE45 |> 33C0 xor eax,eax ; Case 96F of switch 504DA7F7
504DAE47 |. 66:A1 4C0C4D5>mov ax,word ptr ds:[504D0C4C]
504DAE4D |. A3 6CFC4C50 mov dword ptr ds:[504CFC6C],eax
504DAE52 |. 83F8 0A cmp eax,0A ; Switch (cases 0..A)
504DAE55 |. 77 0F ja short BBB.504DAE66
504DAE57 |. 33C9 xor ecx,ecx
504DAE59 |. 8A88 DCAE4D50 mov cl,byte ptr ds:[eax+504DAEDC]
504DAE5F |. FF248D C8AE4D>jmp dword ptr ds:[ecx*4+504DAEC8]
504DAE66 |> C705 6CFC4C50>mov dword ptr ds:[504CFC6C],2 ; Default case of switch 504DAE52
504DAE70 |> 66:8125 04E04>and word ptr ds:[504CE004],0FFFE ; Case 2 of switch 504DAE52
504DAE79 |> 68 10200000 push 2010 ; Cases 1,3,4,5,6,7,8,9,A of switch 504DAE52
504DAE7E |. E8 EDF1FFFF call BBB.504DA070
504DAE83 |. 50 push eax
504DAE84 |. E8 970A0000 call BBB.504DB920
从 504DAE84 处的 call 跟进(目标是 BBB.504DB920),得到下面的代码:
; ----------------------------------------------------------------------
; BBB.504DB920 - message-box helper (OllyDbg listing, 32-bit x86, Intel syntax)
; In:   [esp+4] = value forwarded as the MessageBoxA Text argument
;       [esp+8] = value forwarded as the MessageBoxA Style argument
; Out:  eax = whatever MessageBoxA returned (nothing modifies it before retn)
; The caption is the fixed string at BBB.504CE294 ("bbb.exe"); the owner
; window is the result of GetActiveWindow.
; Straight-line code: there is no compare or conditional jump in here, so
; this routine only displays a message its caller has already chosen.
; The call site listed just before it (504DAE79..504DAE84) passes 2010h as
; Style, i.e. MB_ICONERROR (10h) | MB_TASKMODAL (2000h), and the eax result
; of BBB.504DA070 as Text.
; ----------------------------------------------------------------------
504DB920 /$ 8B4424 08 mov eax,dword ptr ss:[esp+8] ; eax = 2nd stack argument (becomes Style)
504DB924 |. 8B4C24 04 mov ecx,dword ptr ss:[esp+4] ; ecx = 1st stack argument (becomes Text)
504DB928 |. 50 push eax ; /Style
504DB929 |. 68 94E24C50 push BBB.504CE294 ; |Title = "bbb.exe"
504DB92E |. 51 push ecx ; |Text
504DB92F |. FF15 00934D50 call dword ptr ds:[<&USER32.GetActiveWin>; |[GetActiveWindow
504DB935 |. 50 push eax ; |hOwner
504DB936 |. FF15 FC924D50 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
504DB93C \. C3 retn ; plain retn: the two arguments stay on the stack for the caller to remove
继续跟进 504DB936 处的 call,进入的是 USER32.MessageBoxA(地址 77D5xxxx 属于系统 DLL,不是程序自身的代码),又看到了下面的代码:
; ----------------------------------------------------------------------
; Code reached by stepping into the call at 504DB936. Going by that call's
; import name and the USER32.77D5xxxx labels, this is USER32's MessageBoxA,
; i.e. Windows system-DLL code rather than code belonging to bbb.exe.
; In:   [ebp+8], [ebp+C], [ebp+10], [ebp+14] = the four stdcall arguments
;       (hOwner, Text, Title, Style in the order BBB.504DB920 pushed them)
; Out:  eax = result of MessageBoxExA
; Flow: a bookkeeping step guarded by the flag at 77D704BC, then the four
;       arguments are forwarded unchanged to MessageBoxExA with an extra 0
;       as fifth argument (wLanguageId in the documented API).
; ----------------------------------------------------------------------
77D504EA U> 8BFF mov edi,edi ; two-byte no-op at the entry (the usual hot-patch placeholder in Windows DLLs)
77D504EC 55 push ebp ; standard frame setup
77D504ED 8BEC mov ebp,esp
77D504EF 833D BC04D777 0>cmp dword ptr ds:[77D704BC],0 ; USER32-internal flag; its meaning is not shown in this listing
77D504F6 74 24 je short USER32.77D5051C ; flag clear -> skip the bookkeeping below
77D504F8 64:A1 18000000 mov eax,dword ptr fs:[18] ; eax = TEB self-pointer (fs:[18h] on 32-bit Windows)
77D504FE 6A 00 push 0 ; Comparand = 0
77D50500 FF70 24 push dword ptr ds:[eax+24] ; Exchange = dword at TEB+24h (current thread id in the 32-bit TEB layout)
77D50503 68 240BD777 push USER32.77D70B24 ; Destination = USER32 global at 77D70B24
77D50508 FF15 C812D177 call dword ptr ds:[<&KERNEL32.Interlocke>; kernel32.InterlockedCompareExchange
77D5050E 85C0 test eax,eax ; eax = value the destination held before the call
77D50510 75 0A jnz short USER32.77D5051C ; non-zero -> slot was already occupied, no swap happened
77D50512 C705 200BD777 0>mov dword ptr ds:[77D70B20],1 ; slot was 0 and now holds the pushed id: set the companion flag
77D5051C 6A 00 push 0 ; 5th argument for MessageBoxExA (wLanguageId = 0)
77D5051E FF75 14 push dword ptr ss:[ebp+14] ; 4th incoming argument (Style)
77D50521 FF75 10 push dword ptr ss:[ebp+10] ; 3rd incoming argument (Title)
77D50524 FF75 0C push dword ptr ss:[ebp+C] ; 2nd incoming argument (Text)
77D50527 FF75 08 push dword ptr ss:[ebp+8] ; 1st incoming argument (hOwner)
77D5052A E8 2D000000 call USER32.MessageBoxExA ; the dialog itself is produced inside MessageBoxExA
77D5052F 5D pop ebp
77D50530 C2 1000 retn 10 ; stdcall: callee pops the four arguments (10h bytes)
小弟不是很明白,请各位大哥指教。如果需要这个可执行文件,可以提供,不过还请大虾贴出过程,让我们一起提高。