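(SafeDisc 2) Analysis of defeating the software copy-protection part of Red Alert 2 (30k characters)
(SafeDisc 2) Defeating the software copy-protection part of Red Alert 2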
CrackBy: machoman[CCG]
All Rights Reserved: [CCG] (China Crack Group)
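Other titles protected with SD2 use a similar scheme. Dealing with this protection by cracking is actually not very comfortable; intercepting its commands at the driver level is the simplest way to deal with SD2.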
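Red Alert 2's installer setup.exe and its executable ra2.exe use several copy-protection measures. SafeDisc 2 copy-protection code has been added to them, together with an unknown packer (shell). Under the protection of this shell, a series of code-protected add-on programs and mutated external DLL files restore the program piece by piece, and anti-debug measures are included as well. The sections below mainly work through these layers of protection to find the fully restored image of the program and rebuild it into an executable with no shell, no anti-debug code and no SafeDisc 2 calls. I want to complete the rebuilding of this unpacked program through the following steps.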
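1.) First load ra2.exe with TRW 1.03.
Then trace to the point where the program is fully restored; in this program the decryption/restoration point is absolute address 40787f. Suspend the program with suspend, then save the in-memory image to a file with pdump1.60. This gives the unpacked image of the program. But this program still cannot run: its import table has been destroyed, so it cannot load external dynamic-link libraries.
Next, rebuild the import_table so that the program can find its entry points. The import table of this program is also encrypted. The decryption part of the import table is placed in ~df349b.tmp, where the import table is re-assembled, but in fact only the import_table entries for kernel32.dll and user32.dll are encrypted. When ra2.exe calls the functions contained in these two, it has to go through ~df349b.tmp to reach them indirectly. But ~df349b.tmp (~df349b.dll) itself also has a shell, wrapped in an unknown packer, and it is anti-debug as well. The only way is to rebuild an import_table yourself, skip the calls into it, and re-establish the mapping for the calls in ra2.exe.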
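Below are the steps for rebuilding the import_table.
(1) First search the dumped file for the string kernel32.dll, whose import table needs to be rebuilt. Several locations can be found in the file. The string at 0131a4 is the content that the IMAGE_IMPORT_DESCRIPTOR.name pointer of the import_table points to, and from it I found that the correct import table location in ra2.exe is 12cd8; the program's IMAGE_IMPORT_DESCRIPTOR structures start there. Then change the second entry of the program's IMAGE_DATA_DIRECTORY, which is the import_table address, to 12cd8, and part of the imported functions can be found: every function other than those of kernel32.dll and user32.dll is located correctly, but the RVA addresses of these two are all not located correctly. It looks as if the program re-assembles this part of the imports by hand. Its manual assembly routine runs in ~df349b.tmp, which is also encrypted by a shell and is tedious to unpack. The best approach is to skip the calls into this DLL and rebuild its RVAs yourself, but I don't understand the PE loading mechanism, so I can't rebuild it properly yet, and what I rebuild does not fully correspond. But as soon as the import table reconstruction is complete, the software copy protection is defeated. There should no longer be any hardware requirement, and a SafeDisc 2-encrypted disc should also be readable, because once unpacking is complete the detection code has already been skipped.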
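There is one very strange thing: at the place where I set my unpacking breakpoint, I also dumped a very strange file. This file seems to be exactly complementary to the import table I was looking for above. Its import table is complete, but the program is only a partial image and cannot run. With static disassembly I have already found the entry points of all the functions I call, but I still haven't quite understood the structure of the import_table, and when I look for the entry structure of this file myself it is odd again and I can't find it. I have a feeling that this program is decrypted and loaded for execution in segments, and that all the tmp files are temporary executable images. Once the relationship between these two is clear, complete unpacking should be only one step away, but right now I just can't connect the two...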
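After unpacking this way the program skips the detection of SoftICE and SafeDisc 2, but the sections of the disc's physical structure still cannot be copied. Doing this only skips the software part of the detection; cracking the copying of the disc still requires further study of the SafeDisc 2 structure.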
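In files encrypted by SafeDisc 2 there are two ways of hooking into the import table. The first is the case where nothing in ra2.exe changes except the location of the import table; this part can be fixed by pointing it at the correct location again. SafeDisc 2 handles this part as follows: it first changes the program's import table location to the entry of the encrypted DLL; in the encrypted DLL, the following code first pushes the program's environment onto the stack to preserve it, and then enters the encrypted part and switches into the kernel module,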
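(2) In the part of the program that has already been dumped, there are also some imports that are not called directly. A jmp instruction jumps to the place below, which switches into the external DLL. This also makes the code unreadable after it returns. Only by reconstructing these calls too can the code be fully restored. It uses separate jumps: there are many similar jmps, and these switch-ins are really annoying!!! Each one has to be knocked out before reconstruction is possible; the amount of work this encryption creates for decryption is very large..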
/*********************************************************************************************/
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C488(U)
|
:0041B025 53 push ebx // this ebx should be the code segment descriptor of the external DLL
:0041B026 E800000000 call 0041B02B // the purpose of this call is to push the IP onto the stack
* Referenced by a CALL at Address:
|:0041B026
|
:0041B02B 870424 xchg dword ptr [esp], eax // exchange eax with the value on the stack; eax now holds the new IP
:0041B02E 9C pushfd // push the 32-bit flags onto the stack
:0041B02F 05D5FFFFFF add eax, FFFFFFD5 // IP-2Bh = 41B02B-2Bh = 41B000; every call resolves to this location
:0041B034 8B18 mov ebx, dword ptr [eax] // load the contents of this location into ebx
:0041B036 6BDB01 imul ebx, 00000001
:0041B039 035804 add ebx, dword ptr [eax+04] // 41B004 should hold the base address of the entry DLL
:0041B03C 9D popfd
:0041B03D 58 pop eax
:0041B03E 871C24 xchg dword ptr [esp], ebx // change where ret goes; this actually switches into the DLL
:0041B041 C3 ret // enter the DLL and call the function; the encryption is pretty fierce!!!!!!
/*********************************************************************************************/
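Before installing and running, Red Alert 2 first creates a subdirectory ~ef87a under the system's mywindows\temp. This directory contains several temporary files. Among them, ~df394b.tmp is actually a dynamic-link library and should be ~df394b.dll. It contains code that checks whether a debugger is present, and to trace it you have to knock out these protections. These files are deleted when the program exits. Below is how it detects SoftICE.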
Kill_ice (1)
/***********************************************************************************************/
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000F415(C), :1000F419(C)
|
:1000F41E EB03 jmp 1000F423
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000F413(C)
|
:1000F420 73F3 jnb 1000F415
:1000F422 18C7 sbb bh, al
:1000F424 45 inc ebp
:1000F425 FC cld
:1000F426 00000000 BYTE 4 DUP(0)
;This method of detection of SoftICE (as well as the following one) is
;used by the majority of packers/encryptors found on Internet.
;It seeks the signature of BoundsChecker in SoftICE
:1000F42A 55 push ebp
:1000F42B BD4B484342 mov ebp, 4243484B ; 'BCHK'
:1000F430 B804000000 mov eax, 00000004
:1000F435 CC int 03 // this is one way of detecting soft_ice
:1000F436 5D pop ebp
:1000F437 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:1000F43E EB14 jmp 1000F454
:1000F440 8B55EC mov edx, dword ptr [ebp-14]
:1000F443 52 push edx
:1000F444 E8E7000000 call 1000F530
:1000F449 C3 ret
Kill_ice(2)
/***********************************************************************************************/
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000E493(C), :1000E4AF(U)
|
:1000E4A8 8BFF mov edi, edi
:1000E4AA 7006 jo 1000E4B2
:1000E4AC 90 nop
:1000E4AD 7103 jno 1000E4B2
:1000E4AF EBF7 jmp 1000E4A8
:1000E4B1 DBE8 fucomi st(0), st(0)
:1000E4B3 C9 leave
:1000E4B4 000000 BYTE 3 DUP(0)
//Method of detection of the WinICE handler in the int68h (V86)
// mov ah,43h
// int 68h
// cmp ax,0F386h
// jz SoftICE_Detected
:1000E4B7 25FFFF0000 and eax, 0000FFFF
:1000E4BC 85C0 test eax, eax
:1000E4BE 7522 jne 1000E4E2
:1000E4C0 60 pushad
:1000E4C1 33C0 xor eax, eax
:1000E4C3 66B80043 mov ax, 4300
:1000E4C7 CD68 int 68
:1000E4C9 89855CFFFFFF mov dword ptr [ebp+FFFFFF5C], eax
:1000E4CF 3D00430000 cmp eax, 00004300
:1000E4D4 740B je 1000E4E1
:1000E4D6 B801000000 mov eax, 00000001
:1000E4DB 898560FFFFFF mov dword ptr [ebp+FFFFFF60], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000E4D4(C)
|
:1000E4E1 61 popad
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000E4BE(C)
|
:1000E4E2 33D2 xor edx, edx
:1000E4E4 83BD60FFFFFF00 cmp dword ptr [ebp+FFFFFF60], 00000000
:1000E4EB 0F95C2 setne dl
:1000E4EE 668955FC mov word ptr [ebp-04], dx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000E43E(C)
|
:1000E4F2 EB07 jmp 1000E4FB
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000E4FB(U)
|
:1000E4F4 8BFF mov edi, edi
:1000E4F6 7806 js 1000E4FE
:1000E4F8 90 nop
:1000E4F9 7903 jns 1000E4FE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000E4F2(U)
|
:1000E4FB EBF7 jmp 1000E4F4
:1000E4FD 3A7F09 cmp bh, byte ptr [edi+09]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000E50B(C)
|
:1000E500 90 nop
:1000E501 87DB xchg ebx, ebx
:1000E503 7809 js 1000E50E
:1000E505 87D2 xchg edx, edx
:1000E507 7905 jns 1000E50E
:1000E509 7700 ja 1000E50B
Kill_ice (3)
/***********************************************************************************************/
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1001094C(C), :10010950(C)
|
:10010955 EB03 jmp 1001095A
:10010957 70F3 jo 1001094C
:10010959 0B6A00 or ebp, dword ptr [edx+00]
:1001095C 6880000000 push 00000080
:10010961 6A03 push 00000003
:10010963 6A00 push 00000000
:10010965 6A03 push 00000003
:10010967 68000000C0 push C0000000
:1001096C 8B955CFFFFFF mov edx, dword ptr [ebp+FFFFFF5C] // checks whether soft_ice is present under win98
:10010972 52 push edx // \\.\SICE
:10010973 FF954CFFFFFF call dword ptr [ebp+FFFFFF4C] // this actually calls the API CreateFileA
:10010979 898548FFFFFF mov dword ptr [ebp+FFFFFF48], eax // if Soft_ice is present, eax != -1
:1001097F EB07 jmp 10010988
kill_ice(4)
/***********************************************************************************************/
// The following code modifies the int 05 entry of the interrupt descriptor table (IDT), which this program takes over
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100081EA(C)
|
:100081F7 73F3 jnb 100081EC
:100081F9 82C745 add bh, 45
:100081FC FC cld
:100081FD 00000000 BYTE 4 DUP(0)
:10008201 60 pushad
:10008202 9C pushfd
:10008203 0F014DDC sidt [ebp-24] // read the interrupt descriptor table register (IDTR)
:10008207 8B5DDE mov ebx, dword ptr [ebp-22] // take the base address
:1000820A 039D38FFFFFF add ebx, dword ptr [ebp+FFFFFF38] // locate int 05: base+0x28
:10008210 8BBD2CFFFFFF mov edi, dword ptr [ebp+FFFFFF2C] // the original interrupt vector is saved in this location
:10008216 8BF3 mov esi, ebx // save the original int 05 descriptor contents so they can be restored on exit
:10008218 A5 movsd
:10008219 A5 movsd
:1000821A FA cli // disable interrupts
:1000821B 8BFB mov edi, ebx // hook Red Alert's int 05 vector into int 05
:1000821D 8B75E4 mov esi, dword ptr [ebp-1C] // address of the descriptor modified by Red Alert
:10008220 A5 movsd
:10008221 A5 movsd
:10008222 FB sti // enable interrupts
// interrupts are enabled only for this one instruction; what on earth is it for?
:10008223 FA cli // disable interrupts
:10008224 8BFB mov edi, ebx // restore the original interrupt vector
:10008226 8BB52CFFFFFF mov esi, dword ptr [ebp+FFFFFF2C] // and the interrupt is restored again immediately!
:1000822C A5 movsd
:1000822D A5 movsd
:1000822E FB sti
:1000822F 9D popfd
:10008230 61 popad
:10008231 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:10008238 E99E000000 jmp 100082DB
:1000823D B801000000 mov eax, 00000001
:10008242 C3 ret
/***********************************************************************************************/
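The four debugger checks listed above each leave a recognisable byte sequence in an unpacked image. As an added example (not part of the original write-up), the following Python scanner flags them for an analyst triaging a dump; the rule names, the gap limits and the sample buffer are assumptions of this example, and the byte patterns are taken from the listings.

```python
import re

# Byte-level regular expressions derived from the Kill_ice listings on this page.
# Rule names and the allowed gaps between instructions are choices of this example.
RULES = {
    # Kill_ice(1): mov ebp,'BCHK' ... int 3 (BoundsChecker interface of SoftICE)
    "int3_bchk": re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S),
    # Kill_ice(2): mov ax,4300h (or mov ah,43h as in the quoted comment) ; int 68h
    "int68_4300": re.compile(rb"(?:\x66\xB8\x00\x43|\xB4\x43)\xCD\x68", re.S),
    # Kill_ice(3): device name passed to CreateFileA
    "sice_device": re.compile(rb"\\\\\.\\SICE", re.I),
    # kill_ice(4): sidt with a memory operand, followed shortly by cli
    "sidt_cli": re.compile(rb"\x0F\x01[\x08-\x0F\x48-\x4F\x88-\x8F].{0,48}?\xFA", re.S),
}


def scan(image: bytes, base: int = 0):
    """Return sorted (address, rule_name) pairs for every rule hit in `image`."""
    hits = [(base + m.start(), name)
            for name, rx in RULES.items()
            for m in rx.finditer(image)]
    return sorted(hits)


# Constructed sample: instruction bytes copied from the four listings, NOP-padded.
PAD = b"\x90" * 16
KILL_ICE_1 = bytes.fromhex("55 BD4B484342 B804000000 CC 5D")
KILL_ICE_2 = bytes.fromhex("60 33C0 66B80043 CD68 89855CFFFFFF")
KILL_ICE_3 = b"\\\\.\\SICE\x00"
KILL_ICE_4 = bytes.fromhex(
    "60 9C 0F014DDC 8B5DDE 039D38FFFFFF 8BBD2CFFFFFF 8BF3 A5 A5 FA")
SAMPLE = PAD + KILL_ICE_1 + PAD + KILL_ICE_2 + PAD + KILL_ICE_3 + PAD + KILL_ICE_4

if __name__ == "__main__":
    # The base address is a placeholder load address for display only.
    for addr, rule in scan(SAMPLE, base=0x10000000):
        print(f"{addr:08X}  {rule}")
```

Because the DLL described here is packed on disk, rules like these only fire on an unpacked or in-memory image.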
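// The program calls ~df50cd.dll (~df50cd.tmp) to verify whether a logical drive is a CD-ROM drive; this is the checking routine. This protection is easy to get past: it only takes changing the program in the part below, but the key point is that the SafeDisc 2 protection has to be removed before the program can be used.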
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10014993(C), :100149B7(C)
|
:100149C8 8D442418 lea eax, dword ptr [esp+18]
:100149CC 50 push eax
:100149CD 6895000000 push 00000095
* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00F8h // fetch all logical drive letters to look for the CD-ROM drive
|
:100149D2 FF1554700210 Call dword ptr [10027054]
:100149D8 8A442418 mov al, byte ptr [esp+18]
:100149DC C644241000 mov [esp+10], 00
:100149E1 84C0 test al, al
:100149E3 0F8485000000 je 10014A6E
:100149E9 8B442410 mov eax, dword ptr [esp+10]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10014A4F(C)
|
:100149ED 25FF000000 and eax, 000000FF
:100149F2 8D740418 lea esi, dword ptr [esp+eax+18]
:100149F6 56 push esi
:100149F7 FFD3 call ebx // this calls GetDriveTypeA to check whether the given drive is a CD-ROM drive
:100149F9 83F805 cmp eax, 00000005
:100149FC 7520 jne 10014A1E
:100149FE 57 push edi
:100149FF 56 push esi
* Possible StringData Ref from Data Obj ->"%s%s"
|
:10014A00 6824A40210 push 1002A424
:10014A05 6830170310 push 10031730
:10014A0A E811300000 call 10017A20
:10014A0F 83C410 add esp, 00000010
:10014A12 6830170310 push 10031730
:10014A17 FFD5 call ebp
:10014A19 83F8FF cmp eax, FFFFFFFF
:10014A1C 7541 jne 10014A5F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100149FC(C)
|
:10014A1E 803E00 cmp byte ptr [esi], 00
:10014A21 7416 je 10014A39
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10014A37(C)
|
:10014A23 FE442410 inc [esp+10]
:10014A27 8B4C2410 mov ecx, dword ptr [esp+10]
:10014A2B 81E1FF000000 and ecx, 000000FF
:10014A31 8A440C18 mov al, byte ptr [esp+ecx+18]
:10014A35 84C0 test al, al
:10014A37 75EA jne 10014A23
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10014A21(C)
|
:10014A39 FE442410 inc [esp+10]
:10014A3D 8B442410 mov eax, dword ptr [esp+10]
:10014A41 8BD0 mov edx, eax
:10014A43 81E2FF000000 and edx, 000000FF
:10014A49 8A4C1418 mov cl, byte ptr [esp+edx+18]
:10014A4D 84C9 test cl, cl
:10014A4F 759C jne 100149ED
:10014A51 6633C0 xor ax, ax
:10014A54 5F pop edi
:10014A55 5E pop esi
:10014A56 5D pop ebp
:10014A57 5B pop ebx
:10014A58 81C4A4010000 add esp, 000001A4
:10014A5E C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10014A1C(C)
|
:10014A5F 66B80100 mov ax, 0001
:10014A63 5F pop edi
:10014A64 5E pop esi
:10014A65 5D pop ebp
:10014A66 5B pop ebx
:10014A67 81C4A4010000 add esp, 000001A4
:10014A6D C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100149E3(C)
|
:10014A6E 5F pop edi
:10014A6F 5E pop esi
:10014A70 5D pop ebp
:10014A71 6633C0 xor ax, ax
:10014A74 5B pop ebx
:10014A75 81C4A4010000 add esp, 000001A4
:10014A7B C3 ret
:10014A7C 90 nop
:10014A7D 90 nop
:10014A7E 90 nop
:10014A7F 90 nop
* Referenced by a CALL at Address:
|:1000E81E
|
:10014A80 83EC1C sub esp, 0000001C
:10014A83 66833D0825031000 cmp word ptr [10032508], 0000
:10014A8B 53 push ebx
:10014A8C 56 push esi
:10014A8D 57 push edi
:10014A8E 745D je 10014AED
:10014A90 A110250310 mov eax, dword ptr [10032510]
:10014A95 50 push eax
* Reference To: USER32.DestroyWindow, Ord:008Ah
|
:10014A96 FF1594710210 Call dword ptr [10027194]
* Reference To: USER32.PeekMessageA, Ord:01AFh
|
:10014A9C 8B35E0710210 mov esi, dword ptr [100271E0]
:10014AA2 6A01 push 00000001
:10014AA4 6A00 push 00000000
:10014AA6 6A00 push 00000000
:10014AA8 8D4C2418 lea ecx, dword ptr [esp+18]
:10014AAC 6A00 push 00000000
:10014AAE 51 push ecx
:10014AAF FFD6 call esi
:10014AB1 85C0 test eax, eax
:10014AB3 7459 je 10014B0E
* Reference To: USER32.TranslateMessage, Ord:0245h
|
:10014AB5 8B3DE4710210 mov edi, dword ptr [100271E4]
* Reference To: USER32.DispatchMessageA, Ord:0090h
|
:10014ABB 8B1DE8710210 mov ebx, dword ptr [100271E8]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10014AE0(C)
|
:10014AC1 8D54240C lea edx, dword ptr [esp+0C]
:10014AC5 52 push edx
:10014AC6 FFD7 call edi
:10014AC8 8D44240C lea eax, dword ptr [esp+0C]
:10014ACC 50 push eax
:10014ACD FFD3 call ebx
:10014ACF 6A01 push 00000001
:10014AD1 6A00 push 00000000
:10014AD3 6A00 push 00000000
:10014AD5 8D4C2418 lea ecx, dword ptr [esp+18]
:10014AD9 6A00 push 00000000
:10014ADB 51 push ecx
:10014ADC FFD6 call esi
:10014ADE 85C0 test eax, eax
:10014AE0 75DF jne 10014AC1
:10014AE2 66B80100 mov ax, 0001
:10014AE6 5F pop edi
:10014AE7 5E pop esi
:10014AE8 5B pop ebx
:10014AE9 83C41C add esp, 0000001C
:10014AEC C3 ret
/*******************************************************************************************/
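Below is the code of the .stxt744 section after unpacking. The jumps (jmp) that switch into Kernel32.dll and User32.dll go through this code, and this is the part where the IMPORT_TABLE is reconstructed. I rebuilt it entirely by hand, which is really dumb. Can any expert explain what technique should be used to handle this kind of thing?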
*********************************************************************************************
:0041B000 4B dec ebx
:0041B001 0300 add eax, dword ptr [eax]
:0041B003 00DB add bl, bl
:0041B005 630D0153E800 arpl dword ptr [00E85301], ecx
:0041B00B 000000 BYTE 3 DUP(0)
:0041B00E 870424 xchg dword ptr [esp], eax
:0041B011 9C pushfd
:0041B012 05F2FFFFFF add eax, FFFFFFF2
:0041B017 8B18 mov ebx, dword ptr [eax]
:0041B019 6BDB00 imul ebx, 00000000
:0041B01C 035804 add ebx, dword ptr [eax+04]
:0041B01F 9D popfd
:0041B020 58 pop eax
:0041B021 871C24 xchg dword ptr [esp], ebx
:0041B024 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C488(U)
|
:0041B025 53 push ebx
:0041B026 E800000000 call 0041B02B
* Referenced by a CALL at Address:
|:0041B026
|
:0041B02B 870424 xchg dword ptr [esp], eax
:0041B02E 9C pushfd
:0041B02F 05D5FFFFFF add eax, FFFFFFD5
:0041B034 8B18 mov ebx, dword ptr [eax]
:0041B036 6BDB01 imul ebx, 00000001
:0041B039 035804 add ebx, dword ptr [eax+04]
:0041B03C 9D popfd
:0041B03D 58 pop eax
:0041B03E 871C24 xchg dword ptr [esp], ebx
:0041B041 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C90A(U)
|
:0041B042 53 push ebx
:0041B043 E800000000 call 0041B048
* Referenced by a CALL at Address:
|:0041B043
|
:0041B048 870424 xchg dword ptr [esp], eax
:0041B04B 9C pushfd
:0041B04C 05B8FFFFFF add eax, FFFFFFB8
:0041B051 8B18 mov ebx, dword ptr [eax]
:0041B053 6BDB02 imul ebx, 00000002
:0041B056 035804 add ebx, dword ptr [eax+04]
:0041B059 9D popfd
:0041B05A 58 pop eax
:0041B05B 871C24 xchg dword ptr [esp], ebx
:0041B05E C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409D7D(U)
|
:0041B05F 53 push ebx
:0041B060 E800000000 call 0041B065
* Referenced by a CALL at Address:
|:0041B060
|
:0041B065 870424 xchg dword ptr [esp], eax
:0041B068 9C pushfd
:0041B069 059BFFFFFF add eax, FFFFFF9B
:0041B06E 8B18 mov ebx, dword ptr [eax]
:0041B070 6BDB03 imul ebx, 00000003
:0041B073 035804 add ebx, dword ptr [eax+04]
:0041B076 9D popfd
:0041B077 58 pop eax
:0041B078 871C24 xchg dword ptr [esp], ebx
:0041B07B C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D48A(U)
|
:0041B07C 53 push ebx
:0041B07D E800000000 call 0041B082
* Referenced by a CALL at Address:
|:0041B07D
|
:0041B082 870424 xchg dword ptr [esp], eax
:0041B085 9C pushfd
:0041B086 057EFFFFFF add eax, FFFFFF7E
:0041B08B 8B18 mov ebx, dword ptr [eax]
:0041B08D 6BDB04 imul ebx, 00000004
:0041B090 035804 add ebx, dword ptr [eax+04]
:0041B093 9D popfd
:0041B094 58 pop eax
:0041B095 871C24 xchg dword ptr [esp], ebx
:0041B098 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004079B7(U)
|
:0041B099 53 push ebx
:0041B09A E800000000 call 0041B09F
* Referenced by a CALL at Address:
|:0041B09A
|
:0041B09F 870424 xchg dword ptr [esp], eax
:0041B0A2 9C pushfd
:0041B0A3 0561FFFFFF add eax, FFFFFF61
:0041B0A8 8B18 mov ebx, dword ptr [eax]
:0041B0AA 6BDB05 imul ebx, 00000005
:0041B0AD 035804 add ebx, dword ptr [eax+04]
:0041B0B0 9D popfd
:0041B0B1 58 pop eax
:0041B0B2 871C24 xchg dword ptr [esp], ebx
:0041B0B5 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403788(U)
|
:0041B0B6 53 push ebx
:0041B0B7 E800000000 call 0041B0BC
* Referenced by a CALL at Address:
|:0041B0B7
|
:0041B0BC 870424 xchg dword ptr [esp], eax
:0041B0BF 9C pushfd
:0041B0C0 0544FFFFFF add eax, FFFFFF44
:0041B0C5 8B18 mov ebx, dword ptr [eax]
:0041B0C7 6BDB06 imul ebx, 00000006
:0041B0CA 035804 add ebx, dword ptr [eax+04]
:0041B0CD 9D popfd
:0041B0CE 58 pop eax
:0041B0CF 871C24 xchg dword ptr [esp], ebx
:0041B0D2 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409CF1(U)
|
:0041B0D3 53 push ebx
:0041B0D4 E800000000 call 0041B0D9
* Referenced by a CALL at Address:
|:0041B0D4
|
:0041B0D9 870424 xchg dword ptr [esp], eax
:0041B0DC 9C pushfd
:0041B0DD 0527FFFFFF add eax, FFFFFF27
:0041B0E2 8B18 mov ebx, dword ptr [eax]
:0041B0E4 6BDB07 imul ebx, 00000007
:0041B0E7 035804 add ebx, dword ptr [eax+04]
:0041B0EA 9D popfd
:0041B0EB 58 pop eax
:0041B0EC 871C24 xchg dword ptr [esp], ebx
:0041B0EF C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040517E(U)
|
:0041B0F0 53 push ebx
:0041B0F1 E800000000 call 0041B0F6
* Referenced by a CALL at Address:
|:0041B0F1
|
:0041B0F6 870424 xchg dword ptr [esp], eax
:0041B0F9 9C pushfd
:0041B0FA 050AFFFFFF add eax, FFFFFF0A
:0041B0FF 8B18 mov ebx, dword ptr [eax]
:0041B101 6BDB08 imul ebx, 00000008
:0041B104 035804 add ebx, dword ptr [eax+04]
:0041B107 9D popfd
:0041B108 58 pop eax
:0041B109 871C24 xchg dword ptr [esp], ebx
:0041B10C C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004090F1(U)
|
:0041B10D 53 push ebx
:0041B10E E800000000 call 0041B113
* Referenced by a CALL at Address:
|:0041B10E
|
:0041B113 870424 xchg dword ptr [esp], eax
:0041B116 9C pushfd
:0041B117 05EDFEFFFF add eax, FFFFFEED
:0041B11C 8B18 mov ebx, dword ptr [eax]
:0041B11E 6BDB09 imul ebx, 00000009
:0041B121 035804 add ebx, dword ptr [eax+04]
:0041B124 9D popfd
:0041B125 58 pop eax
:0041B126 871C24 xchg dword ptr [esp], ebx
:0041B129 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409450(U)
|
:0041B12A 53 push ebx
:0041B12B E800000000 call 0041B130
* Referenced by a CALL at Address:
|:0041B12B
|
:0041B130 870424 xchg dword ptr [esp], eax
:0041B133 9C pushfd
:0041B134 05D0FEFFFF add eax, FFFFFED0
:0041B139 8B18 mov ebx, dword ptr [eax]
:0041B13B 6BDB0A imul ebx, 0000000A
:0041B13E 035804 add ebx, dword ptr [eax+04]
:0041B141 9D popfd
:0041B142 58 pop eax
:0041B143 871C24 xchg dword ptr [esp], ebx
:0041B146 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040381C(U)
|
:0041B147 53 push ebx
:0041B148 E800000000 call 0041B14D
* Referenced by a CALL at Address:
|:0041B148
|
:0041B14D 870424 xchg dword ptr [esp], eax
:0041B150 9C pushfd
:0041B151 05B3FEFFFF add eax, FFFFFEB3
:0041B156 8B18 mov ebx, dword ptr [eax]
:0041B158 6BDB0B imul ebx, 0000000B
:0041B15B 035804 add ebx, dword ptr [eax+04]
:0041B15E 9D popfd
:0041B15F 58 pop eax
:0041B160 871C24 xchg dword ptr [esp], ebx
:0041B163 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403AD2(U)
|
:0041B164 53 push ebx
:0041B165 E800000000 call 0041B16A
* Referenced by a CALL at Address:
|:0041B165
|
:0041B16A 870424 xchg dword ptr [esp], eax
:0041B16D 9C pushfd
:0041B16E 0596FEFFFF add eax, FFFFFE96
:0041B173 8B18 mov ebx, dword ptr [eax]
:0041B175 6BDB0C imul ebx, 0000000C
:0041B178 035804 add ebx, dword ptr [eax+04]
:0041B17B 9D popfd
:0041B17C 58 pop eax
:0041B17D 871C24 xchg dword ptr [esp], ebx
:0041B180 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409485(U)
|
:0041B181 53 push ebx
:0041B182 E800000000 call 0041B187
* Referenced by a CALL at Address:
|:0041B182
|
:0041B187 870424 xchg dword ptr [esp], eax
:0041B18A 9C pushfd
:0041B18B 0579FEFFFF add eax, FFFFFE79
:0041B190 8B18 mov ebx, dword ptr [eax]
:0041B192 6BDB0D imul ebx, 0000000D
:0041B195 035804 add ebx, dword ptr [eax+04]
:0041B198 9D popfd
:0041B199 58 pop eax
:0041B19A 871C24 xchg dword ptr [esp], ebx
:0041B19D C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C41C(U)
|
:0041B19E 53 push ebx
:0041B19F E800000000 call 0041B1A4
* Referenced by a CALL at Address:
|:0041B19F
|
:0041B1A4 870424 xchg dword ptr [esp], eax
:0041B1A7 9C pushfd
:0041B1A8 055CFEFFFF add eax, FFFFFE5C
:0041B1AD 8B18 mov ebx, dword ptr [eax]
:0041B1AF 6BDB0E imul ebx, 0000000E
:0041B1B2 035804 add ebx, dword ptr [eax+04]
:0041B1B5 9D popfd
:0041B1B6 58 pop eax
:0041B1B7 871C24 xchg dword ptr [esp], ebx
:0041B1BA C3 ret
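Every stub in the listing above has the same 29-byte skeleton and differs only in the `add eax` displacement and the `imul` index. As an added example (not part of the original write-up), this Python code statically evaluates the first three stubs from the bytes shown and confirms that each one resolves to 0041B000; it also shows that the first 8 bytes of the section, which the listing decodes as `dec ebx` / `add` / `arpl`, are the two data dwords the stubs read. The function and constant names are this example's own, and the values are those of the dumped listing.

```python
import struct

SECTION_VA = 0x0041B000   # start of .stxt744 in the listing
HEADER_LEN = 8            # two data dwords that the listing decodes as code
STUB_LEN = 29             # 0041B025 -> 0041B042 in the listing

# Bytes copied from the listing: the 8 header bytes and the first three stubs.
SECTION = bytes.fromhex(
    "4B030000 DB630D01"
    "53 E800000000 870424 9C 05F2FFFFFF 8B18 6BDB00 035804 9D 58 871C24 C3"
    "53 E800000000 870424 9C 05D5FFFFFF 8B18 6BDB01 035804 9D 58 871C24 C3"
    "53 E800000000 870424 9C 05B8FFFFFF 8B18 6BDB02 035804 9D 58 871C24 C3"
)


def decode_stub(section: bytes, stub_va: int, section_va: int = SECTION_VA) -> dict:
    """Statically evaluate one stub and return where its final `ret` goes."""
    off = stub_va - section_va
    s = section[off:off + STUB_LEN]
    skeleton_ok = (
        len(s) == STUB_LEN
        and s[0] == 0x53 and s[1:6] == b"\xE8\x00\x00\x00\x00"  # push ebx ; call $+5
        and s[6:10] == b"\x87\x04\x24\x9C" and s[10] == 0x05    # xchg ; pushfd ; add eax,imm32
        and s[15:19] == b"\x8B\x18\x6B\xDB"                     # mov ebx,[eax] ; imul ebx,imm8
        and s[20:23] == b"\x03\x58\x04" and s[28] == 0xC3       # add ebx,[eax+4] ... ret
    )
    if not skeleton_ok:
        raise ValueError(f"no dispatch stub at {stub_va:08X}")
    ret_addr = stub_va + 6                        # address pushed by `call $+5`
    disp = struct.unpack_from("<i", s, 11)[0]     # signed immediate of `add eax`
    table_va = (ret_addr + disp) & 0xFFFFFFFF
    index = struct.unpack_from("<b", s, 19)[0]    # imul sign-extends its imm8
    t = table_va - section_va
    if not 0 <= t <= len(section) - 8:
        raise ValueError("table pointer falls outside the section bytes")
    stride, bias = struct.unpack_from("<II", section, t)
    return {"stub": stub_va, "table": table_va, "index": index,
            "target": (stride * index + bias) & 0xFFFFFFFF}


def decode_all(section: bytes, section_va: int = SECTION_VA) -> list:
    """Decode every stub that follows the 8-byte header."""
    first = section_va + HEADER_LEN
    last = section_va + len(section) - STUB_LEN
    return [decode_stub(section, va, section_va)
            for va in range(first, last + 1, STUB_LEN)]


if __name__ == "__main__":
    for d in decode_all(SECTION):
        print("stub {stub:08X}  table {table:08X}  index {index:2d}"
              "  -> {target:08X}".format(**d))
```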