(SafeDisc 2) Red Alert 2: breaking the software copy-protection part
CrackBy: machoman[CCG]
All Rights Reserved: [CCG] (China Crack Group)
Other programs protected with SD2 use a similar scheme. Dealing with this protection by cracking is frankly uncomfortable; intercepting its commands at the driver level is the simplest way to handle SD2.
The Red Alert 2 installer setup.exe and the executable ra2.exe use several anti-copy measures. The SafeDisc 2 anti-copy code is embedded in them, together with an unknown packer. Under the protection of that packer, a chain of protective wrapper programs and transformed external DLL files restore the program piece by piece, and anti-debugging measures are built in as well. The sections below work through each of these protection layers to find the fully restored image of the program and rebuild it as an executable with no packer, no anti-debug checks, and no SafeDisc 2 calls. I tried to complete this rebuild of the unpacked program through the following steps.
1.) First load ra2.exe into TRW 1.03,
then trace to the point where the program is fully restored; in this program the decryption/restoration point is at absolute address 40787f. Suspend the program with suspend,
then save the in-memory image to a file with pdump 1.60. This gives the unpacked image of the program, but it is not yet executable: the program has
destroyed its import table, so it cannot load external dynamic link libraries.
Next the import table must be rebuilt so the program can find its entry points. The import table of this program is also encrypted: the decryption of the import table
is placed inside ~df349b.tmp, where the import table is reassembled. In fact only the import tables for kernel32.dll and user32.dll
are encrypted; when ra2.exe calls functions in those two DLLs it must go through ~df349b.tmp to reach them indirectly.
But ~df349b.tmp (really ~df349b.dll) is itself packed with an unknown packer and also anti-debug, so the only way is to
rebuild an import table yourself, skip the call into it, and re-establish the mapping for the calls in ra2.exe.
The steps to rebuild the import table are as follows.
(1) First search the dumped file for the string kernel32.dll, whose import needs to be rebuilt. Several positions are found in the file;
the one at 0131a4 is the content pointed to by the IMAGE_IMPORT_DESCRIPTOR.Name pointer of the import table. From that,
the correct import table position in ra2.exe is found at 12cd8: this is where the program's array of IMAGE_IMPORT_DESCRIPTOR
structures begins. Then change the second entry of the IMAGE_DATA_DIRECTORY, i.e. the import table address, to 12cd8, and some of the imported
functions can be found: all functions except those in kernel32.dll and user32.dll are located correctly, but the RVAs for those two DLLs are all
wrong. It seems the program reassembles this part of the imports by hand; the reassembly code runs inside ~df349b.tmp, which
is itself packed and encrypted and very tedious to unpack. The best approach is to skip the call into this DLL and rebuild its RVAs yourself, but I do not
understand the PE loading mechanism well enough, so I cannot rebuild it properly yet, and what I rebuild does not correspond fully. However, once the import table rebuild is complete,
the software copy-protection is broken. It should then no longer impose the hardware requirement, and a SafeDisc 2 encrypted disc should also be readable, because once unpacking is done
the detection code has already been skipped.
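The step above locates the descriptor array by hand. As an added example (not part of the original write-up and not a CCG tool), the Python below parses a PE import directory the way a dumped memory image presents it and automates the same search: find the DLL name string, find the IMAGE_IMPORT_DESCRIPTOR whose Name field points at it, then walk back to the first descriptor of the array, which is the value that belongs in IMAGE_DATA_DIRECTORY[1]. The image it works on is constructed in build_sample_image(): the RVAs 0x100/0x200/0x300 and the function choices are made up for the example, only the hint/ordinal numbers 00F8h and 01AFh are reused from the W32Dasm references later in this text. It assumes the dump is laid out so that file offset equals RVA, as a pdump memory image is.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk (20 bytes)
IMPORT_DESCRIPTOR = struct.Struct("<IIIII")
IMAGE_ORDINAL_FLAG32 = 0x80000000


def read_cstring(image, rva):
    """NUL-terminated ASCII string at the given RVA of a memory image."""
    end = image.index(b"\0", rva)
    return image[rva:end].decode("ascii")


def parse_import_directory(image, import_rva):
    """Walk the descriptor array at import_rva and return {dll_name: [function, ...]}.

    `image` is a memory dump laid out as in the process (offset == RVA), so the
    RVAs stored in the descriptors can be used directly as offsets.
    """
    imports = {}
    off = import_rva
    while True:
        oft, _stamp, _fwd, name_rva, ft = IMPORT_DESCRIPTOR.unpack_from(image, off)
        if name_rva == 0 and ft == 0:          # all-zero descriptor terminates the array
            break
        # Prefer the INT (OriginalFirstThunk): it keeps the names even after the
        # loader has overwritten the IAT (FirstThunk) with resolved addresses.
        thunk = oft or ft
        names = []
        while True:
            entry, = struct.unpack_from("<I", image, thunk)
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                names.append("#%d" % (entry & 0xFFFF))        # import by ordinal
            else:
                names.append(read_cstring(image, entry + 2))  # IMAGE_IMPORT_BY_NAME: WORD hint, then name
            thunk += 4
        imports[read_cstring(image, name_rva)] = names
        off += IMPORT_DESCRIPTOR.size
    return imports


def _looks_like_descriptor(image, off):
    """Heuristic for hunting the array: Name must point at a '.dll' string and FirstThunk be set."""
    if off < 0 or off + IMPORT_DESCRIPTOR.size > len(image):
        return False
    _, _, _, name_rva, ft = IMPORT_DESCRIPTOR.unpack_from(image, off)
    if ft == 0 or not 0 < name_rva < len(image):
        return False
    end = image.find(b"\0", name_rva)
    return end > name_rva and image[name_rva:end].lower().endswith(b".dll")


def locate_import_directory(image, dll_name):
    """Mirror the manual search in the text: DLL name string -> descriptor whose Name
    points at it -> first descriptor of the array. Returns that RVA or None."""
    name_rva = image.find(dll_name + b"\0")
    if name_rva < 0:
        return None
    needle = struct.pack("<I", name_rva)
    pos = image.find(needle)
    while pos >= 0:
        desc = pos - 12                       # Name is the 4th dword of the descriptor
        if _looks_like_descriptor(image, desc):
            while _looks_like_descriptor(image, desc - IMPORT_DESCRIPTOR.size):
                desc -= IMPORT_DESCRIPTOR.size
            return desc
        pos = image.find(needle, pos + 1)
    return None


def build_sample_image():
    """Constructed 1 KiB memory image (not taken from ra2.exe) with a two-DLL import
    directory at RVA 0x100; hint 0x00F8 and ordinal 0x1AF come from the listings."""
    img = bytearray(0x400)

    def put(rva, data):
        img[rva:rva + len(data)] = data

    put(0x200, b"KERNEL32.dll\0")
    put(0x210, b"USER32.dll\0")
    put(0x220, struct.pack("<H", 0x00F8) + b"GetLogicalDriveStringsA\0")   # IMAGE_IMPORT_BY_NAME
    put(0x240, struct.pack("<H", 0x0000) + b"GetDriveTypeA\0")
    put(0x250, struct.pack("<H", 0x008A) + b"DestroyWindow\0")
    put(0x300, struct.pack("<III", 0x220, 0x240, 0))                         # KERNEL32 INT
    put(0x310, struct.pack("<III", 0x250, IMAGE_ORDINAL_FLAG32 | 0x1AF, 0))  # USER32 INT, one by ordinal
    put(0x320, img[0x300:0x30C])                                             # IAT copies (unresolved)
    put(0x330, img[0x310:0x31C])
    put(0x100, IMPORT_DESCRIPTOR.pack(0x300, 0, 0, 0x200, 0x320))
    put(0x114, IMPORT_DESCRIPTOR.pack(0x310, 0, 0, 0x210, 0x330))
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    start = locate_import_directory(image, b"USER32.dll")
    print("import directory at RVA %#x" % start)
    for dll, funcs in parse_import_directory(image, start).items():
        print(dll, funcs)
```

On the real dump, locate_import_directory(image, b"kernel32.dll") is the automated form of the 0131a4 to 12cd8 step; the heuristic in _looks_like_descriptor is what stops the walk-back at the first real descriptor, so a false hit on a stray dword equal to the name RVA is rejected rather than reported.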
There is one very strange thing: at the position where I set the unpacking breakpoint, I also dumped a very odd file. This file seems
to complement the import table I was looking for above: its import table is complete, but the program is only a partial image and cannot run. With static disassembly I had already
found the entry points of all the functions I call, but I still do not fully understand the import_table structure, and when I go looking for this file's
entry structure it is odd and I cannot find it. I have a feeling this program is decrypted and loaded in segments for execution, and all the tmp files are temporary executable
images; once the relationship between these two is understood, a complete unpack should be only one step away, but right now I cannot connect the two...
After this the program can skip the SoftICE and SafeDisc 2 checks, but it still cannot copy the physical sector structure of the disc;
this only bypasses the software part of the check, and defeating the disc copy protection still requires further study of the SafeDisc 2 structure.
In a SafeDisc 2 encrypted file there are two ways of hooking into the import table. The first is the one used in ra2.exe: apart from the position of the import table being changed, nothing else
is altered, so that part can be fixed simply by pointing it back to the correct location. SafeDisc 2 handles this part as follows: it first changes the
program's import table position to the entry of the encrypted DLL, and in the encrypted DLL the following code first pushes the program's environment onto the stack to preserve it, then enters the encrypted
part and hooks into the core module.
(2) In the already-dumped program there are also cases where some import parameters are not called directly: a jmp instruction jumps to the location
below, which switches into the external DLL. This also leaves the code unreadable after it returns; only by reconstructing these calls too can
the code be fully restored. It uses a separate jump for each one, and there are many such jmps and hooks, which is really annoying!!! Every one of them has to be
knocked out before it can be rebuilt; this protection makes a great deal of work for the decryption.
/*********************************************************************************************/
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C488(U)
|
:0041B025 53 push ebx                       // ebx here should be the code-segment descriptor of the external DLL
:0041B026 E800000000 call 0041B02B          // the purpose of this call is to push EIP onto the stack
* Referenced by a CALL at Address:
|:0041B026
|
:0041B02B 870424 xchg dword ptr [esp], eax  // eax now holds the new EIP, exchanged with the value on the stack
:0041B02E 9C pushfd                         // push the 32-bit flags
:0041B02F 05D5FFFFFF add eax, FFFFFFD5      // EIP-2bh = 41b02b-2bh = 41b000; every stub locates this address
:0041B034 8B18 mov ebx, dword ptr [eax]     // load the dword at that location into ebx
:0041B036 6BDB01 imul ebx, 00000001
:0041B039 035804 add ebx, dword ptr [eax+04] // 41b004 should hold the base address of the entry DLL
:0041B03C 9D popfd
:0041B03D 58 pop eax
:0041B03E 871C24 xchg dword ptr [esp], ebx  // change the return target: this is actually the switch into the DLL
:0041B041 C3 ret                            // enter the DLL and call the function; quite a strong protection!!!!!!
/*********************************************************************************************/
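To make the comments above concrete, the following Python is an added example (not from the original write-up) that executes one of these stubs symbolically, with a list standing in for the stack. The two dwords at 0041B000 are taken from the .stxt744 listing at the end of this text (4B 03 00 00 DB 63 0D 01, which W32Dasm mis-decoded as instructions); the names stride, base and the function names are my own. It shows that every stub returns into [41B000]*index + [41B004] and arrives there with eax, ebx and the flags exactly as they were, which is why the call sites see nothing but a jump.

```python
import struct

# The 8 bytes at 0041B000 as shown in the .stxt744 dump: 4B 03 00 00 DB 63 0D 01
STUB_TABLE_VA = 0x0041B000
STUB_TABLE = bytes.fromhex("4B030000DB630D01")
MASK = 0xFFFFFFFF


def table_fields(table=STUB_TABLE):
    """(stride, base): the two dwords the stubs read at [eax] and [eax+4]."""
    return struct.unpack("<II", table[:8])


def emulate_stub(return_va, disp, index, eax, ebx, table=STUB_TABLE, table_va=STUB_TABLE_VA):
    """Execute one stub symbolically.

    return_va: address pushed by the stub's `call` (the instruction after it)
    disp:      immediate of `add eax, imm32` (0xFFFFFFD5 for the stub at 0041B025)
    index:     immediate of `imul ebx, imm8`
    Returns (ret_target, eax_after, ebx_after, leftover_stack_depth).
    """
    stride, base = table_fields(table)
    memory = {table_va: stride, table_va + 4: base}
    stack = []
    stack.append(ebx)                         # push ebx
    stack.append(return_va)                   # call next -> pushes EIP of the following instruction
    stack[-1], eax = eax, stack[-1]           # xchg [esp], eax : eax = EIP, old eax parked on the stack
    stack.append("EFLAGS")                    # pushfd (flags survive the add/imul below)
    eax = (eax + disp) & MASK                 # add eax, disp -> must land on the table at 0041B000
    if eax not in memory:
        raise ValueError("stub displacement does not reach the table: %#x" % eax)
    ebx = memory[eax]                         # mov ebx, [eax]     (stride)
    ebx = (ebx * index) & MASK                # imul ebx, index
    ebx = (ebx + memory[eax + 4]) & MASK      # add ebx, [eax+4]   (base)
    stack.pop()                               # popfd
    eax = stack.pop()                         # pop eax            (original eax restored)
    stack[-1], ebx = ebx, stack[-1]           # xchg [esp], ebx    (target replaces saved ebx, ebx restored)
    target = stack.pop()                      # ret -> control goes to target
    return target, eax, ebx, len(stack)


def stub_target(index, table=STUB_TABLE):
    """Closed form of what the stub computes: base + index * stride."""
    stride, base = table_fields(table)
    return (base + index * stride) & MASK


if __name__ == "__main__":
    # Stub at 0041B025: call pushes 0041B02B, add eax,FFFFFFD5 (-0x2B), imul ebx,1
    print("%#010x" % emulate_stub(0x0041B02B, 0xFFFFFFD5, 1, 0x11111111, 0x22222222)[0])
    # Stub at 0041B19E: call pushes 0041B1A4, add eax,FFFFFE5C (-0x1A4), imul ebx,0Eh
    print("%#010x" % emulate_stub(0x0041B1A4, 0xFFFFFE5C, 0x0E, 0, 0)[0])
```

With the table values from the dump the stride is 0x34B and the base 0x010D63DB, so the fifteen stubs in the section land at fifteen equally spaced entry points; the ValueError branch is the sanity check that a stub's displacement really points back at the table, which is what distinguishes a genuine stub from code that merely looks similar.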
Red Alert 2: before installation and execution the program first creates a subdirectory ~ef87a under the system's windows\temp; it holds several temporary
files, among which ~df394b.tmp is really a dynamic link library, ~df394b.dll, containing code that checks for the presence of a debugger. To trace it
these protections must be knocked out. Files of this kind are deleted when the program exits. Below is its method of detecting SoftICE.
Kill_ice (1)
/***********************************************************************************************/
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000F415(C), :1000F419(C)
|
:1000F41E EB03 jmp 1000F423
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000F413(C)
|
:1000F420 73F3 jnb 1000F415
:1000F422 18C7 sbb bh, al
:1000F424 45 inc ebp
:1000F425 FC cld
:1000F426 00000000 BYTE 4 DUP(0)
;This method of detection of SoftICE (as well as the following one) is
;used by the majority of packers/encryptors found on Internet.
;It seeks the signature of BoundsChecker in SoftICE
:1000F42A 55 push ebp
:1000F42B BD4B484342 mov ebp, 4243484B ; 'BCHK'
:1000F430 B804000000 mov eax, 00000004
:1000F435 CC int 03                          // this is one way of detecting SoftICE
:1000F436 5D pop ebp
:1000F437 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:1000F43E EB14 jmp 1000F454
:1000F440 8B55EC mov edx, dword ptr [ebp-14]
:1000F443 52 push edx
:1000F444 E8E7000000 call 1000F530
:1000F449 C3 ret
Kill_ice (2)
/***********************************************************************************************/
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000E493(C), :1000E4AF(U)
|
:1000E4A8 8BFF mov edi, edi
:1000E4AA 7006 jo 1000E4B2
:1000E4AC 90 nop
:1000E4AD 7103 jno 1000E4B2
:1000E4AF EBF7 jmp 1000E4A8
:1000E4B1 DBE8 fucomi st(0), st(0)
:1000E4B3 C9 leave
:1000E4B4 000000 BYTE 3 DUP(0)
//Method of detection of the WinICE handler in the int68h (V86)
// mov ah,43h
// int 68h
// cmp ax,0F386h
// jz SoftICE_Detected
:1000E4B7 25FFFF0000 and eax, 0000FFFF
:1000E4BC 85C0 test eax, eax
:1000E4BE 7522 jne 1000E4E2
:1000E4C0 60 pushad
:1000E4C1 33C0 xor eax, eax
:1000E4C3 66B80043 mov ax, 4300
:1000E4C7 CD68 int 68
:1000E4C9 89855CFFFFFF mov dword ptr [ebp+FFFFFF5C], eax
:1000E4CF 3D00430000 cmp eax, 00004300
:1000E4D4 740B je 1000E4E1
:1000E4D6 B801000000 mov eax, 00000001
:1000E4DB 898560FFFFFF mov dword ptr [ebp+FFFFFF60], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000E4D4(C)
|
:1000E4E1 61 popad
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000E4BE(C)
|
:1000E4E2 33D2 xor edx, edx
:1000E4E4 83BD60FFFFFF00 cmp dword ptr [ebp+FFFFFF60], 00000000
:1000E4EB 0F95C2 setne dl
:1000E4EE 668955FC mov word ptr [ebp-04], dx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000E43E(C)
|
:1000E4F2 EB07 jmp 1000E4FB
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000E4FB(U)
|
:1000E4F4 8BFF mov edi, edi
:1000E4F6 7806 js 1000E4FE
:1000E4F8 90 nop
:1000E4F9 7903 jns 1000E4FE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000E4F2(U)
|
:1000E4FB EBF7 jmp 1000E4F4
:1000E4FD 3A7F09 cmp bh, byte ptr [edi+09]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000E50B(C)
|
:1000E500 90 nop
:1000E501 87DB xchg ebx, ebx
:1000E503 7809 js 1000E50E
:1000E505 87D2 xchg edx, edx
:1000E507 7905 jns 1000E50E
:1000E509 7700 ja 1000E50B
Kill_ice (3)
/***********************************************************************************************/
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1001094C(C), :10010950(C)
|
:10010955 EB03 jmp 1001095A
:10010957 70F3 jo 1001094C
:10010959 0B6A00 or ebp, dword ptr [edx+00]
:1001095C 6880000000 push 00000080
:10010961 6A03 push 00000003
:10010963 6A00 push 00000000
:10010965 6A03 push 00000003
:10010967 68000000C0 push C0000000
:1001096C 8B955CFFFFFF mov edx, dword ptr [ebp+FFFFFF5C]   // checks whether SoftICE is present under Win98
:10010972 52 push edx                                     // \\.\SICE
:10010973 FF954CFFFFFF call dword ptr [ebp+FFFFFF4C]      // this is actually a call to the API CreateFileA
:10010979 898548FFFFFF mov dword ptr [ebp+FFFFFF48], eax  // if SoftICE is present, eax != -1 here
:1001097F EB07 jmp 10010988
Kill_ice (4)
/***********************************************************************************************/
// In the code below the int 05 entry of the interrupt descriptor table (IDT) is modified and taken over by this program
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100081EA(C)
|
:100081F7 73F3 jnb 100081EC
:100081F9 82C745 add bh, 45
:100081FC FC cld
:100081FD 00000000 BYTE 4 DUP(0)
:10008201 60 pushad
:10008202 9C pushfd
:10008203 0F014DDC sidt [ebp-24]                          // read the interrupt descriptor table register (idtr)
:10008207 8B5DDE mov ebx, dword ptr [ebp-22]              // extract the IDT base address
:1000820A 039D38FFFFFF add ebx, dword ptr [ebp+FFFFFF38]  // locate the int 05 entry: base+0x28
:10008210 8BBD2CFFFFFF mov edi, dword ptr [ebp+FFFFFF2C]  // the original interrupt vector is saved in this cell
:10008216 8BF3 mov esi, ebx                               // save the original int 05 descriptor so it can be restored on exit
:10008218 A5 movsd
:10008219 A5 movsd
:1000821A FA cli                                          // disable interrupts
:1000821B 8BFB mov edi, ebx                               // hook Red Alert's own int 05 descriptor into the IDT
:1000821D 8B75E4 mov esi, dword ptr [ebp-1C]              // address of the descriptor modified by Red Alert
:10008220 A5 movsd
:10008221 A5 movsd
:10008222 FB sti                                          // enable interrupts; they are open for this one instruction only. What is it for?
:10008223 FA cli                                          // disable interrupts
:10008224 8BFB mov edi, ebx                               // restore the original interrupt vector
:10008226 8BB52CFFFFFF mov esi, dword ptr [ebp+FFFFFF2C]  // and immediately restore the interrupt!
:1000822C A5 movsd
:1000822D A5 movsd
:1000822E FB sti
:1000822F 9D popfd
:10008230 61 popad
:10008231 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:10008238 E99E000000 jmp 100082DB
:1000823D B801000000 mov eax, 00000001
:10008242 C3 ret
/***********************************************************************************************/
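All four checks above are recognisable from their opcode bytes, which is how an analyst triages a binary for anti-debugging code without running it. The Python below is an added example (not part of the original text) that scans a byte blob for the four signatures exactly as they appear in the listings: the BCHK int 3 sequence, the int 68h probe, the \\.\SICE device name passed to CreateFileA, and a sidt to memory that precedes the int 05 hook. The descriptions and the sample blob assembled in build_sample_blob() are constructed for the example, not dumped from ~df394b.tmp.

```python
import re

# Byte signatures lifted from the Kill_ice (1)-(4) listings above: literal opcode
# sequences as W32Dasm printed them, not reconstructions.
SIGNATURES = [
    ("BoundsChecker/SoftICE backdoor: mov ebp,'BCHK'; mov eax,4; int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42\xB8\x04\x00\x00\x00\xCC")),
    ("SoftICE V86 handler probe: mov ax,4300h; int 68h",
     re.compile(rb"\x66\xB8\x00\x43\xCD\x68")),
    ("SoftICE device name for CreateFileA: \\\\.\\SICE",
     re.compile(re.escape(b"\\\\.\\SICE"))),
    # sidt m48 is 0F 01 /1; accept any memory-form ModRM with reg field 001 (mod != 11),
    # so 0F 01 C8 (monitor, mod == 11) is not reported.
    ("sidt to memory (IDT read, precedes the int 05 hook)",
     re.compile(rb"\x0F\x01[\x08-\x0F\x48-\x4F\x88-\x8F]")),
]


def scan(blob):
    """Return [(offset, description), ...] sorted by offset, one entry per signature hit."""
    hits = []
    for description, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), description))
    return sorted(hits)


def build_sample_blob():
    """Constructed test input: the relevant opcode bytes from the listings, separated
    by filler. Not a dump of the real ~df394b.tmp."""
    return (
        b"\x90" * 16
        + bytes.fromhex("55 BD4B484342 B804000000 CC 5D")   # Kill_ice (1), 1000F42A..1000F436
        + b"\x90" * 8
        + bytes.fromhex("60 33C0 66B80043 CD68")           # Kill_ice (2), 1000E4C0..1000E4C7
        + bytes.fromhex("3D00430000 740B")                 # cmp eax,4300h / je
        + b"\x00" * 4
        + b"\\\\.\\SICE\x00"                               # string referenced by Kill_ice (3)
        + b"\x00" * 4
        + bytes.fromhex("60 9C 0F014DDC 8B5DDE")           # Kill_ice (4), 10008201..10008207
    )


if __name__ == "__main__":
    for offset, description in scan(build_sample_blob()):
        print("%#06x  %s" % (offset, description))
```

Run over a file read with open(path, "rb").read(), the same scan flags which of the four techniques a packed module carries and where; the sidt rule is deliberately the loosest of the four, since sidt has legitimate uses, so a hit there is a lead to look at in a disassembler rather than a verdict on its own.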
// The program calls ~df50cd.dll (~df50cd.tmp) to verify whether a logical drive is a CD-ROM drive. This is the checking procedure. The protection itself is easy to get past
by changing the program's content in the part below, but the key point is that the program can only be used once the SafeDisc 2 protection is undone.
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10014993(C), :100149B7(C)
|
:100149C8 8D442418 lea eax, dword ptr [esp+18]
:100149CC 50 push eax
:100149CD 6895000000 push 00000095
* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00F8h      // retrieve all logical drive letters to find the CD-ROM drive
|
:100149D2 FF1554700210 Call dword ptr [10027054]
:100149D8 8A442418 mov al, byte ptr [esp+18]
:100149DC C644241000 mov [esp+10], 00
:100149E1 84C0 test al, al
:100149E3 0F8485000000 je 10014A6E
:100149E9 8B442410 mov eax, dword ptr [esp+10]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10014A4F(C)
|
:100149ED 25FF000000 and eax, 000000FF
:100149F2 8D740418 lea esi, dword ptr [esp+eax+18]
:100149F6 56 push esi
:100149F7 FFD3 call ebx                                   // calls GetDriveTypeA to check whether the given drive is a CD-ROM
:100149F9 83F805 cmp eax, 00000005
:100149FC 7520 jne 10014A1E
:100149FE 57 push edi
:100149FF 56 push esi
* Possible StringData Ref from Data Obj ->"%s%s"
|
:10014A00 6824A40210 push 1002A424
:10014A05 6830170310 push 10031730
:10014A0A E811300000 call 10017A20
:10014A0F 83C410 add esp, 00000010
:10014A12 6830170310 push 10031730
:10014A17 FFD5 call ebp
:10014A19 83F8FF cmp eax, FFFFFFFF
:10014A1C 7541 jne 10014A5F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100149FC(C)
|
:10014A1E 803E00 cmp byte ptr [esi], 00
:10014A21 7416 je 10014A39
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10014A37(C)
|
:10014A23 FE442410 inc [esp+10]
:10014A27 8B4C2410 mov ecx, dword ptr [esp+10]
:10014A2B 81E1FF000000 and ecx, 000000FF
:10014A31 8A440C18 mov al, byte ptr [esp+ecx+18]
:10014A35 84C0 test al, al
:10014A37 75EA jne 10014A23
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10014A21(C)
|
:10014A39 FE442410 inc [esp+10]
:10014A3D 8B442410 mov eax, dword ptr [esp+10]
:10014A41 8BD0 mov edx, eax
:10014A43 81E2FF000000 and edx, 000000FF
:10014A49 8A4C1418 mov cl, byte ptr [esp+edx+18]
:10014A4D 84C9 test cl, cl
:10014A4F 759C jne 100149ED
:10014A51 6633C0 xor ax, ax
:10014A54 5F pop edi
:10014A55 5E pop esi
:10014A56 5D pop ebp
:10014A57 5B pop ebx
:10014A58 81C4A4010000 add esp, 000001A4
:10014A5E C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10014A1C(C)
|
:10014A5F 66B80100 mov ax, 0001
:10014A63 5F pop edi
:10014A64 5E pop esi
:10014A65 5D pop ebp
:10014A66 5B pop ebx
:10014A67 81C4A4010000 add esp, 000001A4
:10014A6D C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100149E3(C)
|
:10014A6E 5F pop edi
:10014A6F 5E pop esi
:10014A70 5D pop ebp
:10014A71 6633C0 xor ax, ax
:10014A74 5B pop ebx
:10014A75 81C4A4010000 add esp, 000001A4
:10014A7B C3 ret
:10014A7C 90 nop
:10014A7D 90 nop
:10014A7E 90 nop
:10014A7F 90 nop
* Referenced by a CALL at Address:
|:1000E81E
|
:10014A80 83EC1C sub esp, 0000001C
:10014A83 66833D0825031000 cmp word ptr [10032508], 0000
:10014A8B 53 push ebx
:10014A8C 56 push esi
:10014A8D 57 push edi
:10014A8E 745D je 10014AED
:10014A90 A110250310 mov eax, dword ptr [10032510]
:10014A95 50 push eax
* Reference To: USER32.DestroyWindow, Ord:008Ah
|
:10014A96 FF1594710210 Call dword ptr [10027194]
* Reference To: USER32.PeekMessageA, Ord:01AFh
|
:10014A9C 8B35E0710210 mov esi, dword ptr [100271E0]
:10014AA2 6A01 push 00000001
:10014AA4 6A00 push 00000000
:10014AA6 6A00 push 00000000
:10014AA8 8D4C2418 lea ecx, dword ptr [esp+18]
:10014AAC 6A00 push 00000000
:10014AAE 51 push ecx
:10014AAF FFD6 call esi
:10014AB1 85C0 test eax, eax
:10014AB3 7459 je 10014B0E
* Reference To: USER32.TranslateMessage, Ord:0245h
|
:10014AB5 8B3DE4710210 mov edi, dword ptr [100271E4]
* Reference To: USER32.DispatchMessageA, Ord:0090h
|
:10014ABB 8B1DE8710210 mov ebx, dword ptr [100271E8]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10014AE0(C)
|
:10014AC1 8D54240C lea edx, dword ptr [esp+0C]
:10014AC5 52 push edx
:10014AC6 FFD7 call edi
:10014AC8 8D44240C lea eax, dword ptr [esp+0C]
:10014ACC 50 push eax
:10014ACD FFD3 call ebx
:10014ACF 6A01 push 00000001
:10014AD1 6A00 push 00000000
:10014AD3 6A00 push 00000000
:10014AD5 8D4C2418 lea ecx, dword ptr [esp+18]
:10014AD9 6A00 push 00000000
:10014ADB 51 push ecx
:10014ADC FFD6 call esi
:10014ADE 85C0 test eax, eax
:10014AE0 75DF jne 10014AC1
:10014AE2 66B80100 mov ax, 0001
:10014AE6 5F pop edi
:10014AE7 5E pop esi
:10014AE8 5B pop ebx
:10014AE9 83C41C add esp, 0000001C
:10014AEC C3 ret
/*******************************************************************************************/
The following is the code of the .stxt744 section after unpacking. The jmps that switch into Kernel32.dll and User32.dll go through the code here, and this is the part where the IMPORT_TABLE
is rebuilt. I rebuilt it entirely by hand, which is really dumb. Could some big brother explain how this sort of thing should be solved with a proper technique?
*********************************************************************************************
:0041B000 4B dec ebx
:0041B001 0300 add eax, dword ptr [eax]
:0041B003 00DB add bl, bl
:0041B005 630D0153E800 arpl dword ptr [00E85301], ecx
:0041B00B 000000 BYTE 3 DUP(0)
:0041B00E 870424 xchg dword ptr [esp], eax
:0041B011 9C pushfd
:0041B012 05F2FFFFFF add eax, FFFFFFF2
:0041B017 8B18 mov ebx, dword ptr [eax]
:0041B019 6BDB00 imul ebx, 00000000
:0041B01C 035804 add ebx, dword ptr [eax+04]
:0041B01F 9D popfd
:0041B020 58 pop eax
:0041B021 871C24 xchg dword ptr [esp], ebx
:0041B024 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C488(U)
|
:0041B025 53 push ebx
:0041B026 E800000000 call 0041B02B
* Referenced by a CALL at Address:
|:0041B026
|
:0041B02B 870424 xchg dword ptr [esp], eax
:0041B02E 9C pushfd
:0041B02F 05D5FFFFFF add eax, FFFFFFD5
:0041B034 8B18 mov ebx, dword ptr [eax]
:0041B036 6BDB01 imul ebx, 00000001
:0041B039 035804 add ebx, dword ptr [eax+04]
:0041B03C 9D popfd
:0041B03D 58 pop eax
:0041B03E 871C24 xchg dword ptr [esp], ebx
:0041B041 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C90A(U)
|
:0041B042 53 push ebx
:0041B043 E800000000 call 0041B048
* Referenced by a CALL at Address:
|:0041B043
|
:0041B048 870424 xchg dword ptr [esp], eax
:0041B04B 9C pushfd
:0041B04C 05B8FFFFFF add eax, FFFFFFB8
:0041B051 8B18 mov ebx, dword ptr [eax]
:0041B053 6BDB02 imul ebx, 00000002
:0041B056 035804 add ebx, dword ptr [eax+04]
:0041B059 9D popfd
:0041B05A 58 pop eax
:0041B05B 871C24 xchg dword ptr [esp], ebx
:0041B05E C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409D7D(U)
|
:0041B05F 53 push ebx
:0041B060 E800000000 call 0041B065
* Referenced by a CALL at Address:
|:0041B060
|
:0041B065 870424 xchg dword ptr [esp], eax
:0041B068 9C pushfd
:0041B069 059BFFFFFF add eax, FFFFFF9B
:0041B06E 8B18 mov ebx, dword ptr [eax]
:0041B070 6BDB03 imul ebx, 00000003
:0041B073 035804 add ebx, dword ptr [eax+04]
:0041B076 9D popfd
:0041B077 58 pop eax
:0041B078 871C24 xchg dword ptr [esp], ebx
:0041B07B C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D48A(U)
|
:0041B07C 53 push ebx
:0041B07D E800000000 call 0041B082
* Referenced by a CALL at Address:
|:0041B07D
|
:0041B082 870424 xchg dword ptr [esp], eax
:0041B085 9C pushfd
:0041B086 057EFFFFFF add eax, FFFFFF7E
:0041B08B 8B18 mov ebx, dword ptr [eax]
:0041B08D 6BDB04 imul ebx, 00000004
:0041B090 035804 add ebx, dword ptr [eax+04]
:0041B093 9D popfd
:0041B094 58 pop eax
:0041B095 871C24 xchg dword ptr [esp], ebx
:0041B098 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004079B7(U)
|
:0041B099 53 push ebx
:0041B09A E800000000 call 0041B09F
* Referenced by a CALL at Address:
|:0041B09A
|
:0041B09F 870424 xchg dword ptr [esp], eax
:0041B0A2 9C pushfd
:0041B0A3 0561FFFFFF add eax, FFFFFF61
:0041B0A8 8B18 mov ebx, dword ptr [eax]
:0041B0AA 6BDB05 imul ebx, 00000005
:0041B0AD 035804 add ebx, dword ptr [eax+04]
:0041B0B0 9D popfd
:0041B0B1 58 pop eax
:0041B0B2 871C24 xchg dword ptr [esp], ebx
:0041B0B5 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403788(U)
|
:0041B0B6 53 push ebx
:0041B0B7 E800000000 call 0041B0BC
* Referenced by a CALL at Address:
|:0041B0B7
|
:0041B0BC 870424 xchg dword ptr [esp], eax
:0041B0BF 9C pushfd
:0041B0C0 0544FFFFFF add eax, FFFFFF44
:0041B0C5 8B18 mov ebx, dword ptr [eax]
:0041B0C7 6BDB06 imul ebx, 00000006
:0041B0CA 035804 add ebx, dword ptr [eax+04]
:0041B0CD 9D popfd
:0041B0CE 58 pop eax
:0041B0CF 871C24 xchg dword ptr [esp], ebx
:0041B0D2 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409CF1(U)
|
:0041B0D3 53 push ebx
:0041B0D4 E800000000 call 0041B0D9
* Referenced by a CALL at Address:
|:0041B0D4
|
:0041B0D9 870424 xchg dword ptr [esp], eax
:0041B0DC 9C pushfd
:0041B0DD 0527FFFFFF add eax, FFFFFF27
:0041B0E2 8B18 mov ebx, dword ptr [eax]
:0041B0E4 6BDB07 imul ebx, 00000007
:0041B0E7 035804 add ebx, dword ptr [eax+04]
:0041B0EA 9D popfd
:0041B0EB 58 pop eax
:0041B0EC 871C24 xchg dword ptr [esp], ebx
:0041B0EF C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040517E(U)
|
:0041B0F0 53 push ebx
:0041B0F1 E800000000 call 0041B0F6
* Referenced by a CALL at Address:
|:0041B0F1
|
:0041B0F6 870424 xchg dword ptr [esp], eax
:0041B0F9 9C pushfd
:0041B0FA 050AFFFFFF add eax, FFFFFF0A
:0041B0FF 8B18 mov ebx, dword ptr [eax]
:0041B101 6BDB08 imul ebx, 00000008
:0041B104 035804 add ebx, dword ptr [eax+04]
:0041B107 9D popfd
:0041B108 58 pop eax
:0041B109 871C24 xchg dword ptr [esp], ebx
:0041B10C C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004090F1(U)
|
:0041B10D 53 push ebx
:0041B10E E800000000 call 0041B113
* Referenced by a CALL at Address:
|:0041B10E
|
:0041B113 870424 xchg dword ptr [esp], eax
:0041B116 9C pushfd
:0041B117 05EDFEFFFF add eax, FFFFFEED
:0041B11C 8B18 mov ebx, dword ptr [eax]
:0041B11E 6BDB09 imul ebx, 00000009
:0041B121 035804 add ebx, dword ptr [eax+04]
:0041B124 9D popfd
:0041B125 58 pop eax
:0041B126 871C24 xchg dword ptr [esp], ebx
:0041B129 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409450(U)
|
:0041B12A 53 push ebx
:0041B12B E800000000 call 0041B130
* Referenced by a CALL at Address:
|:0041B12B
|
:0041B130 870424 xchg dword ptr [esp], eax
:0041B133 9C pushfd
:0041B134 05D0FEFFFF add eax, FFFFFED0
:0041B139 8B18 mov ebx, dword ptr [eax]
:0041B13B 6BDB0A imul ebx, 0000000A
:0041B13E 035804 add ebx, dword ptr [eax+04]
:0041B141 9D popfd
:0041B142 58 pop eax
:0041B143 871C24 xchg dword ptr [esp], ebx
:0041B146 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040381C(U)
|
:0041B147 53 push ebx
:0041B148 E800000000 call 0041B14D
* Referenced by a CALL at Address:
|:0041B148
|
:0041B14D 870424 xchg dword ptr [esp], eax
:0041B150 9C pushfd
:0041B151 05B3FEFFFF add eax, FFFFFEB3
:0041B156 8B18 mov ebx, dword ptr [eax]
:0041B158 6BDB0B imul ebx, 0000000B
:0041B15B 035804 add ebx, dword ptr [eax+04]
:0041B15E 9D popfd
:0041B15F 58 pop eax
:0041B160 871C24 xchg dword ptr [esp], ebx
:0041B163 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403AD2(U)
|
:0041B164 53 push ebx
:0041B165 E800000000 call 0041B16A
* Referenced by a CALL at Address:
|:0041B165
|
:0041B16A 870424 xchg dword ptr [esp], eax
:0041B16D 9C pushfd
:0041B16E 0596FEFFFF add eax, FFFFFE96
:0041B173 8B18 mov ebx, dword ptr [eax]
:0041B175 6BDB0C imul ebx, 0000000C
:0041B178 035804 add ebx, dword ptr [eax+04]
:0041B17B 9D popfd
:0041B17C 58 pop eax
:0041B17D 871C24 xchg dword ptr [esp], ebx
:0041B180 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409485(U)
|
:0041B181 53 push ebx
:0041B182 E800000000 call 0041B187
* Referenced by a CALL at Address:
|:0041B182
|
:0041B187 870424 xchg dword ptr [esp], eax
:0041B18A 9C pushfd
:0041B18B 0579FEFFFF add eax, FFFFFE79
:0041B190 8B18 mov ebx, dword ptr [eax]
:0041B192 6BDB0D imul ebx, 0000000D
:0041B195 035804 add ebx, dword ptr [eax+04]
:0041B198 9D popfd
:0041B199 58 pop eax
:0041B19A 871C24 xchg dword ptr [esp], ebx
:0041B19D C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C41C(U)
|
:0041B19E 53 push ebx
:0041B19F E800000000 call 0041B1A4
* Referenced by a CALL at Address:
|:0041B19F
|
:0041B1A4 870424 xchg dword ptr [esp], eax
:0041B1A7 9C pushfd
:0041B1A8 055CFEFFFF add eax, FFFFFE5C
:0041B1AD 8B18 mov ebx, dword ptr [eax]
:0041B1AF 6BDB0E imul ebx, 0000000E
:0041B1B2 035804 add ebx, dword ptr [eax+04]
:0041B1B5 9D popfd
:0041B1B6 58 pop eax
:0041B1B7 871C24 xchg dword ptr [esp], ebx
:0041B1BA C3 ret