; Program entry (the '$' marker): fetch the module handle with
; GetModuleHandleA(NULL), keep it at [402177], then fill a run of dwords at
; 402197..4021AF before the key-file check starts.
; NOTE(review): the seven consecutive fields written here (the value 4003, the
; code address 004011A6, two zeros, the module handle, an icon handle and a
; cursor handle) look like a WNDCLASSA being prepared. No RegisterClass call
; is visible in this listing, so confirm against the rest of the disassembly.
00401000 > $ 6A 00 push 0 ; |/pModule = NULL
00401002 . E8 64020000 call <jmp.&KERNEL32.GetModuleHandleA> ; |\GetModuleHandleA
00401007 . A3 77214000 mov dword ptr [402177], eax ; |
0040100C . C705 97214000>mov dword ptr [402197], 4003 ; |
00401016 . C705 9B214000>mov dword ptr [40219B], 004011A6 ; |
00401020 . C705 9F214000>mov dword ptr [40219F], 0 ; |
0040102A . C705 A3214000>mov dword ptr [4021A3], 0 ; |
00401034 . A1 77214000 mov eax, dword ptr [402177] ; |
00401039 . A3 A7214000 mov dword ptr [4021A7], eax ; |
; LoadIconA(eax, 4): eax was just reloaded from [402177], i.e. whatever
; GetModuleHandleA returned. NOTE(review): the "hInst => NULL" text below is
; the analyzer's annotation; check the actual register value in the debugger.
0040103E . 6A 04 push 4 ; |/RsrcName = 4.
00401040 . 50 push eax ; ||hInst => NULL
00401041 . E8 3F030000 call <jmp.&USER32.LoadIconA> ; |\LoadIconA
00401046 . A3 AB214000 mov dword ptr [4021AB], eax ; |
; LoadCursorA(NULL, 7F00h): stock arrow cursor; the returned handle is stored
; at [4021AF].
0040104B . 68 007F0000 push 7F00 ; |/RsrcName = IDC_ARROW
00401050 . 6A 00 push 0 ; ||hInst = NULL
00401052 . E8 C8020000 call <jmp.&USER32.LoadCursorA> ; |\LoadCursorA
00401057 . A3 AF214000 mov dword ptr [4021AF], eax ; |
; Open "Keyfile.dat" with CreateFileA, OPEN_EXISTING, read+write access and
; read/write sharing. The name carries no directory part, so it resolves
; against the process's current directory.
; NOTE(review): GENERIC_WRITE is requested although only a ReadFile on this
; handle is visible in the listing; read-only access would be sufficient for
; what is shown here.
; NOTE(review): the value pushed for the flags/attributes argument is
; 0040216F, which looks like a data-section address rather than a
; FILE_ATTRIBUTE_* mask. The flag names the analyzer decoded on that line are
; therefore probably not meaningful - confirm.
0040105C . 6A 00 push 0 ; |/hTemplateFile = NULL
0040105E . 68 6F214000 push 0040216F ; ||Attributes = READONLY|HIDDEN|SYSTEM|ARCHIVE|TEMPORARY|402048
00401063 . 6A 03 push 3 ; ||Mode = OPEN_EXISTING
00401065 . 6A 00 push 0 ; ||pSecurity = NULL
00401067 . 6A 03 push 3 ; ||ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401069 . 68 000000C0 push C0000000 ; ||Access = GENERIC_READ|GENERIC_WRITE
0040106E . 68 79204000 push 00402079 ; ||FileName = "Keyfile.dat"
00401073 . E8 0B020000 call <jmp.&KERNEL32.CreateFileA> ; |\CreateFileA
; -1 is INVALID_HANDLE_VALUE: the open failed. Any other value is treated as
; a usable handle and execution continues at 0040109A.
00401078 . 83F8 FF cmp eax, -1 ; |
0040107B . 75 1D jnz short 0040109A ; |
; Open failed: show a message box and terminate. The text blames an expired
; evaluation period, although the only condition tested on this path is that
; the file could not be opened.
0040107D . 6A 00 push 0 ; |/Style = MB_OK|MB_APPLMODAL
0040107F . 68 00204000 push 00402000 ; ||Title = " Key File ReverseMe"
00401084 . 68 17204000 push 00402017 ; ||Text = "Evaluation period out of date. Purchase new license"
00401089 . 6A 00 push 0 ; ||hOwner = NULL
0040108B . E8 D7020000 call <jmp.&USER32.MessageBoxA> ; |\MessageBoxA
00401090 . E8 24020000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
; ExitProcess does not return, so this jmp is not expected to execute.
00401095 . E9 83010000 jmp 0040121D
; Reached when CreateFileA succeeded. Read up to 46h (70) bytes from the key
; file into the buffer at 0040211A; the number of bytes actually read is
; written to 00402173. eax is pushed as the file handle.
0040109A > 6A 00 push 0 ; /pOverlapped = NULL
0040109C . 68 73214000 push 00402173 ; |pBytesRead = reverseM.00402173
004010A1 . 6A 46 push 46 ; |BytesToRead = 46 (70.)
004010A3 . 68 1A214000 push 0040211A ; |Buffer = reverseM.0040211A
004010A8 . 50 push eax ; |hFile
004010A9 . E8 2F020000 call <jmp.&KERNEL32.ReadFile> ; \ReadFile
; ReadFile returns zero on failure: fall into the jmp to the rejection path
; at 004010F7. A non-zero result skips that jmp and continues at 004010B4.
; NOTE(review): no CloseHandle for the file handle appears anywhere in this
; listing - confirm whether it is closed later.
004010AE . 85C0 test eax, eax
004010B0 . 75 02 jnz short 004010B4
004010B2 . EB 43 jmp short 004010F7
; Key-file content check over the buffer at 0040211A.
;   ebx = byte index into the buffer
;   esi = count of bytes equal to 47h
; The bytes-read count at [402173] must be at least 10h (16), otherwise the
; rejection path at 004010F7 is taken. jl is a signed comparison on a count;
; that is harmless here only because ReadFile was asked for at most 46h bytes.
004010B4 > 33DB xor ebx, ebx
004010B6 . 33F6 xor esi, esi
004010B8 . 833D 73214000>cmp dword ptr [402173], 10
004010BF . 7C 36 jl short 004010F7
; Scan loop: it ends only at the first zero byte. ebx is never compared with
; the byte count at [402173] or with the 46h-byte read size, so when the
; buffer holds no zero byte the read index runs past 0040211A+46h into
; whatever data follows it (an out-of-bounds read).
; NOTE(review): bounding the loop by the bytes-read count would remove the
; dependence on adjacent memory contents.
004010C1 > 8A83 1A214000 mov al, byte ptr [ebx+40211A]
004010C7 . 3C 00 cmp al, 0
004010C9 . 74 08 je short 004010D3
004010CB . 3C 47 cmp al, 47
004010CD . 75 01 jnz short 004010D0
004010CF . 46 inc esi
004010D0 > 43 inc ebx
004010D1 .^ EB EE jmp short 004010C1
; Fewer than 8 matching bytes -> rejection path at 004010F7. Otherwise jump to
; 00401205, which lies outside this listing.
004010D3 > 83FE 08 cmp esi, 8
004010D6 . 7C 1F jl short 004010F7
004010D8 . E9 28010000 jmp 00401205
; Run of zero bytes that the analyzer left as data. The instruction just
; before this range (at 004010D8) is an unconditional jmp, so nothing falls
; through into it.
; NOTE(review): presumably filler; whether any code jumps into this range
; cannot be told from this listing.
004010DD 00 db 00
004010DE . 00000000 dd 00000000
004010E2 00 db 00
004010E3 00 db 00
004010E4 00 db 00
004010E5 00 db 00
004010E6 00 db 00
004010E7 00 db 00
004010E8 00 db 00
004010E9 00 db 00
004010EA 00 db 00
004010EB 00 db 00
004010EC 00 db 00
004010ED 00 db 00
004010EE 00 db 00
004010EF 00 db 00
004010F0 00 db 00
004010F1 00 db 00
004010F2 00 db 00
004010F3 00 db 00
004010F4 00 db 00
; EB 00 is a short jump with zero displacement: it lands on the very next
; instruction, 004010F7.
004010F5 . EB 00 jmp short 004010F7
; Common rejection path, the target of every jump to 004010F7 in this
; listing (ReadFile failure, fewer than 10h bytes read, fewer than 8 bytes
; equal to 47h): report an invalid key file, then terminate the process.
004010F7 > 6A 00 push 0 ; |/Style = MB_OK|MB_APPLMODAL
004010F9 . 68 00204000 push 00402000 ; ||Title = " Key File ReverseMe"
004010FE . 68 86204000 push 00402086 ; ||Text = "Keyfile is not valid. Sorry."
00401103 . 6A 00 push 0 ; ||hOwner = NULL
00401105 . E8 5D020000 call <jmp.&USER32.MessageBoxA> ; |\MessageBoxA
0040110A . E8 AA010000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
反汇编windows避让陷阱