STAR 5.6 [ԭ佫] ޸ģǨԴʵ֣

    һԻִ֧6 ԭ佫ܹ趨Χͷ񡢱֣
    һMOD ԸѡıְҵΪԭ佫ָͬS ͡ɱɳȵȡ





οϣ    obin()  ־}ľ籾ļ
              Һþ籾ļǿȲߣPE ļѿǾҺдעʣµľǷˡ






    *. ע 1. ͨ[71H: Ч] ָ, ЧֵָΪԭ佫DATA ţָ1023 ֵᵼָִУ
               MOD ߿ɶЩֵĴ

            2. ʹ[4050]ͱҿѡְҵֵΪ޸￴ֵ1ÿһֽڱʾһֿѡְҵ
              : ᲽıֱΪ3ӦΪ4ָѡְҵĬΪҽѡ

            3. [71H: Ч] ָʱ[4050]ͱѡְҵĿMOD߿Բ
               ĽΪ0 ʾѡǵһְҵ磺籾ֿѡְҵֱΪӢֺۡʹ̿
               71H ָغ4050 ͱֵΪ1 ʾѡְҵΪ

            4. [71H: Ч] ָʱ[4051]ͱԭ佫Ա0ʾԣ1ʾŮԣMOD
               ߿ʹ[77H: ] ָ[4051]ͱ޸սš磺77: ͱ 4051 += 5
               ԭΪսŽָΪ5ԭΪսŽָΪ6

            5. 籾ٲʹ佫һЩţԵľS 籾[19H: ʤ]ָ磺ʧXXX
               XXX Ϊԭ佫ʱMOD ߽޷֪ʵʵ֣Ϊ籾һЩָ߶˸ʽ
               ֻҪ籾ָа*.x x ȡֵΧΪ1 ~6 Ӧ1 ~6ԭ佫ԶתΪʵ佫

               ͨԵָ
               [12H: ѡ]
               [14H: Ի]磺&*.2\nãҵ*.2
               [15H: սԻ2]
               [16H: Ϣ]
               [17H: ]
               [18H: ¼趨]
               [19H: ʤ]
               [1AH: ʾʤ]
               [63H: Ի]
               [67H: ]
               [69H: ԰]
               зָֻ޷ʽĻλظӣ

            6. Ϸ򲻻ˢ佫SAV ӳе佫R 籾佫ֶΣʹһname.e5 ļ
               Ϸ浵ʱд뵽ļʱȴdata.e5 ж浵ԭ佫
               SAV ӳ䣬֮ٴname.e5 ļж佫ԭĿǷֹA 浵DATA XX 佫Ϊԭ佫
               B 浵ûXX ԭ佫µ佫ʾ

            7. ԭ佫ͷŮ10ţŰŵ500 (808 - 301 - 7) Tou.dll ļҪͷˣ֮Ӧ
               Сͷ Face.e5 ļӦӵ뵽508 ~ 527 

               Tou.dll ǽñMOD ûBMP ļһһµʮ˷ʱ䣬ҵʹResHacker 
               DLL ļеλͼȫ޸Դű±룬ʹַءԴɰ޸˵

               ͷ񹤳ļдΪWin32asmߵᷴ淢VC ̡


            8. ʹ[71H: Ч] ָ֮ǰʹ[3BH: 佫]ⱾϵͳǻΧʾģҲԴ
               ǰȽΪʾ
                                                                                            ϸ﷨վ籾

;--------------------------------------------------------------------------------------------------------------------

        ޸һЩҪݽṹֶζ壺

        [4BE000H]       ==> [ԭ佫]Ի佫ͷڴλͼ
        [+4H]           ==> lpDlgItemHandelԻťҪؼĺڲŵַ
        [+8H]           ==> lpOldNameEdit໯佫༭ʱԭĬϻصַ
        [+0CH]          ==> ָ4050ȫֱ
        [+10H]          ==> 4BE200Hָname.e5 ԭṹӳַ
        [+14H]          ==> ʣɷ
        [+15H]          ==> 
        [+16H]          ==> ͳʷ
        [+17H]          ==> 
        [+18H]          ==> ݷ
        [+19H]          ==> 
        [+1AH]          ==> ԭ佫Ա0 ʾУ1 ʾŮ
        [+1BH1CH]     ==> 佫ͷ
        [+1DH]          ==> ԭ佫ʱ佫name ӳеĿ

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

        ԭṹֶζ壺

        [4BE200H]       ==> ԭ佫*.1 DATA
        [+2H]           ==> ԭ
        [4BE210H]       ==> ԭ佫*.2 DATA
        [+2H]           ==> ԭ
        [4BE220H]       ==> ԭ佫*.3 DATA
        [+2H]           ==> ԭ
        [4BE230H]       ==> ԭ佫*.4 DATA
        [+2H]           ==> ԭ
        [4BE240H]       ==> ԭ佫*.5 DATA
        [+2H]           ==> ԭ
        [4BE250H]       ==> ԭ佫*.6 DATA
        [+2H]           ==> ԭ

;------------------------------------------------------------------------------------------------------------

һ޸ģ װPEļԴ

    *. ԭ±ԴʹԴ󣬿ܻʹļƫƵ´

    1. ȽҪ޸ĵEkd5.exe ļһݣΪEkd5().exe

    2. LordPE ==> [ѡ] ==> [PE ༭] һѡ[αԶС] ==> [ȷ]

    3. [PE༭] ==> Ekd5().exe ==> [] ==> Ҽ ==> []

    4. [.NewSec] Ҽ ==> [༭] ==> ޸[С]  [С] Ϊ00010000

    5. [.NewSec] [ַ] ֵҵ 00118000 ==> [ȷ] ==> ˳LordPE

    6. FixRes ==> [Dump] ==> [NewRVA] Ϊ00118000 ([.NewSec] [ַ] ֵ) ==> [FileAlignment] Ϊ1000

    7. [PE File] Ekd5().exe ==> [Res File] ļҵ D:\rsrc.bin

    8. [Dump Resource] ==> תɹʱ½ǻʾResource was dumped successfully.  ==> ˳FixRes

    9. ɾEkd5().exe

    10. LordPE ==> [PE༭] ==> Ҫ޸ĵEkd5.exe (ע⣺δһ) ==> []

    11. Ҽ ==> [Ӵ] ==> 򿪸ת rsrc.bin ==>   ʾɹ 

    12. [.rsrc] Ҽ ==> [༭] ==> [] Ϊ.nodata ==> [С] Ϊ 0F600

    13. [־] ߵ[ ..] ť[α־] ==> ͬʱѡ[Ϊִ][ɶȡ][д][ִд]
        [ѳʼ] ==> [ȷ]

    14. [rsrc.bin] Ҽ ==> [༭] ==> [] Ϊ.rsrc ==> [ַ] [С] ֵ
        ҵ 00118000  00010000

    15. Ͻ[X] ر[α] ==> [Ŀ¼] Ŀ¼Ϣ ==> ޸[Դ] һ[RVA] Ϊ00118000
        ==> ޸[Դ] һ[С] Ϊ00010000  ==> [] ==> ˳LordPE

;------------------------------------------------------------------------------------------------------------

ڶ޸ģ ǨPEļĹԴĿ¼һµĶԻԴ

    *. ڶԻĿ¼ֱӸŹڶĿ¼Ǩƾ޷µĶԻ


    1. ODװEkd5.exeڶĿ¼ǨƵ00527504H = 00518000H + 0F504H 

    *. 005274E0H [.rsrc] [ַ] 00118000 + ԭ[.rsrc] [С] 0000F4E0H + [PEļĬװַ] 00400000

    *. [ԴĿ¼_һ] ϢΪ00518038        0C 00 00 00 60 02 00 80
       [ԴĿ¼_һ] ͼϢΪ00518040        0E 00 00 00 D0 02 00 80

       ҪǨƵΪ00518260H  = 00518000H + 0260HǨƴСΪ70H(DEC: 112) = 2D0H - 260H

         00 00 00 00 00 00 00 00 04 00 00 00 00 00 0C 00
         73 00 00 00 40 08 00 80 74 00 00 00 58 08 00 80
         75 00 00 00 70 08 00 80 76 00 00 00 88 08 00 80
         77 00 00 00 A0 08 00 80 78 00 00 00 B8 08 00 80
         79 00 00 00 D0 08 00 80 7A 00 00 00 E8 08 00 80
         7B 00 00 00 00 09 00 80 7D 00 00 00 18 09 00 80
         7E 00 00 00 30 09 00 80 7F 00 00 00 48 09 00 80

    2. Ŀ¼¹offsetΪ: 0F504H

         0051803CH    60 02  ==>  04 F5


    3. 00518260H λԭ

        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


    4. IDĶԻ

        0051814EH    21 00  ==>  22 00

        *. 00518140  00 00 00 00    ; [ԴڶĿ¼] ¶ԻIMAGE_RESOURCE_DIRECTORY ṹ
                     00 00 00 00
                     04 00
                     00 00
                     01 00          ; ַԴ
                     21 00          ; IDԴ


    5. (ڶ) IMAGE_RESOURCE_DIRECTORY_ENTRY ṹ

       00518260H    00 00 00 00 00 00 00 00  ==>  91 01 00 00 70 02 00 80

        *. 91 01 00 00    ; λΪ0ʾΪIDʹ
           70 02 00 80    ; λΪ1ʱ, λָһ()ݵַ


    6. () IMAGE_RESOURCE_DIRECTORY IMAGE_RESOURCE_DATA_ENTRY ṹ00518270H 

       00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00
       04 08 00 00 88 02 00 00 80 75 12 00 2C 00 00 00
       E4 04 00 00 00 00 00 00

       *. 00518270H  00 00 00 00    ; ¶ԻIMAGE_RESOURCE_DIRECTORYṹ
                     00 00 00 00
                     04 00
                     00 00
                     00 00
                     01 00

       *. 00518280H  04 08 00 00
                     88 02 00 00    ; λΪ0λָIMAGE_RESOURCE_DATA_ENTRYṹ

       *. 00518288H  80 75 12 00    ; ԴRVA127580H(ĶԻַ - PEļװַ)
                     2C 00 00 00    ; Դݳ  2CH
                     E4 04 00 00    ; ҳһΪ0
                     00 00 00 00    ; ֶ


    7. ĶԻԴݿ00527580H 

       01 00 FF FF 00 00 00 00 00 00 02 00 40 00 20 40
       00 00 00 00 00 00 BB 00 5E 00 00 00 00 00 00 00
       09 00 00 00 00 01 8B 5B 53 4F 00 00

8. ResHackerEkd5.exe ==> [Ի] ==> [401] ==> CTRL+A ==> DELETE, ճԴű

401 DIALOG 0, 0, 228, 98
STYLE DS_MODALFRAME | DS_CENTER | WS_POPUP | WS_VISIBLE | WS_CAPTION
CAPTION "ԭ佫趨"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
FONT 9, ""
{
   CONTROL "", 2000, STATIC, SS_BITMAP | WS_CHILD | WS_VISIBLE, 3, 3, 80, 80 
   CONTROL "Ա", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE, 7, 87, 24, 8 
   CONTROL "", 2002, BUTTON, BS_AUTORADIOBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 33, 87, 22, 8 
   CONTROL "Ů", 2003, BUTTON, BS_AUTORADIOBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 57, 87, 22, 8 
   CONTROL "", 2020, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_DISABLED | WS_TABSTOP, 87, 26, 9, 12 
   CONTROL "", 2021, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 87, 51, 9, 12 
   CONTROL "", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE, 108, 8, 26, 8 
   CONTROL "", 2033, EDIT, ES_LEFT | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 138, 5, 60, 12 
   CONTROL "ְҵ", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE, 108, 22, 24, 8 
   CONTROL "", 2005, COMBOBOX, CBS_DROPDOWNLIST | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 132, 19, 48, 50 
   CONTROL "", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE, 184, 22, 24, 8 
   CONTROL "40", 2006, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 210, 22, 8, 7 
   CONTROL "", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE, 108, 37, 24, 8 
   CONTROL "70", 2007, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 137, 37, 12, 7 
   CONTROL "+", 2022, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 152, 37, 12, 7 
   CONTROL "-", 2027, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_DISABLED | WS_TABSTOP, 167, 37, 12, 7 
   CONTROL "(B)", 2012, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 182, 37, 12, 7 
   CONTROL "ͳʣ", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE, 108, 49, 24, 8 
   CONTROL "70", 2008, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 137, 49, 12, 7 
   CONTROL "+", 2023, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 152, 49, 12, 7 
   CONTROL "-", 2028, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_DISABLED | WS_TABSTOP, 167, 49, 12, 7 
   CONTROL "(B)", 2013, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 182, 49, 12, 7 
   CONTROL "", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE, 108, 61, 24, 8 
   CONTROL "70", 2009, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 137, 61, 12, 7 
   CONTROL "+", 2024, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 152, 61, 12, 7 
   CONTROL "-", 2029, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_DISABLED | WS_TABSTOP, 167, 61, 12, 7 
   CONTROL "(B)", 2014, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 182, 61, 12, 7 
   CONTROL "ٶȣ", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE, 108, 73, 24, 8 
   CONTROL "70", 2010, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 137, 73, 12, 7 
   CONTROL "+", 2025, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 152, 73, 12, 7 
   CONTROL "-", 2030, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_DISABLED | WS_TABSTOP, 167, 73, 12, 7 
   CONTROL "(B)", 2015, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 182, 73, 12, 7 
   CONTROL "", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE, 108, 85, 24, 8 
   CONTROL "70", 2011, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 137, 85, 12, 7 
   CONTROL "+", 2026, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 152, 85, 12, 7 
   CONTROL "-", 2031, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_DISABLED | WS_TABSTOP, 167, 85, 12, 7 
   CONTROL "(B)", 2016, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 182, 85, 12, 7 
   CONTROL "", 2001, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 201, 70, 23, 11 
   CONTROL "ȷ", 2032, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_DISABLED | WS_TABSTOP, 201, 84, 23, 11 
}


   ==> [ű (C)] ==> ļ ע⣺ResHackerʱԶݵļƫƣ

;--------------------------------------------------------------------------------------------------------------------

޸ģ ޸

1. ʼ

   ڴ004BE000H ~004C0000H֮0 ֮[Ƶִļ]


2. ʾַزļ

   004BE7C0  28 45 29 00 28 44 29 00 28 43 29 00 28 42 29 00  (E).(D).(C).(B).
   004BE7D0  28 41 29 00 28 53 29 00 28 58 29 00 00 00 00 00  (A).(S).(X).....
   004BE7E0  6E 61 6D 65 2E 65 35 00 44 61 74 61 2E 65 35 00  name.e5.Data.e5.


3. [佫鱨]ʱͷʾ

00407660     /E9 00010000   jmp     00407765


4. [71H: Ч]ָڵַ

00410C02      00004C00      dd      Ekd5_oph.004C0000


5. [71H: Ч]ָ

004C0000    55              push    ebp
004C0001    8BEC            mov     ebp, esp
004C0003    6A 04           push    4
004C0005    8B4D 08         mov     ecx, dword ptr [ebp+8]
004C0008    E8 EA83F5FF     call    004183F7
004C000D    3D 00000080     cmp     eax, 80000000
004C0012    74 13           je      short 004C0027
004C0014    3D FF030000     cmp     eax, 3FF
004C0019    77 0C           ja      short 004C0027
004C001B    50              push    eax
004C001C    E8 DF000000     call    004C0100
004C0021    33C0            xor     eax, eax
004C0023    FEC0            inc     al
004C0025    EB 05           jmp     short 004C002C
004C0027    B8 05000000     mov     eax, 5
004C002C    C9              leave
004C002D    C3              retn

         ݣ

         55 8B EC 6A 04 8B 4D 08 E8 EA 83 F5 FF 3D 00 00 00 80 74 13 3D FF 03 00 00 77 0C 50 E8 DF 00 00
         00 33 C0 FE C0 EB 05 B8 05 00 00 00 C9 C3


6. Ի[71H: Ч]ָȡֵΧ0 ~1023Ĵ

004C0100    55              push    ebp
004C0101    8BEC            mov     ebp, esp
004C0103    83C4 C4         add     esp, -3C
004C0106    B9 00E04B00     mov     ecx, 004BE000                    ; ԭԴRVA
004C010B    894D C4         mov     dword ptr [ebp-3C], ecx
004C010E    B8 485F5000     mov     eax, 00505F48                    ; 4050αڴַ
004C0113    8941 0C         mov     dword ptr [ecx+C], eax
004C0116    8B45 08         mov     eax, dword ptr [ebp+8]           ; [71HЧ]ָ
004C0119    8941 10         mov     dword ptr [ecx+10], eax
004C011C    B9 606A4B00     mov     ecx, 004B6A60
004C0121    8B11            mov     edx, dword ptr [ecx]             ; ģ
004C0123    8B49 08         mov     ecx, dword ptr [ecx+8]           ; ھ
004C0126    8D45 C8         lea     eax, dword ptr [ebp-38]          ; [ԭ佫趨]Իؼַ
004C0129    50              push    eax                              ; ݸԻWM_INITDIALOGϢԶ
004C012A    68 50014C00     push    004C0150                         ; [ԭ佫趨]Ի̵ַ
004C012F    51              push    ecx
004C0130    68 91010000     push    191                              ; ԻID
004C0135    52              push    edx
004C0136    FF15 A0624800   call    dword ptr [<&USER32.DialogBoxPar>; USER32.DialogBoxParamA
004C013C    B9 0C000000     mov     ecx, 0C                          ; Ϣѭ
004C0141    57              push    edi
004C0142    8B7D C4         mov     edi, dword ptr [ebp-3C]          ; ԭԴRVA
004C0145    33C0            xor     eax, eax
004C0147    F3:AB           rep     stos dword ptr es:[edi]
004C0149    5F              pop     edi
004C014A    C9              leave
004C014B    C2 0400         retn    4

         ݣ

         55 8B EC 83 C4 C4 B9 00 E0 4B 00 89 4D C4 B8 48 5F 50 00 89 41 0C 8B 45 08 89 41 10 B9 60 6A 4B
         00 8B 11 8B 49 08 8D 45 C8 50 68 50 01 4C 00 51 68 91 01 00 00 52 FF 15 A0 62 48 00 B9 0C 00 00
         00 57 8B 7D C4 33 C0 F3 AB 5F C9 C2 04 00


7. Ի̻ص

004C0150    55              push    ebp                              ; _ProcDlgMain
004C0151    8BEC            mov     ebp, esp
004C0153    83C4 F0         add     esp, -10
004C0156    8B45 0C         mov     eax, dword ptr [ebp+C]           ; _wMsg
004C0159    3D 11010000     cmp     eax, 111                         ; WM_COMMAND
004C015E    0F85 0B010000   jnz     004C026F
004C0164    0FB745 10       movzx   eax, word ptr [ebp+10]
004C0168    3D D2070000     cmp     eax, 7D2
004C016D    75 14           jnz     short 004C0183
004C016F    6A 00           push    0
004C0171    68 28030000     push    328
004C0176    FF75 08         push    dword ptr [ebp+8]
004C0179    E8 FA040000     call    004C0678                         ; _CheckedBoyOrGirl
004C017E    E9 25010000     jmp     004C02A8
004C0183    3D D3070000     cmp     eax, 7D3
004C0188    75 14           jnz     short 004C019E
004C018A    6A 01           push    1
004C018C    68 32030000     push    332
004C0191    FF75 08         push    dword ptr [ebp+8]
004C0194    E8 DF040000     call    004C0678                         ; _CheckedBoyOrGirl
004C0199    E9 0A010000     jmp     004C02A8
004C019E    3D E4070000     cmp     eax, 7E4
004C01A3    75 0F           jnz     short 004C01B4
004C01A5    6A 00           push    0
004C01A7    FF75 08         push    dword ptr [ebp+8]
004C01AA    E8 F1030000     call    004C05A0                         ; _ChooseFaceBmp
004C01AF    E9 F4000000     jmp     004C02A8
004C01B4    3D E5070000     cmp     eax, 7E5
004C01B9    75 0F           jnz     short 004C01CA
004C01BB    6A 01           push    1
004C01BD    FF75 08         push    dword ptr [ebp+8]
004C01C0    E8 DB030000     call    004C05A0                         ; _ChooseFaceBmp
004C01C5    E9 DE000000     jmp     004C02A8
004C01CA    3D F1070000     cmp     eax, 7F1
004C01CF    75 41           jnz     short 004C0212
004C01D1    B9 00E04B00     mov     ecx, 004BE000
004C01D6    8B49 04         mov     ecx, dword ptr [ecx+4]
004C01D9    FF71 30         push    dword ptr [ecx+30]
004C01DC    8F45 FC         pop     dword ptr [ebp-4]
004C01DF    6A 10           push    10
004C01E1    8D45 F0         lea     eax, dword ptr [ebp-10]
004C01E4    50              push    eax
004C01E5    FF71 34         push    dword ptr [ecx+34]
004C01E8    FF15 B4634800   call    dword ptr [<&USER32.GetWindowTex>; USER32.GetWindowTextA
004C01EE    0BC0            or      eax, eax
004C01F0    74 10           je      short 004C0202
004C01F2    6A 01           push    1
004C01F4    FF75 FC         push    dword ptr [ebp-4]
004C01F7    FF15 E8624800   call    dword ptr [<&USER32.EnableWindow>; USER32.EnableWindow
004C01FD    E9 A6000000     jmp     004C02A8
004C0202    6A 00           push    0
004C0204    FF75 FC         push    dword ptr [ebp-4]
004C0207    FF15 E8624800   call    dword ptr [<&USER32.EnableWindow>; USER32.EnableWindow
004C020D    E9 96000000     jmp     004C02A8
004C0212    3D D1070000     cmp     eax, 7D1
004C0217    75 0F           jnz     short 004C0228
004C0219    6A 00           push    0
004C021B    FF75 08         push    dword ptr [ebp+8]
004C021E    E8 3D020000     call    004C0460                         ; _Restart
004C0223    E9 80000000     jmp     004C02A8
004C0228    3D F0070000     cmp     eax, 7F0
004C022D    75 0A           jnz     short 004C0239
004C022F    FF75 08         push    dword ptr [ebp+8]
004C0232    E8 83060000     call    004C08BA                         ; _FixLeave
004C0237    EB 6F           jmp     short 004C02A8
004C0239    3D E5070000     cmp     eax, 7E5
004C023E    76 14           jbe     short 004C0254
004C0240    3D EB070000     cmp     eax, 7EB
004C0245    73 0D           jnb     short 004C0254
004C0247    6A 00           push    0
004C0249    50              push    eax
004C024A    FF75 08         push    dword ptr [ebp+8]
004C024D    E8 C6040000     call    004C0718                         ; _AbilityIncOrDec
004C0252    EB 54           jmp     short 004C02A8
004C0254    3D EA070000     cmp     eax, 7EA
004C0259    76 4D           jbe     short 004C02A8
004C025B    3D F0070000     cmp     eax, 7F0
004C0260    73 46           jnb     short 004C02A8
004C0262    6A 01           push    1
004C0264    50              push    eax
004C0265    FF75 08         push    dword ptr [ebp+8]
004C0268    E8 AB040000     call    004C0718                         ; _AbilityIncOrDec
004C026D    EB 39           jmp     short 004C02A8
004C026F    83F8 10         cmp     eax, 10                          ; WM_CLOSE
004C0272    75 1A           jnz     short 004C028E
004C0274    B9 00E04B00     mov     ecx, 004BE000
004C0279    FF31            push    dword ptr [ecx]
004C027B    FF15 48604800   call    dword ptr [<&GDI32.DeleteObject>>; GDI32.DeleteObject
004C0281    6A 00           push    0
004C0283    FF75 08         push    dword ptr [ebp+8]
004C0286    FF15 D4624800   call    dword ptr [<&USER32.EndDialog>]  ; USER32.EndDialog
004C028C    EB 1A           jmp     short 004C02A8
004C028E    3D 10010000     cmp     eax, 110                         ; WM_INITDIALOG
004C0293    75 0D           jnz     short 004C02A2
004C0295    FF75 14         push    dword ptr [ebp+14]
004C0298    FF75 08         push    dword ptr [ebp+8]
004C029B    E8 10000000     call    004C02B0                         ; _InitDlg
004C02A0    EB 06           jmp     short 004C02A8
004C02A2    33C0            xor     eax, eax
004C02A4    C9              leave
004C02A5    C2 1000         retn    10
004C02A8    33C0            xor     eax, eax
004C02AA    FEC0            inc     al
004C02AC    C9              leave
004C02AD    C2 1000         retn    10

         ݣ

         55 8B EC 83 C4 F0 8B 45 0C 3D 11 01 00 00 0F 85 0B 01 00 00 0F B7 45 10 3D D2 07 00 00 75 14 6A
         00 68 28 03 00 00 FF 75 08 E8 FA 04 00 00 E9 25 01 00 00 3D D3 07 00 00 75 14 6A 01 68 32 03 00
         00 FF 75 08 E8 DF 04 00 00 E9 0A 01 00 00 3D E4 07 00 00 75 0F 6A 00 FF 75 08 E8 F1 03 00 00 E9
         F4 00 00 00 3D E5 07 00 00 75 0F 6A 01 FF 75 08 E8 DB 03 00 00 E9 DE 00 00 00 3D F1 07 00 00 75
         41 B9 00 E0 4B 00 8B 49 04 FF 71 30 8F 45 FC 6A 10 8D 45 F0 50 FF 71 34 FF 15 B4 63 48 00 0B C0
         74 10 6A 01 FF 75 FC FF 15 E8 62 48 00 E9 A6 00 00 00 6A 00 FF 75 FC FF 15 E8 62 48 00 E9 96 00
         00 00 3D D1 07 00 00 75 0F 6A 00 FF 75 08 E8 3D 02 00 00 E9 80 00 00 00 3D F0 07 00 00 75 0A FF
         75 08 E8 83 06 00 00 EB 6F 3D E5 07 00 00 76 14 3D EB 07 00 00 73 0D 6A 00 50 FF 75 08 E8 C6 04
         00 00 EB 54 3D EA 07 00 00 76 4D 3D F0 07 00 00 73 46 6A 01 50 FF 75 08 E8 AB 04 00 00 EB 39 83
         F8 10 75 1A B9 00 E0 4B 00 FF 31 FF 15 48 60 48 00 6A 00 FF 75 08 FF 15 D4 62 48 00 EB 1A 3D 10
         01 00 00 75 0D FF 75 14 FF 75 08 E8 10 00 00 00 EB 06 33 C0 C9 C2 10 00 33 C0 FE C0 C9 C2 10 00


8. WM_INITDIALOGϢ

004C02B0    55                 push    ebp                                    ; _InitDlg
004C02B1    8BEC               mov     ebp, esp
004C02B3    83C4 E4            add     esp, -1C
004C02B6    B9 00E04B00        mov     ecx, 004BE000                          ; ԭԴRVA
004C02BB    894D F8            mov     dword ptr [ebp-8], ecx
004C02BE    8B51 10            mov     edx, dword ptr [ecx+10]                ; [71HЧ]ָ(ԭ佫DATA)
004C02C1    42                 inc     edx
004C02C2    53                 push    ebx                                    ; EBXĴ
004C02C3    8BD9               mov     ebx, ecx
004C02C5    81C3 00020000      add     ebx, 200                               ; 4BE200Hԭ佫ṹڵַ
004C02CB    8959 10            mov     dword ptr [ecx+10], ebx
004C02CE    895D E4            mov     dword ptr [ebp-1C], ebx
004C02D1    B9 06000000        mov     ecx, 6                                 ; ָ6ԭ佫
004C02D6    66:8B03            mov     ax, word ptr [ebx]                     ; ȡԭṹһֶ(佫DATA+1)
004C02D9    66:3BC2            cmp     ax, dx                                 ; 佫ǷѾ
004C02DC    75 06              jnz     short 004C02E4
004C02DE    5B                 pop     ebx                                    ; ¼佫Ի
004C02DF    E9 0C010000        jmp     004C03F0
004C02E4    83C3 10            add     ebx, 10                                ; EBXָԭṹһĿ
004C02E7  ^ E2 ED              loopd   short 004C02D6
004C02E9    8B5D E4            mov     ebx, dword ptr [ebp-1C]                ; ԭ佫ṹڵַ
004C02EC    C645 FC 00         mov     byte ptr [ebp-4], 0                    ; ۼ0
004C02F0    B1 06              mov     cl, 6
004C02F2    66:8B03            mov     ax, word ptr [ebx]                     ; ȡԭṹһֶ(佫DATA+1)
004C02F5    66:0BC0            or      ax, ax                                 ; ⵱ǰĿǷΪ
004C02F8    74 0C              je      short 004C0306
004C02FA    83C3 10            add     ebx, 10                                ; EBXָԭṹһĿ
004C02FD    FF45 FC            inc     dword ptr [ebp-4]                      ; Ŀ1
004C0300  ^ E2 F0              loopd   short 004C02F2
004C0302    08C9               or      cl, cl                                 ; Ѵԭ佫ǷΪ6
004C0304  ^ 74 D8              je      short 004C02DE
004C0306    66:8913            mov     word ptr [ebx], dx             ; ڿλ(޿ʱдһ)дDATAż1
004C0309    8A45 FC            mov     al, byte ptr [ebp-4]                   ; ȡĿ
004C030C    8B5D F8            mov     ebx, dword ptr [ebp-8]                 ; ԭԴRVA
004C030F    8843 1D            mov     byte ptr [ebx+1D], al
004C0312    5B                 pop     ebx
004C0313    C745 FC F1070000   mov     dword ptr [ebp-4], 7F1
004C031A    6A 00              push    0
004C031C    6A 0C              push    0C
004C031E    68 C5000000        push    0C5
004C0323    FF75 FC            push    dword ptr [ebp-4]
004C0326    FF75 08            push    dword ptr [ebp+8]
004C0329    FF15 90634800      call    dword ptr [<&USER32.SendDlgItemMessage>; USER32.SendDlgItemMessageA
004C032F    8B45 F8            mov     eax, dword ptr [ebp-8]
004C0332    8B48 0C            mov     ecx, dword ptr [eax+C]                 ; ָ4050ͱ
004C0335    8B11               mov     edx, dword ptr [ecx]                   ; ȡ籾ָ4ҿѡְҵEDX
004C0337    57                 push    edi
004C0338    8D7D E4            lea     edi, dword ptr [ebp-1C]
004C033B    33C0               xor     eax, eax
004C033D    AB                 stos    dword ptr es:[edi]                     ; ѡְҵ0
004C033E    B9 04000000        mov     ecx, 4
004C0343    0AD2               or      dl, dl                                 ; Ƿδָ
004C0345    74 15              je      short 004C035C
004C0347    80FA 35            cmp     dl, 35                                 ; ǷЧִ(52ű)
004C034A    77 10              ja      short 004C035C
004C034C    FECA               dec     dl                                     ; ȡǰıִ
004C034E    0FB6C2             movzx   eax, dl
004C0351    8B0485 A8BE4800    mov     eax, dword ptr [eax*4+48BEA8]          ; ȡַָ
004C0358    AB                 stos    dword ptr es:[edi]                     ; 뺯ڲ
004C0359    FE45 E4            inc     byte ptr [ebp-1C]                      ; ѡְҵ1
004C035C    C1EA 08            shr     edx, 8                                 ; һ籾ְָҵ
004C035F  ^ E2 E2              loopd   short 004C0343
004C0361    807D E4 00         cmp     byte ptr [ebp-1C], 0                   ; 籾Ƿָ˿ѡְҵ
004C0365    75 12              jnz     short 004C0379
004C0367    8B4D F8            mov     ecx, dword ptr [ebp-8]                 ; offset hTouBmp(ԭԴRVA)
004C036A    8B49 0C            mov     ecx, dword ptr [ecx+C]
004C036D    C601 01            mov     byte ptr [ecx], 1                      ; Ĭʹ0űִ
004C0370    A1 A8BE4800        mov     eax, dword ptr [48BEA8]                ; Ĭʹ0ű
004C0375    AB                 stos    dword ptr es:[edi]
004C0376    FE45 E4            inc     byte ptr [ebp-1C]
004C0379    8D7D E8            lea     edi, dword ptr [ebp-18]
004C037C    836D FC 1C         sub     dword ptr [ebp-4], 1C
004C0380    EB 1B              jmp     short 004C039D
004C0382    FF37               push    dword ptr [edi]
004C0384    6A 00              push    0
004C0386    68 43010000        push    143
004C038B    FF75 FC            push    dword ptr [ebp-4]
004C038E    FF75 08            push    dword ptr [ebp+8]
004C0391    FF15 90634800      call    dword ptr [<&USER32.SendDlgItemMessage>; USER32.SendDlgItemMessageA
004C0397    83C7 04            add     edi, 4
004C039A    FF4D E4            dec     dword ptr [ebp-1C]
004C039D    807D E4 00         cmp     byte ptr [ebp-1C], 0                   ; ѭѡְҵ
004C03A1  ^ 77 DF              ja      short 004C0382
004C03A3    8345 FC 0F         add     dword ptr [ebp-4], 0F
004C03A7    8B7D 0C            mov     edi, dword ptr [ebp+C]
004C03AA    8B45 F8            mov     eax, dword ptr [ebp-8]
004C03AD    8978 04            mov     dword ptr [eax+4], edi
004C03B0    EB 10              jmp     short 004C03C2
004C03B2    FF75 FC            push    dword ptr [ebp-4]
004C03B5    FF75 08            push    dword ptr [ebp+8]
004C03B8    FF15 DC624800      call    dword ptr [<&USER32.GetDlgItem>]       ; USER32.GetDlgItem
004C03BE    AB                 stos    dword ptr es:[edi]
004C03BF    FF45 FC            inc     dword ptr [ebp-4]
004C03C2    817D FC F2070000   cmp     dword ptr [ebp-4], 7F2                 ; ѭȡԻҪؼľ
004C03C9  ^ 72 E7              jb      short 004C03B2
004C03CB    83EF 04            sub     edi, 4
004C03CE    68 00044C00        push    004C0400                               ; offset _NameEdit
004C03D3    6A FC              push    -4
004C03D5    FF37               push    dword ptr [edi]
004C03D7    FF15 50634800      call    dword ptr [<&USER32.SetWindowLongA>]   ; USER32.SetWindowLongA
004C03DD    8B4D F8            mov     ecx, dword ptr [ebp-8]
004C03E0    8941 08            mov     dword ptr [ecx+8], eax                 ; lpOldNameEdit
004C03E3    5F                 pop     edi
004C03E4    6A 01              push    1
004C03E6    FF75 08            push    dword ptr [ebp+8]
004C03E9    E8 72000000        call    004C0460                               ; _Restart
004C03EE    EB 0B              jmp     short 004C03FB
004C03F0    6A 00              push    0
004C03F2    FF75 08            push    dword ptr [ebp+8]
004C03F5    FF15 D4624800      call    dword ptr [<&USER32.EndDialog>]        ; USER32.EndDialog
004C03FB    C9                 leave
004C03FC    C2 0800            retn    8
004C03FF    90                 nop

         ݣ

         55 8B EC 83 C4 E4 B9 00 E0 4B 00 89 4D F8 8B 51 10 42 53 8B D9 81 C3 00 02 00 00 89 59 10 89 5D
         E4 B9 06 00 00 00 66 8B 03 66 3B C2 75 06 5B E9 0C 01 00 00 83 C3 10 E2 ED 8B 5D E4 C6 45 FC 00
         B1 06 66 8B 03 66 0B C0 74 0C 83 C3 10 FF 45 FC E2 F0 08 C9 74 D8 66 89 13 8A 45 FC 8B 5D F8 88
         43 1D 5B C7 45 FC F1 07 00 00 6A 00 6A 0C 68 C5 00 00 00 FF 75 FC FF 75 08 FF 15 90 63 48 00 8B
         45 F8 8B 48 0C 8B 11 57 8D 7D E4 33 C0 AB B9 04 00 00 00 0A D2 74 15 80 FA 35 77 10 FE CA 0F B6
         C2 8B 04 85 A8 BE 48 00 AB FE 45 E4 C1 EA 08 E2 E2 80 7D E4 00 75 12 8B 4D F8 8B 49 0C C6 01 01
         A1 A8 BE 48 00 AB FE 45 E4 8D 7D E8 83 6D FC 1C EB 1B FF 37 6A 00 68 43 01 00 00 FF 75 FC FF 75
         08 FF 15 90 63 48 00 83 C7 04 FF 4D E4 80 7D E4 00 77 DF 83 45 FC 0F 8B 7D 0C 8B 45 F8 89 78 04
         EB 10 FF 75 FC FF 75 08 FF 15 DC 62 48 00 AB FF 45 FC 81 7D FC F2 07 00 00 72 E7 83 EF 04 68 00
         04 4C 00 6A FC FF 37 FF 15 50 63 48 00 8B 4D F8 89 41 08 5F 6A 01 FF 75 08 E8 72 00 00 00 EB 0B
         6A 00 FF 75 08 FF 15 D4 62 48 00 C9 C2 08 00 90


9. ໯佫༭µĴڹ

004C0400    55                 push    ebp                                    ; _NameEdit
004C0401    8BEC               mov     ebp, esp
004C0403    8B45 0C            mov     eax, dword ptr [ebp+C]
004C0406    3D 02010000        cmp     eax, 102                               ; WM_CHAR
004C040B    75 25              jnz     short 004C0432
004C040D    8B45 10            mov     eax, dword ptr [ebp+10]
004C0410    3C 20              cmp     al, 20                                 ; .if al > 32 && al < 65
004C0412    76 08              jbe     short 004C041C
004C0414    3C 41              cmp     al, 41
004C0416    73 04              jnb     short 004C041C
004C0418    EB 34              jmp     short 004C044E
004C041A    EB 16              jmp     short 004C0432
004C041C    3C 5A              cmp     al, 5A                                 ; .elseif al > 90 && al < 97
004C041E    76 08              jbe     short 004C0428
004C0420    3C 61              cmp     al, 61
004C0422    73 04              jnb     short 004C0428
004C0424    EB 28              jmp     short 004C044E
004C0426    EB 0A              jmp     short 004C0432
004C0428    3C 7A              cmp     al, 7A                                 ; .elseif al > 122 && al < 128
004C042A    76 06              jbe     short 004C0432
004C042C    3C 80              cmp     al, 80
004C042E    73 02              jnb     short 004C0432
004C0430    EB 1C              jmp     short 004C044E
004C0432    B9 00E04B00        mov     ecx, 004BE000
004C0437    FF75 14            push    dword ptr [ebp+14]
004C043A    FF75 10            push    dword ptr [ebp+10]
004C043D    FF75 0C            push    dword ptr [ebp+C]
004C0440    FF75 08            push    dword ptr [ebp+8]
004C0443    FF71 08            push    dword ptr [ecx+8]
004C0446    FF15 4C634800      call    dword ptr [<&USER32.CallWindowProcA>]  ; USER32.CallWindowProcA
004C044C    EB 02              jmp     short 004C0450
004C044E    33C0               xor     eax, eax
004C0450    C9                 leave
004C0451    C2 1000            retn    10

         ݣ

         55 8B EC 8B 45 0C 3D 02 01 00 00 75 25 8B 45 10 3C 20 76 08 3C 41 73 04 EB 34 EB 16 3C 5A 76 08
         3C 61 73 04 EB 28 EB 0A 3C 7A 76 06 3C 80 73 02 EB 1C B9 00 E0 4B 00 FF 75 14 FF 75 10 FF 75 0C
         FF 75 08 FF 71 08 FF 15 4C 63 48 00 EB 02 33 C0 C9 C2 10 00


10. []ťӦ

004C0460    55                 push    ebp                                    ; _Restart(hDlg, bDataOnly)
004C0461    8BEC               mov     ebp, esp
004C0463    83C4 F4            add     esp, -0C                               ; three local dwords
004C0466    BA 00E04B00        mov     edx, 004BE000                          ; offset hTouBmp (4BE000H data block)
004C046B    8955 F4            mov     dword ptr [ebp-C], edx
004C046E    8BCA               mov     ecx, edx
004C0470    8B41 04            mov     eax, dword ptr [ecx+4]                 ; lpDlgItemHandel: table of dialog control handles
004C0473    8945 F8            mov     dword ptr [ebp-8], eax
004C0476    83C1 14            add     ecx, 14                                ; ECX -> remaining points (+14H)
004C0479    C601 28            mov     byte ptr [ecx], 28                     ; remaining points = 40
004C047C    33C0               xor     eax, eax
004C047E    8941 01            mov     dword ptr [ecx+1], eax                 ; abilities 1..4 (+15H..+18H) = 0
004C0481    8941 05            mov     dword ptr [ecx+5], eax                 ; ability 5 (+19H) = 0, gender (+1AH) = 0 = male, portrait index (+1BH, word) = 0
004C0484    FF32               push    dword ptr [edx]
004C0486    FF15 48604800      call    dword ptr [<&GDI32.DeleteObject>]      ; GDI32.DeleteObject - free the current portrait bitmap
004C048C    6A 40              push    40                                     ; fuLoad = LR_DEFAULTSIZE
004C048E    6A 00              push    0                                      ; cy
004C0490    6A 00              push    0                                      ; cx
004C0492    6A 00              push    0                                      ; uType = IMAGE_BITMAP
004C0494    68 28030000        push    328                                    ; resource ID 808: first male portrait
004C0499    FF35 F50E5000      push    dword ptr [500EF5]                     ; HINSTANCE the game keeps at 500EF5
004C049F    FF15 34705100      call    dword ptr [517034]                     ; USER32.LoadImageA
004C04A5    8B4D F4            mov     ecx, dword ptr [ebp-C]
004C04A8    8901               mov     dword ptr [ecx], eax                   ; hTouBmp = new bitmap
004C04AA    50                 push    eax                                    ; lParam = hBitmap
004C04AB    6A 00              push    0                                      ; wParam = IMAGE_BITMAP
004C04AD    68 72010000        push    172                                    ; STM_SETIMAGE
004C04B2    68 D0070000        push    7D0                                    ; control 2000: portrait picture
004C04B7    FF75 08            push    dword ptr [ebp+8]
004C04BA    FF15 90634800      call    dword ptr [<&USER32.SendDlgItemMessageA>] ; USER32.SendDlgItemMessageA
004C04C0    6A 00              push    0
004C04C2    6A 01              push    1                                      ; BST_CHECKED
004C04C4    68 F1000000        push    0F1                                    ; BM_SETCHECK
004C04C9    68 D2070000        push    7D2                                    ; control 2002: [Male] radio button
004C04CE    FF75 08            push    dword ptr [ebp+8]
004C04D1    FF15 90634800      call    dword ptr [<&USER32.SendDlgItemMessageA>] ; USER32.SendDlgItemMessageA
004C04D7    6A 00              push    0
004C04D9    6A 00              push    0                                      ; BST_UNCHECKED
004C04DB    68 F1000000        push    0F1                                    ; BM_SETCHECK
004C04E0    68 D3070000        push    7D3                                    ; control 2003: [Female] radio button
004C04E5    FF75 08            push    dword ptr [ebp+8]
004C04E8    FF15 90634800      call    dword ptr [<&USER32.SendDlgItemMessageA>] ; USER32.SendDlgItemMessageA
004C04EE    6A 00              push    0
004C04F0    6A 00              push    0                                      ; index 0
004C04F2    68 4E010000        push    14E                                    ; CB_SETCURSEL
004C04F7    68 D5070000        push    7D5                                    ; control 2005: combo box, first entry selected
004C04FC    FF75 08            push    dword ptr [ebp+8]
004C04FF    FF15 90634800      call    dword ptr [<&USER32.SendDlgItemMessageA>] ; USER32.SendDlgItemMessageA
004C0505    807D 0C 00         cmp     byte ptr [ebp+C], 0                    ; second parameter != 0: reset data and picture only, leave the other controls alone
004C0509    0F85 89000000      jnz     004C0598
004C050F    B9 0D000000        mov     ecx, 0D                                ; 13 handles in the table
004C0514    51                 push    ecx                                    ; save loop counter
004C0515    83F9 0D            cmp     ecx, 0D
004C0518    75 04              jnz     short 004C051E
004C051A    33C9               xor     ecx, ecx                               ; entry 0 ([Previous]): disable, the portrait index is 0
004C051C    EB 07              jmp     short 004C0525
004C051E    83F9 07            cmp     ecx, 7
004C0521    73 02              jnb     short 004C0525                         ; entries 1..6 ([Next] and the five [+]): ECX != 0 = enable
004C0523    33C9               xor     ecx, ecx                               ; entries 7..12 (the five [-] and the last entry): disable
004C0525    8B45 F8            mov     eax, dword ptr [ebp-8]
004C0528    51                 push    ecx                                    ; bEnable
004C0529    FF30               push    dword ptr [eax]                        ; hWnd
004C052B    FF15 E8624800      call    dword ptr [<&USER32.EnableWindow>]     ; USER32.EnableWindow
004C0531    8345 F8 04         add     dword ptr [ebp-8], 4                   ; next handle
004C0535    59                 pop     ecx
004C0536  ^ E2 DC              loopd   short 004C0514                         ; loop over all buttons
004C0538    68 CCE74B00        push    004BE7CC                               ; ASCII "(B)": rank label for 70
004C053D    8F45 F8            pop     dword ptr [ebp-8]
004C0540    C745 FC D7070000   mov     dword ptr [ebp-4], 7D7                 ; control 2007: first ability value; its label is ID + 5
004C0547    B9 05000000        mov     ecx, 5                                 ; five abilities
004C054C    51                 push    ecx
004C054D    6A 00              push    0                                      ; bSigned = FALSE
004C054F    6A 46              push    46                                     ; 70 = base value with 0 points
004C0551    FF75 FC            push    dword ptr [ebp-4]
004C0554    FF75 08            push    dword ptr [ebp+8]
004C0557    FF15 E4624800      call    dword ptr [<&USER32.SetDlgItemInt>]    ; USER32.SetDlgItemInt
004C055D    8B45 FC            mov     eax, dword ptr [ebp-4]
004C0560    83C0 05            add     eax, 5                                 ; label control = value control + 5
004C0563    FF75 F8            push    dword ptr [ebp-8]                      ; "(B)"
004C0566    50                 push    eax
004C0567    FF75 08            push    dword ptr [ebp+8]
004C056A    FF15 D8624800      call    dword ptr [<&USER32.SetDlgItemTextA>]  ; USER32.SetDlgItemTextA
004C0570    FE45 FC            inc     byte ptr [ebp-4]                       ; next control ID (low byte only; 7D7H..7DBH never carry)
004C0573    59                 pop     ecx
004C0574  ^ E2 D6              loopd   short 004C054C                         ; loop: show 70 / (B) for each of the five abilities
004C0576    6A 00              push    0
004C0578    6A 28              push    28                                     ; 40
004C057A    68 D6070000        push    7D6                                    ; control 2006: remaining points
004C057F    FF75 08            push    dword ptr [ebp+8]
004C0582    FF15 E4624800      call    dword ptr [<&USER32.SetDlgItemInt>]    ; USER32.SetDlgItemInt
004C0588    6A 00              push    0                                      ; lpString = NULL: empty text
004C058A    68 F1070000        push    7F1                                    ; control 2033
004C058F    FF75 08            push    dword ptr [ebp+8]
004C0592    FF15 D8624800      call    dword ptr [<&USER32.SetDlgItemTextA>]  ; USER32.SetDlgItemTextA
004C0598    C9                 leave
004C0599    C2 0800            retn    8                                      ; stdcall, 2 parameters

         Machine code:

         55 8B EC 83 C4 F4 BA 00 E0 4B 00 89 55 F4 8B CA 8B 41 04 89 45 F8 83 C1 14 C6 01 28 33 C0 89 41
         01 89 41 05 FF 32 FF 15 48 60 48 00 6A 40 6A 00 6A 00 6A 00 68 28 03 00 00 FF 35 F5 0E 50 00 FF
         15 34 70 51 00 8B 4D F4 89 01 50 6A 00 68 72 01 00 00 68 D0 07 00 00 FF 75 08 FF 15 90 63 48 00
         6A 00 6A 01 68 F1 00 00 00 68 D2 07 00 00 FF 75 08 FF 15 90 63 48 00 6A 00 6A 00 68 F1 00 00 00
         68 D3 07 00 00 FF 75 08 FF 15 90 63 48 00 6A 00 6A 00 68 4E 01 00 00 68 D5 07 00 00 FF 75 08 FF
         15 90 63 48 00 80 7D 0C 00 0F 85 89 00 00 00 B9 0D 00 00 00 51 83 F9 0D 75 04 33 C9 EB 07 83 F9
         07 73 02 33 C9 8B 45 F8 51 FF 30 FF 15 E8 62 48 00 83 45 F8 04 59 E2 DC 68 CC E7 4B 00 8F 45 F8
         C7 45 FC D7 07 00 00 B9 05 00 00 00 51 6A 00 6A 46 FF 75 FC FF 75 08 FF 15 E4 62 48 00 8B 45 FC
         83 C0 05 FF 75 F8 50 FF 75 08 FF 15 D8 62 48 00 FE 45 FC 59 E2 D6 6A 00 6A 28 68 D6 07 00 00 FF
         75 08 FF 15 E4 62 48 00 6A 00 68 F1 07 00 00 FF 75 08 FF 15 D8 62 48 00 C9 C2 08 00


11. [Previous] / [Next] button handler

004C05A0    55                 push    ebp                                    ; _ChooseFaceBmp(hDlg, bNext)
004C05A1    8BEC               mov     ebp, esp
004C05A3    83C4 F4            add     esp, -0C
004C05A6    B9 00E04B00        mov     ecx, 004BE000                          ; offset hTouBmp (4BE000H data block)
004C05AB    894D F4            mov     dword ptr [ebp-C], ecx
004C05AE    51                 push    ecx
004C05AF    FF31               push    dword ptr [ecx]                        ; current portrait bitmap
004C05B1    FF15 48604800      call    dword ptr [<&GDI32.DeleteObject>]      ; GDI32.DeleteObject
004C05B7    59                 pop     ecx                                    ; offset hTouBmp
004C05B8    83C1 1A            add     ecx, 1A                                ; ECX -> gender flag (+1AH)
004C05BB    0FB741 01          movzx   eax, word ptr [ecx+1]                  ; portrait index within the gender (+1BH), 0..9
004C05BF    807D 0C 00         cmp     byte ptr [ebp+C], 0                    ; which button: 0 = [Previous], otherwise [Next]
004C05C3    75 04              jnz     short 004C05C9
004C05C5    FEC8               dec     al                                     ; [Previous]: index - 1
004C05C7    EB 02              jmp     short 004C05CB
004C05C9    FEC0               inc     al                                     ; [Next]: index + 1
004C05CB    66:8941 01         mov     word ptr [ecx+1], ax                   ; store the new index
004C05CF    8945 FC            mov     dword ptr [ebp-4], eax
004C05D2    8039 00            cmp     byte ptr [ecx], 0                      ; gender currently selected
004C05D5    75 04              jnz     short 004C05DB
004C05D7    32D2               xor     dl, dl                                 ; male: no offset
004C05D9    EB 02              jmp     short 004C05DD
004C05DB    B2 0A              mov     dl, 0A                                 ; female: offset 10
004C05DD    02C2               add     al, dl
004C05DF    05 28030000        add     eax, 328                               ; + 808 = first custom-general portrait resource (male 808..817, female 818..827)
004C05E4    6A 40              push    40                                     ; LR_DEFAULTSIZE
004C05E6    6A 00              push    0
004C05E8    6A 00              push    0
004C05EA    6A 00              push    0                                      ; IMAGE_BITMAP
004C05EC    50                 push    eax                                    ; resource ID
004C05ED    FF35 F50E5000      push    dword ptr [500EF5]                     ; HINSTANCE
004C05F3    FF15 34705100      call    dword ptr [517034]                     ; USER32.LoadImageA
004C05F9    8B4D F4            mov     ecx, dword ptr [ebp-C]
004C05FC    8901               mov     dword ptr [ecx], eax                   ; hTouBmp = new bitmap
004C05FE    50                 push    eax
004C05FF    6A 00              push    0                                      ; IMAGE_BITMAP
004C0601    68 72010000        push    172                                    ; STM_SETIMAGE
004C0606    68 D0070000        push    7D0                                    ; control 2000: portrait picture
004C060B    FF75 08            push    dword ptr [ebp+8]
004C060E    FF15 90634800      call    dword ptr [<&USER32.SendDlgItemMessageA>] ; USER32.SendDlgItemMessageA
004C0614    8B4D F4            mov     ecx, dword ptr [ebp-C]                 ; offset hTouBmp
004C0617    8B49 04            mov     ecx, dword ptr [ecx+4]                 ; lpDlgItemHandel
004C061A    8B41 04            mov     eax, dword ptr [ecx+4]                 ; entry 1: [Next] button
004C061D    8945 F8            mov     dword ptr [ebp-8], eax
004C0620    8B01               mov     eax, dword ptr [ecx]                   ; entry 0: [Previous] button
004C0622    807D 0C 00         cmp     byte ptr [ebp+C], 0                    ; [Previous] pressed?
004C0626    75 22              jnz     short 004C064A
004C0628    807D FC 00         cmp     byte ptr [ebp-4], 0                    ; reached the first portrait?
004C062C    75 09              jnz     short 004C0637
004C062E    6A 00              push    0
004C0630    50                 push    eax
004C0631    FF15 E8624800      call    dword ptr [<&USER32.EnableWindow>]     ; USER32.EnableWindow - disable [Previous]
004C0637    807D FC 09         cmp     byte ptr [ebp-4], 9                    ; not at the last portrait: [Next] must be usable
004C063B    73 2D              jnb     short 004C066A
004C063D    6A 01              push    1
004C063F    FF75 F8            push    dword ptr [ebp-8]
004C0642    FF15 E8624800      call    dword ptr [<&USER32.EnableWindow>]     ; USER32.EnableWindow - enable [Next]
004C0648    EB 20              jmp     short 004C066A
004C064A    807D FC 00         cmp     byte ptr [ebp-4], 0                    ; [Next] pressed: moved past the first portrait?
004C064E    74 09              je      short 004C0659
004C0650    6A 01              push    1
004C0652    50                 push    eax
004C0653    FF15 E8624800      call    dword ptr [<&USER32.EnableWindow>]     ; USER32.EnableWindow - enable [Previous]
004C0659    807D FC 08         cmp     byte ptr [ebp-4], 8                    ; reached the last portrait (index 9)?
004C065D    76 0B              jbe     short 004C066A
004C065F    6A 00              push    0
004C0661    FF75 F8            push    dword ptr [ebp-8]
004C0664    FF15 E8624800      call    dword ptr [<&USER32.EnableWindow>]     ; USER32.EnableWindow - disable [Next]
004C066A    C9                 leave
004C066B    C2 0800            retn    8                                      ; stdcall, 2 parameters

         Machine code:

         55 8B EC 83 C4 F4 B9 00 E0 4B 00 89 4D F4 51 FF 31 FF 15 48 60 48 00 59 83 C1 1A 0F B7 41 01 80
         7D 0C 00 75 04 FE C8 EB 02 FE C0 66 89 41 01 89 45 FC 80 39 00 75 04 32 D2 EB 02 B2 0A 02 C2 05
         28 03 00 00 6A 40 6A 00 6A 00 6A 00 50 FF 35 F5 0E 50 00 FF 15 34 70 51 00 8B 4D F4 89 01 50 6A
         00 68 72 01 00 00 68 D0 07 00 00 FF 75 08 FF 15 90 63 48 00 8B 4D F4 8B 49 04 8B 41 04 89 45 F8
         8B 01 80 7D 0C 00 75 22 80 7D FC 00 75 09 6A 00 50 FF 15 E8 62 48 00 80 7D FC 09 73 2D 6A 01 FF
         75 F8 FF 15 E8 62 48 00 EB 20 80 7D FC 00 74 09 6A 01 50 FF 15 E8 62 48 00 80 7D FC 08 76 0B 6A
         00 FF 75 F8 FF 15 E8 62 48 00 C9 C2 08 00


12. [Male] / [Female] radio button handler

004C0678    55                 push    ebp                                    ; _CheckedBoyOrGirl(hDlg, firstFaceResId, bFemale)
004C0679    8BEC               mov     ebp, esp
004C067B    83C4 F8            add     esp, -8
004C067E    B9 00E04B00        mov     ecx, 004BE000                          ; offset hTouBmp (4BE000H data block)
004C0683    894D F8            mov     dword ptr [ebp-8], ecx
004C0686    83C1 1A            add     ecx, 1A                                ; ECX -> gender flag (+1AH)
004C0689    8A01               mov     al, byte ptr [ecx]
004C068B    807D 10 00         cmp     byte ptr [ebp+10], 0                   ; third parameter 0: [Male] was clicked
004C068F    75 0B              jnz     short 004C069C
004C0691    0AC0               or      al, al                                 ; already male?
004C0693    74 10              je      short 004C06A5                         ; then nothing is stored: the index keeps its value although picture and buttons below are reset
004C0695    66:C701 0000       mov     word ptr [ecx], 0                      ; gender = male; the 16-bit store also zeroes the low byte of the portrait index at +1BH
004C069A    EB 09              jmp     short 004C06A5
004C069C    0AC0               or      al, al                                 ; [Female] clicked: already female?
004C069E    75 05              jnz     short 004C06A5
004C06A0    66:C701 0100       mov     word ptr [ecx], 1                      ; gender = female, portrait index reset to 0 the same way
004C06A5    8B4D F8            mov     ecx, dword ptr [ebp-8]                 ; offset hTouBmp
004C06A8    8B49 04            mov     ecx, dword ptr [ecx+4]                 ; lpDlgItemHandel
004C06AB    8B41 04            mov     eax, dword ptr [ecx+4]                 ; entry 1: [Next] button
004C06AE    8945 FC            mov     dword ptr [ebp-4], eax
004C06B1    8B01               mov     eax, dword ptr [ecx]                   ; entry 0: [Previous] button
004C06B3    6A 00              push    0                                      ; disable [Previous] (first portrait shown)
004C06B5    50                 push    eax
004C06B6    FF15 E8624800      call    dword ptr [<&USER32.EnableWindow>]     ; USER32.EnableWindow
004C06BC    6A 01              push    1                                      ; enable [Next]
004C06BE    FF75 FC            push    dword ptr [ebp-4]
004C06C1    FF15 E8624800      call    dword ptr [<&USER32.EnableWindow>]     ; USER32.EnableWindow
004C06C7    8B4D F8            mov     ecx, dword ptr [ebp-8]                 ; current portrait bitmap
004C06CA    FF31               push    dword ptr [ecx]
004C06CC    FF15 48604800      call    dword ptr [<&GDI32.DeleteObject>]      ; GDI32.DeleteObject
004C06D2    6A 40              push    40                                     ; LR_DEFAULTSIZE
004C06D4    6A 00              push    0
004C06D6    6A 00              push    0
004C06D8    6A 00              push    0                                      ; IMAGE_BITMAP
004C06DA    FF75 0C            push    dword ptr [ebp+C]                      ; resource ID supplied by the caller: first portrait of the chosen gender
004C06DD    FF35 F50E5000      push    dword ptr [500EF5]                     ; HINSTANCE
004C06E3    FF15 34705100      call    dword ptr [517034]                     ; USER32.LoadImageA
004C06E9    8B4D F8            mov     ecx, dword ptr [ebp-8]
004C06EC    8901               mov     dword ptr [ecx], eax                   ; hTouBmp = new bitmap
004C06EE    50                 push    eax
004C06EF    6A 00              push    0                                      ; IMAGE_BITMAP
004C06F1    68 72010000        push    172                                    ; STM_SETIMAGE
004C06F6    68 D0070000        push    7D0                                    ; control 2000: portrait picture
004C06FB    FF75 08            push    dword ptr [ebp+8]
004C06FE    FF15 90634800      call    dword ptr [<&USER32.SendDlgItemMessageA>] ; USER32.SendDlgItemMessageA
004C0704    C9                 leave
004C0705    C2 0C00            retn    0C                                     ; stdcall, 3 parameters

         Machine code:

         55 8B EC 83 C4 F8 B9 00 E0 4B 00 89 4D F8 83 C1 1A 8A 01 80 7D 10 00 75 0B 0A C0 74 10 66 C7 01
         00 00 EB 09 0A C0 75 05 66 C7 01 01 00 8B 4D F8 8B 49 04 8B 41 04 89 45 FC 8B 01 6A 00 50 FF 15
         E8 62 48 00 6A 01 FF 75 FC FF 15 E8 62 48 00 8B 4D F8 FF 31 FF 15 48 60 48 00 6A 40 6A 00 6A 00
         6A 00 FF 75 0C FF 35 F5 0E 50 00 FF 15 34 70 51 00 8B 4D F8 89 01 50 6A 00 68 72 01 00 00 68 D0
         07 00 00 FF 75 08 FF 15 90 63 48 00 C9 C2 0C 00

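Each listing above is followed by the machine code that is to be written into the executable, so the check a practitioner wants before patching is that the two actually agree. The script below is an added example, not part of the original page or of the mod's own tooling: it parses listing lines in the OllyDbg column layout used on this page, verifies that the instructions are contiguous, that every short/near jump, loop and call encodes the target the listing prints, and that the listed bytes equal the dump. Its input is listing 12 (_CheckedBoyOrGirl) and its dump, copied from above; the regular expression LINE_RE and the function names are this example's own.

```python
import re
# OllyDbg listing line: address, bytes ("66:C701 0000" for prefixed opcodes, "^" marks a backward jump), mnemonic, operands, ";" comment
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+\^?\s*((?:[0-9A-F]{2}[: ]?)+?)\s{2,}([a-z]+)\s*(.*)$")
RELATIVE = ("j", "loop", "call")   # mnemonics whose last 1 or 4 bytes are an IP-relative offset

def parse_listing(text):
    """Return [(address, code bytes, mnemonic, operands)] for every instruction line."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                   # blank lines, headings, dump lines
        addr, raw, mnem, ops = m.groups()
        code = bytes.fromhex(raw.replace(":", "").replace(" ", ""))
        insns.append((int(addr, 16), code, mnem, ops.split(";")[0].strip()))
    return insns

def check_function(text, dump_hex):
    """Three consistency checks on one listing and its dump; returns a list of problems."""
    insns = parse_listing(text)
    problems = []
    for i, (addr, code, mnem, ops) in enumerate(insns):
        end = addr + len(code)
        # 1. instructions must be contiguous: no bytes skipped and none listed twice
        if i + 1 < len(insns) and insns[i + 1][0] != end:
            problems.append(f"{addr:08X}: next instruction at {insns[i + 1][0]:08X}, expected {end:08X}")
        # 2. every relative jump/loop/call must encode the target the listing prints
        m = re.fullmatch(r"(?:short )?([0-9A-F]{8})", ops)
        if m and mnem.startswith(RELATIVE):
            width = 1 if len(code) == 2 else 4         # rel8 (2-byte instruction) or rel32
            rel = int.from_bytes(code[-width:], "little", signed=True)
            if end + rel != int(m.group(1), 16):
                problems.append(f"{addr:08X}: {mnem} encodes {end + rel:08X}, listing says {m.group(1)}")
    # 3. the bytes that will be patched in must be exactly the bytes that were listed
    listed = b"".join(code for _, code, _, _ in insns)
    dump = bytes.fromhex(dump_hex)                     # fromhex() skips the whitespace and newlines
    if listed != dump:
        off = next((k for k, (a, b) in enumerate(zip(listed, dump)) if a != b), min(len(listed), len(dump)))
        problems.append(f"listing ({len(listed)} bytes) and dump ({len(dump)} bytes) differ at offset {off:#x}")
    return problems

# Listing 12 (_CheckedBoyOrGirl) and its dump, copied from this page with the comments trimmed.
LISTING_12 = """004C0678    55                 push    ebp
004C0679    8BEC               mov     ebp, esp
004C067B    83C4 F8            add     esp, -8
004C067E    B9 00E04B00        mov     ecx, 004BE000
004C0683    894D F8            mov     dword ptr [ebp-8], ecx
004C0686    83C1 1A            add     ecx, 1A
004C0689    8A01               mov     al, byte ptr [ecx]
004C068B    807D 10 00         cmp     byte ptr [ebp+10], 0
004C068F    75 0B              jnz     short 004C069C
004C0691    0AC0               or      al, al
004C0693    74 10              je      short 004C06A5
004C0695    66:C701 0000       mov     word ptr [ecx], 0
004C069A    EB 09              jmp     short 004C06A5
004C069C    0AC0               or      al, al
004C069E    75 05              jnz     short 004C06A5
004C06A0    66:C701 0100       mov     word ptr [ecx], 1
004C06A5    8B4D F8            mov     ecx, dword ptr [ebp-8]
004C06A8    8B49 04            mov     ecx, dword ptr [ecx+4]
004C06AB    8B41 04            mov     eax, dword ptr [ecx+4]
004C06AE    8945 FC            mov     dword ptr [ebp-4], eax
004C06B1    8B01               mov     eax, dword ptr [ecx]
004C06B3    6A 00              push    0
004C06B5    50                 push    eax
004C06B6    FF15 E8624800      call    dword ptr [<&USER32.EnableWindow>]     ; USER32.EnableWindow
004C06BC    6A 01              push    1
004C06BE    FF75 FC            push    dword ptr [ebp-4]
004C06C1    FF15 E8624800      call    dword ptr [<&USER32.EnableWindow>]     ; USER32.EnableWindow
004C06C7    8B4D F8            mov     ecx, dword ptr [ebp-8]
004C06CA    FF31               push    dword ptr [ecx]
004C06CC    FF15 48604800      call    dword ptr [<&GDI32.DeleteObject>]      ; GDI32.DeleteObject
004C06D2    6A 40              push    40
004C06D4    6A 00              push    0
004C06D6    6A 00              push    0
004C06D8    6A 00              push    0
004C06DA    FF75 0C            push    dword ptr [ebp+C]
004C06DD    FF35 F50E5000      push    dword ptr [500EF5]
004C06E3    FF15 34705100      call    dword ptr [517034]                     ; USER32.LoadImageA
004C06E9    8B4D F8            mov     ecx, dword ptr [ebp-8]
004C06EC    8901               mov     dword ptr [ecx], eax
004C06EE    50                 push    eax
004C06EF    6A 00              push    0
004C06F1    68 72010000        push    172
004C06F6    68 D0070000        push    7D0
004C06FB    FF75 08            push    dword ptr [ebp+8]
004C06FE    FF15 90634800      call    dword ptr [<&USER32.SendDlgItemMessageA>] ; USER32.SendDlgItemMessageA
004C0704    C9                 leave
004C0705    C2 0C00            retn    0C"""
DUMP_12 = """55 8B EC 83 C4 F8 B9 00 E0 4B 00 89 4D F8 83 C1 1A 8A 01 80 7D 10 00 75 0B 0A C0 74 10 66 C7 01
00 00 EB 09 0A C0 75 05 66 C7 01 01 00 8B 4D F8 8B 49 04 8B 41 04 89 45 FC 8B 01 6A 00 50 FF 15
E8 62 48 00 6A 01 FF 75 FC FF 15 E8 62 48 00 8B 4D F8 FF 31 FF 15 48 60 48 00 6A 40 6A 00 6A 00
6A 00 FF 75 0C FF 35 F5 0E 50 00 FF 15 34 70 51 00 8B 4D F8 89 01 50 6A 00 68 72 01 00 00 68 D0
07 00 00 FF 75 08 FF 15 90 63 48 00 C9 C2 0C 00"""

if __name__ == "__main__":
    print(check_function(LISTING_12, DUMP_12) or "listing 12 matches its dump")
    broken = LISTING_12.replace("74 10 ", "74 11 ", 1)   # mis-encode the je at 004C0693 by one byte
    print(check_function(broken, DUMP_12))
```

For listing 12 the problem list comes back empty; for the copy in which the `je` at 004C0693 is mis-encoded by one byte it reports that the branch now lands on 004C06A6 instead of 004C06A5 and that the bytes differ from the dump at offset 0x1c. The same function can be run against the other complete listings on this page (10, 11 and 13) and their dumps; listing 9 above is only the tail of its function, so its dump starts earlier than the excerpt shown.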

13. [+] / [-] (ability increase / decrease) button handler

004C0718    55                 push    ebp                                    ; _AbilityIncOrDec(hDlg, buttonId, bDecrease)
004C0719    8BEC               mov     ebp, esp
004C071B    83C4 E8            add     esp, -18
004C071E    B9 00E04B00        mov     ecx, 004BE000                          ; offset hTouBmp (4BE000H data block)
004C0723    894D E8            mov     dword ptr [ebp-18], ecx
004C0726    8B41 04            mov     eax, dword ptr [ecx+4]                 ; lpDlgItemHandel
004C0729    83C0 08            add     eax, 8                                 ; entries 2..6: the five [+] buttons
004C072C    8945 F8            mov     dword ptr [ebp-8], eax
004C072F    83C0 14            add     eax, 14                                ; entries 7..11: the five [-] buttons
004C0732    8945 F4            mov     dword ptr [ebp-C], eax
004C0735    83C1 14            add     ecx, 14                                ; ECX -> remaining points (+14H); the five ability bytes follow at +15H..+19H
004C0738    894D FC            mov     dword ptr [ebp-4], ecx
004C073B    807D 10 00         cmp     byte ptr [ebp+10], 0                   ; third parameter: 0 = [+], otherwise [-]
004C073F    0F85 83000000      jnz     004C07C8
004C0745    FE09               dec     byte ptr [ecx]                         ; remaining points - 1
004C0747    8039 00            cmp     byte ptr [ecx], 0                      ; none left?
004C074A    75 1A              jnz     short 004C0766
004C074C    B9 05000000        mov     ecx, 5                                 ; then disable all five [+] buttons
004C0751    51                 push    ecx
004C0752    8B45 F8            mov     eax, dword ptr [ebp-8]                 ; current [+] handle slot
004C0755    8345 F8 04         add     dword ptr [ebp-8], 4                   ; advance to the next one
004C0759    6A 00              push    0                                      ; bEnable = FALSE
004C075B    FF30               push    dword ptr [eax]
004C075D    FF15 E8624800      call    dword ptr [<&USER32.EnableWindow>]     ; USER32.EnableWindow
004C0763    59                 pop     ecx
004C0764  ^ E2 EB              loopd   short 004C0751
004C0766    8B45 0C            mov     eax, dword ptr [ebp+C]                 ; ID of the [+] button that was clicked (7E6H..7EAH)
004C0769    8BC8               mov     ecx, eax
004C076B    83E9 0F            sub     ecx, 0F                                ; ID of that ability's value control (7D7H..7DBH)
004C076E    894D EC            mov     dword ptr [ebp-14], ecx
004C0771    2D E5070000        sub     eax, 7E5                               ; ability number 1..5 (= ability index + 1)
004C0776    8945 F0            mov     dword ptr [ebp-10], eax
004C0779    8B4D FC            mov     ecx, dword ptr [ebp-4]                 ; remaining-points byte
004C077C    03C8               add     ecx, eax                               ; + number = this ability's byte
004C077E    FE01               inc     byte ptr [ecx]                         ; ability + 1
004C0780    894D F8            mov     dword ptr [ebp-8], ecx
004C0783    8039 01            cmp     byte ptr [ecx], 1                      ; first point in this ability?
004C0786    75 16              jnz     short 004C079E
004C0788    8B4D F4            mov     ecx, dword ptr [ebp-C]                 ; [-] handle table
004C078B    8B45 F0            mov     eax, dword ptr [ebp-10]                ; ability number
004C078E    48                 dec     eax
004C078F    C1E0 02            shl     eax, 2
004C0792    03C8               add     ecx, eax                               ; this ability's [-] button
004C0794    6A 01              push    1                                      ; enable it
004C0796    FF31               push    dword ptr [ecx]
004C0798    FF15 E8624800      call    dword ptr [<&USER32.EnableWindow>]     ; USER32.EnableWindow
004C079E    8B4D F8            mov     ecx, dword ptr [ebp-8]
004C07A1    8039 13            cmp     byte ptr [ecx], 13                     ; above 19, i.e. at the cap of 20 points?
004C07A4    0F86 82000000      jbe     004C082C
004C07AA    8B4D E8            mov     ecx, dword ptr [ebp-18]                ; offset hTouBmp
004C07AD    8B49 04            mov     ecx, dword ptr [ecx+4]                 ; lpDlgItemHandel
004C07B0    83C1 08            add     ecx, 8                                 ; [+] handle table
004C07B3    8B45 F0            mov     eax, dword ptr [ebp-10]                ; ability number
004C07B6    48                 dec     eax
004C07B7    C1E0 02            shl     eax, 2
004C07BA    03C8               add     ecx, eax                               ; this ability's [+] button
004C07BC    6A 00              push    0                                      ; disable it
004C07BE    FF31               push    dword ptr [ecx]
004C07C0    FF15 E8624800      call    dword ptr [<&USER32.EnableWindow>]     ; USER32.EnableWindow
004C07C6    EB 64              jmp     short 004C082C
004C07C8    FE01               inc     byte ptr [ecx]                         ; [-]: remaining points + 1
004C07CA    8B45 0C            mov     eax, dword ptr [ebp+C]                 ; ID of the [-] button that was clicked (7EBH..7EFH)
004C07CD    8BC8               mov     ecx, eax
004C07CF    83E9 14            sub     ecx, 14                                ; ID of that ability's value control (7D7H..7DBH)
004C07D2    894D EC            mov     dword ptr [ebp-14], ecx
004C07D5    2D EA070000        sub     eax, 7EA                               ; ability number 1..5
004C07DA    8945 F0            mov     dword ptr [ebp-10], eax
004C07DD    8B4D FC            mov     ecx, dword ptr [ebp-4]                 ; remaining-points byte
004C07E0    034D F0            add     ecx, dword ptr [ebp-10]                ; this ability's byte
004C07E3    FE09               dec     byte ptr [ecx]                         ; ability - 1
004C07E5    8039 00            cmp     byte ptr [ecx], 0                      ; back to 0?
004C07E8    75 16              jnz     short 004C0800
004C07EA    8B4D F4            mov     ecx, dword ptr [ebp-C]                 ; [-] handle table
004C07ED    8B45 F0            mov     eax, dword ptr [ebp-10]                ; ability number
004C07F0    48                 dec     eax
004C07F1    C1E0 02            shl     eax, 2
004C07F4    03C8               add     ecx, eax
004C07F6    6A 00              push    0                                      ; disable this ability's [-] button
004C07F8    FF31               push    dword ptr [ecx]
004C07FA    FF15 E8624800      call    dword ptr [<&USER32.EnableWindow>]     ; USER32.EnableWindow
004C0800    8B4D FC            mov     ecx, dword ptr [ebp-4]                 ; remaining-points byte
004C0803    8039 01            cmp     byte ptr [ecx], 1                      ; at least one point available again?
004C0806    72 24              jb      short 004C082C
004C0808    56                 push    esi
004C0809    8BF1               mov     esi, ecx
004C080B    46                 inc     esi                                    ; ESI -> first ability byte
004C080C    B9 05000000        mov     ecx, 5                                 ; five abilities
004C0811    51                 push    ecx
004C0812    AC                 lods    byte ptr [esi]                         ; this ability's points
004C0813    3C 14              cmp     al, 14                                 ; still below the cap of 20?
004C0815    73 0D              jnb     short 004C0824
004C0817    8B45 F8            mov     eax, dword ptr [ebp-8]                 ; [ebp-8] still holds the [+] handle table on this path
004C081A    6A 01              push    1                                      ; re-enable its [+] button
004C081C    FF30               push    dword ptr [eax]
004C081E    FF15 E8624800      call    dword ptr [<&USER32.EnableWindow>]     ; USER32.EnableWindow
004C0824    8345 F8 04         add     dword ptr [ebp-8], 4
004C0828    59                 pop     ecx
004C0829  ^ E2 E6              loopd   short 004C0811
004C082B    5E                 pop     esi
004C082C    8B4D FC            mov     ecx, dword ptr [ebp-4]                 ; remaining-points byte
004C082F    034D F0            add     ecx, dword ptr [ebp-10]                ; ECX -> the ability just changed
004C0832    0FB601             movzx   eax, byte ptr [ecx]                    ; its points
004C0835    83C0 46            add     eax, 46                                ; displayed value = 70 + points
004C0838    8945 F4            mov     dword ptr [ebp-C], eax
004C083B    6A 00              push    0
004C083D    50                 push    eax
004C083E    FF75 EC            push    dword ptr [ebp-14]                     ; value control
004C0841    FF75 08            push    dword ptr [ebp+8]
004C0844    FF15 E4624800      call    dword ptr [<&USER32.SetDlgItemInt>]    ; USER32.SetDlgItemInt
004C084A    B8 C0E74B00        mov     eax, 004BE7C0                          ; ASCII "(E)": rank label table, one 4-byte entry per threshold
004C084F    8B4D F4            mov     ecx, dword ptr [ebp-C]                 ; pick the label for the displayed value
004C0852    83F9 64            cmp     ecx, 64                                ; >= 100
004C0855    72 05              jb      short 004C085C
004C0857    83C0 18            add     eax, 18
004C085A    EB 30              jmp     short 004C088C
004C085C    83F9 5A            cmp     ecx, 5A                                ; >= 90
004C085F    72 05              jb      short 004C0866
004C0861    83C0 14            add     eax, 14
004C0864    EB 26              jmp     short 004C088C
004C0866    83F9 50            cmp     ecx, 50                                ; >= 80
004C0869    72 05              jb      short 004C0870
004C086B    83C0 10            add     eax, 10
004C086E    EB 1C              jmp     short 004C088C
004C0870    83F9 46            cmp     ecx, 46                                ; >= 70: "(B)" at 4BE7CCH
004C0873    72 05              jb      short 004C087A
004C0875    83C0 0C            add     eax, 0C
004C0878    EB 12              jmp     short 004C088C
004C087A    83F9 32            cmp     ecx, 32                                ; >= 50
004C087D    72 05              jb      short 004C0884
004C087F    83C0 08            add     eax, 8
004C0882    EB 08              jmp     short 004C088C
004C0884    83F9 1E            cmp     ecx, 1E                                ; >= 30; below that the label stays "(E)"
004C0887    72 03              jb      short 004C088C
004C0889    83C0 04            add     eax, 4
004C088C    8B4D EC            mov     ecx, dword ptr [ebp-14]
004C088F    83C1 05            add     ecx, 5                                 ; label control = value control + 5
004C0892    50                 push    eax
004C0893    51                 push    ecx
004C0894    FF75 08            push    dword ptr [ebp+8]
004C0897    FF15 D8624800      call    dword ptr [<&USER32.SetDlgItemTextA>]  ; USER32.SetDlgItemTextA
004C089D    8B4D FC            mov     ecx, dword ptr [ebp-4]
004C08A0    0FB601             movzx   eax, byte ptr [ecx]                    ; remaining points
004C08A3    6A 00              push    0
004C08A5    50                 push    eax
004C08A6    68 D6070000        push    7D6                                    ; control 2006: remaining points
004C08AB    FF75 08            push    dword ptr [ebp+8]
004C08AE    FF15 E4624800      call    dword ptr [<&USER32.SetDlgItemInt>]    ; USER32.SetDlgItemInt
004C08B4    C9                 leave
004C08B5    C2 0C00            retn    0C                                     ; stdcall, 3 parameters

         Machine code:

         55 8B EC 83 C4 E8 B9 00 E0 4B 00 89 4D E8 8B 41 04 83 C0 08 89 45 F8 83 C0 14 89 45 F4 83 C1 14
         89 4D FC 80 7D 10 00 0F 85 83 00 00 00 FE 09 80 39 00 75 1A B9 05 00 00 00 51 8B 45 F8 83 45 F8
         04 6A 00 FF 30 FF 15 E8 62 48 00 59 E2 EB 8B 45 0C 8B C8 83 E9 0F 89 4D EC 2D E5 07 00 00 89 45
         F0 8B 4D FC 03 C8 FE 01 89 4D F8 80 39 01 75 16 8B 4D F4 8B 45 F0 48 C1 E0 02 03 C8 6A 01 FF 31
         FF 15 E8 62 48 00 8B 4D F8 80 39 13 0F 86 82 00 00 00 8B 4D E8 8B 49 04 83 C1 08 8B 45 F0 48 C1
         E0 02 03 C8 6A 00 FF 31 FF 15 E8 62 48 00 EB 64 FE 01 8B 45 0C 8B C8 83 E9 14 89 4D EC 2D EA 07
         00 00 89 45 F0 8B 4D FC 03 4D F0 FE 09 80 39 00 75 16 8B 4D F4 8B 45 F0 48 C1 E0 02 03 C8 6A 00
         FF 31 FF 15 E8 62 48 00 8B 4D FC 80 39 01 72 24 56 8B F1 46 B9 05 00 00 00 51 AC 3C 14 73 0D 8B
         45 F8 6A 01 FF 30 FF 15 E8 62 48 00 83 45 F8 04 59 E2 E6 5E 8B 4D FC 03 4D F0 0F B6 01 83 C0 46
         89 45 F4 6A 00 50 FF 75 EC FF 75 08 FF 15 E4 62 48 00 B8 C0 E7 4B 00 8B 4D F4 83 F9 64 72 05 83
         C0 18 EB 30 83 F9 5A 72 05 83 C0 14 EB 26 83 F9 50 72 05 83 C0 10 EB 1C 83 F9 46 72 05 83 C0 0C
         EB 12 83 F9 32 72 05 83 C0 08 EB 08 83 F9 1E 72 03 83 C0 04 8B 4D EC 83 C1 05 50 51 FF 75 08 FF
         15 D8 62 48 00 8B 4D FC 0F B6 01 6A 00 50 68 D6 07 00 00 FF 75 08 FF 15 E4 62 48 00 C9 C2 0C 00



14. [OK] button handler

004C08BA    55              push    ebp                              ; _FixLeave
004C08BB    8BEC            mov     ebp, esp
004C08BD    83C4 E0         add     esp, -20
004C08C0    B9 00E04B00     mov     ecx, 004BE000                    ; offset hTouBmp(ԭԴRVA)
004C08C5    894D FC         mov     dword ptr [ebp-4], ecx
004C08C8    0FB641 1D       movzx   eax, byte ptr [ecx+1D]           ; ȡԭ
004C08CC    8945 F4         mov     dword ptr [ebp-C], eax
004C08CF    8B51 10         mov     edx, dword ptr [ecx+10]          ; ȡԭṹӳַ
004C08D2    C1E0 04         shl     eax, 4
004C08D5    0FB70410        movzx   eax, word ptr [eax+edx]          ; ȡԭŶӦ佫DATA+1
004C08D9    48              dec     eax
004C08DA    6BC0 48         imul    eax, eax, 48
004C08DD    0305 00EA4C00   add     eax, dword ptr [4CEA00]          ; ȡ佫SAVӳָ
004C08E3    8945 F8         mov     dword ptr [ebp-8], eax
004C08E6    57              push    edi
004C08E7    56              push    esi
004C08E8    8BF8            mov     edi, eax                         ; 佫SAVӳָ
004C08EA    8D75 E0         lea     esi, dword ptr [ebp-20]
004C08ED    8B49 04         mov     ecx, dword ptr [ecx+4]           ; ȡlpDlgItemHandel
004C08F0    6A 10           push    10
004C08F2    56              push    esi
004C08F3    FF71 34         push    dword ptr [ecx+34]               ; 佫ؼ
004C08F6    FF15 B4634800   call    dword ptr [<&USER32.GetWindowTex>; USER32.GetWindowTextA
004C08FC    83C7 04         add     edi, 4                           ; EDIָSAVӳеͷ
004C08FF    8B75 FC         mov     esi, dword ptr [ebp-4]           ; offset hTouBmp(ԭԴRVA)
004C0902    83C6 1A         add     esi, 1A                          ; ESIָҶƵ佫Ա
004C0905    AC              lods    byte ptr [esi]
004C0906    0FB6C0          movzx   eax, al                          ; ѡǷΪ
004C0909    8945 F0         mov     dword ptr [ebp-10], eax
004C090C    0AC0            or      al, al                           ; ѡǷΪ
004C090E    75 06           jnz     short 004C0916
004C0910    66:BA F401      mov     dx, 1F4                          ; ԭ佫ͷʼ
004C0914    EB 04           jmp     short 004C091A
004C0916    66:BA FE01      mov     dx, 1FE                          ; Ůԭ佫ͷʼ
004C091A    66:AD           lods    word ptr [esi]                   ; ȡҶ佫ͷ
004C091C    66:03C2         add     ax, dx                           ; λͷλͼID
004C091F    66:AB           stos    word ptr es:[edi]
004C0921    EB 1B           jmp     short 004C093E
004C0923    8D75 E0         lea     esi, dword ptr [ebp-20]          ; ڲ佫׵ַ
004C0926    0FB6C9          movzx   ecx, cl                          ; CL󿽱ֽ
004C0929    33D2            xor     edx, edx                         ; дַ0
004C092B    AC              lods    byte ptr [esi]                   ; 佫ȡһֽ
004C092C    0AC0            or      al, al
004C092E    74 05           je      short 004C0935
004C0930    AA              stos    byte ptr es:[edi]                ; Ŀд뻺
004C0931    FEC2            inc     dl                               ; дַ1
004C0933  ^ E2 F6           loopd   short 004C092B
004C0935    8ACB            mov     cl, bl                           ; BLĿд뻺
004C0937    2ACA            sub     cl, dl                           ; Ŀд뻺δռõĿֽ
004C0939    32C0            xor     al, al
004C093B    F3:AA           rep     stos byte ptr es:[edi]           ; δռõĿֽȫ0
004C093D    C3              retn
004C093E    83C7 02         add     edi, 2                           ; EDI -> general-name field in the SAV mapping
004C0941    53              push    ebx                              ; preserve EBX, used below as the pad-length register
004C0942    B1 08           mov     cl, 8                            ; copy at most 8 bytes ...
004C0944    B3 09           mov     bl, 9                            ; ... padded to 9
004C0946    E8 D8FFFFFF     call    004C0923                         ; copy the general-name string
004C094B    83C7 26         add     edi, 26                          ; EDI -> R-script display-name field in the SAV mapping
004C094E    B1 0C           mov     cl, 0C                           ; at most 12 bytes ...
004C0950    B3 10           mov     bl, 10                           ; ... padded to 16
004C0952    E8 CCFFFFFF     call    004C0923
004C0957    8B4D FC         mov     ecx, dword ptr [ebp-4]           ; offset hTouBmp (base of the 4BE000H data block)
004C095A    8B79 10         mov     edi, dword ptr [ecx+10]          ; [+10H] -> name.e5 structure mapping (4BE200H)
004C095D    8B45 F4         mov     eax, dword ptr [ebp-C]           ; original-general index (0-based)
004C0960    C1E0 04         shl     eax, 4                           ; *16: one mapping entry is 16 bytes
004C0963    03F8            add     edi, eax
004C0965    83C7 02         add     edi, 2                           ; EDI -> name field of the entry (+0 holds the u16 general index)
004C0968    B1 0C           mov     cl, 0C                           ; original-general name: at most 12 bytes ...
004C096A    B3 0E           mov     bl, 0E                           ; ... padded to 14 (the entry is 16 bytes in total)
004C096C    E8 B2FFFFFF     call    004C0923
004C0971    5B              pop     ebx
004C0972    8B7D F8         mov     edi, dword ptr [ebp-8]           ; the general's SAV mapping record
004C0975    8BD7            mov     edx, edi
004C0977    83C7 21         add     edi, 21                          ; EDI -> the general's five stat bytes (+21H)
004C097A    8B75 FC         mov     esi, dword ptr [ebp-4]
004C097D    83C6 15         add     esi, 15                          ; ESI -> the five allocated stat values at [4BE000H]+15H
004C0980    B1 05           mov     cl, 5                            ; five iterations
004C0982    AC              lods    byte ptr [esi]                   ; load the allocated value
004C0983    04 46           add     al, 46                           ; add the base of 70 (8-bit add, wraps above 255)
004C0985    AA              stos    byte ptr es:[edi]                ; store the stat into the SAV record
004C0986  ^ E2 FA           loopd   short 004C0982
004C0988    8BFA            mov     edi, edx                         ; back to the start of the SAV record
004C098A    EB 5F           jmp     short 004C09EB
004C098C    80F9 64         cmp     cl, 64                           ; adjustment: AX = base value, CL = stat; stat >= 100: +20
004C098F    72 06           jb      short 004C0997
004C0991    66:83C0 14      add     ax, 14
004C0995    EB 53           jmp     short 004C09EA
004C0997    80F9 5A         cmp     cl, 5A                           ; stat >= 90: +15
004C099A    72 06           jb      short 004C09A2
004C099C    66:83C0 0F      add     ax, 0F
004C09A0    EB 48           jmp     short 004C09EA
004C09A2    80F9 50         cmp     cl, 50                           ; stat >= 80: +10
004C09A5    72 06           jb      short 004C09AD
004C09A7    66:83C0 0A      add     ax, 0A
004C09AB    EB 3D           jmp     short 004C09EA
004C09AD    80F9 46         cmp     cl, 46                           ; stat >= 70: +5
004C09B0    72 06           jb      short 004C09B8
004C09B2    66:83C0 05      add     ax, 5
004C09B6    EB 32           jmp     short 004C09EA
004C09B8    80F9 32         cmp     cl, 32                           ; stat >= 50: unchanged
004C09BB    72 06           jb      short 004C09C3
004C09BD    66:83C0 00      add     ax, 0
004C09C1    EB 27           jmp     short 004C09EA
004C09C3    80F9 1E         cmp     cl, 1E                           ; stat >= 30: -5, clamped at 0
004C09C6    72 12           jb      short 004C09DA
004C09C8    66:83F8 05      cmp     ax, 5
004C09CC    72 06           jb      short 004C09D4
004C09CE    66:83E8 05      sub     ax, 5
004C09D2    EB 16           jmp     short 004C09EA
004C09D4    66:B8 0000      mov     ax, 0
004C09D8    EB 10           jmp     short 004C09EA
004C09DA    66:83F8 0A      cmp     ax, 0A                           ; stat < 30: -10, clamped at 0
004C09DE    72 06           jb      short 004C09E6
004C09E0    66:83E8 0A      sub     ax, 0A
004C09E4    EB 04           jmp     short 004C09EA
004C09E6    66:B8 0000      mov     ax, 0
004C09EA    C3              retn                                     ; all compares are unsigned (jb); the adds wrap at 16 bits
004C09EB    83C7 1C         add     edi, 1C                          ; EDI -> HP dword at +1CH of the SAV record
004C09EE    8A4F 05         mov     cl, byte ptr [edi+5]             ; CL = first stat byte (+21H)
004C09F1    66:8B07         mov     ax, word ptr [edi]               ; AX = the general's initial HP
004C09F4    E8 93FFFFFF     call    004C098C                         ; stat-based HP/MP adjustment (routine above)
004C09F9    66:AB           stos    word ptr es:[edi]                ; adjusted HP (low word, +1CH)
004C09FB    66:33C0         xor     ax, ax
004C09FE    66:AB           stos    word ptr es:[edi]                ; high word of the HP dword (+1EH) = 0
004C0A00    8A4F 03         mov     cl, byte ptr [edi+3]             ; CL = third stat byte (+23H)
004C0A03    66:0FB607       movzx   ax, byte ptr [edi]               ; AX = the general's initial MP (byte at +20H)
004C0A07    E8 80FFFFFF     call    004C098C
004C0A0C    AA              stos    byte ptr es:[edi]                ; adjusted MP; only AL is stored
004C0A0D    83C7 0A         add     edi, 0A                          ; EDI -> +2BH
004C0A10    6A 00           push    0
004C0A12    6A 00           push    0
004C0A14    68 47010000     push    147                              ; CB_GETCURSEL
004C0A19    68 D5070000     push    7D5                              ; control ID 2005: the class combo box
004C0A1E    FF75 08         push    dword ptr [ebp+8]                ; hDlg
004C0A21    FF15 90634800   call    dword ptr [<&USER32.SendDlgItemM>; USER32.SendDlgItemMessageA
004C0A27    83F8 FF         cmp     eax, -1                          ; CB_ERR: nothing selected?
004C0A2A    75 02           jnz     short 004C0A2E
004C0A2C    33C0            xor     eax, eax                         ; then treat it as the first item
004C0A2E    8BD0            mov     edx, eax                         ; EDX = selected list position
004C0A30    8B4D FC         mov     ecx, dword ptr [ebp-4]           ; offset hTouBmp (base of the 4BE000H data block)
004C0A33    83C1 0C         add     ecx, 0C
004C0A36    8B09            mov     ecx, dword ptr [ecx]             ; [+0CH] -> address of variable 4050
004C0A38    8A040A          mov     al, byte ptr [edx+ecx]           ; byte N of the selectable-class table kept in 4050
004C0A3B    FEC8            dec     al                               ; table values are 1-based; the record stores the class 0-based
004C0A3D    AA              stos    byte ptr es:[edi]                ; class byte at +2BH of the SAV record
004C0A3E    8911            mov     dword ptr [ecx], edx             ; variable 4050 := selected list position
004C0A40    8B55 F0         mov     edx, dword ptr [ebp-10]          ; the original general's gender
004C0A43    8951 04         mov     dword ptr [ecx+4], edx           ; variable 4051 := gender (0 = male, 1 = female)
004C0A46    5E              pop     esi
004C0A47    5F              pop     edi
004C0A48    6A 00           push    0
004C0A4A    6A 00           push    0
004C0A4C    6A 10           push    10                               ; WM_CLOSE
004C0A4E    FF75 08         push    dword ptr [ebp+8]
004C0A51    FF15 18634800   call    dword ptr [<&USER32.PostMessageA>; USER32.PostMessageA
004C0A57    C9              leave
004C0A58    C2 0400         retn    4


         Data:

         55 8B EC 83 C4 E0 B9 00 E0 4B 00 89 4D FC 0F B6 41 1D 89 45 F4 8B 51 10 C1 E0 04 0F B7 04 10 48
         6B C0 48 03 05 00 EA 4C 00 89 45 F8 57 56 8B F8 8D 75 E0 8B 49 04 6A 10 56 FF 71 34 FF 15 B4 63
         48 00 83 C7 04 8B 75 FC 83 C6 1A AC 0F B6 C0 89 45 F0 0A C0 75 06 66 BA F4 01 EB 04 66 BA FE 01
         66 AD 66 03 C2 66 AB EB 1B 8D 75 E0 0F B6 C9 33 D2 AC 0A C0 74 05 AA FE C2 E2 F6 8A CB 2A CA 32
         C0 F3 AA C3 83 C7 02 53 B1 08 B3 09 E8 D8 FF FF FF 83 C7 26 B1 0C B3 10 E8 CC FF FF FF 8B 4D FC
         8B 79 10 8B 45 F4 C1 E0 04 03 F8 83 C7 02 B1 0C B3 0E E8 B2 FF FF FF 5B 8B 7D F8 8B D7 83 C7 21
         8B 75 FC 83 C6 15 B1 05 AC 04 46 AA E2 FA 8B FA EB 5F 80 F9 64 72 06 66 83 C0 14 EB 53 80 F9 5A
         72 06 66 83 C0 0F EB 48 80 F9 50 72 06 66 83 C0 0A EB 3D 80 F9 46 72 06 66 83 C0 05 EB 32 80 F9
         32 72 06 66 83 C0 00 EB 27 80 F9 1E 72 12 66 83 F8 05 72 06 66 83 E8 05 EB 16 66 B8 00 00 EB 10
         66 83 F8 0A 72 06 66 83 E8 0A EB 04 66 B8 00 00 C3 83 C7 1C 8A 4F 05 66 8B 07 E8 93 FF FF FF 66
         AB 66 33 C0 66 AB 8A 4F 03 66 0F B6 07 E8 80 FF FF FF AA 83 C7 0A 6A 00 6A 00 68 47 01 00 00 68
         D5 07 00 00 FF 75 08 FF 15 90 63 48 00 83 F8 FF 75 02 33 C0 8B D0 8B 4D FC 83 C1 0C 8B 09 8A 04
         0A FE C8 AA 89 11 8B 55 F0 89 51 04 5E 5F 6A 00 6A 00 6A 10 FF 75 08 FF 15 18 63 48 00 C9 C2 04
         00 90
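The adjustment routine at 004C098C and the stat/HP/MP write-back of patch 14, reimplemented in Python as an added example (this is not the mod's own code). It uses the SAV record offsets the listing uses (+1CH HP dword, +20H MP byte, +21H..+25H the five stats on a base of 70) and a constructed record; the fields a real record carries elsewhere are left zero here.

```python
# Added example (not the mod's own code): the stat-dependent HP/MP adjustment
# (routine 004C098C) and the stat/HP/MP write-back of patch 14, in Python.
# Offsets are the ones the listing uses; the sample SAV record is constructed.

BASE_STAT = 0x46                              # `add al, 46`: allocated points sit on a base of 70
HP_OFF, MP_OFF, STAT_OFF = 0x1C, 0x20, 0x21   # dword HP, byte MP, five stat bytes

# (minimum stat, delta), tested top-down exactly like the cmp/jb chain; below 1EH: -10
ADJUST_TIERS = ((0x64, 0x14), (0x5A, 0x0F), (0x50, 0x0A), (0x46, 0x05), (0x32, 0), (0x1E, -0x05))


def hp_mp_adjust(base: int, stat: int) -> int:
    """AX := f(AX=base, CL=stat).  Compares are unsigned (jb), additions wrap at
    16 bits (`add ax, imm`), subtractions are clamped at 0 (`cmp ax, N; jb`)."""
    base &= 0xFFFF
    stat &= 0xFF
    delta = -0x0A
    for floor, tier_delta in ADJUST_TIERS:
        if stat >= floor:
            delta = tier_delta
            break
    if delta < 0:
        return 0 if base < -delta else base + delta
    return (base + delta) & 0xFFFF


def write_stats_hp_mp(record: bytearray, allocated: bytes) -> bytearray:
    """Apply the five allocated points and recompute HP/MP in a 48H-byte SAV record,
    in the patch's order: stats first, then HP from stat #1 (+21H), MP from stat #3 (+23H)."""
    if len(record) != 0x48 or len(allocated) != 5:
        raise ValueError("need a 48H-byte record and exactly five allocated values")
    for i, points in enumerate(allocated):
        record[STAT_OFF + i] = (points + BASE_STAT) & 0xFF          # 8-bit add, as `add al, 46`
    hp = int.from_bytes(record[HP_OFF:HP_OFF + 2], "little")       # only the low word is read
    record[HP_OFF:HP_OFF + 4] = hp_mp_adjust(hp, record[STAT_OFF]).to_bytes(2, "little") + b"\0\0"
    mp = record[MP_OFF]
    record[MP_OFF] = hp_mp_adjust(mp, record[STAT_OFF + 2]) & 0xFF  # `stos byte`: AL only
    return record


def demo() -> bytearray:
    """Constructed sample: initial HP 100, MP 50, allocations 30/0/20/0/0."""
    rec = bytearray(0x48)
    rec[HP_OFF:HP_OFF + 2] = (100).to_bytes(2, "little")
    rec[MP_OFF] = 50
    return write_stats_hp_mp(rec, bytes([30, 0, 20, 0, 0]))


if __name__ == "__main__":
    r = demo()
    print("stats", list(r[STAT_OFF:STAT_OFF + 5]),
          "HP", int.from_bytes(r[HP_OFF:HP_OFF + 4], "little"), "MP", r[MP_OFF])
```

Because the MP result is stored with `stos byte`, an MP of 250 with a +10 tier wraps to 4 in the record; the HP add wraps at 16 bits the same way. Both are properties of the patch, not of this rewrite.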


;--------------------------------------------------------------------------------------------------------------------

15. Original-general save-file write handler (writes the current mapping to name.e5)

0041B22E  - E9 2D580A00     jmp     004C0A60                         ; hook in the save routine

004C0A60    FF75 08         push    dword ptr [ebp+8]                ; save-slot number
004C0A63    E8 62E40000     call    004CEECA
004C0A68    FF75 08         push    dword ptr [ebp+8]
004C0A6B    E8 06000000     call    004C0A76                         ; write this slot's mapping to name.e5
004C0A70  - E9 C1A7F5FF     jmp     0041B236                         ; back to the original code

004C0A76    55              push    ebp
004C0A77    8BEC            mov     ebp, esp
004C0A79    83C4 F4         add     esp, -0C                         ; locals: [ebp-4] hFile, [ebp-8] mapping ptr, [ebp-C] bytes written
004C0A7C    6A 00           push    0                                ; hTemplateFile = NULL
004C0A7E    68 80000000     push    80                               ; FILE_ATTRIBUTE_NORMAL
004C0A83    6A 03           push    3                                ; OPEN_EXISTING: the file is never created here
004C0A85    6A 00           push    0                                ; lpSecurityAttributes = NULL
004C0A87    6A 01           push    1                                ; FILE_SHARE_READ
004C0A89    68 000000C0     push    C0000000                         ; GENERIC_READ | GENERIC_WRITE
004C0A8E    68 E0E74B00     push    004BE7E0                         ; ASCII "name.e5"
004C0A93    FF15 18614800   call    dword ptr [<&KERNEL32.CreateFile>; kernel32.CreateFileA
004C0A99    83F8 FF         cmp     eax, -1                          ; INVALID_HANDLE_VALUE?
004C0A9C    75 04           jnz     short 004C0AA2
004C0A9E    EB 5A           jmp     short 004C0AFA                   ; open failed: give up silently
004C0AA0    EB 03           jmp     short 004C0AA5                   ; (never reached)
004C0AA2    8945 FC         mov     dword ptr [ebp-4], eax           ; hFile
004C0AA5    6A 02           push    2                                ; FILE_END
004C0AA7    6A 00           push    0
004C0AA9    6A 00           push    0
004C0AAB    FF75 FC         push    dword ptr [ebp-4]
004C0AAE    FF15 04614800   call    dword ptr [<&KERNEL32.SetFilePoi>; kernel32.SetFilePointer -> file size
004C0AB4    3D C0030000     cmp     eax, 3C0                         ; must be exactly 3C0H bytes = 10 slots * 60H
004C0AB9    75 36           jnz     short 004C0AF1                   ; wrong size: close without writing
004C0ABB    B9 00E04B00     mov     ecx, 004BE000
004C0AC0    81C1 00020000   add     ecx, 200                         ; 4BE200H: the current name.e5 mapping (60H bytes)
004C0AC6    894D F8         mov     dword ptr [ebp-8], ecx
004C0AC9    8B45 08         mov     eax, dword ptr [ebp+8]           ; save-slot number
004C0ACC    6BC0 60         imul    eax, eax, 60                     ; slot offset = slot * 60H (no range check; slot >= 10 would write past the end)
004C0ACF    6A 00           push    0
004C0AD1    6A 00           push    0
004C0AD3    50              push    eax
004C0AD4    FF75 FC         push    dword ptr [ebp-4]
004C0AD7    FF15 04614800   call    dword ptr [<&KERNEL32.SetFilePoi>; kernel32.SetFilePointer(hFile, slot*60H, NULL, FILE_BEGIN)
004C0ADD    6A 00           push    0
004C0ADF    8D45 F4         lea     eax, dword ptr [ebp-C]
004C0AE2    50              push    eax                              ; &bytesWritten
004C0AE3    6A 60           push    60                               ; one slot = 60H bytes
004C0AE5    FF75 F8         push    dword ptr [ebp-8]                ; from the mapping at 4BE200H
004C0AE8    FF75 FC         push    dword ptr [ebp-4]
004C0AEB    FF15 0C614800   call    dword ptr [<&KERNEL32.WriteFile>>; kernel32.WriteFile (return value and byte count are not checked)
004C0AF1    FF75 FC         push    dword ptr [ebp-4]
004C0AF4    FF15 08614800   call    dword ptr [<&KERNEL32.CloseHandl>; kernel32.CloseHandle
004C0AFA    C9              leave
004C0AFB    C2 0400         retn    4

         Data:

         FF 75 08 E8 62 E4 00 00 FF 75 08 E8 06 00 00 00 E9 C1 A7 F5 FF 90 55 8B EC 83 C4 F4 6A 00 68 80
         00 00 00 6A 03 6A 00 6A 01 68 00 00 00 C0 68 E0 E7 4B 00 FF 15 18 61 48 00 83 F8 FF 75 04 EB 5A
         EB 03 89 45 FC 6A 02 6A 00 6A 00 FF 75 FC FF 15 04 61 48 00 3D C0 03 00 00 75 36 B9 00 E0 4B 00
         81 C1 00 02 00 00 89 4D F8 8B 45 08 6B C0 60 6A 00 6A 00 50 FF 75 FC FF 15 04 61 48 00 6A 00 8D
         45 F4 50 6A 60 FF 75 F8 FF 75 FC FF 15 0C 61 48 00 FF 75 FC FF 15 08 61 48 00 C9 C2 04 00


16. Original-general save-file load handler (first restores the previously mapped generals from Data.e5, then reads the slot's mapping from name.e5)

0041ADC1  - E9 425D0A00     jmp     004C0B08                         ; hook in the load routine

004C0B08    FF75 08         push    dword ptr [ebp+8]                ; save-slot number
004C0B0B    E8 06000000     call    004C0B16
004C0B10  - E9 3DE80000     jmp     004CF352

004C0B16    55              push    ebp
004C0B17    8BEC            mov     ebp, esp
004C0B19    83C4 E0         add     esp, -20                         ; [ebp-4] hFile, [ebp-8] mapping ptr, [ebp-C] bytes read / source ptr, [ebp-10] index, [ebp-20] read buffer
004C0B1C    B8 00E04B00     mov     eax, 004BE000
004C0B21    05 00020000     add     eax, 200                         ; 4BE200H: still holds the previously loaded save's mapping
004C0B26    8945 F8         mov     dword ptr [ebp-8], eax
004C0B29    6A 00           push    0
004C0B2B    68 80000000     push    80                               ; FILE_ATTRIBUTE_NORMAL
004C0B30    6A 03           push    3                                ; OPEN_EXISTING
004C0B32    6A 00           push    0
004C0B34    6A 01           push    1                                ; FILE_SHARE_READ
004C0B36    68 000000C0     push    C0000000                         ; GENERIC_READ | GENERIC_WRITE
004C0B3B    68 E8E74B00     push    004BE7E8                         ; ASCII "Data.e5"
004C0B40    FF15 18614800   call    dword ptr [<&KERNEL32.CreateFile>; kernel32.CreateFileA
004C0B46    83F8 FF         cmp     eax, -1
004C0B49    75 07           jnz     short 004C0B52
004C0B4B    E9 BE000000     jmp     004C0C0E                         ; Data.e5 missing: skip the restore, still read name.e5
004C0B50    EB 03           jmp     short 004C0B55                   ; (never reached)
004C0B52    8945 FC         mov     dword ptr [ebp-4], eax           ; hFile
004C0B55    6A 02           push    2                                ; FILE_END
004C0B57    6A 00           push    0
004C0B59    6A 00           push    0
004C0B5B    FF75 FC         push    dword ptr [ebp-4]
004C0B5E    FF15 04614800   call    dword ptr [<&KERNEL32.SetFilePoi>; kernel32.SetFilePointer -> file size
004C0B64    3D C3EF0000     cmp     eax, 0EFC3                       ; Data.e5 must be exactly 0EFC3H bytes
004C0B69    0F85 96000000   jnz     004C0C05                         ; otherwise close and skip the restore
004C0B6F    EB 3F           jmp     short 004C0BB0
004C0B71    6A 00           push    0                                ; helper: seek to ECX and read one name record into [ebp-20]
004C0B73    6A 00           push    0
004C0B75    51              push    ecx                              ; file offset = 18CH + (index-1)*20H
004C0B76    FF75 FC         push    dword ptr [ebp-4]
004C0B79    FF15 04614800   call    dword ptr [<&KERNEL32.SetFilePoi>; kernel32.SetFilePointer(hFile, ECX, NULL, FILE_BEGIN)
004C0B7F    6A 00           push    0
004C0B81    8D45 F4         lea     eax, dword ptr [ebp-C]
004C0B84    50              push    eax                              ; &bytesRead
004C0B85    6A 11           push    11                               ; 11H bytes into a 10H-byte buffer: the 17th byte lands on the low byte of [ebp-10], the index stored at 004C0BC2 and reloaded at 004C0BD3; check this before reusing the patch
004C0B87    8D45 E0         lea     eax, dword ptr [ebp-20]
004C0B8A    50              push    eax                              ; read buffer
004C0B8B    FF75 FC         push    dword ptr [ebp-4]
004C0B8E    FF15 14614800   call    dword ptr [<&KERNEL32.ReadFile>] ; kernel32.ReadFile
004C0B94    C3              retn
004C0B95    8B75 F4         mov     esi, dword ptr [ebp-C]           ; copy helper (same logic as 004C0923): ESI = source string
004C0B98    0FB6C9          movzx   ecx, cl                          ; CL = maximum bytes to copy
004C0B9B    33D2            xor     edx, edx
004C0B9D    AC              lods    byte ptr [esi]
004C0B9E    0AC0            or      al, al                           ; stop at the terminating NUL
004C0BA0    74 05           je      short 004C0BA7
004C0BA2    AA              stos    byte ptr es:[edi]
004C0BA3    FEC2            inc     dl                               ; DL = bytes copied
004C0BA5  ^ E2 F6           loopd   short 004C0B9D
004C0BA7    8ACB            mov     cl, bl                           ; BL = total field length
004C0BA9    2ACA            sub     cl, dl
004C0BAB    32C0            xor     al, al
004C0BAD    F3:AA           rep     stos byte ptr es:[edi]           ; zero-fill the rest of the field
004C0BAF    C3              retn
004C0BB0    8B55 F8         mov     edx, dword ptr [ebp-8]           ; EDX -> first mapping entry
004C0BB3    B9 06000000     mov     ecx, 6                           ; six entries per slot
004C0BB8    60              pushad
004C0BB9    0FB70A          movzx   ecx, word ptr [edx]              ; u16 general index of this entry
004C0BBC    66:0BC9         or      cx, cx
004C0BBF    74 44           je      short 004C0C05                   ; 0 = unused: stop (entries after the first empty one are ignored)
004C0BC1    49              dec     ecx                              ; 1-based in the file, 0-based from here on
004C0BC2    894D F0         mov     dword ptr [ebp-10], ecx
004C0BC5    C1E1 05         shl     ecx, 5                           ; *20H: one Data.e5 name record
004C0BC8    81C1 8C010000   add     ecx, 18C                         ; the records start at file offset 18CH
004C0BCE    E8 9EFFFFFF     call    004C0B71                         ; seek and read the record
004C0BD3    8B45 F0         mov     eax, dword ptr [ebp-10]
004C0BD6    6BC0 48         imul    eax, eax, 48                     ; one SAV general record = 48H bytes
004C0BD9    0305 00EA4C00   add     eax, dword ptr [4CEA00]          ; [4CEA00] = base of the SAV general table
004C0BDF    83C0 08         add     eax, 8                           ; +8: general-name field
004C0BE2    8BF8            mov     edi, eax
004C0BE4    8D45 E0         lea     eax, dword ptr [ebp-20]
004C0BE7    8945 F4         mov     dword ptr [ebp-C], eax           ; source = the record just read
004C0BEA    B1 08           mov     cl, 8                            ; at most 8 bytes ...
004C0BEC    B3 09           mov     bl, 9                            ; ... padded to 9
004C0BEE    E8 A2FFFFFF     call    004C0B95
004C0BF3    83C7 26         add     edi, 26                          ; +37H: display-name field
004C0BF6    B1 10           mov     cl, 10                           ; at most 16 bytes ...
004C0BF8    B3 11           mov     bl, 11                           ; ... padded to 17, ending exactly at +48H
004C0BFA    E8 96FFFFFF     call    004C0B95
004C0BFF    61              popad
004C0C00    83C2 10         add     edx, 10                          ; next 16-byte entry
004C0C03  ^ E2 B3           loopd   short 004C0BB8
004C0C05    FF75 FC         push    dword ptr [ebp-4]
004C0C08    FF15 08614800   call    dword ptr [<&KERNEL32.CloseHandl>; kernel32.CloseHandle
004C0C0E    EB 0F           jmp     short 004C0C1F                   ; on to name.e5
004C0C10    57              push    edi                              ; helper: clear the mapping (18H dwords = 60H bytes)
004C0C11    8B7D F8         mov     edi, dword ptr [ebp-8]
004C0C14    33C0            xor     eax, eax
004C0C16    B9 18000000     mov     ecx, 18
004C0C1B    F3:AB           rep     stos dword ptr es:[edi]
004C0C1D    5F              pop     edi
004C0C1E    C3              retn
004C0C1F    6A 00           push    0
004C0C21    68 80000000     push    80                               ; FILE_ATTRIBUTE_NORMAL
004C0C26    6A 03           push    3                                ; OPEN_EXISTING
004C0C28    6A 00           push    0
004C0C2A    6A 01           push    1                                ; FILE_SHARE_READ
004C0C2C    68 000000C0     push    C0000000                         ; GENERIC_READ | GENERIC_WRITE
004C0C31    68 E0E74B00     push    004BE7E0                         ; ASCII "name.e5"
004C0C36    FF15 18614800   call    dword ptr [<&KERNEL32.CreateFile>; kernel32.CreateFileA
004C0C3C    83F8 FF         cmp     eax, -1
004C0C3F    75 0C           jnz     short 004C0C4D
004C0C41    E8 CAFFFFFF     call    004C0C10                         ; no name.e5: clear the mapping
004C0C46    E9 A3000000     jmp     004C0CEE
004C0C4B    EB 03           jmp     short 004C0C50                   ; (never reached)
004C0C4D    8945 FC         mov     dword ptr [ebp-4], eax           ; hFile
004C0C50    6A 02           push    2                                ; FILE_END
004C0C52    6A 00           push    0
004C0C54    6A 00           push    0
004C0C56    FF75 FC         push    dword ptr [ebp-4]
004C0C59    FF15 04614800   call    dword ptr [<&KERNEL32.SetFilePoi>; kernel32.SetFilePointer -> file size
004C0C5F    3D C0030000     cmp     eax, 3C0                         ; must be 3C0H bytes, the same check as in patch 15
004C0C64    74 07           je      short 004C0C6D
004C0C66    E8 A5FFFFFF     call    004C0C10                         ; wrong size: clear the mapping
004C0C6B    EB 78           jmp     short 004C0CE5
004C0C6D    8B45 08         mov     eax, dword ptr [ebp+8]           ; save-slot number
004C0C70    6BC0 60         imul    eax, eax, 60                     ; slot offset = slot * 60H (no range check)
004C0C73    6A 00           push    0
004C0C75    6A 00           push    0
004C0C77    50              push    eax
004C0C78    FF75 FC         push    dword ptr [ebp-4]
004C0C7B    FF15 04614800   call    dword ptr [<&KERNEL32.SetFilePoi>; kernel32.SetFilePointer(hFile, slot*60H, NULL, FILE_BEGIN)
004C0C81    6A 00           push    0
004C0C83    8D45 F4         lea     eax, dword ptr [ebp-C]
004C0C86    50              push    eax                              ; &bytesRead
004C0C87    6A 60           push    60                               ; one slot = 60H bytes
004C0C89    FF75 F8         push    dword ptr [ebp-8]                ; read straight into the mapping at 4BE200H
004C0C8C    FF75 FC         push    dword ptr [ebp-4]
004C0C8F    FF15 14614800   call    dword ptr [<&KERNEL32.ReadFile>] ; kernel32.ReadFile
004C0C95    837D F4 60      cmp     dword ptr [ebp-C], 60            ; short read (for example a slot beyond the end of the file)?
004C0C99    74 07           je      short 004C0CA2
004C0C9B    E8 70FFFFFF     call    004C0C10                         ; clear the partially filled mapping
004C0CA0    EB 43           jmp     short 004C0CE5
004C0CA2    EB 00           jmp     short 004C0CA4
004C0CA4    8B55 F8         mov     edx, dword ptr [ebp-8]           ; EDX -> first mapping entry
004C0CA7    B9 06000000     mov     ecx, 6                           ; six entries per slot
004C0CAC    60              pushad
004C0CAD    0FB702          movzx   eax, word ptr [edx]              ; u16 general index
004C0CB0    66:0BC0         or      ax, ax
004C0CB3    74 30           je      short 004C0CE5                   ; 0 = unused: stop
004C0CB5    83C2 02         add     edx, 2
004C0CB8    8955 F4         mov     dword ptr [ebp-C], edx           ; source = name field of the entry (entry+2)
004C0CBB    48              dec     eax
004C0CBC    6BC0 48         imul    eax, eax, 48                     ; SAV general record
004C0CBF    0305 00EA4C00   add     eax, dword ptr [4CEA00]
004C0CC5    83C0 08         add     eax, 8                           ; +8: general-name field
004C0CC8    8BF8            mov     edi, eax
004C0CCA    B1 08           mov     cl, 8                            ; at most 8 bytes ...
004C0CCC    B3 09           mov     bl, 9                            ; ... padded to 9
004C0CCE    E8 C2FEFFFF     call    004C0B95
004C0CD3    83C7 26         add     edi, 26                          ; +37H: display-name field
004C0CD6    B1 0C           mov     cl, 0C                           ; at most 12 bytes ...
004C0CD8    B3 10           mov     bl, 10                           ; ... padded to 16
004C0CDA    E8 B6FEFFFF     call    004C0B95
004C0CDF    61              popad
004C0CE0    83C2 10         add     edx, 10                          ; next 16-byte entry
004C0CE3  ^ E2 C7           loopd   short 004C0CAC
004C0CE5    FF75 FC         push    dword ptr [ebp-4]
004C0CE8    FF15 08614800   call    dword ptr [<&KERNEL32.CloseHandl>; kernel32.CloseHandle
004C0CEE    C9              leave
004C0CEF    C2 0400         retn    4

         Data:

         FF 75 08 E8 06 00 00 00 E9 3D E8 00 00 90 55 8B EC 83 C4 E0 B8 00 E0 4B 00 05 00 02 00 00 89 45
         F8 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 C0 68 E8 E7 4B 00 FF 15 18 61 48 00 83 F8
         FF 75 07 E9 BE 00 00 00 EB 03 89 45 FC 6A 02 6A 00 6A 00 FF 75 FC FF 15 04 61 48 00 3D C3 EF 00
         00 0F 85 96 00 00 00 EB 3F 6A 00 6A 00 51 FF 75 FC FF 15 04 61 48 00 6A 00 8D 45 F4 50 6A 11 8D
         45 E0 50 FF 75 FC FF 15 14 61 48 00 C3 8B 75 F4 0F B6 C9 33 D2 AC 0A C0 74 05 AA FE C2 E2 F6 8A
         CB 2A CA 32 C0 F3 AA C3 8B 55 F8 B9 06 00 00 00 60 0F B7 0A 66 0B C9 74 44 49 89 4D F0 C1 E1 05
         81 C1 8C 01 00 00 E8 9E FF FF FF 8B 45 F0 6B C0 48 03 05 00 EA 4C 00 83 C0 08 8B F8 8D 45 E0 89
         45 F4 B1 08 B3 09 E8 A2 FF FF FF 83 C7 26 B1 10 B3 11 E8 96 FF FF FF 61 83 C2 10 E2 B3 FF 75 FC
         FF 15 08 61 48 00 EB 0F 57 8B 7D F8 33 C0 B9 18 00 00 00 F3 AB 5F C3 6A 00 68 80 00 00 00 6A 03
         6A 00 6A 01 68 00 00 00 C0 68 E0 E7 4B 00 FF 15 18 61 48 00 83 F8 FF 75 0C E8 CA FF FF FF E9 A3
         00 00 00 EB 03 89 45 FC 6A 02 6A 00 6A 00 FF 75 FC FF 15 04 61 48 00 3D C0 03 00 00 74 07 E8 A5
         FF FF FF EB 78 8B 45 08 6B C0 60 6A 00 6A 00 50 FF 75 FC FF 15 04 61 48 00 6A 00 8D 45 F4 50 6A
         60 FF 75 F8 FF 75 FC FF 15 14 61 48 00 83 7D F4 60 74 07 E8 70 FF FF FF EB 43 EB 00 8B 55 F8 B9
         06 00 00 00 60 0F B7 02 66 0B C0 74 30 83 C2 02 89 55 F4 48 6B C0 48 03 05 00 EA 4C 00 83 C0 08
         8B F8 B1 08 B3 09 E8 C2 FE FF FF 83 C7 26 B1 0C B3 10 E8 B6 FE FF FF 61 83 C2 10 E2 C7 FF 75 FC
         FF 15 08 61 48 00 C9 C2 04 00


;--------------------------------------------------------------------------------------------------------------------

17. [14H: Dialogue] command: general-portrait display format

004137F3   .  80F9 0A             cmp     cl, 0A                           ;  newline?
004137F6   .  74 26               je      short 0041381E
004137F8   .  80F9 2A             cmp     cl, 2A                           ;  '*' marker?
004137FB    - 0F84 FFD40A00       je      004C0D00                         ;  hook: check for the "*.N" form
00413801   .  8B55 F4             mov     edx, dword ptr [ebp-C]           ;  bytes already consumed from the EEX mapping
00413804   .  888C2A F0FBFFFF     mov     byte ptr [edx+ebp-410], cl       ;  store the character in the function's local buffer
0041380B   .  FF45 F4             inc     dword ptr [ebp-C]                ;  advance the consumed-bytes counter
0041380E   .  90                  nop
0041380F   .  90                  nop

         Data:

         80 F9 0A 74 26 80 F9 2A 0F 84 FF D4 0A 00 8B 55 F4 88 8C 2A F0 FB FF FF FF 45 F4 90 90


004C0D00    8A50 01               mov     dl, byte ptr [eax+1]
004C0D03    80FA 2E               cmp     dl, 2E                           ; '.' after the '*'?
004C0D06    75 3B                 jnz     short 004C0D43
004C0D08    8A50 03               mov     dl, byte ptr [eax+3]
004C0D0B    80FA 0A               cmp     dl, 0A                           ; in a dialogue "*.N" must be followed by a newline
004C0D0E    75 33                 jnz     short 004C0D43
004C0D10    0FB650 02             movzx   edx, byte ptr [eax+2]
004C0D14    80FA 31               cmp     dl, 31                           ; N in '1'..'6'
004C0D17    72 2A                 jb      short 004C0D43
004C0D19    80FA 36               cmp     dl, 36
004C0D1C    77 25                 ja      short 004C0D43
004C0D1E    80EA 31               sub     dl, 31                           ; entry number 0..5
004C0D21    B8 00E04B00           mov     eax, 004BE000
004C0D26    C1E2 04               shl     edx, 4                           ; *16
004C0D29    8D8410 00020000       lea     eax, dword ptr [eax+edx+200]     ; mapping entry at 4BE200H + N*16
004C0D30    0FB700                movzx   eax, word ptr [eax]              ; u16 general index
004C0D33    66:09C0               or      ax, ax
004C0D36    74 0B                 je      short 004C0D43                   ; unused entry: treat '*' as an ordinary character
004C0D38    66:48                 dec     ax                               ; 0-based general index, handed to the portrait code at 0041383C
004C0D3A    8345 FC 04            add     dword ptr [ebp-4], 4             ; skip the four bytes "*.N\n"
004C0D3E  - E9 F92AF5FF           jmp     0041383C
004C0D43  - E9 B92AF5FF           jmp     00413801                         ; back to the normal character path

         Data:

         8A 50 01 80 FA 2E 75 3B 8A 50 03 80 FA 0A 75 33 0F B6 50 02 80 FA 31 72 2A 80 FA 36 77 25 80 EA
         31 B8 00 E0 4B 00 C1 E2 04 8D 84 10 00 02 00 00 0F B7 00 66 09 C0 74 0B 66 48 83 45 FC 04 E9 F9
         2A F5 FF E9 B9 2A F5 FF


17. Command format when reading from the EEX script mapping ("*.N" substitution)

004179C3   .  80FA 2A             cmp     dl, 2A                           ;  '*' marker?
004179C6    - 0F84 84930A00       je      004C0D50                         ;  hook: check for the "*.N" form
004179CC   .  80FA 20             cmp     dl, 20
004179CF   .  7D 37               jge     short 00417A08                   ;  printable: normal character path
004179D1   .  80FA 0A             cmp     dl, 0A
004179D4   .  75 14               jnz     short 004179EA
004179D6   .  90                  nop
004179D7   .  90                  nop
004179D8   .  90                  nop
004179D9   .  90                  nop
004179DA   .  90                  nop

         Data:

         80 FA 2A 0F 84 84 93 0A 00 80 FA 20 7D 37 80 FA 0A 75 14 90 90 90 90 90


004C0D50    8A51 01               mov     dl, byte ptr [ecx+1]
004C0D53    80FA 2E               cmp     dl, 2E                           ; '.' after the '*'?
004C0D56    75 4C                 jnz     short 004C0DA4
004C0D58    8A51 02               mov     dl, byte ptr [ecx+2]
004C0D5B    80FA 31               cmp     dl, 31                           ; N in '1'..'6'
004C0D5E    72 44                 jb      short 004C0DA4
004C0D60    80FA 36               cmp     dl, 36
004C0D63    77 3F                 ja      short 004C0DA4
004C0D65    80EA 31               sub     dl, 31                           ; entry number 0..5
004C0D68    B8 00E04B00           mov     eax, 004BE000
004C0D6D    C1E2 04               shl     edx, 4
004C0D70    8D8410 00020000       lea     eax, dword ptr [eax+edx+200]     ; mapping entry at 4BE200H + N*16
004C0D77    66:8B08               mov     cx, word ptr [eax]               ; u16 general index
004C0D7A    66:09C9               or      cx, cx
004C0D7D    74 25                 je      short 004C0DA4                   ; unused entry: leave the text as it is
004C0D7F    83C0 02               add     eax, 2                           ; name field
004C0D82    57                    push    edi
004C0D83    56                    push    esi
004C0D84    8BF0                  mov     esi, eax
004C0D86    8B7D 08               mov     edi, dword ptr [ebp+8]           ; output position
004C0D89    B9 0C000000           mov     ecx, 0C                          ; at most 12 name bytes
004C0D8E    AC                    lods    byte ptr [esi]
004C0D8F    08C0                  or      al, al                           ; stop at NUL
004C0D91    74 03                 je      short 004C0D96
004C0D93    AA                    stos    byte ptr es:[edi]
004C0D94  ^ E2 F8                 loopd   short 004C0D8E
004C0D96    897D 08               mov     dword ptr [ebp+8], edi           ; advance the output position
004C0D99    8345 0C 03            add     dword ptr [ebp+C], 3             ; consume the three input bytes "*.N"
004C0D9D    5E                    pop     esi
004C0D9E    5F                    pop     edi
004C0D9F  - E9 106CF5FF           jmp     004179B4                         ; continue with the next input byte
004C0DA4  - E9 5F6CF5FF           jmp     00417A08                         ; normal character path
004C0DA9    90                    nop

         Data:

         8A 51 01 80 FA 2E 75 4C 8A 51 02 80 FA 31 72 44 80 FA 36 77 3F 80 EA 31 B8 00 E0 4B 00 C1 E2 04
         8D 84 10 00 02 00 00 66 8B 08 66 09 C9 74 25 83 C0 02 57 56 8B F0 8B 7D 08 B9 0C 00 00 00 AC 08
         C0 74 03 AA E2 F8 89 7D 08 83 45 0C 03 5E 5F E9 10 6C F5 FF E9 5F 6C F5 FF 90
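The file and record layout that patches 14 to 17 share, plus the "*.N" substitution the EEX-reader hook performs, reimplemented in Python as an added example (not the mod's own code). Every size and offset below comes from the listings (name.e5: 3C0H bytes = 10 slots of 60H, six 16-byte entries per slot; Data.e5: 20H-byte name records from 18CH; SAV record: 48H bytes with name fields at +08H and +37H). The slot contents, names and file images are constructed for the example, and the ASCII names stand in for the Chinese names the game actually stores.

```python
# Added example (not the mod's own code): the file/record layout that patches 14-17
# agree on, and the "*.N" substitution of the EEX reader hook, in Python.
# All sizes and offsets come from the listings; the sample data is constructed here.
import struct

NAME_E5_SIZE = 0x3C0      # patches 15/16 insist on exactly 3C0H bytes = 10 slots * 60H
SLOT_SIZE = 0x60          # one save slot: 6 entries of 16 bytes
ENTRY_SIZE = 0x10         # u16 general index (1-based, 0 = unused) + 14-byte name field
NAME_MAX = 12             # at most 12 name bytes are ever copied (cl = 0C)
DATA_E5_SIZE = 0xEFC3     # size check in patch 16
DATA_E5_NAMES = 0x18C     # first 20H-byte name record; 11H bytes are read per general
SAV_RECORD = 0x48         # one general in the table at [4CEA00]
SAV_NAME, SAV_DISPLAY = 0x08, 0x37   # short-name and display-name fields in that record


def copy_pad(src: bytes, max_copy: int, total: int) -> bytes:
    """The CL/BL helper (004C0923, 004C0B95): copy up to max_copy bytes, stop at the
    first NUL, then zero-fill so exactly `total` bytes are written."""
    return src[:max_copy].split(b"\0", 1)[0].ljust(total, b"\0")


def parse_slot(name_e5: bytes, slot: int) -> list:
    """Return the six (index, name) entries of a save slot, names NUL-trimmed."""
    if len(name_e5) != NAME_E5_SIZE:
        raise ValueError(f"name.e5 must be {NAME_E5_SIZE:#x} bytes, got {len(name_e5):#x}")
    if not 0 <= slot < NAME_E5_SIZE // SLOT_SIZE:
        raise ValueError("slot must be 0..9; the patch itself does not range-check it")
    entries = []
    for i in range(SLOT_SIZE // ENTRY_SIZE):
        off = slot * SLOT_SIZE + i * ENTRY_SIZE
        (index,) = struct.unpack_from("<H", name_e5, off)
        entries.append((index, name_e5[off + 2:off + ENTRY_SIZE].split(b"\0", 1)[0]))
    return entries


def build_slot(entries) -> bytes:
    """Pack up to six (index, name) pairs the way patch 14 stores them
    (entry+0 index, entry+2 name of at most 12 bytes padded to 14)."""
    if len(entries) > SLOT_SIZE // ENTRY_SIZE:
        raise ValueError("at most six entries per slot")
    out = bytearray(SLOT_SIZE)
    for i, (index, name) in enumerate(entries):
        if not 0 <= index <= 0xFFFF or len(name) > NAME_MAX:
            raise ValueError(f"bad entry {i}: index must fit u16, name at most {NAME_MAX} bytes")
        struct.pack_into("<H", out, i * ENTRY_SIZE, index)
        out[i * ENTRY_SIZE + 2:(i + 1) * ENTRY_SIZE] = copy_pad(name, NAME_MAX, ENTRY_SIZE - 2)
    return bytes(out)


def expand_script(text: bytes, entries) -> bytes:
    """What the hook at 004C0D50 does to script text: '*.N' (N = '1'..'6') becomes the
    name of entry N-1, up to 12 bytes; an unused entry (index 0) leaves the token alone."""
    out, i = bytearray(), 0
    while i < len(text):
        if (text[i] == 0x2A and i + 2 < len(text) and text[i + 1] == 0x2E
                and 0x31 <= text[i + 2] <= 0x36):
            index, name = entries[text[i + 2] - 0x31]
            if index:
                out += name.split(b"\0", 1)[0][:NAME_MAX]
                i += 3
                continue
        out.append(text[i])
        i += 1
    return bytes(out)


def apply_name_to_sav(record: bytearray, name: bytes, display_copy: int, display_pad: int) -> bytearray:
    """Write a name into a 48H-byte SAV record: +08H gets up to 8 bytes padded to 9; +37H gets
    display_copy bytes padded to display_pad (12/16 from name.e5, 16/17 when restoring from Data.e5)."""
    record[SAV_NAME:SAV_NAME + 9] = copy_pad(name, 8, 9)
    record[SAV_DISPLAY:SAV_DISPLAY + display_pad] = copy_pad(name, display_copy, display_pad)
    return record


def data_e5_name(data_e5: bytes, index: int) -> bytes:
    """The 11H bytes patch 16 reads back for 1-based general `index` when restoring."""
    if len(data_e5) != DATA_E5_SIZE:
        raise ValueError("Data.e5 has an unexpected size; the patch would skip the restore")
    off = DATA_E5_NAMES + (index - 1) * 0x20
    return data_e5[off:off + 0x11]


if __name__ == "__main__":
    blob = bytearray(NAME_E5_SIZE)            # constructed, empty name.e5
    blob[2 * SLOT_SIZE:3 * SLOT_SIZE] = build_slot([(5, b"Zhuge"), (12, b"Xiahou Dun")])
    print(expand_script(b"&*.1\n*.2 arrives, *.3 stays\n", parse_slot(bytes(blob), 2)))
```

parse_slot returns all six entries; the loader in patch 16 stops at the first entry whose index is 0, so anything placed after an empty entry is never applied in-game, and build_slot should be fed entries in the order they are meant to be used.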


18. [1AH: Show victory] command: data format

0044BF23   .  0FB602              movzx   eax, byte ptr [edx]
0044BF26   .  84C0                test    al, al
0044BF28   .  74 37               je      short 0044BF61
0044BF2A   .  3C 2A               cmp     al, 2A                           ;  '*' marker?
0044BF2C    - 0F84 834E0700       je      004C0DB5                         ;  hook: check for the "*.N" form
0044BF32   .  3C 0A               cmp     al, 0A                           ;  is the byte just fetched a newline?
0044BF34   .  75 0E               jnz     short 0044BF44
0044BF36   .  90                  nop
0044BF37   .  90                  nop
0044BF38   .  90                  nop

         Data:

         0F B6 02 84 C0 74 37 3C 2A 0F 84 83 4E 07 00 3C 0A 75 0E 90 90 90


004C0DB0  - E9 8FB1F8FF           jmp     0044BF44                         ; not a "*.N" form: back to the normal path
004C0DB5    8A42 01               mov     al, byte ptr [edx+1]
004C0DB8    3C 2E                 cmp     al, 2E                           ; '.' after the '*'?
004C0DBA  ^ 75 F4                 jnz     short 004C0DB0
004C0DBC    8A42 02               mov     al, byte ptr [edx+2]
004C0DBF    3C 31                 cmp     al, 31                           ; N in '1'..'6'
004C0DC1  ^ 72 ED                 jb      short 004C0DB0
004C0DC3    3C 36                 cmp     al, 36
004C0DC5  ^ 77 E9                 ja      short 004C0DB0
004C0DC7    2C 31                 sub     al, 31                           ; entry number 0..5
004C0DC9    B9 00E04B00           mov     ecx, 004BE000
004C0DCE    C1E0 04               shl     eax, 4
004C0DD1    8D8408 00020000       lea     eax, dword ptr [eax+ecx+200]     ; mapping entry at 4BE200H + N*16
004C0DD8    66:8B08               mov     cx, word ptr [eax]               ; u16 general index
004C0DDB    66:09C9               or      cx, cx
004C0DDE  ^ 74 D0                 je      short 004C0DB0                   ; unused entry
004C0DE0    83C0 02               add     eax, 2                           ; name field
004C0DE3    57                    push    edi
004C0DE4    56                    push    esi
004C0DE5    8BF0                  mov     esi, eax
004C0DE7    8BF8                  mov     edi, eax
004C0DE9    33C9                  xor     ecx, ecx
004C0DEB    AC                    lods    byte ptr [esi]                   ; first pass: CL = strlen(name); leaves AL = 0
004C0DEC    08C0                  or      al, al
004C0DEE    74 04                 je      short 004C0DF4
004C0DF0    FEC1                  inc     cl
004C0DF2  ^ EB F7                 jmp     short 004C0DEB
004C0DF4    8AD1                  mov     dl, cl                           ; DL = name length
004C0DF6    024D E4               add     cl, byte ptr [ebp-1C]            ; + bytes already on the current line
004C0DF9    80F9 1D               cmp     cl, 1D                           ; would the line exceed 1DH bytes?
004C0DFC    73 20                 jnb     short 004C0E1E                   ; yes: pop and jmp eax (see the note after this listing)
004C0DFE    8BF7                  mov     esi, edi
004C0E00    0FB645 E4             movzx   eax, byte ptr [ebp-1C]
004C0E04    8D7C28 C4             lea     edi, dword ptr [eax+ebp-3C]      ; EDI -> current end of the line buffer at [ebp-3C]
004C0E08    AC                    lods    byte ptr [esi]                   ; second pass: append the name
004C0E09    08C0                  or      al, al
004C0E0B    74 03                 je      short 004C0E10
004C0E0D    AA                    stos    byte ptr es:[edi]
004C0E0E  ^ EB F8                 jmp     short 004C0E08
004C0E10    0055 E4               add     byte ptr [ebp-1C], dl            ; line length += name length
004C0E13    8345 08 03            add     dword ptr [ebp+8], 3             ; consume the three input bytes "*.N"
004C0E17    B8 F5BE4400           mov     eax, 0044BEF5
004C0E1C    EB 02                 jmp     short 004C0E20                   ; skips the two pops below
004C0E1E    5E                    pop     esi
004C0E1F    5F                    pop     edi
004C0E20    FFE0                  jmp     eax

         Two things to check in this hook before reusing it. On the path where the name would not fit
         (CL >= 1DH at 004C0DFC) the code pops ESI/EDI and executes `jmp eax`, but EAX at that point is
         the name pointer with its low byte zeroed by the last `lods`, not a code address. On the path
         where the name does fit, `jmp short 004C0E20` bypasses the two pops, so ESI/EDI stay on the
         stack when control reaches 0044BEF5; that is harmless only if the function restores ESP from
         EBP before returning.

         Data:

         E9 8F B1 F8 FF 8A 42 01 3C 2E 75 F4 8A 42 02 3C 31 72 ED 3C 36 77 E9 2C 31 B9 00 E0 4B 00 C1 E0
         04 8D 84 08 00 02 00 00 66 8B 08 66 09 C9 74 D0 83 C0 02 57 56 8B F0 8B F8 33 C9 AC 08 C0 74 04
         FE C1 EB F7 8A D1 02 4D E4 80 F9 1D 73 20 8B F7 0F B6 45 E4 8D 7C 28 C4 AC 08 C0 74 03 AA EB F8
         00 55 E4 83 45 08 03 B8 F5 BE 44 00 EB 02 5E 5F FF E0


19. [18H: Event setup] command: data format

0040BB4B      B8 28114A00         mov     eax, 004A1128                    ;  address of the command data in the EEX script mapping
0040BB50      50                  push    eax
0040BB51      FF75 08             push    dword ptr [ebp+8]
0040BB54      50                  push    eax                              ;  the same address is passed twice
0040BB55      E8 4BBE0000         call    004179A5                         ;  the reader routine that contains the 004179C3 hook
0040BB5A      90                  nop
0040BB5B      90                  nop
0040BB5C      90                  nop
0040BB5D      90                  nop
0040BB5E      90                  nop
0040BB5F      90                  nop
0040BB60  |.  E8 AAA90600         call    0047650F
0040BB65      90                  nop
0040BB66      90                  nop
0040BB67      90                  nop
0040BB68      90                  nop
0040BB69      90                  nop
0040BB6A      90                  nop
0040BB6B      90                  nop

         Data:

         B8 28 11 4A 00 50 FF 75 08 50 E8 4B BE 00 00 90 90 90 90 90 90 E8 AA A9 06 00 90 90 90 90 90 90
         90

;--------------------------------------------------------------------------------------------------------------------