OD̬ʵ -- ߍ(WaGan.wa)˺޸


ƪ: (޸ľ˺Ϊ߽OLLYICE ̬Եһ, Ŷһ)

       Ȳ˺Ƕ¼ֻǶ˺ֵмӳ

       ο褵ġܲٴexeֺܡ, ȡܺϢ

       0043BC4B      ; ȡECX佫08ջ佫˺, 10ջΪǷʵֵ, Ƿк
                     ; ֵע

       OLLYICEWaGan.wa ļ, (ļѡ: κļ(*.*) )

       ڷര CTRL + G, [Ҫıʽ]Ի: 0043BC4B
       ͣ0043BC4B һ, Ϣʾʾ: 
       ص 00405EB4, 00438ABF, 00438EB8, 004406AB

       ҪϷ, Ҫȥĵط¶, ϷϷûͣ
       ڡߍ˫ԶҪе㼼, CTRL+ F2 ¿ʼ

       ȶڵöϵ:
       004817E0 >  $  55    push    ebp
       Ϊ:
       004817E0 >     CC    int3
       ļ

       ȻOLLYICEΪʵʱ, ˵[ѡ] ==> [ʵʱ] ==> [OLLYICEΪʵʱ]
        ==> [ǰȷ] ==> []

       ˫ߍɽh.exeԶ

       ͣڵ:   004817E0 >    CC       int3
       ˫int3 Ŀ[ڴ˴: 004817E0]Ի: push ebp       ; ԭڴָ

       ھͿʵʱϵ㡢޸ļĴݴջȲ, Կʼ!!

       ȶȡȽ뵽ս(ʱ浵еĹؿ[ɽ - ֮ս - ( 3غ)])

       രڵĹϵ

       CTRL + F, []Ի: CALL 0043BC4B
       ͣ:    00405EB4 . E8 925D0300   call    0043BC4B    һаF2 ¶ϵ

       ǰ۲칲Ĵ, CTRL + F س
       ͣ:    00438ABF |. E8 87310000   call    0043BC4B    һаF2 ¶ϵ

       ͬCTRL + F س
       00438EB8  |.  E8 8E2D0000   |call    0043BC4B
       004406AB   .  E8 9BB5FFFF   call    0043BC4B
       ¶ϵ, ֱʾ: Ŀδҵ

       ALT + B [ϵ㴰]Թϵ, :

       Breakpoints
       ַ       ģ                                ע
       00405EB4   WaGan      ʼ          call    0043BC4B
       00438ABF   WaGan      ʼ          call    0043BC4B
       00438EB8   WaGan      ʼ          call    0043BC4B
       004406AB   WaGan      ʼ          call    0043BC4B


       F9 Ϸ, ƶ<>ӽ˵[], (ʱ浵еĵΪ[])
       Ϸͣ:    004406AB . E8 9BB5FFFF   call    0043BC4B

       , ڲܵսﲻӦ, Ϊʲô?
       ֻȡһеĶϵ, 004406AB һаF2, ְF9 Ϸ, ʱƶ͵

       û, ƶΧڵĵн(ʱ浵еĵΪ<>), ʾɫһε˺ֵ
       𰸾: ʾ˺ֵ֮ǰ 0043BC4B

       , ʱͣ:    00405EB4 . E8 925D0300   call    0043BC4B
       ٰF9 Ϸ, ҷ佫Եз佫
       Ϸʱͣ:    00405EB4 . E8 925D0300   call    0043BC4B
       F9 Ϸ, ʱз佫ҷ佫

       ʹ˿00405EB4 []˺Ĺؼ

       ڷര CTRL + G, [Ҫıʽ]Ի: 00405EB4
       00405E78 . 8B4D F4           mov     ecx, dword ptr [ebp-C]
       00405E7B . 33D2              xor     edx, edx
       00405E7D . 8A51 01           mov     dl, byte ptr [ecx+1]
       00405E80 . 8BCA              mov     ecx, edx
       00405E82 . 6BC9 24           imul    ecx, ecx, 24
       00405E85 . 81C1 502C4B00     add     ecx, 004B2C50
       00405E8B . E8 E0970500       call    0045F670
       00405E90 . 6BC0 48           imul    eax, eax, 48
       00405E93 . 05 0000D600       add     eax, 0D60000
       00405E98 . 8945 F8           mov     dword ptr [ebp-8], eax

       00405E9B . 33C0              xor     eax, eax
       00405E9D . 3B05 042E4900     cmp     eax, dword ptr [492E04]
       00405EA3 . 1BC9              sbb     ecx, ecx
       00405EA5 . F7D9              neg     ecx
       00405EA7 . 51                push    ecx
       00405EA8 . 6A 01             push    1
       00405EAA . 8B55 F8           mov     edx, dword ptr [ebp-8]
       00405EAD . 52                push    edx
       00405EAE . 8B45 F4           mov     eax, dword ptr [ebp-C]
       00405EB1 . 8B48 0C           mov     ecx, dword ptr [eax+C]
       00405EB4 . E8 925D0300       call    0043BC4B                    
                                                            ; ȡECX佫08ջ佫˺
       00405EB9 . 8B4D FC           mov     ecx, dword ptr [ebp-4]
       00405EBC . 81E1 FF000000     and     ecx, 0FF
       00405EC2 . 8B55 F4           mov     edx, dword ptr [ebp-C]
       00405EC5 . 89848A 84000000   mov     dword ptr [edx+ecx*4+84], eax    ; ˺ֵ



       ȡϷ, ƶ<>ӽ˵[], (ʱ浵еĵΪ<>)
       ͣ:    00405EB4 . E8 925D0300       call    0043BC4B
       F8 callָ, ִе:    00405EB9 . 8B4D FC       mov   ecx, dword ptr [ebp-4]

       Ĵ:
       EAX  0000001E            ; (0043BC4B) ķֵ, ʮ: 30 (ע:  1)

       ע:  1. OLLYICE·[Command]: 0000001E
            سʾ:  HEX: 1E  -  DEC: 30  -  ASCII: 


       F9 Ϸ, ҷ佫Եз佫, 30 ˺

       ʱϷһͣ:    00405EB4 . E8 925D0300   call    0043BC4B
       ͬF8 callָ, ִе:    00405EB9 . 8B4D FC       mov   ecx, dword ptr [ebp-4]

       Ĵ:
       EAX  00000021            ; (0043BC4B) ķֵ, ʮ: 33
       F9 Ϸ, з佫ҷ佫, 33 ˺


       ٿָ:
       00405EB4 . E8 925D0300       call    0043BC4B
       00405EB9 . 8B4D FC           mov     ecx, dword ptr [ebp-4]
       00405EBC . 81E1 FF000000     and     ecx, 0FF
       00405EC2 . 8B55 F4           mov     edx, dword ptr [ebp-C]
       00405EC5 . 89848A 84000000   mov     dword ptr [edx+ecx*4+84], eax    ; ˺ֵ

       , Ѿ֪˺ֵ

       һζȡϷ, ƶ<>ӽ˵[], (ʱ浵еĵΪ<>)
       ͣ:    00405EB4 . E8 925D0300       call    0043BC4B
       Ǹղŵλ, ˺˺й

       F8 callָ, ִе:    00405EB9 . 8B4D FC       mov   ecx, dword ptr [ebp-4]

       Ĵ:
       EAX  0000001F            ; (0043BC4B) ķֵ, ʮ: 31

       F9 Ϸ, <>Եз佫ų[ǹ], 37 ˺
       Ƕ˺ֵмӳɼ


       , ALT + B[ϵ㴰]ɾжϵ, ͣ:
       00405EC5 . 89848A 84000000     mov   dword ptr [edx+ecx*4+84], eax
       һ, F2¶ϵ, ƶ<>ӽ˵[], (ʱ浵еĵΪ<>)


       ͣ:    00405EC5 . 89848A 84000000     mov   dword ptr [edx+ecx*4+84], eax

       Ĵ:
       EAX   0000001E
       ECX   00000000
       EDX   004927F0   WaGan.004927F0
       EBX   00000000
       ESP   0022FD60
       EBP   0022FD7C
       ESI   00242360
       EDI   FFFFFFFF
       EIP   00405EC5   WaGan.00405EC5

       Ҫһ±ʽ:  edx+ecx*4+84 ĽǶ

       OLLYICE·[Command]: 004927F0+00000000*4+84
       سʾ:  HEX: 492874  -  DEC: 4794484  -  ASCII: I(t

       ݴ, CTRL + G [Ҫݴиıʽ]Ի: 492874

       00492874  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
       ȫ0, δʼ?? ʱ֪
       F7 һָ, ͣ:    00405ECC . 8B45 FC      mov   eax, dword ptr [ebp-4]

       ݴ, CTRL + G [Ҫݴиıʽ]Ի: 492874

       00492874  1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
       עǰֽڵֵıΪ:  1E 00 00 00; ǻʵΪ: 00 00 00 1E, ʮ: 30

       ڲ²Ƕ˺ֵмӳɼ, ǿ00492874 ڴдϵ
       (ע:  2)


       ע:  2. Զݻڴʶϵ㡢ڴдϵ, Ӳϵ, Ӳϵ
            ֻĸ(ϸ˽⽨鿴߿ʹ˵)


       ݴ1Eλ, Ҽ ==> ϵ ==> ڴд(W)

       F9 Ϸ, Ϸͣ:    00405F5F  89848A 84000000    mov  dword ptr [edx+ecx*4+84], eax

       :
       00405F38  8B55 FC             mov   edx, dword ptr [ebp-4]
       00405F3B  81E2 FF000000       and   edx, 0FF
       00405F41  8B45 F4             mov   eax, dword ptr [ebp-C]
       00405F44  8B8490 84000000     mov   eax, dword ptr [eax+edx*4+84] ; ղŴ˺ĵط
       00405F4B  6BC0 03             imul  eax, eax, 3                   ; ȡ*3EAX
       00405F4E  99                  cdq                                 ; EAXչEDX
       00405F4F  2BC2                sub   eax, edx                      ; EDXòΪ0
       00405F51  D1F8                sar   eax, 1                        ; 1λ, λ
       00405F53  8B4D FC             mov   ecx, dword ptr [ebp-4]
       00405F56  81E1 FF000000       and   ecx, 0FF
       00405F5C  8B55 F4             mov   edx, dword ptr [ebp-C]
       00405F5F  89848A 84000000     mov   dword ptr [edx+ecx*4+84], eax ; ӳɺ˱ԭλ

       F7 һָ, ͣ:    00405F66   8B45 F4     mov  eax, dword ptr [ebp-C]
       ݴ:
       00492874  2D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  $...............
       ʮ:  45

       F9Ϸ, <>Եз佫ų[ǹ], 45 ˺

       ݴ2Dλ, Ҽ ==> ϵ ==> ɾڴϵ(M)

       ܽ:  ԭ˺ = ˺ * 3 / 2
              Ҫ޸ľ˺, ֻҪ޸00405F4B ʼָ
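Added example (not code from the original post): a C port of the original post-processing at 00405F44..00405F5F. The four-instruction sequence `imul eax,eax,3 ; cdq ; sub eax,edx ; sar eax,1` is the compiler idiom for a signed `(damage * 3) / 2` that truncates toward zero, which is why the walkthrough sees 0x1E (30) become 0x2D (45) at 00492874. The per-slot table at offset 0x84 of the battle record (the `[edx+ecx*4+84]` operand) is modelled with a caller-provided buffer; the slot value and sample damage are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Arithmetic right shift by one, written portably: x86 `sar eax, 1` yields
 * floor(v / 2), while C's `/` truncates toward zero, so odd negatives need -1. */
static int32_t sar1(int32_t v)
{
    return v / 2 - ((v < 0 && v % 2 != 0) ? 1 : 0);
}

/* One-to-one port of 00405F4B..00405F51:
 *   imul eax, eax, 3   ; eax = dmg * 3
 *   cdq                ; edx = sign of eax (0 or -1)
 *   sub  eax, edx      ; adds 1 to negative products ...
 *   sar  eax, 1        ; ... so the floor shift rounds toward zero
 * i.e. signed (dmg * 3) / 2 exactly as C's division would compute it. */
int32_t damage_times_3_div_2(int32_t dmg)
{
    int32_t eax = (int32_t)((uint32_t)dmg * 3u);      /* imul keeps the low 32 bits */
    int32_t edx = eax < 0 ? -1 : 0;                   /* cdq */
    eax = (int32_t)((uint32_t)eax - (uint32_t)edx);   /* sub eax, edx (wraps like the CPU) */
    return sar1(eax);                                 /* sar eax, 1 */
}

/* Confirms over [lo, hi] that the idiom equals C's truncating (dmg * 3) / 2,
 * including negative values, which the game never feeds it but the idiom handles. */
int idiom_matches_c_division(int32_t lo, int32_t hi)
{
    for (int32_t d = lo; d <= hi; d++)
        if (damage_times_3_div_2(d) != d * 3 / 2)
            return 0;
    return 1;
}

/* The value is read from and written back to the 32-bit table at offset 0x84
 * of the battle record: [edx+ecx*4+84], ecx = slot byte taken from [ebp-4].
 * `ctx` is a caller-provided buffer standing in for that record. */
#define DAMAGE_TABLE_OFFSET 0x84u

int32_t apply_original_formula(uint8_t *ctx, uint8_t slot)
{
    uint8_t *cell = ctx + DAMAGE_TABLE_OFFSET + (size_t)slot * 4u;
    int32_t v;
    memcpy(&v, cell, sizeof v);          /* mov eax, [eax+edx*4+84] */
    v = damage_times_3_div_2(v);
    memcpy(cell, &v, sizeof v);          /* mov [edx+ecx*4+84], eax */
    return v;
}

/* Constructed record: slot 0 holds `initial`; returns what the slot reads back
 * after the formula has been applied in place. */
int32_t demo_slot_roundtrip(int32_t initial)
{
    uint8_t ctx[DAMAGE_TABLE_OFFSET + 4u] = {0};
    int32_t v;
    memcpy(ctx + DAMAGE_TABLE_OFFSET, &initial, sizeof initial);
    apply_original_formula(ctx, 0);
    memcpy(&v, ctx + DAMAGE_TABLE_OFFSET, sizeof v);
    return v;
}

int main(void)
{
    printf("30 -> %d, 33 -> %d, 31 -> %d, -5 -> %d\n",
           demo_slot_roundtrip(30), damage_times_3_div_2(33),
           damage_times_3_div_2(31), damage_times_3_div_2(-5));
    return 0;
}
```

The `sub eax, edx` step is what distinguishes this from a plain `sar` (which would floor, turning -15/2 into -8 instead of -7); when replacing the sequence with a call, as the later section does, the replacement must preserve that rounding for the values the game actually produces.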

       ޸ľ˺ʹ֮˫, ¶㷽

       ȾҪȡ˫
       ο褵ġܲٴexeֺܡ, ȡܺϢ

       0040709A      ; ȡECX佫䡢ͳǡ, 208ջֵ0~4
                     ; ֵע

       ALT + B[ϵ㴰]ɾжϵ

       㷴ര, CTRL + G, [Ҫıʽ]Ի: 0040709A
       ʱͣ:    0040709A  /$  55      push    ebp
       Ϣʾ:    ص   0041DE40, 0041DE80, 0041DEC0, 0041DF00, 0041DF40

       㷴ര, CTRL + G, [Ҫıʽ]Ի: 0041DE40
       ʱͣ:    0041DE40 |. E8 5592FEFF    call  0040709A

       һ:
       0041DE30 /$  55            push    ebp
       0041DE31 |.  8BEC          mov     ebp, esp
       0041DE33 |.  51            push    ecx
       0041DE34 |.  894D FC       mov     [local.1], ecx
       0041DE37 |.  8B45 08       mov     eax, [arg.1]
       0041DE3A |.  50            push    eax                ; 0Cջʲô, 
       0041DE3B |.  6A 00         push    0                  ; ݽ, 08ջΪ0ʱȡֵ
       0041DE3D |.  8B4D FC       mov     ecx, [local.1]     ; ECXʲô, 
       0041DE40 |.  E8 5592FEFF   call    0040709A           ; ʱû褵, 㵽
                                                             ; SetDlgItemInt APIʼ..
       0041DE45 |.  8BE5          mov     esp, ebp
       0041DE47 |.  5D            pop     ebp
       0041DE48 \.  C2 0400       retn    4


       ¶ϵ:    0041DE40 һ, ٰF9Ϸ
       ս佫<>ϵҼʱ, Ϸͣ, ٰF7
       ִе:    0040709B |. 8BEC      mov   ebp, esp

       ջ:
       0022FCC8  /0022FCDC    ; EBP      ԭEBPֵ
       0022FCCC  |0041DE45    ; EBP+4    CALL ָصַ, ص WaGan.0041DE45
       0022FCD0  |00000000    ; EBP+8    ȡֵ
       0022FCD4  |00000001    ; EBP+0CH


       ٿĴ:
       ECX   00D60000         ; , ʱ֪ʲô, òΪָ߻ַ

       ݴ, CTRL + G [Ҫݴиıʽ]Ի: 00D60000

       00D60000   00 10 00 00 00 00 00 00 B9 DC D2 E3 00 00 00 00    ...........
       00D60010   00 3B 00 47 00 44 00 3B 00 3D 00 00 88 00 00 00    .;.G.D.;.=..?..
       00D60020   2A 2A 31 2D 2A 2B 00 02 00 00 00 00 06 3B 17 01    **1-*+.....;
       00D60030   2F 26 02 13 FF FF FF B9 DC D2 E3 00 00 00 00 00    /&.....

       ֪ʲô, ս佫<>ϵҼʱ, ٰF7
       ٿĴ:
       ECX   00D605E8         ; ʱECXֵһҪ, Ҷ00D6XXXX 

       ݴ, CTRL + G [Ҫݴиıʽ]Ի: 00D605E8

       00D605E8   15 10 19 00 19 00 00 00 B2 F1 C9 DC 00 00 00 00   ........
       00D605F8   00 32 00 2B 00 47 00 2C 00 3D 00 00 79 00 00 00   .2.+.G.,.=..y...
       00D60608   37 26 1F 2F 20 2B 14 01 00 00 00 1B 06 00 0F 01   7&/ +....
       00D60618   00 29 01 00 FF FF FF B2 F1 C9 DC 00 00 00 00 00   .)......

       Եһֽڳ8λ͵Ļ:
       HEX: 00  -  DEC: 0   -  ASCII:           ; <>DATAͬ
       HEX: 15  -  DEC: 21  -  ASCII: !         ; <>DATAͬ

       ٿ:
       00D605F9 : 32 00                ; ʮ50,  ʱ浵<>Ϊ 50
       00D605FB : 2B 00                ; ʮ43,  ʱ浵<>Ϊ 43
       00D605FD : 47 00                ; ʮ71,  ʱ浵<>Ϊ 71
       00D605FF : 2C 00                ; ʮ44,  ʱ浵<>Ϊ 44
       00D60601 : 3D 00                ; ʮ61,  ʱ浵<>ʿΪ 61
       00D60604 : 79 00                ; ʮ121, ʱ浵<>HPֵΪ 121
       00D60608 : 37                   ; ʮ55,  ʱ浵<>MPֵΪ 55

       00D60609 : 26                   ; ʮ38,  ٳ2 76, ʱ浵<>Ϊ 76
       00D6060A : 1F                   ; ʮ31,  ٳ2 62, ʱ浵<>ͳΪ 62
       00D6060B : 2F                   ; ʮ47,  ٳ2 94, ʱ浵<>Ϊ 94
       00D6060C : 20                   ; ʮ32,  ٳ2 64, ʱ浵<>Ϊ 64
       00D6060D : 2B                   ; ʮ43,  ٳ2 86, ʱ浵<>ʿΪ 86



       㷴ര, CTRL + G [Ҫıʽ]Ի: 00405EB4

       ǰ:

       00405E78 . 8B4D F4          mov    ecx, dword ptr [ebp-C]
       00405E7B . 33D2             xor    edx, edx
       00405E7D . 8A51 01          mov    dl, byte ptr [ecx+1]
       00405E80 . 8BCA             mov    ecx, edx
       00405E82 . 6BC9 24          imul   ecx, ecx, 24
       00405E85 . 81C1 502C4B00    add    ecx, 004B2C50           ; 004B2C50 òսϢַ
       00405E8B . E8 E0970500      call   0045F670                ; ȡECX佫DATA
       00405E90 . 6BC0 48          imul   eax, eax, 48            ; DATA*48H EAX
       00405E93 . 05 0000D600      add    eax, 0D60000            ; 15*48+0D60000պõ00D605E8


       ȷ֤һ, 㷴ര, CTRL + G, [Ҫıʽ]Ի: 00405EB4

       س, (0043BC4B) ڲ, :

       0043BC54 . 8B45 08       mov   eax, dword ptr [ebp+8]    ; ȡ08ջ, ²ǻַ
       0043BC57 . 50            push  eax                       ; 08ջѹջ
       0043BC58 . E8 2002FDFF   call  0040BE7D                  ; 褵Ľ(0040BE7D) 
                                                                ; ȡ08ջ佫DATA
       0043BC5D . 83C4 04       add   esp, 4
       0043BC60 . 50            push  eax                       ; DATAѹջ
       0043BC61 . E8 70280000   call  0043E4D6                  ; ȡ08ջ佫ս
       0043BC66 . 83C4 04       add   esp, 4


       ƶ:    0043BC58 һаس, (0040BE7D) ڲ, ٿ:

       0040BE7D /$ 55            push  ebp
       0040BE7E |. 8BEC          mov   ebp, esp
       0040BE80 |. 8B45 08       mov   eax, dword ptr [ebp+8]
       0040BE83 |. 2D 0000D600   sub   eax, 0D60000             ; 08ջֵȥ0D60000H
       0040BE88 |. 99            cdq
       0040BE89 |. B9 48000000   mov   ecx, 48
       0040BE8E |. F7F9          idiv  ecx                      ; (08ջ - 0D60000H) / 48
       0040BE90 |. 5D            pop   ebp
       0040BE91 \. C3            retn

       [-] 0043BC58 , һаF2¶ϵ

       ƶ<>ӽ˵[], (ʱ浵еĵΪ<>)

       F7 , ִе:    0043BC4C . 8BEC         mov   ebp, esp

       ջ:

       0022FD08  /0022FD50      ԭEBP ֵ, ʱڴ
       0022FD0C  |0043BC5D      EBP+4, CALL ָصַ
       0022FD10  |00D61488      EBP+8, Ҫ

       OLLYICE·[Command]: (00D61488-0D60000) / 48
       سʾ:  HEX: 49  -  DEC: 73  -  ASCII: I              ; εDATA73


       ɴ˿֪00D60000 ǴӴ浵ļ SvXXd.Was ڴ, ṹĻַ(ԺSAVӳ)
       Ϊ:  48H


       ŷ(0040709A) һ0Cջ: 
       㷴ര, CTRL + G [Ҫıʽ]Ի: 0040709A

       濴:

       004070F7 |> 837D 0C 00    cmp   [arg.2], 0                 ; EBP+0C 2, ǷΪ0
       004070FB |. 74 0C         je    short 00407109             ; Ϊ0 ת00407109 
       004070FD |. 8B45 FC       mov   eax, [local.1]             ; ȡֲ1 EAX
       00407100 |. 25 FF000000   and   eax, 0FF                   ; EAX24 λ0
       00407105 |. D1E0          shl   eax, 1                     ; ߼1 λ, ൱*2
       00407107 |. EB 03         jmp   short 0040710C             ; ת0040710C
       00407109 |> 8A45 FC       mov   al, byte ptr [ebp-4]       ; ȡֲ1
       0040710C |> 8BE5          mov   esp, ebp                   ; ͷžֲ
       0040710E |. 5D            pop   ebp                        ; ԭEBP
       0040710F \. C2 0800       retn  8                          ; ջ

       ɴ˿֪(0040709A) 0CջΪ1 2, ͨEAX
       ֤һ, 㷴ര, CTRL + G [Ҫıʽ]Ի: 0041DE30

       0041DE30 /$ 55            push   ebp
       0041DE31 |. 8BEC          mov    ebp, esp
       0041DE33 |. 51            push   ecx
       0041DE34 |. 894D FC       mov    [local.1], ecx
       0041DE37 |. 8B45 08       mov    eax, [arg.1]              ; ָΪ push 0
       0041DE3A    50            push   eax                       ; ָΪ nop
       0041DE3B    6A 00         push   0
       0041DE3D |. 8B4D FC       mov    ecx, [local.1]
       0041DE40 |. E8 5592FEFF   call   0040709A
       0041DE45 |. 8BE5          mov    esp, ebp
       0041DE47 |. 5D            pop    ebp
       0041DE48 \. C2 0400       retn   4

       ¶ϵ:    0041DE40 һ

       ս佫<>ϵҼ, ͣ:    0041DE40 |. E8 5592FEFF   call  0040709A

       F8, Ĵ:
       EAX   0000002A        ; ʮ42, ϷԻʾΪ: 42

       ALT + B [ϵ㴰]ɾжϵ
       ѡ 0041DE370041DE390041DE3A , Ҽ ==> ѡ޸

       ܽ(0040709A) ԭαΪ:
       <ֵ: 佫Χ> <ڵַ: 0040709A> PROTO STDCALL <1: ΪҪȡ>, 
                                 <2: ǷҪ2>, 
                                 <ĴECX: Ŀ佫SAVӳ = * 48H + 0D60000H>


       ھҪ취ȡ(0040709A) <ĴECX: Ŀ佫SAVӳ>

       㷴ര, CTRL + G, [Ҫıʽ]Ի: 00405EB4

       ¶ϵ:    00405EB4 . E8 925D0300   call  0043BC4B       ; ȡECX佫08ջ佫˺

       ȡϷ, ƶ<>ӽ˵[], (ʱ浵еĵΪ<>)
       ͣ:    00405EB4 . E8 925D0300   call  0043BC4B

       F7 , ִе:    0043BC4C . 8BEC         mov   ebp, esp

       ջ:

       0022FDA8  /0022FDD8      ԭEBP ֵ, ʱڴ
       0022FDAC  |00405EB9      CALLָصַ, ص WaGan.00405EB9  WaGan.0043BC4B
       0022FDB0  |00D61488      SAVӳ
       0022FDB4  |00000001      0Cջ Ƿʵֵ, Ƿк
       0022FDB8  |00000000      10ջ òƲֵ, жʲôδ֪


       Ĵ:
       ECX  004B2C50            ; ʮ: 4926544

       ں: ȡECX佫08ջ佫˺, ECXֵҪôDATA, ֵ̫
       ҪôSAVӳ, ֵ̫СٲǸֵָ, 


       ݴ, CTRL + G [Ҫݴиıʽ]Ի: 004B2C50

       004B2BE0    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ................
       ȫ0, δʼ?? ʱ֪

       F9Ϸ, ҷ佫Եз佫
       ͣ:    00405EB4 . E8 925D0300       call   0043BC4B
       F7 , ִе:    0043BC4C . 8BEC        mov   ebp, esp

       ٿĴ:
       ECX  004B3160            ; ʮ: 4927840

       ݴ, CTRL + G [Ҫݴиıʽ]Ի: 004B3160
       004B3160    49 00 00 00 24 02 0D 05 FF 00 00 FF 02 00 01 03      I...$....
       עǰֽڵֵΪ: 49 00 00 00     ; ǻʵΪ: 00 00 00 49, ʮ: 73

       ֵпǹ佫DATA

       ڵʱ浵бĵΪ<>, ޸DATAΪ: 73
       F9Ϸ, з佫ҷ佫, ʱȷ

       ʹ<>һɽ, ٿ
       F7 , ִе:    0043BC4C . 8BEC        mov   ebp, esp

       ٿĴ:
       ECX  004B2C98            ; ʮ: 4926616

       ݴ, CTRL + G [Ҫݴиıʽ]Ի: 004B2C98
       004B2C98  15 00 00 00 02 00 0A 07 FF 00 00 FF 02 04 07 03  .......
       עǰֽڵֵΪ: 15 00 00 00     ; ǻʵΪ: 00 00 00 15, ʮ: 21
       ޸<>DATAΪ: 21


       ȷ֤һ, 㷴ര, CTRL + G, [Ҫıʽ]Ի: 00405EB4

       س, (0043BC4B) ڲ, :

       0043BC4B $ 55            push  ebp
       0043BC4C . 8BEC          mov   ebp, esp
       0043BC4E . 83EC 3C       sub   esp, 3C
       0043BC51 . 894D D4       mov   dword ptr [ebp-2C], ecx     ; ĴECX, [ebp-2C]

       0043BEA8 . 8B55 D4       mov   edx, dword ptr [ebp-2C]     ; ȡĴECXEDX
       0043BEAB . 8B0A          mov   ecx, dword ptr [edx]        ; EDXָڴȡĽECX
       0043BEAD . 6BC9 48       imul  ecx, ecx, 48
       0043BEB0 . 81C1 0000D600 add   ecx, 0D60000                ; ʽ 


       0043BEC1 . 8B45 D4       mov   eax, dword ptr [ebp-2C]
       0043BEC4 . 8B08          mov   ecx, dword ptr [eax]
       0043BEC6 . 6BC9 48       imul  ecx, ecx, 48
       0043BEC9 . 81C1 0000D600 add   ecx, 0D60000
       0043BECF . E8 1EBCFCFF   call  00407AF2

      
       ɴ֤ʵECX ֵΪ: 佫DATAڴдŵĵַ

       Ŀ佫SAVӳ = DATA* 48H + 0D60000H

       ϢѾʤ, ֻǷ..
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

޸ƪ: 
       һƪ֪ľ˺㷽: 
       00405F38  8B55 FC             mov   edx, dword ptr [ebp-4]
       00405F3B  81E2 FF000000       and   edx, 0FF
       00405F41  8B45 F4             mov   eax, dword ptr [ebp-C]
       00405F44  8B8490 84000000     mov   eax, dword ptr [eax+edx*4+84] ; ղŴ˺ĵط
       00405F4B  6BC0 03             imul  eax, eax, 3                   ; ȡ*3EAX
       00405F4E  99                  cdq                                 ; EAXչEDX
       00405F4F  2BC2                sub   eax, edx                      ; EDXòΪ0
       00405F51  D1F8                sar   eax, 1                        ; 1λ, λ
       00405F53  8B4D FC             mov   ecx, dword ptr [ebp-4]
       00405F56  81E1 FF000000       and   ecx, 0FF
       00405F5C  8B55 F4             mov   edx, dword ptr [ebp-C]
       00405F5F  89848A 84000000     mov   dword ptr [edx+ecx*4+84], eax ; ӳɺ˱ԭλ



       Ŀ佫SAVӳ = DATA* 48H + 0D60000H


¼㷽: ˺ * 175% *(˫ֵ * 2 + 100) / 100           (ע:  4)

            : δ֪ (¿ܵһ˺Լ2.5 ~ 3,
                            : 127 , 0)
            : ˺120%

            ע:  4. ˺175% ¸˫Ӱ, Խ˺Խ, ֮˺Խ
                 (ʵʲԷֵڱ22 ʱҲֻ˺ 120%)


ԭαΪ:
       <ֵ: ¾˺> <: ¾˺> PROTO STDCALL <1: ˺>, 
                                <2: 佫DATA>, <3: 佫SAVӳ>


       ע:  5. ԭĳ  <˺> <> PROC STDCALL <>, <SAVӳ>, <SAVӳ>
       00405F44 λò, ȥֲ, ûд


004D0C80   55            push  ebp
004D0C81   8BEC          mov   ebp, esp
004D0C83   83EC 08       sub   esp, 8
004D0C86   8B45 08       mov   eax, dword ptr [ebp+8]     ; ȡ1 ˺
004D0C89   B9 78000000   mov   ecx, 78
004D0C8E   F7E1          mul   ecx                        ; ˺*120
004D0C90   B9 64000000   mov   ecx, 64
004D0C95   33D2          xor   edx, edx
004D0C97   F7F1          div   ecx                        ; ˺*120/100
004D0C99   8945 FC       mov   dword ptr [ebp-4], eax
004D0C9C   8B4D 10       mov   ecx, dword ptr [ebp+10]    ; (0040709A) ECX, SAV
004D0C9F   6A 01         push  1                          ; (0040709A) 2, 2
004D0CA1   6A 00         push  0                          ; (0040709A) 1, ȡ
004D0CA3   E8 F263F3FF   call  0040709A                   ; ȡECX佫
004D0CA8   8945 F8       mov   dword ptr [ebp-8], eax
004D0CAB   B9 48000000   mov   ecx, 48
004D0CB0   8B45 0C       mov   eax, dword ptr [ebp+C]     ; ȡ2 DATA
004D0CB3   F7E1          mul   ecx                        ; DATAųԽṹ48H
004D0CB5   05 0000D600   add   eax, 0D60000               ; SAVӳַ0D60000H
004D0CBA   8BC8          mov   ecx, eax                   ; (0040709A) ECX, SAVӳ
004D0CBC   6A 01         push  1
004D0CBE   6A 00         push  0
004D0CC0   E8 D563F3FF   call  0040709A
004D0CC5   2B45 F8       sub   eax, dword ptr [ebp-8]     ;  - 
004D0CC8   83F8 CE       cmp   eax, -32                   ; ֵ-50, 
004D0CCB   7D 05         jge   short 004D0CD2             ; ڵ-50, ת
004D0CCD   8B45 FC       mov   eax, dword ptr [ebp-4]     ; ȡ˺120%
004D0CD0   EB 25         jmp   short 004D0CF7             ; ת
004D0CD2   D1E0          shl   eax, 1                     ; ֵ*2
004D0CD4   90            nop                              ; Ԥһ޸Ŀռ
004D0CD5   90            nop
004D0CD6   90            nop
004D0CD7   90            nop
004D0CD8   83C0 64       add   eax, 64                    ; ֵ*2+100
004D0CDB   8945 F8       mov   dword ptr [ebp-8], eax
004D0CDE   8B45 08       mov   eax, dword ptr [ebp+8]     ; ȡ˺
004D0CE1   BA AF000000   mov   edx, 0AF
004D0CE6   F7E2          mul   edx                        ; ˺*175
004D0CE8   B9 64000000   mov   ecx, 64
004D0CED   33D2          xor   edx, edx
004D0CEF   F7F1          div   ecx                        ; ˺*175/100
004D0CF1   F765 F8       mul   dword ptr [ebp-8]          ; *175/100*(*2+100)
004D0CF4   33D2          xor   edx, edx
004D0CF6   F7F1          div   ecx                        ; *175/100*(*2+100)/100
004D0CF8   3B45 FC       cmp   eax, dword ptr [ebp-4]     ; ˺120% Ƚ
004D0CFB ^ 72 D0         jb    short 004D0CCD             ; С˺120%
004D0CFD   8BE5          mov   esp, ebp
004D0CFF   5D            pop   ebp
004D0D00   C2 0C00       retn  0C



ô޸: 
00405F44 . 8D8C90 84000000  lea   ecx, dword ptr [eax+edx*4+84]   ; ȡ[eax+edx*4+84]ƫ
00405F4B   51               push  ecx                             ; ƫ޸
00405F4C   8B09             mov   ecx, dword ptr [ecx]            ; ڴ[ecx]˺
00405F4E   8B55 F8          mov   edx, dword ptr [ebp-8]          ; [ebp-8]űSAVӳ
00405F51   52               push  edx                             ; 3
00405F52   8B45 F4          mov   eax, dword ptr [ebp-C]
00405F55   8B50 0C          mov   edx, dword ptr [eax+C]
00405F58   8B02             mov   eax, dword ptr [edx]            ; DATA
00405F5A   50               push  eax                             ; 2 
00405F5B   51               push  ecx                             ; 1
00405F5C   E8 1FAD0C00      call  004D0C80                        ; (¾˺)
00405F61   59               pop   ecx                             ; [eax+edx*4+84]ƫ
00405F62   8901             mov   dword ptr [ecx], eax            ; Ľ
00405F64   90               nop
00405F65   90               nop


ջṹ:                                                    ʱĶջʾ:
       ߵַ   /.  [ebp+10]     SAVӳ             0022FD58    00D61488
                |.  [ebp+C]      DATA              0022FD54    00000000
                |.  [ebp+8]      ˺                0022FD50    00000020
                |.  [ebp+4]      CALL ָصַ           0022FD4C    00405F61  WaGan.00405F61
                |.  [ebp]        ԭEBPֵ                   0022FD48    0022FD7C
                |.  [ebp-4]      ˺120%        0022FD44    00000026
       ͵ַ   \.  [ebp-8]      ʱ                    0022FD40    00000068
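Added example (not code from the original post): a C port of the replacement routine at 004D0C80 together with the pieces of the game it depends on, so the formula `damage * 175% * (grade difference * 2 + 100) / 100`, floored at `damage * 120%`, can be checked against the stack snapshot above (damage 0x20, DATA 0, SAV image 00D61488 = entry 73, [ebp-4] = 0x26, [ebp-8] = 0x68). Assumptions: the fixed 0xD60000 region is replaced by a caller-provided buffer of 0x48-byte records; the tail of 0040709A shown on the page is modelled as reading one of the five grade bytes that the dumps place at +0x21..+0x25 of a record (00D60609..00D6060D), selected by arg1 (the page shows only the epilogue); the grade values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One general's in-memory save record ("SAV image"): ptr = index * 0x48 + 0xD60000,
 * and 0040BE7D computes the inverse. `base` stands in for the fixed 0xD60000 region. */
#define SAV_ENTRY_SIZE   0x48u
#define SAV_REGION_BASE  0x00D60000u
#define SAV_GRADE_OFFSET 0x21u   /* assumption: five grade bytes at +0x21..+0x25 */
#define SAV_GRADE_COUNT  5u

typedef struct { uint8_t *base; size_t count; } sav_table;

uint32_t sav_address_from_index(uint32_t index)   /* imul 48h ; add 0D60000h */
{
    return index * SAV_ENTRY_SIZE + SAV_REGION_BASE;
}

uint32_t sav_index_from_address(uint32_t addr)    /* 0040BE7D: (addr - 0D60000h) / 48h */
{
    return (addr - SAV_REGION_BASE) / SAV_ENTRY_SIZE;
}

uint8_t *sav_entry(const sav_table *t, uint32_t index)
{
    return t->base + (size_t)index * SAV_ENTRY_SIZE;
}

/* Tail of 0040709A (004070F7..0040710F): arg2 != 0 returns the grade byte doubled
 * (and eax,0FF ; shl eax,1), otherwise the raw byte. `which` is arg1 (0..4). */
uint32_t get_grade(const uint8_t *entry, uint32_t which, int doubled)
{
    uint32_t v = entry[SAV_GRADE_OFFSET + (which % SAV_GRADE_COUNT)];
    return doubled ? ((v & 0xFFu) << 1) : v;
}

/* Port of 004D0C80.  dmg = [ebp+8], attacker_idx = [ebp+C] (DATA),
 * target = [ebp+10] (target's SAV image).  mul/div are unsigned on edx:eax. */
uint32_t new_damage(uint32_t dmg, uint32_t attacker_idx, const uint8_t *target,
                    const sav_table *t)
{
    uint32_t d120 = (uint32_t)(((uint64_t)dmg * 0x78u) / 0x64u);  /* [ebp-4] = dmg*120/100 */
    uint32_t a = get_grade(target, 0, 1);                          /* ECX=[ebp+10]; push 1; push 0 */
    uint32_t b = get_grade(sav_entry(t, attacker_idx), 0, 1);      /* ECX = DATA*48h + 0D60000h */
    int32_t diff = (int32_t)(b - a);                               /* sub eax, [ebp-8] */
    if (diff < -50)                                                /* cmp eax, -32h ; jge */
        return d120;                                               /* fall back to 120% */
    uint32_t factor = (uint32_t)diff * 2u + 0x64u;                 /* shl 1 ; add 64h -> [ebp-8] */
    uint32_t d175 = (uint32_t)(((uint64_t)dmg * 0xAFu) / 0x64u);   /* dmg*175/100 */
    uint32_t prod = d175 * factor;  /* mul [ebp-8]; the xor edx,edx after it drops the high half */
    uint32_t result = prod / 0x64u;                                /* div ecx, ecx still 100 */
    return result < d120 ? d120 : result;                          /* cmp eax,[ebp-4] ; jb */
}

/* Re-creates the snapshot: damage 0x20, attacker DATA 0, target = entry 73,
 * with constructed grade bytes for the two records involved. */
uint32_t demo_snapshot(uint8_t attacker_grade, uint8_t target_grade)
{
    static uint8_t region[74u * SAV_ENTRY_SIZE];
    sav_table t = { region, 74u };
    memset(region, 0, sizeof region);
    sav_entry(&t, 0)[SAV_GRADE_OFFSET]  = attacker_grade;   /* constructed */
    sav_entry(&t, 73)[SAV_GRADE_OFFSET] = target_grade;     /* constructed */
    return new_damage(0x20u, 0u, sav_entry(&t, 73), &t);
}

int main(void)
{
    /* grades 11 vs 10 give [ebp-8] = 0x68 as in the snapshot and a result of 58 */
    printf("11 vs 10: %u, 10 vs 60: %u, index of 00D61488: %u\n",
           demo_snapshot(11, 10), demo_snapshot(10, 60),
           sav_index_from_address(0x00D61488u));
    return 0;
}
```

Two things worth checking when reproducing this: the `jb` at 004D0CFB is an unsigned compare while the `jge` at 004D0CCB is signed, which the port mirrors with `uint32_t` and `int32_t` respectively; and `jmp short 004D0CF7` (EB 25 at 004D0CD0) lands on the second byte of `div ecx` at 004D0CF6, so the port takes that branch straight to the epilogue, which is the evident intent.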
 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

ƪ:
       ΧDATAԼSAVļϷʾֵ2 洢, ڴж߼1 λʾ
       ϲʾ, Ҫ޸һEXE, ȻٽDATASAVļнΧ2, Ҫ޸1024
       佫ʵҪһʱ, дСԶʵʩ(ﲻṩ)


       ȿDATA.WAļΧĴ:
       0x018CH : B9 DC D2 E3 00 00 00 00  ; Ϊַ ""
       0x019EH : 2A                       ; ʮ42,  ٳ2 84
       0x019FH : 31                       ; ʮ49,  ٳ2 98
       0x01A0H : 2D                       ; ʮ45,  ٳ2 90
       0x01A1H : 2A                       ; ʮ42,  ٳ2 84
       0x01A2H : 2B                       ; ʮ43,  ٳ2 86
       0x01A3H : 6A 00                    ; ʮ106
       0x01A5H : 24                       ; ʮ36
       0x01A6H : 00                       ; ?
       0x01A7H : 01                       ; ʼȼ




       ٿSvXXd.WASļΧĴ:
       0x14E0H : 3B 00          ; ʮ59,  ʱ浵<>Ϊ 59
       0x14E2H : 47 00          ; ʮ71,  ʱ浵<>Ϊ 71
       0x14E4H : 44 00          ; ʮ68,  ʱ浵<>Ϊ 68
       0x14E6H : 3B 00          ; ʮ59,  ʱ浵<>Ϊ 59
       0x14E8H : 3D 00          ; ʮ61,  ʱ浵<>ʿΪ 61
       0x14EAH : 2A             ; ʮ42,  ٳ2 84, ʱ浵<>Ϊ 84
       0x14EBH : 31             ; ʮ49,  ٳ2 98, ʱ浵<>ͳΪ 98
       0x14ECH : 2D             ; ʮ45,  ٳ2 90, ʱ浵<>Ϊ 90
       0x14EDH : 2A             ; ʮ42,  ٳ2 84, ʱ浵<>Ϊ 84
       0x14EEH : 2B             ; ʮ43,  ٳ2 86, ʱ浵<>Ϊ 86
       0x14EFH : 88 00          ; ʮ136, ʱ浵<>HPΪ 136
       0x14F1H : 2A             ; ʮ42,  ʱ浵<>MPΪ 42
       0x14F2H : 00             ; ?
       0x14F3H : 06             ; ʮ6,   ʱ浵<>ȼΪ 6
       0x14F4H : 3B             ; ʮ59,  ʱ浵<>Ϊ 59
       0x14F5H : 17             ; ʮ23,  ʱ浵<>װԯǹı
       0x14F6H : 01             ; ʮ1,   ʱ浵<>ԯǹĵȼΪ1
       0x14F7H : 2F             ; ʮ47,  ʱ浵<>ԯǹľΪ47
       0x14F8H : 26             ; ʮ38,  ʱ浵<>װߡۼסı
       0x14F9H : 02             ; ʮ2,   ʱ浵<>ߡۼסĵȼΪ2
       0x14FAH : 13             ; ʮ19,  ʱ浵<>ߡۼסľΪ19

 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
       ע:  6. μ佫ԴеCAPACITY_STORAGE.inc ļ
 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

ߍʾ(οSTAR175 ġһϸķ)

       004072D4 /$ 55            push  ebp
       004072D5 |. 8BEC          mov   ebp, esp
       004072D7    8B45 08       mov   eax, dword ptr [ebp+8]   ; ȡ1, δʾ
       004072DA    25 FF000000   and   eax, 0FF                 ; 24 λ0
       004072DF    08C0          or    al, al                   ; ˢCPU ־
       004072E1    74 0A         je    short 004072ED           ; EAXΪ0 ʾ"E"
       004072E3    2C 01         sub   al, 1                    ; EAXֵ1
                                                                  ; DATAΪ1 ʱʾ"E"
       004072E5    3C 06         cmp   al, 6                    ; ٱȽEAX6
       004072E7    72 02         jb    short 004072EB           ; С6 ת
       004072E9    B0 06         mov   al, 6                    ; δǰ6ʱʾַ
       004072EB    D1E0          shl   eax, 1                   ; NULL βַ
       004072ED    05 70545500   add   eax, 00555470            ; UNICODEַ "EDCBASX"
       004072F2    8BE5          mov   esp, ebp
       004072F4    5D            pop   ebp
       004072F5    C2 0400       retn  4



       ٽ¼ 00477CF7, 00477D30, 00477D69, 00477DA0, 00477DD9 ԭָ:

       00477CF7 |. 25 FF000000   and   eax, 0FF
       00477CFC |. D1E0          shl   eax, 1
       00477CFE |. 05 70545500   add   eax, 00555470             ; UNICODE "EDCBASX"

       Ϊ:
       00477CF7    50            push  eax
       00477CF8    E8 D7F5F8FF   call  004072D4
       00477CFD    90            nop
       00477CFE    90            nop
       00477CFF    90            nop
       00477D00    90            nop
       00477D01    90            nop
       00477D02    90            nop


OLLYICE в鿴:    CTRL + N
            ñ:    Ҽ ==>  ==> ģĵ
            ַ:  Ҽ ==>  ==> вοıַ


       ַ:

       004102AC  push    0048B348                          ASCII "EEX"
       00410F0D  push    0048BB60                          ASCII "Data.wa"
       00411133  dd      WaGan(ol.00410A2D                 ASCII LF,"A"
       00411772  push    0048B3AC                          ASCII ""
       0041420E  push    0048BBF8                          ASCII "Xben.wa"
       00417FA1  mov     dword ptr [ebp-18], 0048B390      ASCII "R_xx.WAGAN"
       00417FAA  mov     dword ptr [ebp-18], 0048B3A0      ASCII "S_xx.WAGAN"
       00419506  push    0048B3F4                          ASCII "WAGAN"

       004752D1  push    00555058                          ASCII "sge.wa"

       ٴһᷴԱһ:

       004102AC  push    0048B348                          ASCII "EEX"
       00410F0D  push    0048BB60                          ASCII "DATA.E5"
       00411133  dd      ekd5.00410A2D                     ASCII LF,"A"
       00411772  push    0048B3AC                          ASCII ""
       0041420E  push    0048BBF8                          ASCII "MEFF.E5"
       00417FA1  mov     dword ptr [ebp-18], 0048B390      ASCII "R_xx.eex"
       00417FAA  mov     dword ptr [ebp-18], 0048B3A0      ASCII "S_xx.eex"
       00419506  push    0048B3F4                          ASCII "WAGAN"

       004752D1  push    00555058                          ASCII "TOU.dll"


       Ҹ°, ݴCTRL + G [Ҫݴиıʽ]Ի: 00555058

       00555058  73 67 65 2E 77 61 00 00 4C 4F 47 2E 61 76 69 00  sge.wa..LOG.avi.

       0055505C CTRL + E, 77 ޸Ϊ6F 70 68, :

       00555058  73 67 65 2E 6F 70 68 00 4C 4F 47 2E 61 76 69 00  sge.oph.LOG.avi.

       Ҽ ==> Ƶִļ, ʱϷ, ͷ񲻼

       ˳Ϸ, ٽsge.wa ļΪsge.oph

       һνϷ, ͷһγ

       Ÿλ֪ζԼMOD 򵥵ļ任\ˡ

       ½ϳ, ṩı

       ͣ, ʿ޷ڶڻظ, дΪ, лл!!

       ռ¥, ллλ!!

 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
       һ:    ¥ϡ佫 Դ, Ŀǰֻ֧佫ΧԶ
                    Ҫھ, Լ޸һ½ṹԴ롣
 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::