好友
阅读权限40
听众
最后登录1970-1-1
|
0127CF0C 0127D7F0 UNICODE "C:\Users\Administrator.DESKTOP-8JRMERI\Desktop\HeliumHexEditor\HeliumLicenses\2019_07_04_06_04_35.li"
软件在这里
https://www.52pojie.cn/thread-984828-1-1.html
我用的 32位版本。
0127CF10 72AF5170 RETURN to HexContr.72AF5170
堆栈中看到了关键的两句
===================================
7229BD1B |. 50 push eax ; /pLocaltime = NULL
7229BD1C |. FF15 F0624172 call dword ptr ds:[<&KERNEL32.GetLocalTi>; \GetLocalTime
7229BD22 |. 8DB5 ACF4FFFF lea esi, [local.725]
7229BD28 |. E8 E3BBFCFF call HexContr.72267910
7229BD2D |. 6A 07 push 7
7229BD2F |. 8D85 D0F8FFFF lea eax, [local.460]
7229BD35 |. B9 F4364872 mov ecx, HexContr.724836F4 ; UNICODE "4oYgT/Plh4Jue/)j+Lx4CFbe"
7229BD3A |. E8 0190F0FF call HexContr.721A4D40
7229BD3F |. 0FB795 A4F4FF>movzx edx, word ptr ss:[ebp-B5C]
7229BD46 |. 0FB785 A2F4FF>movzx eax, word ptr ss:[ebp-B5E]
7229BD4D |. 8D8D D0F8FFFF lea ecx, [local.460]
7229BD53 |. 51 push ecx
7229BD54 |. 0FB78D A0F4FF>movzx ecx, word ptr ss:[ebp-B60]
7229BD5B |. 52 push edx
7229BD5C |. 0FB795 9EF4FF>movzx edx, word ptr ss:[ebp-B62]
7229BD63 |. 50 push eax
7229BD64 |. 0FB785 9AF4FF>movzx eax, word ptr ss:[ebp-B66]
7229BD6B |. 51 push ecx
7229BD6C |. 0FB78D 98F4FF>movzx ecx, word ptr ss:[ebp-B68]
7229BD73 |. 52 push edx
7229BD74 |. 8B95 ACF4FFFF mov edx, [local.725]
7229BD7A |. 50 push eax
7229BD7B |. 51 push ecx
7229BD7C |. 52 push edx
7229BD7D |. 68 28374872 push HexContr.72483728 ; XXXX-XXXX 显然 像是格式
7229BD82 |. 8D85 D0FCFFFF lea eax, [local.204]
7229BD88 |. 68 04010000 push 104
7229BD8D |. 50 push eax
7229BD8E |. E8 02A60100 call HexContr.722B6395
7229BD93 |. 83C4 30 add esp, 30
7229BD96 |. 8DBD D0FCFFFF lea edi, [local.204]
7229BD9C |. E8 9F94F2FF call HexContr.721C5240
7229BDA1 |. 85C0 test eax, eax
7229BDA3 |. 75 39 jnz short HexContr.7229BDDE
7229BDA5 |> 8D8D D0FCFFFF lea ecx, [local.204]
7229BDAB |. 51 push ecx
7229BDAC |. 68 70374872 push HexContr.72483770 ; UNICODE "Error creating file %s"
7229BDB1 |. 8D95 D0F4FFFF lea edx, [local.716]
7229BDB7 |. 68 00020000 push 200
7229BDBC |. 52 push edx
7229BDBD |. E8 D3A50100 call HexContr.722B6395
7229BDC2 |. 8B8D CCF4FFFF mov ecx, [local.717]
7229BDC8 |. 8B01 mov eax, dword ptr ds:[ecx]
7229BDCA |. 8B40 64 mov eax, dword ptr ds:[eax+64]
7229BDCD |. 83C4 10 add esp, 10
7229BDD0 |. 8D95 D0F4FFFF lea edx, [local.716]
7229BDD6 |. 52 push edx
7229BDD7 |. FFD0 call eax
7229BDD9 |. E9 63020000 jmp HexContr.7229C041
7229BDDE |> 8B85 7CF4FFFF mov eax, [local.737]
7229BDE4 |. 8D8D C0F4FFFF lea ecx, [local.720]
7229BDEA |. 51 push ecx ; /Arg7 = 00000001
7229BDEB |. 8B8D 78F4FFFF mov ecx, [local.738] ; |
7229BDF1 |. 8D95 C8F4FFFF lea edx, [local.718] ; |
7229BDF7 |. 52 push edx ; |Arg6 = 00000000
7229BDF8 |. 53 push ebx ; |Arg5 = 000E0786
7229BDF9 |. 6A 02 push 2 ; |Arg4 = 00000002
7229BDFB |. 50 push eax ; |Arg3 = 00000000
7229BDFC |. 51 push ecx ; |Arg2 = 00000001
7229BDFD |. 8D95 5CF4FFFF lea edx, [local.745] ; |
7229BE03 |. 52 push edx ; |Arg1 = 00000000
7229BE04 |. E8 5778F0FF call HexContr.721A3660 ; \HexContr.721A3660
7229BE09 |. 8BB5 70F4FFFF mov esi, [local.740]
7229BE0F |. 6A 04 push 4
7229BE11 |. 8D85 D0F8FFFF lea eax, [local.460]
7229BE17 |. B9 A0374872 mov ecx, HexContr.724837A0 ; UNICODE "3Wt*[.%6ZTGfPWklPZ4jXeOwr+z>SfLV>>z`m?r|o-H)zNOD6nfe[eg"
7229BE1C |. 89B5 C8F4FFFF mov [local.718], esi
7229BE22 |. E8 198FF0FF call HexContr.721A4D40 ; F7
7229BE27 |. 8D85 D0F8FFFF lea eax, [local.460] ; |
7229BE2D |. 50 push eax ; |Arg2 = 00000000
7229BE2E |. 56 push esi ; |Arg1 = 00000000
7229BE2F |. E8 7AA70100 call HexContr.722B65AE ; \这里得F7
7229BE34 |. 83C4 0C add esp, 0C
7229BE37 |. 3BC3 cmp eax, ebx
7229BE39 |. 74 22 je short HexContr.7229BE5D ; 我们先改下这里
7229BE3B |. EB 03 jmp short HexContr.7229BE40
7229BE3D | 8D49 00 lea ecx, dword ptr ds:[ecx]
7229BE40 |> 8D8D D0F8FFFF /lea ecx, [local.460]
7229BE46 |. 8BF8 |mov edi, eax
7229BE48 |. 51 |push ecx ; /Arg2 = 00000001
7229BE49 |. 83C0 02 |add eax, 2 ; |
7229BE4C |. 50 |push eax ; |Arg1 = 00000000
7229BE4D |. E8 5CA70100 |call HexContr.722B65AE ; \HexContr.722B65AE
7229BE52 |. 83C4 08 |add esp, 8
7229BE55 |. 3BC3 |cmp eax, ebx
7229BE57 |.^ 75 E7 \jnz short HexContr.7229BE40
7229BE59 |. 3BFB cmp edi, ebx
7229BE5B |. 75 19 jnz short HexContr.7229BE76 ; 貌似修改这里
7229BE5D |> 8B8D CCF4FFFF mov ecx, [local.717]
7229BE63 |. 8B11 mov edx, dword ptr ds:[ecx]
7229BE65 |. 8B52 64 mov edx, dword ptr ds:[edx+64]
7229BE68 |. 8D85 D8FEFFFF lea eax, [local.74]
7229BE6E |. 50 push eax
7229BE6F |. FFD2 call edx
7229BE71 |. E9 CB010000 jmp HexContr.7229C041
7229BE76 |> 6A 06 push 6
7229BE78 |. 8D85 D0F8FFFF lea eax, [local.460]
7229BE7E |. B9 10384872 mov ecx, HexContr.72483810 ; UNICODE "e+DKS,S Hc_UZjTy2f{^i6t!+[?G'1QrIEeX!Dn,xy#s<TWRgsh>M_+D"
7229BE83 |. E8 B88EF0FF call HexContr.721A4D40
7229BE88 |. 8D85 D0F8FFFF lea eax, [local.460] ; |
7229BE8E |. 50 push eax ; |Arg2 = 00000000
7229BE8F |. 57 push edi ; |Arg1 = 00000000
7229BE90 |. E8 19A70100 call HexContr.722B65AE ; \HexContr.722B65AE
====================================
[Asm] 纯文本查看 复制代码 72278660 /. 55 push ebp
72278661 |. 8BEC mov ebp, esp
72278663 |. 83E4 F8 and esp, FFFFFFF8
72278666 |. 81EC 140C0000 sub esp, 0C14
7227866C |. A1 40804A72 mov eax, dword ptr ds:[724A8040]
72278671 |. 33C4 xor eax, esp
72278673 |. 898424 100C00>mov dword ptr ss:[esp+C10], eax
7227867A |. 0FB745 08 movzx eax, word ptr ss:[ebp+8]
7227867E |. 3D F8040000 cmp eax, 4F8 ; Switch (cases 3EB..5EE)
72278683 |. 53 push ebx
72278684 |. 56 push esi
72278685 |. 8B75 0C mov esi, [arg.2]
72278688 |. 57 push edi
72278689 |. 8BF9 mov edi, ecx
7227868B |. 897C24 10 mov dword ptr ss:[esp+10], edi
7227868F |. 0F8F E8050000 jg HexContr.72278C7D
72278695 |. 0F84 C1050000 je HexContr.72278C5C
7227869B |. 2D EB030000 sub eax, 3EB
722786A0 |. 3D EB000000 cmp eax, 0EB
722786A5 |. 0F87 71040000 ja HexContr.72278B1C
722786AB |. 0FB680 D88D27>movzx eax, byte ptr ds:[eax+72278DD8]
722786B2 |. FF2485 288D27>jmp dword ptr ds:[eax*4+72278D28] ; HexContr.72278AE8
722786B9 |> 8B87 84020000 mov eax, dword ptr ds:[edi+284] ; Case 415 of switch 7227867E
722786BF |. 8B57 F8 mov edx, dword ptr ds:[edi-8]
722786C2 |. 8B52 04 mov edx, dword ptr ds:[edx+4]
722786C5 |. 50 push eax
722786C6 |. 8B87 40020000 mov eax, dword ptr ds:[edi+240]
722786CC |. 8D4F F8 lea ecx, dword ptr ds:[edi-8]
722786CF |. 50 push eax
722786D0 |. 8B87 1C020000 mov eax, dword ptr ds:[edi+21C]
722786D6 |. 50 push eax
722786D7 |. FFD2 call edx
722786D9 |. E9 33040000 jmp HexContr.72278B11
722786DE |> 8B97 94020000 mov edx, dword ptr ds:[edi+294] ; Case 416 of switch 7227867E
722786E4 |. 8B47 F8 mov eax, dword ptr ds:[edi-8]
722786E7 |. 8B40 04 mov eax, dword ptr ds:[eax+4]
722786EA |. 52 push edx
722786EB |. 8B97 44020000 mov edx, dword ptr ds:[edi+244]
722786F1 |. 8D4F F8 lea ecx, dword ptr ds:[edi-8]
722786F4 |. 52 push edx
722786F5 |. 8B97 1C020000 mov edx, dword ptr ds:[edi+21C]
722786FB |. 52 push edx
722786FC |. FFD0 call eax
722786FE |. E9 0E040000 jmp HexContr.72278B11
72278703 |> 8B47 38 mov eax, dword ptr ds:[edi+38] ; Case 41C of switch 7227867E
72278706 |. 8B08 mov ecx, dword ptr ds:[eax]
72278708 |. 8B51 40 mov edx, dword ptr ds:[ecx+40]
7227870B |. 50 push eax
7227870C |. FFD2 call edx
7227870E |. E9 FE030000 jmp HexContr.72278B11
72278713 |> 8D4F E0 lea ecx, dword ptr ds:[edi-20] ; Case 417 of switch 7227867E
72278716 |. E8 352D0000 call HexContr.7227B450
7227871B |. E9 FC030000 jmp HexContr.72278B1C
72278720 |> 8B47 70 mov eax, dword ptr ds:[edi+70] ; Case 3F7 of switch 7227867E
72278723 |. 85C0 test eax, eax
72278725 |. 0F84 E6030000 je HexContr.72278B11
7227872B |. 8B40 04 mov eax, dword ptr ds:[eax+4]
7227872E |. 50 push eax ; /Arg1 = 00000000
7227872F |. 8D47 E0 lea eax, dword ptr ds:[edi-20] ; |
72278732 |. E8 B98A0000 call HexContr.722811F0 ; \HexContr.722811F0
72278737 |. E9 D5030000 jmp HexContr.72278B11
7227873C |> 8B47 70 mov eax, dword ptr ds:[edi+70] ; Case 3F8 of switch 7227867E
7227873F |. 85C0 test eax, eax
72278741 |. 0F84 CA030000 je HexContr.72278B11
72278747 |. 8B70 04 mov esi, dword ptr ds:[eax+4]
7227874A |. 85F6 test esi, esi
7227874C |. 0F84 BF030000 je HexContr.72278B11
72278752 |. 8B86 A8000000 mov eax, dword ptr ds:[esi+A8]
72278758 |. 85C0 test eax, eax
7227875A |. 0F84 B1030000 je HexContr.72278B11
72278760 |. 83B8 24090000>cmp dword ptr ds:[eax+924], 0
72278767 |. 0F84 A4030000 je HexContr.72278B11
7227876D |. E8 1E9EF9FF call HexContr.72212590
72278772 |. 8BFE mov edi, esi
72278774 |. E8 F73EFFFF call HexContr.7226C670
72278779 |. 8B86 A8000000 mov eax, dword ptr ds:[esi+A8]
7227877F |. 85C0 test eax, eax
72278781 |. 0F84 86030000 je HexContr.72278B0D
72278787 |. 83B8 24090000>cmp dword ptr ds:[eax+924], 0
7227878E |. 0F84 79030000 je HexContr.72278B0D
72278794 |. 83B8 3C090000>cmp dword ptr ds:[eax+93C], 0
7227879B |. 0F84 6C030000 je HexContr.72278B0D
722787A1 |. 8BB6 A0000000 mov esi, dword ptr ds:[esi+A0]
722787A7 |. 85F6 test esi, esi
722787A9 |. 0F84 5E030000 je HexContr.72278B0D
722787AF |. 6A 01 push 1 ; /Erase = TRUE
722787B1 |. 6A 00 push 0 ; |pRect = NULL
722787B3 |. 56 push esi ; |hWnd = NULL
722787B4 |. FF15 E8654172 call dword ptr ds:[<&USER32.InvalidateRe>; \InvalidateRect
722787BA |. E9 4E030000 jmp HexContr.72278B0D
722787BF |> 8B47 70 mov eax, dword ptr ds:[edi+70] ; Case 3F9 of switch 7227867E
722787C2 |. 85C0 test eax, eax
722787C4 |. 0F84 47030000 je HexContr.72278B11
722787CA |. 8B48 04 mov ecx, dword ptr ds:[eax+4]
722787CD |. 6A 00 push 0 ; /Arg3 = 00000000
722787CF |. 6A 00 push 0 ; |Arg2 = 00000000
722787D1 |. 51 push ecx ; |Arg1 = 00000001
722787D2 |. 8D47 E0 lea eax, dword ptr ds:[edi-20] ; |
722787D5 |. E8 16DEFFFF call HexContr.722765F0 ; \HexContr.722765F0
722787DA |. E9 32030000 jmp HexContr.72278B11
722787DF |> 8B4F 70 mov ecx, dword ptr ds:[edi+70] ; Case 3FA of switch 7227867E
722787E2 |. 8D5F E0 lea ebx, dword ptr ds:[edi-20]
722787E5 |. 85C9 test ecx, ecx
722787E7 |. 75 1B jnz short HexContr.72278804
722787E9 |. 8B53 28 mov edx, dword ptr ds:[ebx+28]
722787EC |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
722787EE |. 68 08AD4572 push HexContr.7245AD08 ; |Title = "Error"
722787F3 |. 68 58B54772 push HexContr.7247B558 ; |Text = "No Hex document selected !..Please select a document first."
722787F8 |. 52 push edx ; |hOwner = NULL
722787F9 |. FF15 E0644172 call dword ptr ds:[<&USER32.MessageBoxW>>; \MessageBoxW
722787FF |. E9 18030000 jmp HexContr.72278B1C
72278804 |> E8 F72D0000 call HexContr.7227B600
72278809 |. E9 0E030000 jmp HexContr.72278B1C
7227880E |> 8B47 70 mov eax, dword ptr ds:[edi+70] ; Case 3FC of switch 7227867E
72278811 |. 85C0 test eax, eax
72278813 |. 0F84 F8020000 je HexContr.72278B11
72278819 |. 8B40 04 mov eax, dword ptr ds:[eax+4]
7227881C |. 85C0 test eax, eax
7227881E |. 0F84 ED020000 je HexContr.72278B11
72278824 |. 8D4F E0 lea ecx, dword ptr ds:[edi-20]
72278827 |. 51 push ecx ; /Arg1 = 00000001
72278828 |. 8BF0 mov esi, eax ; |
7227882A |. E8 41E3FFFF call HexContr.72276B70 ; \HexContr.72276B70
7227882F |. E9 DD020000 jmp HexContr.72278B11
72278834 |> 8B5F 70 mov ebx, dword ptr ds:[edi+70] ; Case 3FB of switch 7227867E
72278837 |. 85DB test ebx, ebx
72278839 |. 0F84 D2020000 je HexContr.72278B11
7227883F |. 837B 04 00 cmp dword ptr ds:[ebx+4], 0
72278843 |. 0F84 C8020000 je HexContr.72278B11
72278849 |. 8B57 E0 mov edx, dword ptr ds:[edi-20]
7227884C |. 8B42 10 mov eax, dword ptr ds:[edx+10]
7227884F |. 8D77 E0 lea esi, dword ptr ds:[edi-20]
72278852 |. 56 push esi
72278853 |. C74424 14 3CA>mov dword ptr ss:[esp+14], HexContr.7247>; UNICODE "allocated memory"
7227885B |. FFD0 call eax
7227885D |. 48 dec eax ; Switch (cases 1..E)
7227885E |. 83F8 0D cmp eax, 0D
72278861 |. 0F87 AA020000 ja HexContr.72278B11
72278867 |. 0FB688 D08E27>movzx ecx, byte ptr ds:[eax+72278ED0]
7227886E |. FF248D C48E27>jmp dword ptr ds:[ecx*4+72278EC4] ; HexContr.7227887D
72278875 |> C74424 10 6CD>mov dword ptr ss:[esp+10], HexContr.7245>; UNICODE "file"; Cases 1,D,E of switch 7227885D
7227887D |> 8B4B 08 mov ecx, dword ptr ds:[ebx+8] ; Cases 3,5,8 of switch 7227885D
72278880 |. 8B11 mov edx, dword ptr ds:[ecx]
72278882 |. 8B92 3C010000 mov edx, dword ptr ds:[edx+13C]
72278888 |. 6A 00 push 0
7227888A |. 68 00020000 push 200
7227888F |. 8D4424 20 lea eax, dword ptr ss:[esp+20]
72278893 |. 50 push eax
72278894 |. FFD2 call edx
72278896 |. 8B4C24 10 mov ecx, dword ptr ss:[esp+10]
7227889A |. 8D4424 18 lea eax, dword ptr ss:[esp+18]
7227889E |. 50 push eax
7227889F |. 51 push ecx
722788A0 |. 68 60AF4772 push HexContr.7247AF60 ; UNICODE "Are you sure you want to delete %s %s ?"
722788A5 |. 8D9424 240400>lea edx, dword ptr ss:[esp+424]
722788AC |. 68 00040000 push 400
722788B1 |. 52 push edx
722788B2 |. E8 DEDA0300 call HexContr.722B6395
722788B7 |. 8B4F 08 mov ecx, dword ptr ds:[edi+8]
722788BA |. 83C4 14 add esp, 14
722788BD |. 6A 24 push 24 ; /Style = MB_YESNO|MB_ICONQUESTION|MB_APPLMODAL
722788BF |. 68 C4E64572 push HexContr.7245E6C4 ; |Title = "Question"
722788C4 |. 8D8424 200400>lea eax, dword ptr ss:[esp+420] ; |
722788CB |. 50 push eax ; |Text = NULL
722788CC |. 51 push ecx ; |hOwner = 00000001
722788CD |. FF15 E0644172 call dword ptr ds:[<&USER32.MessageBoxW>>; \MessageBoxW
722788D3 |. 83F8 06 cmp eax, 6
722788D6 |. 0F85 35020000 jnz HexContr.72278B11
722788DC |. 53 push ebx ; /Arg2 = 000E0786
722788DD |. 56 push esi ; |Arg1 = 00000000
722788DE |. E8 3D080000 call HexContr.72279120 ; \HexContr.72279120
722788E3 |. 8B43 04 mov eax, dword ptr ds:[ebx+4]
722788E6 |. E8 6542FBFF call HexContr.7222CB50
722788EB |. 837B 08 00 cmp dword ptr ds:[ebx+8], 0
722788EF |. 74 43 je short HexContr.72278934
722788F1 |. 8B4B 08 mov ecx, dword ptr ds:[ebx+8]
722788F4 |. 8B11 mov edx, dword ptr ds:[ecx]
722788F6 |. 8B82 24010000 mov eax, dword ptr ds:[edx+124]
722788FC |. FFD0 call eax
722788FE |. 85C0 test eax, eax
72278900 |. 74 32 je short HexContr.72278934
72278902 |. 837B 04 00 cmp dword ptr ds:[ebx+4], 0
72278906 |. 0F84 05020000 je HexContr.72278B11
7227890C |. 8B0B mov ecx, dword ptr ds:[ebx]
7227890E |. 8B41 60 mov eax, dword ptr ds:[ecx+60]
72278911 |. 85C0 test eax, eax
72278913 |. 0F84 F8010000 je HexContr.72278B11
72278919 |. C740 20 00000>mov dword ptr ds:[eax+20], 0
72278920 |. 8B76 58 mov esi, dword ptr ds:[esi+58]
72278923 |. 8B40 14 mov eax, dword ptr ds:[eax+14]
72278926 |. 8B16 mov edx, dword ptr ds:[esi]
72278928 |. 8B4A 24 mov ecx, dword ptr ds:[edx+24]
7227892B |. 50 push eax
7227892C |. 56 push esi
7227892D |. FFD1 call ecx
7227892F |. E9 DD010000 jmp HexContr.72278B11
72278934 |> 8B43 08 mov eax, dword ptr ds:[ebx+8]
72278937 |. 8B4B 04 mov ecx, dword ptr ds:[ebx+4]
7227893A |. E8 3140FBFF call HexContr.7222C970
7227893F |. 6A 01 push 1 ; /Arg1 = 00000001
72278941 |. E8 4A6C0000 call HexContr.7227F590 ; \HexContr.7227F590
72278946 |. E9 C6010000 jmp HexContr.72278B11
7227894B |> 8B47 70 mov eax, dword ptr ds:[edi+70] ; Case 3EF of switch 7227867E
7227894E |. 85C0 test eax, eax
72278950 |. 0F84 BB010000 je HexContr.72278B11
72278956 |. 8B40 04 mov eax, dword ptr ds:[eax+4]
72278959 |. 85C0 test eax, eax
7227895B |. 0F84 B0010000 je HexContr.72278B11
72278961 |. E8 6AA3FBFF call HexContr.72232CD0
72278966 |. E9 A6010000 jmp HexContr.72278B11
7227896B |> 8B47 70 mov eax, dword ptr ds:[edi+70] ; Case 3F0 of switch 7227867E
7227896E |. 85C0 test eax, eax
72278970 |. 74 14 je short HexContr.72278986
72278972 |. 8B40 04 mov eax, dword ptr ds:[eax+4]
72278975 |. 85C0 test eax, eax
72278977 |. 74 0D je short HexContr.72278986
72278979 |. 6A 00 push 0 ; /Arg1 = 00000000
7227897B |. 8BF8 mov edi, eax ; |
7227897D |. E8 BED0FBFF call HexContr.72235A40 ; \HexContr.72235A40
72278982 |. 8B7C24 10 mov edi, dword ptr ss:[esp+10]
72278986 |> 8B47 70 mov eax, dword ptr ds:[edi+70] ; Case 3F1 of switch 7227867E
72278989 |. 85C0 test eax, eax
7227898B |. 0F84 80010000 je HexContr.72278B11
72278991 |. 8B40 04 mov eax, dword ptr ds:[eax+4]
72278994 |. 85C0 test eax, eax
72278996 |. 0F84 75010000 je HexContr.72278B11
7227899C |. 8BC8 mov ecx, eax
7227899E |. E8 BDD2FBFF call HexContr.72235C60
722789A3 |. E9 69010000 jmp HexContr.72278B11
722789A8 |> 6A 00 push 0 ; /Arg1 = 00000000; Case 3F2 of switch 7227867E
722789AA |. 8D47 E0 lea eax, dword ptr ds:[edi-20] ; |
722789AD |. E8 8E310000 call HexContr.7227BB40 ; \HexContr.7227BB40
722789B2 |. E9 5A010000 jmp HexContr.72278B11
722789B7 |> 8D47 E0 lea eax, dword ptr ds:[edi-20] ; Case 3FD of switch 7227867E
722789BA |. E8 11360000 call HexContr.7227BFD0
722789BF |. E9 4D010000 jmp HexContr.72278B11
722789C4 |> 8D47 E0 lea eax, dword ptr ds:[edi-20] ; Case 462 of switch 7227867E
722789C7 |. E8 84380000 call HexContr.7227C250
722789CC |. E9 40010000 jmp HexContr.72278B11
722789D1 |> 8B47 70 mov eax, dword ptr ds:[edi+70] ; Case 3F3 of switch 7227867E
722789D4 |. 85C0 test eax, eax
722789D6 |. 0F84 35010000 je HexContr.72278B11
722789DC |. 8B40 04 mov eax, dword ptr ds:[eax+4]
722789DF |. 85C0 test eax, eax
722789E1 |. 0F84 2A010000 je HexContr.72278B11
722789E7 |. E8 0443FBFF call HexContr.7222CCF0
722789EC |. E9 20010000 jmp HexContr.72278B11
722789F1 |> 8B47 70 mov eax, dword ptr ds:[edi+70] ; Case 3F4 of switch 7227867E
722789F4 |. 85C0 test eax, eax
722789F6 |. 0F84 15010000 je HexContr.72278B11
722789FC |. 8B40 04 mov eax, dword ptr ds:[eax+4]
722789FF |. 85C0 test eax, eax
72278A01 |. 0F84 0A010000 je HexContr.72278B11
72278A07 |. E8 2444FBFF call HexContr.7222CE30
72278A0C |. E9 00010000 jmp HexContr.72278B11
72278A11 |> 8D47 E0 lea eax, dword ptr ds:[edi-20] ; Case 3FF of switch 7227867E
72278A14 |. E8 973E0000 call HexContr.7227C8B0
72278A19 |. E9 FE000000 jmp HexContr.72278B1C
72278A1E |> 8D47 E0 lea eax, dword ptr ds:[edi-20] ; Case 442 of switch 7227867E
72278A21 |. E8 3A4F0000 call HexContr.7227D960
72278A26 |. 85F6 test esi, esi
72278A28 |. 0F84 EE000000 je HexContr.72278B1C
72278A2E |. 8B9F 80000000 mov ebx, dword ptr ds:[edi+80]
72278A34 |. 85DB test ebx, ebx
72278A36 |. 0F84 E0000000 je HexContr.72278B1C
72278A3C |. 56 push esi ; /Arg1 = 00000000
72278A3D |. E8 0E930200 call HexContr.722A1D50 ; \HexContr.722A1D50
72278A42 |. 8BBF 9C010000 mov edi, dword ptr ds:[edi+19C]
72278A48 |. 8B17 mov edx, dword ptr ds:[edi]
72278A4A |. 8B42 04 mov eax, dword ptr ds:[edx+4]
72278A4D |. 8B1438 mov edx, dword ptr ds:[eax+edi]
72278A50 |. 8D0C38 lea ecx, dword ptr ds:[eax+edi]
72278A53 |. 8B41 28 mov eax, dword ptr ds:[ecx+28]
72278A56 |. 6A 00 push 0
72278A58 |. 56 push esi
72278A59 |. 50 push eax
72278A5A |. 8B42 14 mov eax, dword ptr ds:[edx+14]
72278A5D |. FFD0 call eax
72278A5F |. F7D8 neg eax
72278A61 |. 1BC0 sbb eax, eax
72278A63 |. F7D8 neg eax
72278A65 |. 5F pop edi ; USER32.76EFBB13
72278A66 |. 5E pop esi ; USER32.76EFBB13
72278A67 |. 5B pop ebx ; USER32.76EFBB13
72278A68 |. 8B8C24 100C00>mov ecx, dword ptr ss:[esp+C10]
72278A6F |. 33CC xor ecx, esp
72278A71 |. E8 10D90300 call HexContr.722B6386
72278A76 |. 8BE5 mov esp, ebp
72278A78 |. 5D pop ebp ; USER32.76EFBB13
72278A79 |. C2 0800 retn 8
72278A7C |> 8D47 E0 lea eax, dword ptr ds:[edi-20] ; Case 400 of switch 7227867E
72278A7F |. E8 9C550000 call HexContr.7227E020
72278A84 |. E9 93000000 jmp HexContr.72278B1C
72278A89 |> 8D47 E0 lea eax, dword ptr ds:[edi-20] ; Case 46B of switch 7227867E
72278A8C |. E8 DF570000 call HexContr.7227E270
72278A91 |. E9 86000000 jmp HexContr.72278B1C
72278A96 |> 8D47 E0 lea eax, dword ptr ds:[edi-20] ; Case 443 of switch 7227867E
72278A99 |. 8BCE mov ecx, esi
72278A9B |. E8 205A0000 call HexContr.7227E4C0
72278AA0 |. EB 7A jmp short HexContr.72278B1C
72278AA2 |> 8B47 70 mov eax, dword ptr ds:[edi+70] ; Case 3F5 of switch 7227867E
72278AA5 |. 85C0 test eax, eax
72278AA7 |. 74 68 je short HexContr.72278B11
72278AA9 |. 8B40 04 mov eax, dword ptr ds:[eax+4]
72278AAC |. 85C0 test eax, eax
72278AAE |. 74 61 je short HexContr.72278B11
72278AB0 |. 6A 01 push 1 ; /Arg1 = 00000001
72278AB2 |. 8BF0 mov esi, eax ; |
72278AB4 |. E8 C744FBFF call HexContr.7222CF80 ; \HexContr.7222CF80
72278AB9 |. EB 56 jmp short HexContr.72278B11
72278ABB |> 8B47 70 mov eax, dword ptr ds:[edi+70] ; Case 3F6 of switch 7227867E
72278ABE |. 85C0 test eax, eax
72278AC0 |. 74 4F je short HexContr.72278B11
72278AC2 |. 8B40 04 mov eax, dword ptr ds:[eax+4]
72278AC5 |. 85C0 test eax, eax
72278AC7 |. 74 48 je short HexContr.72278B11
72278AC9 |. 6A 01 push 1 ; /Arg1 = 00000001
72278ACB |. 8BF0 mov esi, eax ; |
72278ACD |. E8 5E45FBFF call HexContr.7222D030 ; \HexContr.7222D030
72278AD2 |. EB 3D jmp short HexContr.72278B11
72278AD4 |> 8D47 E0 lea eax, dword ptr ds:[edi-20] ; Case 44E of switch 7227867E
72278AD7 |. E8 545F0000 call HexContr.7227EA30
72278ADC |. EB 3E jmp short HexContr.72278B1C
72278ADE |> 8D47 E0 lea eax, dword ptr ds:[edi-20] ; Case 3FE of switch 7227867E
72278AE1 |. E8 8A3B0000 call HexContr.7227C670
72278AE6 |. EB 34 jmp short HexContr.72278B1C
72278AE8 |> 8B97 28020000 mov edx, dword ptr ds:[edi+228] ; Case 3EB of switch 7227867E
72278AEE |. B9 EB030000 mov ecx, 3EB
72278AF3 |. E8 6849F9FF call HexContr.7220D460
72278AF8 |. B9 00000000 mov ecx, 0
72278AFD |. 8D77 E0 lea esi, dword ptr ds:[edi-20]
72278B00 |. 83E0 01 and eax, 1
72278B03 |. 0f94c1 sete cl
72278B06 |. 8BF9 mov edi, ecx
72278B08 |> E8 B3D6FFFF call HexContr.722761C0
72278B0D |> 8B7C24 10 mov edi, dword ptr ss:[esp+10]
72278B11 |> 8B7F 38 mov edi, dword ptr ds:[edi+38] ; Default case of switch 7227885D
72278B14 |. 8B17 mov edx, dword ptr ds:[edi]
72278B16 |. 8B42 2C mov eax, dword ptr ds:[edx+2C]
72278B19 |. 57 push edi
72278B1A |> FFD0 call eax
72278B1C |> 8B8C24 1C0C00>mov ecx, dword ptr ss:[esp+C1C] ; Default case of switch 7227867E
72278B23 |. 5F pop edi ; USER32.76EFBB13
72278B24 |. 5E pop esi ; USER32.76EFBB13
72278B25 |. 5B pop ebx ; USER32.76EFBB13
72278B26 |. 33CC xor ecx, esp
72278B28 |. 33C0 xor eax, eax
72278B2A |. E8 57D80300 call HexContr.722B6386
72278B2F |. 8BE5 mov esp, ebp
72278B31 |. 5D pop ebp ; USER32.76EFBB13
72278B32 |. C2 0800 retn 8
72278B35 |> 8B97 28020000 mov edx, dword ptr ds:[edi+228] ; Case 3EC of switch 7227867E
72278B3B |. B9 EC030000 mov ecx, 3EC
72278B40 |. E8 1B49F9FF call HexContr.7220D460
72278B45 |. 8D77 E0 lea esi, dword ptr ds:[edi-20]
72278B48 |. 83E0 01 and eax, 1
72278B4B |. 8BF8 mov edi, eax
72278B4D |.^ EB B9 jmp short HexContr.72278B08
72278B4F |> 8D77 E0 lea esi, dword ptr ds:[edi-20] ; Case 3ED of switch 7227867E
72278B52 |. 8BC6 mov eax, esi
72278B54 |. E8 F7040000 call HexContr.72279050
72278B59 |. 8BF8 mov edi, eax
72278B5B |. 8BC6 mov eax, esi
72278B5D |. E8 2ED8FFFF call HexContr.72276390
72278B62 |.^ EB A9 jmp short HexContr.72278B0D
72278B64 |> 8D77 E0 lea esi, dword ptr ds:[edi-20] ; Case 3EE of switch 7227867E
72278B67 |. 8BC6 mov eax, esi
72278B69 |. E8 02050000 call HexContr.72279070
72278B6E |. 8BF8 mov edi, eax
72278B70 |. E8 8BD8FFFF call HexContr.72276400
72278B75 |.^ EB 96 jmp short HexContr.72278B0D
72278B77 |> 8D47 E0 lea eax, dword ptr ds:[edi-20] ; Case 453 of switch 7227867E
72278B7A |. E8 315B0000 call HexContr.7227E6B0
72278B7F |.^ EB 9B jmp short HexContr.72278B1C
72278B81 |> 8D47 E0 lea eax, dword ptr ds:[edi-20] ; Case 47C of switch 7227867E
72278B84 |. E8 F75C0000 call HexContr.7227E880
72278B89 |.^ EB 91 jmp short HexContr.72278B1C
72278B8B |> 8D47 E0 lea eax, dword ptr ds:[edi-20] ; Case 46A of switch 7227867E
72278B8E |. E8 CD380000 call HexContr.7227C460
72278B93 |.^ EB 87 jmp short HexContr.72278B1C
72278B95 |> 83C7 E0 add edi, -20 ; Case 49A of switch 7227867E
72278B98 |. E8 630E0000 call HexContr.72279A00
72278B9D |.^ E9 7AFFFFFF jmp HexContr.72278B1C
72278BA2 |> 8BBF 58040000 mov edi, dword ptr ds:[edi+458] ; Case 4AF of switch 7227867E
72278BA8 |. 85FF test edi, edi
72278BAA |.^ 0F84 6CFFFFFF je HexContr.72278B1C
72278BB0 |. A1 04A34B72 mov eax, dword ptr ds:[724BA304]
72278BB5 |. 8378 1C 00 cmp dword ptr ds:[eax+1C], 0
72278BB9 |. 75 0B jnz short HexContr.72278BC6
72278BBB |> 57 push edi ; /Arg1 = 00000000
72278BBC |. E8 3FEBFEFF call HexContr.72267700 ; \HexContr.72267700
72278BC1 |.^ E9 56FFFFFF jmp HexContr.72278B1C
72278BC6 |> 8B57 04 mov edx, dword ptr ds:[edi+4]
72278BC9 |. 8B40 1C mov eax, dword ptr ds:[eax+1C]
72278BCC |. 52 push edx
72278BCD |.^ E9 48FFFFFF jmp HexContr.72278B1A
72278BD2 |> 8BBF 58040000 mov edi, dword ptr ds:[edi+458] ; Case 4CF of switch 7227867E
72278BD8 |. 85FF test edi, edi
72278BDA |.^ 0F84 3CFFFFFF je HexContr.72278B1C
72278BE0 |. A1 04A34B72 mov eax, dword ptr ds:[724BA304]
72278BE5 |. 8378 20 00 cmp dword ptr ds:[eax+20], 0
72278BE9 |.^ 74 D0 je short HexContr.72278BBB
72278BEB |. 8B4F 04 mov ecx, dword ptr ds:[edi+4]
72278BEE |. 8B50 20 mov edx, dword ptr ds:[eax+20]
72278BF1 |. 51 push ecx
72278BF2 |. FFD2 call edx
72278BF4 |.^ E9 23FFFFFF jmp HexContr.72278B1C
72278BF9 |> 8D4F E0 lea ecx, dword ptr ds:[edi-20] ; Case 4D6 of switch 7227867E
72278BFC |. 6A 00 push 0 ; /Arg1 = 00000000
72278BFE |. 33FF xor edi, edi ; |
72278C00 |. E8 4B470000 call HexContr.7227D350 ; \HexContr.7227D350
72278C05 |.^ E9 12FFFFFF jmp HexContr.72278B1C
72278C0A |> 8D5F E0 lea ebx, dword ptr ds:[edi-20] ; Case 418 of switch 7227867E
72278C0D |. E8 EECA0000 call HexContr.72285700
72278C12 |.^ E9 05FFFFFF jmp HexContr.72278B1C
72278C17 |> 8D47 E0 lea eax, dword ptr ds:[edi-20] ; Case 419 of switch 7227867E
72278C1A |. 8B78 28 mov edi, dword ptr ds:[eax+28]
72278C1D |. 68 10A34B72 push HexContr.724BA310 ; /Arg2 = 724BA310
72278C22 |. 50 push eax ; |Arg1 = 00000000
72278C23 |. E8 4891FDFF call HexContr.72251D70 ; \HexContr.72251D70
72278C28 |. 83C4 08 add esp, 8
72278C2B |.^ E9 ECFEFFFF jmp HexContr.72278B1C
72278C30 |> 8D77 E0 lea esi, dword ptr ds:[edi-20] ; Case 41A of switch 7227867E
72278C33 |. E8 08CC0000 call HexContr.72285840
72278C38 |.^ E9 DFFEFFFF jmp HexContr.72278B1C
72278C3D |> 8B47 08 mov eax, dword ptr ds:[edi+8] ; Case 41B of switch 7227867E
72278C40 |. 50 push eax ; /Arg1 = 00000000
72278C41 |. E8 5A56F7FF call HexContr.721EE2A0 ; \HexContr.721EE2A0
72278C46 |. 83C4 04 add esp, 4
72278C49 |.^ E9 CEFEFFFF jmp HexContr.72278B1C
72278C4E |> 83C7 E0 add edi, -20 ; Case 491 of switch 7227867E
72278C51 |. 57 push edi ; /Arg1 = 00000000
72278C52 |. E8 99CC0000 call HexContr.722858F0 ; \HexContr.722858F0
72278C57 |.^ E9 C0FEFFFF jmp HexContr.72278B1C
72278C5C |> 85F6 test esi, esi ; Case 4F8 of switch 7227867E
72278C5E |.^ 0F84 B8FEFFFF je HexContr.72278B1C
72278C64 |. 83C7 E0 add edi, -20
72278C67 |. 57 push edi ; /Arg1 = 00000000
72278C68 |. 8BC6 mov eax, esi ; |
72278C6A |. E8 51510000 call HexContr.7227DDC0 ; \HexContr.7227DDC0
72278C6F |. 56 push esi
72278C70 |. E8 F2D90300 call HexContr.722B6667
72278C75 |. 83C4 04 add esp, 4
72278C78 |.^ E9 9FFEFFFF jmp HexContr.72278B1C
72278C7D |> 2D 00050000 sub eax, 500
72278C82 |. 3D EE000000 cmp eax, 0EE
72278C87 |.^ 0F87 8FFEFFFF ja HexContr.72278B1C
72278C8D |. 0FB688 088F27>movzx ecx, byte ptr ds:[eax+72278F08]
72278C94 |. FF248D E08E27>jmp dword ptr ds:[ecx*4+72278EE0] ; HexContr.72278CCB
72278C9B |> 8D77 E0 lea esi, dword ptr ds:[edi-20] ; Case 5ED of switch 7227867E
72278C9E |. E8 BDC90000 call HexContr.72285660 ; 来自于这里
72278CA3 |.^ E9 74FEFFFF jmp HexContr.72278B1C
72278CA8 |> 8D77 E0 lea esi, dword ptr ds:[edi-20] ; Case 5EE of switch 7227867E
72278CAB |. E8 00CA0000 call HexContr.722856B0
72278CB0 |.^ E9 67FEFFFF jmp HexContr.72278B1C
72278CB5 |> 6A 00 push 0 ; /Arg2 = 00000000; Case 5DF of switch 7227867E
72278CB7 |. 8D77 E0 lea esi, dword ptr ds:[edi-20] ; |
72278CBA |. 56 push esi ; |Arg1 = 00000000
72278CBB |. E8 90C60000 call HexContr.72285350 ; \HexContr.72285350
72278CC0 |. 56 push esi ; /Arg1 = 00000000
72278CC1 |. E8 0AC60000 call HexContr.722852D0 ; \HexContr.722852D0
|
|
发表于 2019-7-4 06:48
|
发表于 2019-7-4 06:54
