要如何改才能跳过 DialogBoxParamW 使用反汇编功能?
0127CF0C 0127D7F0UNICODE "C:\Users\Administrator.DESKTOP-8JRMERI\Desktop\HeliumHexEditor\HeliumLicenses\2019_07_04_06_04_35.li"软件在这里
https://www.52pojie.cn/thread-984828-1-1.html
我用的 32位版本。
0127CF10 72AF5170RETURN to HexContr.72AF5170
堆栈中看到了关键的两句
===================================
7229BD1B|.50 push eax ; /pLocaltime = NULL
7229BD1C|.FF15 F0624172 call dword ptr ds:[<&KERNEL32.GetLocalTi>; \GetLocalTime
7229BD22|.8DB5 ACF4FFFF lea esi,
7229BD28|.E8 E3BBFCFF call HexContr.72267910
7229BD2D|.6A 07 push 7
7229BD2F|.8D85 D0F8FFFF lea eax,
7229BD35|.B9 F4364872 mov ecx, HexContr.724836F4 ;UNICODE "4oYgT/Plh4Jue/)j+Lx4CFbe"
7229BD3A|.E8 0190F0FF call HexContr.721A4D40
7229BD3F|.0FB795 A4F4FF>movzx edx, word ptr ss:
7229BD46|.0FB785 A2F4FF>movzx eax, word ptr ss:
7229BD4D|.8D8D D0F8FFFF lea ecx,
7229BD53|.51 push ecx
7229BD54|.0FB78D A0F4FF>movzx ecx, word ptr ss:
7229BD5B|.52 push edx
7229BD5C|.0FB795 9EF4FF>movzx edx, word ptr ss:
7229BD63|.50 push eax
7229BD64|.0FB785 9AF4FF>movzx eax, word ptr ss:
7229BD6B|.51 push ecx
7229BD6C|.0FB78D 98F4FF>movzx ecx, word ptr ss:
7229BD73|.52 push edx
7229BD74|.8B95 ACF4FFFF mov edx,
7229BD7A|.50 push eax
7229BD7B|.51 push ecx
7229BD7C|.52 push edx
7229BD7D|.68 28374872 push HexContr.72483728 ;XXXX-XXXX 显然 像是格式
7229BD82|.8D85 D0FCFFFF lea eax,
7229BD88|.68 04010000 push 104
7229BD8D|.50 push eax
7229BD8E|.E8 02A60100 call HexContr.722B6395
7229BD93|.83C4 30 add esp, 30
7229BD96|.8DBD D0FCFFFF lea edi,
7229BD9C|.E8 9F94F2FF call HexContr.721C5240
7229BDA1|.85C0 test eax, eax
7229BDA3|.75 39 jnz short HexContr.7229BDDE
7229BDA5|>8D8D D0FCFFFF lea ecx,
7229BDAB|.51 push ecx
7229BDAC|.68 70374872 push HexContr.72483770 ;UNICODE "Error creating file %s"
7229BDB1|.8D95 D0F4FFFF lea edx,
7229BDB7|.68 00020000 push 200
7229BDBC|.52 push edx
7229BDBD|.E8 D3A50100 call HexContr.722B6395
7229BDC2|.8B8D CCF4FFFF mov ecx,
7229BDC8|.8B01 mov eax, dword ptr ds:
7229BDCA|.8B40 64 mov eax, dword ptr ds:
7229BDCD|.83C4 10 add esp, 10
7229BDD0|.8D95 D0F4FFFF lea edx,
7229BDD6|.52 push edx
7229BDD7|.FFD0 call eax
7229BDD9|.E9 63020000 jmp HexContr.7229C041
7229BDDE|>8B85 7CF4FFFF mov eax,
7229BDE4|.8D8D C0F4FFFF lea ecx,
7229BDEA|.51 push ecx ; /Arg7 = 00000001
7229BDEB|.8B8D 78F4FFFF mov ecx, ; |
7229BDF1|.8D95 C8F4FFFF lea edx, ; |
7229BDF7|.52 push edx ; |Arg6 = 00000000
7229BDF8|.53 push ebx ; |Arg5 = 000E0786
7229BDF9|.6A 02 push 2 ; |Arg4 = 00000002
7229BDFB|.50 push eax ; |Arg3 = 00000000
7229BDFC|.51 push ecx ; |Arg2 = 00000001
7229BDFD|.8D95 5CF4FFFF lea edx, ; |
7229BE03|.52 push edx ; |Arg1 = 00000000
7229BE04|.E8 5778F0FF call HexContr.721A3660 ; \HexContr.721A3660
7229BE09|.8BB5 70F4FFFF mov esi,
7229BE0F|.6A 04 push 4
7229BE11|.8D85 D0F8FFFF lea eax,
7229BE17|.B9 A0374872 mov ecx, HexContr.724837A0 ;UNICODE "3Wt*[.%6ZTGfPWklPZ4jXeOwr+z>SfLV>>z`m?r|o-H)zNOD6nfe[eg"
7229BE1C|.89B5 C8F4FFFF mov , esi
7229BE22|.E8 198FF0FF call HexContr.721A4D40 ;F7
7229BE27|.8D85 D0F8FFFF lea eax, ; |
7229BE2D|.50 push eax ; |Arg2 = 00000000
7229BE2E|.56 push esi ; |Arg1 = 00000000
7229BE2F|.E8 7AA70100 call HexContr.722B65AE ; \这里得F7
7229BE34|.83C4 0C add esp, 0C
7229BE37|.3BC3 cmp eax, ebx
7229BE39|.74 22 je short HexContr.7229BE5D ;我们先改下这里
7229BE3B|.EB 03 jmp short HexContr.7229BE40
7229BE3D| 8D49 00 lea ecx, dword ptr ds:
7229BE40|>8D8D D0F8FFFF /lea ecx,
7229BE46|.8BF8 |mov edi, eax
7229BE48|.51 |push ecx ; /Arg2 = 00000001
7229BE49|.83C0 02 |add eax, 2 ; |
7229BE4C|.50 |push eax ; |Arg1 = 00000000
7229BE4D|.E8 5CA70100 |call HexContr.722B65AE ; \HexContr.722B65AE
7229BE52|.83C4 08 |add esp, 8
7229BE55|.3BC3 |cmp eax, ebx
7229BE57|.^ 75 E7 \jnz short HexContr.7229BE40
7229BE59|.3BFB cmp edi, ebx
7229BE5B|.75 19 jnz short HexContr.7229BE76 ;貌似修改这里
7229BE5D|>8B8D CCF4FFFF mov ecx,
7229BE63|.8B11 mov edx, dword ptr ds:
7229BE65|.8B52 64 mov edx, dword ptr ds:
7229BE68|.8D85 D8FEFFFF lea eax,
7229BE6E|.50 push eax
7229BE6F|.FFD2 call edx
7229BE71|.E9 CB010000 jmp HexContr.7229C041
7229BE76|>6A 06 push 6
7229BE78|.8D85 D0F8FFFF lea eax,
7229BE7E|.B9 10384872 mov ecx, HexContr.72483810 ;UNICODE "e+DKS,S Hc_UZjTy2f{^i6t!+[?G'1QrIEeX!Dn,xy#s<TWRgsh>M_+D"
7229BE83|.E8 B88EF0FF call HexContr.721A4D40
7229BE88|.8D85 D0F8FFFF lea eax, ; |
7229BE8E|.50 push eax ; |Arg2 = 00000000
7229BE8F|.57 push edi ; |Arg1 = 00000000
7229BE90|.E8 19A70100 call HexContr.722B65AE ; \HexContr.722B65AE
====================================
72278660/.55 push ebp
72278661|.8BEC mov ebp, esp
72278663|.83E4 F8 and esp, FFFFFFF8
72278666|.81EC 140C0000 sub esp, 0C14
7227866C|.A1 40804A72 mov eax, dword ptr ds:
72278671|.33C4 xor eax, esp
72278673|.898424 100C00>mov dword ptr ss:, eax
7227867A|.0FB745 08 movzx eax, word ptr ss:
7227867E|.3D F8040000 cmp eax, 4F8 ;Switch (cases 3EB..5EE)
72278683|.53 push ebx
72278684|.56 push esi
72278685|.8B75 0C mov esi,
72278688|.57 push edi
72278689|.8BF9 mov edi, ecx
7227868B|.897C24 10 mov dword ptr ss:, edi
7227868F|.0F8F E8050000 jg HexContr.72278C7D
72278695|.0F84 C1050000 je HexContr.72278C5C
7227869B|.2D EB030000 sub eax, 3EB
722786A0|.3D EB000000 cmp eax, 0EB
722786A5|.0F87 71040000 ja HexContr.72278B1C
722786AB|.0FB680 D88D27>movzx eax, byte ptr ds:
722786B2|.FF2485 288D27>jmp dword ptr ds: ;HexContr.72278AE8
722786B9|>8B87 84020000 mov eax, dword ptr ds: ;Case 415 of switch 7227867E
722786BF|.8B57 F8 mov edx, dword ptr ds:
722786C2|.8B52 04 mov edx, dword ptr ds:
722786C5|.50 push eax
722786C6|.8B87 40020000 mov eax, dword ptr ds:
722786CC|.8D4F F8 lea ecx, dword ptr ds:
722786CF|.50 push eax
722786D0|.8B87 1C020000 mov eax, dword ptr ds:
722786D6|.50 push eax
722786D7|.FFD2 call edx
722786D9|.E9 33040000 jmp HexContr.72278B11
722786DE|>8B97 94020000 mov edx, dword ptr ds: ;Case 416 of switch 7227867E
722786E4|.8B47 F8 mov eax, dword ptr ds:
722786E7|.8B40 04 mov eax, dword ptr ds:
722786EA|.52 push edx
722786EB|.8B97 44020000 mov edx, dword ptr ds:
722786F1|.8D4F F8 lea ecx, dword ptr ds:
722786F4|.52 push edx
722786F5|.8B97 1C020000 mov edx, dword ptr ds:
722786FB|.52 push edx
722786FC|.FFD0 call eax
722786FE|.E9 0E040000 jmp HexContr.72278B11
72278703|>8B47 38 mov eax, dword ptr ds: ;Case 41C of switch 7227867E
72278706|.8B08 mov ecx, dword ptr ds:
72278708|.8B51 40 mov edx, dword ptr ds:
7227870B|.50 push eax
7227870C|.FFD2 call edx
7227870E|.E9 FE030000 jmp HexContr.72278B11
72278713|>8D4F E0 lea ecx, dword ptr ds: ;Case 417 of switch 7227867E
72278716|.E8 352D0000 call HexContr.7227B450
7227871B|.E9 FC030000 jmp HexContr.72278B1C
72278720|>8B47 70 mov eax, dword ptr ds: ;Case 3F7 of switch 7227867E
72278723|.85C0 test eax, eax
72278725|.0F84 E6030000 je HexContr.72278B11
7227872B|.8B40 04 mov eax, dword ptr ds:
7227872E|.50 push eax ; /Arg1 = 00000000
7227872F|.8D47 E0 lea eax, dword ptr ds: ; |
72278732|.E8 B98A0000 call HexContr.722811F0 ; \HexContr.722811F0
72278737|.E9 D5030000 jmp HexContr.72278B11
7227873C|>8B47 70 mov eax, dword ptr ds: ;Case 3F8 of switch 7227867E
7227873F|.85C0 test eax, eax
72278741|.0F84 CA030000 je HexContr.72278B11
72278747|.8B70 04 mov esi, dword ptr ds:
7227874A|.85F6 test esi, esi
7227874C|.0F84 BF030000 je HexContr.72278B11
72278752|.8B86 A8000000 mov eax, dword ptr ds:
72278758|.85C0 test eax, eax
7227875A|.0F84 B1030000 je HexContr.72278B11
72278760|.83B8 24090000>cmp dword ptr ds:, 0
72278767|.0F84 A4030000 je HexContr.72278B11
7227876D|.E8 1E9EF9FF call HexContr.72212590
72278772|.8BFE mov edi, esi
72278774|.E8 F73EFFFF call HexContr.7226C670
72278779|.8B86 A8000000 mov eax, dword ptr ds:
7227877F|.85C0 test eax, eax
72278781|.0F84 86030000 je HexContr.72278B0D
72278787|.83B8 24090000>cmp dword ptr ds:, 0
7227878E|.0F84 79030000 je HexContr.72278B0D
72278794|.83B8 3C090000>cmp dword ptr ds:, 0
7227879B|.0F84 6C030000 je HexContr.72278B0D
722787A1|.8BB6 A0000000 mov esi, dword ptr ds:
722787A7|.85F6 test esi, esi
722787A9|.0F84 5E030000 je HexContr.72278B0D
722787AF|.6A 01 push 1 ; /Erase = TRUE
722787B1|.6A 00 push 0 ; |pRect = NULL
722787B3|.56 push esi ; |hWnd = NULL
722787B4|.FF15 E8654172 call dword ptr ds:[<&USER32.InvalidateRe>; \InvalidateRect
722787BA|.E9 4E030000 jmp HexContr.72278B0D
722787BF|>8B47 70 mov eax, dword ptr ds: ;Case 3F9 of switch 7227867E
722787C2|.85C0 test eax, eax
722787C4|.0F84 47030000 je HexContr.72278B11
722787CA|.8B48 04 mov ecx, dword ptr ds:
722787CD|.6A 00 push 0 ; /Arg3 = 00000000
722787CF|.6A 00 push 0 ; |Arg2 = 00000000
722787D1|.51 push ecx ; |Arg1 = 00000001
722787D2|.8D47 E0 lea eax, dword ptr ds: ; |
722787D5|.E8 16DEFFFF call HexContr.722765F0 ; \HexContr.722765F0
722787DA|.E9 32030000 jmp HexContr.72278B11
722787DF|>8B4F 70 mov ecx, dword ptr ds: ;Case 3FA of switch 7227867E
722787E2|.8D5F E0 lea ebx, dword ptr ds:
722787E5|.85C9 test ecx, ecx
722787E7|.75 1B jnz short HexContr.72278804
722787E9|.8B53 28 mov edx, dword ptr ds:
722787EC|.6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
722787EE|.68 08AD4572 push HexContr.7245AD08 ; |Title = "Error"
722787F3|.68 58B54772 push HexContr.7247B558 ; |Text = "No Hex document selected !..Please select a document first."
722787F8|.52 push edx ; |hOwner = NULL
722787F9|.FF15 E0644172 call dword ptr ds:[<&USER32.MessageBoxW>>; \MessageBoxW
722787FF|.E9 18030000 jmp HexContr.72278B1C
72278804|>E8 F72D0000 call HexContr.7227B600
72278809|.E9 0E030000 jmp HexContr.72278B1C
7227880E|>8B47 70 mov eax, dword ptr ds: ;Case 3FC of switch 7227867E
72278811|.85C0 test eax, eax
72278813|.0F84 F8020000 je HexContr.72278B11
72278819|.8B40 04 mov eax, dword ptr ds:
7227881C|.85C0 test eax, eax
7227881E|.0F84 ED020000 je HexContr.72278B11
72278824|.8D4F E0 lea ecx, dword ptr ds:
72278827|.51 push ecx ; /Arg1 = 00000001
72278828|.8BF0 mov esi, eax ; |
7227882A|.E8 41E3FFFF call HexContr.72276B70 ; \HexContr.72276B70
7227882F|.E9 DD020000 jmp HexContr.72278B11
72278834|>8B5F 70 mov ebx, dword ptr ds: ;Case 3FB of switch 7227867E
72278837|.85DB test ebx, ebx
72278839|.0F84 D2020000 je HexContr.72278B11
7227883F|.837B 04 00 cmp dword ptr ds:, 0
72278843|.0F84 C8020000 je HexContr.72278B11
72278849|.8B57 E0 mov edx, dword ptr ds:
7227884C|.8B42 10 mov eax, dword ptr ds:
7227884F|.8D77 E0 lea esi, dword ptr ds:
72278852|.56 push esi
72278853|.C74424 14 3CA>mov dword ptr ss:, HexContr.7247>;UNICODE "allocated memory"
7227885B|.FFD0 call eax
7227885D|.48 dec eax ;Switch (cases 1..E)
7227885E|.83F8 0D cmp eax, 0D
72278861|.0F87 AA020000 ja HexContr.72278B11
72278867|.0FB688 D08E27>movzx ecx, byte ptr ds:
7227886E|.FF248D C48E27>jmp dword ptr ds: ;HexContr.7227887D
72278875|>C74424 10 6CD>mov dword ptr ss:, HexContr.7245>;UNICODE "file"; Cases 1,D,E of switch 7227885D
7227887D|>8B4B 08 mov ecx, dword ptr ds: ;Cases 3,5,8 of switch 7227885D
72278880|.8B11 mov edx, dword ptr ds:
72278882|.8B92 3C010000 mov edx, dword ptr ds:
72278888|.6A 00 push 0
7227888A|.68 00020000 push 200
7227888F|.8D4424 20 lea eax, dword ptr ss:
72278893|.50 push eax
72278894|.FFD2 call edx
72278896|.8B4C24 10 mov ecx, dword ptr ss:
7227889A|.8D4424 18 lea eax, dword ptr ss:
7227889E|.50 push eax
7227889F|.51 push ecx
722788A0|.68 60AF4772 push HexContr.7247AF60 ;UNICODE "Are you sure you want to delete %s %s ?"
722788A5|.8D9424 240400>lea edx, dword ptr ss:
722788AC|.68 00040000 push 400
722788B1|.52 push edx
722788B2|.E8 DEDA0300 call HexContr.722B6395
722788B7|.8B4F 08 mov ecx, dword ptr ds:
722788BA|.83C4 14 add esp, 14
722788BD|.6A 24 push 24 ; /Style = MB_YESNO|MB_ICONQUESTION|MB_APPLMODAL
722788BF|.68 C4E64572 push HexContr.7245E6C4 ; |Title = "Question"
722788C4|.8D8424 200400>lea eax, dword ptr ss: ; |
722788CB|.50 push eax ; |Text = NULL
722788CC|.51 push ecx ; |hOwner = 00000001
722788CD|.FF15 E0644172 call dword ptr ds:[<&USER32.MessageBoxW>>; \MessageBoxW
722788D3|.83F8 06 cmp eax, 6
722788D6|.0F85 35020000 jnz HexContr.72278B11
722788DC|.53 push ebx ; /Arg2 = 000E0786
722788DD|.56 push esi ; |Arg1 = 00000000
722788DE|.E8 3D080000 call HexContr.72279120 ; \HexContr.72279120
722788E3|.8B43 04 mov eax, dword ptr ds:
722788E6|.E8 6542FBFF call HexContr.7222CB50
722788EB|.837B 08 00 cmp dword ptr ds:, 0
722788EF|.74 43 je short HexContr.72278934
722788F1|.8B4B 08 mov ecx, dword ptr ds:
722788F4|.8B11 mov edx, dword ptr ds:
722788F6|.8B82 24010000 mov eax, dword ptr ds:
722788FC|.FFD0 call eax
722788FE|.85C0 test eax, eax
72278900|.74 32 je short HexContr.72278934
72278902|.837B 04 00 cmp dword ptr ds:, 0
72278906|.0F84 05020000 je HexContr.72278B11
7227890C|.8B0B mov ecx, dword ptr ds:
7227890E|.8B41 60 mov eax, dword ptr ds:
72278911|.85C0 test eax, eax
72278913|.0F84 F8010000 je HexContr.72278B11
72278919|.C740 20 00000>mov dword ptr ds:, 0
72278920|.8B76 58 mov esi, dword ptr ds:
72278923|.8B40 14 mov eax, dword ptr ds:
72278926|.8B16 mov edx, dword ptr ds:
72278928|.8B4A 24 mov ecx, dword ptr ds:
7227892B|.50 push eax
7227892C|.56 push esi
7227892D|.FFD1 call ecx
7227892F|.E9 DD010000 jmp HexContr.72278B11
72278934|>8B43 08 mov eax, dword ptr ds:
72278937|.8B4B 04 mov ecx, dword ptr ds:
7227893A|.E8 3140FBFF call HexContr.7222C970
7227893F|.6A 01 push 1 ; /Arg1 = 00000001
72278941|.E8 4A6C0000 call HexContr.7227F590 ; \HexContr.7227F590
72278946|.E9 C6010000 jmp HexContr.72278B11
7227894B|>8B47 70 mov eax, dword ptr ds: ;Case 3EF of switch 7227867E
7227894E|.85C0 test eax, eax
72278950|.0F84 BB010000 je HexContr.72278B11
72278956|.8B40 04 mov eax, dword ptr ds:
72278959|.85C0 test eax, eax
7227895B|.0F84 B0010000 je HexContr.72278B11
72278961|.E8 6AA3FBFF call HexContr.72232CD0
72278966|.E9 A6010000 jmp HexContr.72278B11
7227896B|>8B47 70 mov eax, dword ptr ds: ;Case 3F0 of switch 7227867E
7227896E|.85C0 test eax, eax
72278970|.74 14 je short HexContr.72278986
72278972|.8B40 04 mov eax, dword ptr ds:
72278975|.85C0 test eax, eax
72278977|.74 0D je short HexContr.72278986
72278979|.6A 00 push 0 ; /Arg1 = 00000000
7227897B|.8BF8 mov edi, eax ; |
7227897D|.E8 BED0FBFF call HexContr.72235A40 ; \HexContr.72235A40
72278982|.8B7C24 10 mov edi, dword ptr ss:
72278986|>8B47 70 mov eax, dword ptr ds: ;Case 3F1 of switch 7227867E
72278989|.85C0 test eax, eax
7227898B|.0F84 80010000 je HexContr.72278B11
72278991|.8B40 04 mov eax, dword ptr ds:
72278994|.85C0 test eax, eax
72278996|.0F84 75010000 je HexContr.72278B11
7227899C|.8BC8 mov ecx, eax
7227899E|.E8 BDD2FBFF call HexContr.72235C60
722789A3|.E9 69010000 jmp HexContr.72278B11
722789A8|>6A 00 push 0 ; /Arg1 = 00000000; Case 3F2 of switch 7227867E
722789AA|.8D47 E0 lea eax, dword ptr ds: ; |
722789AD|.E8 8E310000 call HexContr.7227BB40 ; \HexContr.7227BB40
722789B2|.E9 5A010000 jmp HexContr.72278B11
722789B7|>8D47 E0 lea eax, dword ptr ds: ;Case 3FD of switch 7227867E
722789BA|.E8 11360000 call HexContr.7227BFD0
722789BF|.E9 4D010000 jmp HexContr.72278B11
722789C4|>8D47 E0 lea eax, dword ptr ds: ;Case 462 of switch 7227867E
722789C7|.E8 84380000 call HexContr.7227C250
722789CC|.E9 40010000 jmp HexContr.72278B11
722789D1|>8B47 70 mov eax, dword ptr ds: ;Case 3F3 of switch 7227867E
722789D4|.85C0 test eax, eax
722789D6|.0F84 35010000 je HexContr.72278B11
722789DC|.8B40 04 mov eax, dword ptr ds:
722789DF|.85C0 test eax, eax
722789E1|.0F84 2A010000 je HexContr.72278B11
722789E7|.E8 0443FBFF call HexContr.7222CCF0
722789EC|.E9 20010000 jmp HexContr.72278B11
722789F1|>8B47 70 mov eax, dword ptr ds: ;Case 3F4 of switch 7227867E
722789F4|.85C0 test eax, eax
722789F6|.0F84 15010000 je HexContr.72278B11
722789FC|.8B40 04 mov eax, dword ptr ds:
722789FF|.85C0 test eax, eax
72278A01|.0F84 0A010000 je HexContr.72278B11
72278A07|.E8 2444FBFF call HexContr.7222CE30
72278A0C|.E9 00010000 jmp HexContr.72278B11
72278A11|>8D47 E0 lea eax, dword ptr ds: ;Case 3FF of switch 7227867E
72278A14|.E8 973E0000 call HexContr.7227C8B0
72278A19|.E9 FE000000 jmp HexContr.72278B1C
72278A1E|>8D47 E0 lea eax, dword ptr ds: ;Case 442 of switch 7227867E
72278A21|.E8 3A4F0000 call HexContr.7227D960
72278A26|.85F6 test esi, esi
72278A28|.0F84 EE000000 je HexContr.72278B1C
72278A2E|.8B9F 80000000 mov ebx, dword ptr ds:
72278A34|.85DB test ebx, ebx
72278A36|.0F84 E0000000 je HexContr.72278B1C
72278A3C|.56 push esi ; /Arg1 = 00000000
72278A3D|.E8 0E930200 call HexContr.722A1D50 ; \HexContr.722A1D50
72278A42|.8BBF 9C010000 mov edi, dword ptr ds:
72278A48|.8B17 mov edx, dword ptr ds:
72278A4A|.8B42 04 mov eax, dword ptr ds:
72278A4D|.8B1438 mov edx, dword ptr ds:
72278A50|.8D0C38 lea ecx, dword ptr ds:
72278A53|.8B41 28 mov eax, dword ptr ds:
72278A56|.6A 00 push 0
72278A58|.56 push esi
72278A59|.50 push eax
72278A5A|.8B42 14 mov eax, dword ptr ds:
72278A5D|.FFD0 call eax
72278A5F|.F7D8 neg eax
72278A61|.1BC0 sbb eax, eax
72278A63|.F7D8 neg eax
72278A65|.5F pop edi ;USER32.76EFBB13
72278A66|.5E pop esi ;USER32.76EFBB13
72278A67|.5B pop ebx ;USER32.76EFBB13
72278A68|.8B8C24 100C00>mov ecx, dword ptr ss:
72278A6F|.33CC xor ecx, esp
72278A71|.E8 10D90300 call HexContr.722B6386
72278A76|.8BE5 mov esp, ebp
72278A78|.5D pop ebp ;USER32.76EFBB13
72278A79|.C2 0800 retn 8
72278A7C|>8D47 E0 lea eax, dword ptr ds: ;Case 400 of switch 7227867E
72278A7F|.E8 9C550000 call HexContr.7227E020
72278A84|.E9 93000000 jmp HexContr.72278B1C
72278A89|>8D47 E0 lea eax, dword ptr ds: ;Case 46B of switch 7227867E
72278A8C|.E8 DF570000 call HexContr.7227E270
72278A91|.E9 86000000 jmp HexContr.72278B1C
72278A96|>8D47 E0 lea eax, dword ptr ds: ;Case 443 of switch 7227867E
72278A99|.8BCE mov ecx, esi
72278A9B|.E8 205A0000 call HexContr.7227E4C0
72278AA0|.EB 7A jmp short HexContr.72278B1C
72278AA2|>8B47 70 mov eax, dword ptr ds: ;Case 3F5 of switch 7227867E
72278AA5|.85C0 test eax, eax
72278AA7|.74 68 je short HexContr.72278B11
72278AA9|.8B40 04 mov eax, dword ptr ds:
72278AAC|.85C0 test eax, eax
72278AAE|.74 61 je short HexContr.72278B11
72278AB0|.6A 01 push 1 ; /Arg1 = 00000001
72278AB2|.8BF0 mov esi, eax ; |
72278AB4|.E8 C744FBFF call HexContr.7222CF80 ; \HexContr.7222CF80
72278AB9|.EB 56 jmp short HexContr.72278B11
72278ABB|>8B47 70 mov eax, dword ptr ds: ;Case 3F6 of switch 7227867E
72278ABE|.85C0 test eax, eax
72278AC0|.74 4F je short HexContr.72278B11
72278AC2|.8B40 04 mov eax, dword ptr ds:
72278AC5|.85C0 test eax, eax
72278AC7|.74 48 je short HexContr.72278B11
72278AC9|.6A 01 push 1 ; /Arg1 = 00000001
72278ACB|.8BF0 mov esi, eax ; |
72278ACD|.E8 5E45FBFF call HexContr.7222D030 ; \HexContr.7222D030
72278AD2|.EB 3D jmp short HexContr.72278B11
72278AD4|>8D47 E0 lea eax, dword ptr ds: ;Case 44E of switch 7227867E
72278AD7|.E8 545F0000 call HexContr.7227EA30
72278ADC|.EB 3E jmp short HexContr.72278B1C
72278ADE|>8D47 E0 lea eax, dword ptr ds: ;Case 3FE of switch 7227867E
72278AE1|.E8 8A3B0000 call HexContr.7227C670
72278AE6|.EB 34 jmp short HexContr.72278B1C
72278AE8|>8B97 28020000 mov edx, dword ptr ds: ;Case 3EB of switch 7227867E
72278AEE|.B9 EB030000 mov ecx, 3EB
72278AF3|.E8 6849F9FF call HexContr.7220D460
72278AF8|.B9 00000000 mov ecx, 0
72278AFD|.8D77 E0 lea esi, dword ptr ds:
72278B00|.83E0 01 and eax, 1
72278B03|.0f94c1 sete cl
72278B06|.8BF9 mov edi, ecx
72278B08|>E8 B3D6FFFF call HexContr.722761C0
72278B0D|>8B7C24 10 mov edi, dword ptr ss:
72278B11|>8B7F 38 mov edi, dword ptr ds: ;Default case of switch 7227885D
72278B14|.8B17 mov edx, dword ptr ds:
72278B16|.8B42 2C mov eax, dword ptr ds:
72278B19|.57 push edi
72278B1A|>FFD0 call eax
72278B1C|>8B8C24 1C0C00>mov ecx, dword ptr ss: ;Default case of switch 7227867E
72278B23|.5F pop edi ;USER32.76EFBB13
72278B24|.5E pop esi ;USER32.76EFBB13
72278B25|.5B pop ebx ;USER32.76EFBB13
72278B26|.33CC xor ecx, esp
72278B28|.33C0 xor eax, eax
72278B2A|.E8 57D80300 call HexContr.722B6386
72278B2F|.8BE5 mov esp, ebp
72278B31|.5D pop ebp ;USER32.76EFBB13
72278B32|.C2 0800 retn 8
72278B35|>8B97 28020000 mov edx, dword ptr ds: ;Case 3EC of switch 7227867E
72278B3B|.B9 EC030000 mov ecx, 3EC
72278B40|.E8 1B49F9FF call HexContr.7220D460
72278B45|.8D77 E0 lea esi, dword ptr ds:
72278B48|.83E0 01 and eax, 1
72278B4B|.8BF8 mov edi, eax
72278B4D|.^ EB B9 jmp short HexContr.72278B08
72278B4F|>8D77 E0 lea esi, dword ptr ds: ;Case 3ED of switch 7227867E
72278B52|.8BC6 mov eax, esi
72278B54|.E8 F7040000 call HexContr.72279050
72278B59|.8BF8 mov edi, eax
72278B5B|.8BC6 mov eax, esi
72278B5D|.E8 2ED8FFFF call HexContr.72276390
72278B62|.^ EB A9 jmp short HexContr.72278B0D
72278B64|>8D77 E0 lea esi, dword ptr ds: ;Case 3EE of switch 7227867E
72278B67|.8BC6 mov eax, esi
72278B69|.E8 02050000 call HexContr.72279070
72278B6E|.8BF8 mov edi, eax
72278B70|.E8 8BD8FFFF call HexContr.72276400
72278B75|.^ EB 96 jmp short HexContr.72278B0D
72278B77|>8D47 E0 lea eax, dword ptr ds: ;Case 453 of switch 7227867E
72278B7A|.E8 315B0000 call HexContr.7227E6B0
72278B7F|.^ EB 9B jmp short HexContr.72278B1C
72278B81|>8D47 E0 lea eax, dword ptr ds: ;Case 47C of switch 7227867E
72278B84|.E8 F75C0000 call HexContr.7227E880
72278B89|.^ EB 91 jmp short HexContr.72278B1C
72278B8B|>8D47 E0 lea eax, dword ptr ds: ;Case 46A of switch 7227867E
72278B8E|.E8 CD380000 call HexContr.7227C460
72278B93|.^ EB 87 jmp short HexContr.72278B1C
72278B95|>83C7 E0 add edi, -20 ;Case 49A of switch 7227867E
72278B98|.E8 630E0000 call HexContr.72279A00
72278B9D|.^ E9 7AFFFFFF jmp HexContr.72278B1C
72278BA2|>8BBF 58040000 mov edi, dword ptr ds: ;Case 4AF of switch 7227867E
72278BA8|.85FF test edi, edi
72278BAA|.^ 0F84 6CFFFFFF je HexContr.72278B1C
72278BB0|.A1 04A34B72 mov eax, dword ptr ds:
72278BB5|.8378 1C 00 cmp dword ptr ds:, 0
72278BB9|.75 0B jnz short HexContr.72278BC6
72278BBB|>57 push edi ; /Arg1 = 00000000
72278BBC|.E8 3FEBFEFF call HexContr.72267700 ; \HexContr.72267700
72278BC1|.^ E9 56FFFFFF jmp HexContr.72278B1C
72278BC6|>8B57 04 mov edx, dword ptr ds:
72278BC9|.8B40 1C mov eax, dword ptr ds:
72278BCC|.52 push edx
72278BCD|.^ E9 48FFFFFF jmp HexContr.72278B1A
72278BD2|>8BBF 58040000 mov edi, dword ptr ds: ;Case 4CF of switch 7227867E
72278BD8|.85FF test edi, edi
72278BDA|.^ 0F84 3CFFFFFF je HexContr.72278B1C
72278BE0|.A1 04A34B72 mov eax, dword ptr ds:
72278BE5|.8378 20 00 cmp dword ptr ds:, 0
72278BE9|.^ 74 D0 je short HexContr.72278BBB
72278BEB|.8B4F 04 mov ecx, dword ptr ds:
72278BEE|.8B50 20 mov edx, dword ptr ds:
72278BF1|.51 push ecx
72278BF2|.FFD2 call edx
72278BF4|.^ E9 23FFFFFF jmp HexContr.72278B1C
72278BF9|>8D4F E0 lea ecx, dword ptr ds: ;Case 4D6 of switch 7227867E
72278BFC|.6A 00 push 0 ; /Arg1 = 00000000
72278BFE|.33FF xor edi, edi ; |
72278C00|.E8 4B470000 call HexContr.7227D350 ; \HexContr.7227D350
72278C05|.^ E9 12FFFFFF jmp HexContr.72278B1C
72278C0A|>8D5F E0 lea ebx, dword ptr ds: ;Case 418 of switch 7227867E
72278C0D|.E8 EECA0000 call HexContr.72285700
72278C12|.^ E9 05FFFFFF jmp HexContr.72278B1C
72278C17|>8D47 E0 lea eax, dword ptr ds: ;Case 419 of switch 7227867E
72278C1A|.8B78 28 mov edi, dword ptr ds:
72278C1D|.68 10A34B72 push HexContr.724BA310 ; /Arg2 = 724BA310
72278C22|.50 push eax ; |Arg1 = 00000000
72278C23|.E8 4891FDFF call HexContr.72251D70 ; \HexContr.72251D70
72278C28|.83C4 08 add esp, 8
72278C2B|.^ E9 ECFEFFFF jmp HexContr.72278B1C
72278C30|>8D77 E0 lea esi, dword ptr ds: ;Case 41A of switch 7227867E
72278C33|.E8 08CC0000 call HexContr.72285840
72278C38|.^ E9 DFFEFFFF jmp HexContr.72278B1C
72278C3D|>8B47 08 mov eax, dword ptr ds: ;Case 41B of switch 7227867E
72278C40|.50 push eax ; /Arg1 = 00000000
72278C41|.E8 5A56F7FF call HexContr.721EE2A0 ; \HexContr.721EE2A0
72278C46|.83C4 04 add esp, 4
72278C49|.^ E9 CEFEFFFF jmp HexContr.72278B1C
72278C4E|>83C7 E0 add edi, -20 ;Case 491 of switch 7227867E
72278C51|.57 push edi ; /Arg1 = 00000000
72278C52|.E8 99CC0000 call HexContr.722858F0 ; \HexContr.722858F0
72278C57|.^ E9 C0FEFFFF jmp HexContr.72278B1C
72278C5C|>85F6 test esi, esi ;Case 4F8 of switch 7227867E
72278C5E|.^ 0F84 B8FEFFFF je HexContr.72278B1C
72278C64|.83C7 E0 add edi, -20
72278C67|.57 push edi ; /Arg1 = 00000000
72278C68|.8BC6 mov eax, esi ; |
72278C6A|.E8 51510000 call HexContr.7227DDC0 ; \HexContr.7227DDC0
72278C6F|.56 push esi
72278C70|.E8 F2D90300 call HexContr.722B6667
72278C75|.83C4 04 add esp, 4
72278C78|.^ E9 9FFEFFFF jmp HexContr.72278B1C
72278C7D|>2D 00050000 sub eax, 500
72278C82|.3D EE000000 cmp eax, 0EE
72278C87|.^ 0F87 8FFEFFFF ja HexContr.72278B1C
72278C8D|.0FB688 088F27>movzx ecx, byte ptr ds:
72278C94|.FF248D E08E27>jmp dword ptr ds: ;HexContr.72278CCB
72278C9B|>8D77 E0 lea esi, dword ptr ds: ;Case 5ED of switch 7227867E
72278C9E|.E8 BDC90000 call HexContr.72285660 ;来自于这里
72278CA3|.^ E9 74FEFFFF jmp HexContr.72278B1C
72278CA8|>8D77 E0 lea esi, dword ptr ds: ;Case 5EE of switch 7227867E
72278CAB|.E8 00CA0000 call HexContr.722856B0
72278CB0|.^ E9 67FEFFFF jmp HexContr.72278B1C
72278CB5|>6A 00 push 0 ; /Arg2 = 00000000; Case 5DF of switch 7227867E
72278CB7|.8D77 E0 lea esi, dword ptr ds: ; |
72278CBA|.56 push esi ; |Arg1 = 00000000
72278CBB|.E8 90C60000 call HexContr.72285350 ; \HexContr.72285350
72278CC0|.56 push esi ; /Arg1 = 00000000
72278CC1|.E8 0AC60000 call HexContr.722852D0 ; \HexContr.722852D0
7228567B|.B9 D0BE4772 mov ecx, HexContr.7247BED0 ; |UNICODE "!CPBwp#]vH@#/We4N{6UgG>pyCtV{j*Qlkiw"<q%U-]Et5Y~x{#;/1&"(j0"{:''azWz}Ek!er,6_.aH %?.=V""u".N>Qv6!*&5"
果然修改这个字符串影响显示结果(从而Unreg是加密的) 谢谢分享一下! 法王大仙,法力无边!
页:
[1]