313的某段代码
; ---------------------------------------------------------------------
; San13_tc.00C221D0 — script opcode dispatcher (handles one opcode byte)
; Conventions visible in the body: ecx = object pointer on entry (copied
;   to esi and passed back in ecx to each helper — MSVC thiscall-style),
;   result in al (0 on every path that returns from here; the 'R' case
;   tail-jumps to 00C22720 and its return value is used instead).
;   esi/edi are saved and restored; arguments pushed for the helpers are
;   popped by the helpers (the pop edi after each call only lands on the
;   saved edi if the callee removed its own arguments).
; Only opcode bytes 0x43..0x53 ('C'..'S') reach the jump table; any other
;   byte (including < 0x43, which wraps to a huge value under the unsigned
;   `ja`) takes the default case at 00C222CC, which just returns 0. Letters
;   in that range without a handler here are presumably folded onto the
;   default slot by the case-index table at 0xC222F0 (table not shown).
; Object fields used: +0xA40, +0xA44 (read by 'C'), +0xA58 ('C' counter),
;   +0xA5C ('J' counter), +0xA60 (written by 'R'), +0 (read as a
;   function-pointer table base by 'M' and 'F').
; ---------------------------------------------------------------------
00C221D0 $ 56 push esi ; save esi/edi (both restored before every retn)
00C221D1 . 57 push edi
00C221D2 . 8BF1 mov esi,ecx ; esi = object pointer, kept across all calls below
00C221D4 . E8 87FAFFFF call San13_tc.00C21C60 ; 00C21C60(obj) returns a byte in al — presumably the next script byte (the opcode); not verifiable from this listing
00C221D9 . 0FB6C0 movzx eax,al ; eax = opcode, zero-extended
00C221DC . 83C0 BD add eax,-0x43 ; Switch (cases 43..53) ; eax = opcode - 'C'
00C221DF . 83F8 10 cmp eax,0x10 ; unsigned range check: only 17 values ('C'..'S') continue; bytes below 'C' wrapped negative and fail it too
00C221E2 . 0F87 E4000000 ja San13_tc.00C222CC ; out of range -> default case (returns 0)
00C221E8 . 0FB680 F022C200 movzx eax,byte ptr ds:[eax+0xC222F0] ; two-level switch: case-index byte table at 0xC222F0 ...
00C221EF . FF2485 D422C200 jmp dword ptr ds:[eax*4+0xC222D4] ; ... then the handler address table at 0xC222D4
00C221F6 > FF86 5C0A0000 inc dword ptr ds:[esi+0xA5C] ; Case 4A ('J') of switch 00C221DC ; ++[obj+0xA5C]: per-object 'J' counter, incremented before the cap check and never decremented in this function
00C221FC . 81BE 5C0A0000 E8030000 cmp dword ptr ds:[esi+0xA5C],0x3E8 ; cap at 0x3E8 = 1000 ...
00C22206 . 0F87 C0000000 ja San13_tc.00C222CC ; ... once past the cap the opcode becomes a no-op (default case, returns 0)
00C2220C . 8BCE mov ecx,esi
00C2220E . E8 CDFAFFFF call San13_tc.00C21CE0 ; eax = 00C21CE0(obj); the value goes straight into 00C21F50 below (counterpart of the 0059C460/0059C500 pair in the Taikou listing on this page)
00C22213 . 50 push eax ; argument for 00C21F50 (callee pops it)
00C22214 . 8BCE mov ecx,esi
00C22216 . E8 35FDFFFF call San13_tc.00C21F50 ; 00C21F50(obj, eax) — the same two-call tail is used by case 'C'
00C2221B . 5F pop edi ; restore edi (stack is balanced here only because 00C21F50 removed its argument)
00C2221C . 32C0 xor al,al ; return 0
00C2221E . 5E pop esi
00C2221F . C3 retn
00C22220 > FF86 580A0000 inc dword ptr ds:[esi+0xA58] ; Case 43 ('C') of switch 00C221DC ; ++[obj+0xA58]: per-object 'C' counter, same 1000 cap as 'J'
00C22226 . 81BE 580A0000 E8030000 cmp dword ptr ds:[esi+0xA58],0x3E8
00C22230 . 0F87 96000000 ja San13_tc.00C222CC ; over the cap -> default case: nothing is saved and no jump is made
00C22236 . 8B86 440A0000 mov eax,dword ptr ds:[esi+0xA44]
00C2223C . 83C0 04 add eax,0x4 ; eax = [obj+0xA44] + 4 (the Taikou counterpart saves [obj+0x41C] + 2 at this point)
00C2223F . 50 push eax
00C22240 . 8BCE mov ecx,esi
00C22242 . E8 49FCFFFF call San13_tc.00C21E90 ; 00C21E90(obj, [obj+0xA44]+4) — first of two saves before jumping
00C22247 . FFB6 400A0000 push dword ptr ds:[esi+0xA40]
00C2224D . E8 3EFCFFFF call San13_tc.00C21E90 ; second save, [obj+0xA40]; NOTE(review): ecx is NOT reloaded before this call, so it relies on 00C21E90 leaving ecx intact (or not using it) — confirm
00C22252 . E8 89FAFFFF call San13_tc.00C21CE0 ; likewise called with whatever ecx the previous call left; case 'J' reloads ecx before this same call
00C22257 . 50 push eax
00C22258 . 8BCE mov ecx,esi
00C2225A . E8 F1FCFFFF call San13_tc.00C21F50 ; 00C21F50(obj, eax) — same jump tail as case 'J'
00C2225F . 5F pop edi
00C22260 . 32C0 xor al,al ; return 0
00C22262 . 5E pop esi
00C22263 . C3 retn
00C22264 > 53 push ebx ; Case 53 ('S') of switch 00C221DC ; ebx is scratch for the limit value below, saved/restored around its use
00C22265 . 8BCE mov ecx,esi
00C22267 . E8 54080000 call San13_tc.00C22AC0 ; eax = 00C22AC0(obj): a limit for the repeat count (this call has no counterpart in the Taikou listing)
00C2226C . 6A 00 push 0x0
00C2226E . 6A 00 push 0x0
00C22270 . 8BCE mov ecx,esi
00C22272 . 8BD8 mov ebx,eax ; ebx = limit
00C22274 . E8 B7FAFFFF call San13_tc.00C21D30 ; eax = 00C21D30(obj, 0, 0) — the repeat count (the Taikou author describes the equivalent call as "attribute fetch and value calculation")
00C22279 . 8BF8 mov edi,eax ; edi = count
00C2227B . 85DB test ebx,ebx
00C2227D . 74 07 je XSan13_tc.00C22286 ; limit == 0 -> no clamp at all
00C2227F . 3BFB cmp edi,ebx
00C22281 . 72 03 jb XSan13_tc.00C22286 ; unsigned: count < limit -> keep count
00C22283 . 8D7B FF lea edi,dword ptr ds:[ebx-0x1] ; count = limit - 1 (clamp; absent in the Taikou version)
00C22286 > 5B pop ebx
00C22287 . 85FF test edi,edi
00C22289 . 74 41 je XSan13_tc.00C222CC ; count == 0 -> default case (return 0)
00C2228B . EB 03 jmp XSan13_tc.00C22290
00C2228D 8D49 00 lea ecx,dword ptr ds:[ecx] ; 3-byte NOP: alignment padding before the loop head, never executed (the jmp above skips it and nothing else targets it)
00C22290 > 8BCE mov ecx,esi ; loop: call 00C22A00(obj) `count` times
00C22292 . E8 69070000 call San13_tc.00C22A00
00C22297 . 4F dec edi
00C22298 .^ 75 F6 jnz XSan13_tc.00C22290 ; edi is treated as an unsigned count; it is only bounded by the clamp above when limit != 0
00C2229A . 5F pop edi
00C2229B . 32C0 xor al,al ; return 0
00C2229D . 5E pop esi
00C2229E . C3 retn
00C2229F > 8B06 mov eax,dword ptr ds:[esi] ; Case 4D ('M') of switch 00C221DC ; eax = first dword of the object, used as a function-pointer table base (looks like a vtable — not confirmed here)
00C222A1 . 8BCE mov ecx,esi
00C222A3 . FF50 14 call dword ptr ds:[eax+0x14] ; indirect call through slot +0x14 with ecx = obj (the Taikou 'M' case uses slot +0x8)
00C222A6 . 5F pop edi
00C222A7 . 32C0 xor al,al ; return 0
00C222A9 . 5E pop esi
00C222AA . C3 retn
00C222AB > 6A 00 push 0x0 ; Case 52 ('R') of switch 00C221DC ; same (0, 0) arguments as the count call in case 'S'
00C222AD . 6A 00 push 0x0
00C222AF . 8BCE mov ecx,esi
00C222B1 . E8 7AFAFFFF call San13_tc.00C21D30 ; eax = 00C21D30(obj, 0, 0)
00C222B6 . 5F pop edi ; edi restored early: the frame is torn down before the tail jump
00C222B7 . 8986 600A0000 mov dword ptr ds:[esi+0xA60],eax ; [obj+0xA60] = computed value
00C222BD . 8BCE mov ecx,esi
00C222BF . 5E pop esi
00C222C0 . E9 5B040000 jmp San13_tc.00C22720 ; tail call: 00C22720(obj) returns directly to our caller, so al is whatever it returns — not forced to 0 like the other cases
00C222C5 > 8B06 mov eax,dword ptr ds:[esi] ; Case 46 ('F') of switch 00C221DC ; same indirect-call pattern as 'M', slot +0xC
00C222C7 . 8BCE mov ecx,esi
00C222C9 . FF50 0C call dword ptr ds:[eax+0xC] ; falls through into the default epilogue
00C222CC > 5F pop edi ; Default case of switch 00C221DC ; shared epilogue: unknown opcode, capped counter or zero count all end here as a no-op returning 0
00C222CD . 32C0 xor al,al
00C222CF . 5E pop esi
00C222D0 . C3 retn
太阁的某段代码
; ---------------------------------------------------------------------
; Taikou5.0059CC30 — the same opcode dispatcher as San13_tc.00C221D0 on
;   this page. Conventions visible in the body: ecx = object pointer on
;   entry (copied to esi), result in eax (0 on every path that returns
;   from here; 'R' tail-jumps to 0059C8D0). Only esi is saved in the
;   prologue; edi is saved locally inside the 'S' case. Arguments pushed
;   for the helpers are popped by the helpers (stack balance at the
;   pop esi / retn).
; Differences from the San13 version that are visible here: the opcode
;   byte is fetched inline (post-increment of [obj+0x41C], pointer from
;   006A9390, then one byte); 'C' falls through into the 'J' tail instead
;   of duplicating it; 'S' has no upper clamp on the repeat count; the
;   indirect-call slots are +0x8 ('M') and +0x4 ('F'); the (0) argument
;   lists are one zero instead of two.
; Object fields used: +0xC (pointer chain), +0x418, +0x41C (read position,
;   incremented here), +0x438 ('C' counter), +0x43C ('J' counter),
;   +0x440 (written by 'R'), +0 (function-pointer table base).
; ---------------------------------------------------------------------
0059CC30 $ 56 push esi ; save esi (restored before every retn)
0059CC31 . 8BF1 mov esi,ecx ; esi = object pointer
0059CC33 . 8B86 1C040000 mov eax,dword ptr ds:[esi+0x41C] ; eax = old [obj+0x41C] ...
0059CC39 . 8D48 01 lea ecx,dword ptr ds:[eax+0x1]
0059CC3C . 898E 1C040000 mov dword ptr ds:[esi+0x41C],ecx ; ... [obj+0x41C]++ (post-increment: eax keeps the old value as the index used below)
0059CC42 . 8B4E 0C mov ecx,dword ptr ds:[esi+0xC]
0059CC45 . 8B49 0C mov ecx,dword ptr ds:[ecx+0xC] ; ecx = [[obj+0xC]+0xC]; [obj+0xC] itself is dereferenced with no null check
0059CC48 . 85C9 test ecx,ecx
0059CC4A . 75 04 jnz XTaikou5.0059CC50
0059CC4C . 33C0 xor eax,eax ; inner pointer is null: eax = 0 ...
0059CC4E . EB 06 jmp XTaikou5.0059CC56 ; ... and the movzx at 0059CC56 then reads byte [0] — a null dereference rather than a clean bail-out
0059CC50 > 50 push eax ; argument = old index
0059CC51 . E8 3AC71000 call Taikou5.006A9390 ; eax = 006A9390(ecx = inner object, index) — presumably a pointer to the current script byte; not verifiable here
0059CC56 > 0FB600 movzx eax,byte ptr ds:[eax] //read 1 byte ; eax = opcode (with eax == 0 from 0059CC4C this reads address 0)
0059CC59 . 83C0 BD add eax,-0x43 ; Switch (cases 43..53) ; eax = opcode - 'C'
0059CC5C . 83F8 10 cmp eax,0x10 ; unsigned range check: only 'C'..'S' (17 values) reach the table; bytes below 'C' wrap and fail it too
0059CC5F . 0F87 BB000000 ja Taikou5.0059CD20 ; otherwise default case (returns 0)
0059CC65 . 0FB690 40CD5900 movzx edx,byte ptr ds:[eax+0x59CD40] ; case-index byte table at 0x59CD40 ...
0059CC6C . FF2495 24CD5900 jmp dword ptr ds:[edx*4+0x59CD24] ; ... then the handler address table at 0x59CD24
0059CC73 > 8B8E 3C040000 mov ecx,dword ptr ds:[esi+0x43C] ; Case 4A ('J') of switch 0059CC59//direct jump: 0143XXXX, where XXXX is the number of the msg being jumped to (guess) ; ++[obj+0x43C], same 0x3E8 (1000) cap as San13
0059CC79 . 41 inc ecx
0059CC7A . 8BC1 mov eax,ecx
0059CC7C . 3D E8030000 cmp eax,0x3E8 ; compared before the store; mov does not touch flags, so the ja below still sees this result
0059CC81 . 898E 3C040000 mov dword ptr ds:[esi+0x43C],ecx ; the incremented counter is written back even when it is over the cap
0059CC87 . 0F87 93000000 ja Taikou5.0059CD20 ; > 1000 -> default (jump skipped, returns 0)
0059CC8D . EB 33 jmp XTaikou5.0059CCC2 ; shared jump tail (also reached by falling out of case 'C')
0059CC8F > 8B8E 38040000 mov ecx,dword ptr ds:[esi+0x438] ; Case 43 ('C') of switch 0059CC59//insert-type jump: 014AXXXX, where XXXX is the number of the msg being jumped to (guess) ; ++[obj+0x438], same cap
0059CC95 . 41 inc ecx
0059CC96 . 8BC1 mov eax,ecx
0059CC98 . 3D E8030000 cmp eax,0x3E8
0059CC9D . 898E 38040000 mov dword ptr ds:[esi+0x438],ecx
0059CCA3 . 77 7B ja XTaikou5.0059CD20 ; > 1000 -> default: nothing is saved and no jump happens
0059CCA5 . 8B8E 1C040000 mov ecx,dword ptr ds:[esi+0x41C]
0059CCAB . 83C1 02 add ecx,0x2 ; ecx = [obj+0x41C] + 2 — presumably the position just past the 2-byte operand that 0059C460 reads below (San13 saves [obj+0xA44] + 4 instead)
0059CCAE . 51 push ecx
0059CCAF . 8BCE mov ecx,esi
0059CCB1 . E8 EAF4FFFF call Taikou5.0059C1A0 //save the offset from before the insert ; 0059C1A0(obj, position)
0059CCB6 . 8B96 18040000 mov edx,dword ptr ds:[esi+0x418]
0059CCBC . 52 push edx
0059CCBD . E8 DEF4FFFF call Taikou5.0059C1A0 //save the msg file number from before the insert ; NOTE(review): ecx is NOT reloaded before this call (same pattern as San13's second 00C21E90 call) — relies on 0059C1A0 preserving ecx; confirm
0059CCC2 > 8BCE mov ecx,esi ; common tail for 'J' and 'C'
0059CCC4 . E8 97F7FFFF call Taikou5.0059C460 //read two bytes: the number of the msg to jump to
0059CCC9 . 0FB7C0 movzx eax,ax ; only the low 16 bits of the result are used
0059CCCC . 50 push eax
0059CCCD . 8BCE mov ecx,esi
0059CCCF . E8 2CF8FFFF call Taikou5.0059C500 //jump handling ; 0059C500(obj, msg number)
0059CCD4 . 33C0 xor eax,eax ; return 0
0059CCD6 . 5E pop esi
0059CCD7 . C3 retn
0059CCD8 > 6A 00 push 0x0 ; Case 53 ('S') of switch 0059CC59//followed by an attribute fetch and value calculation; if the resulting value is > 0, search forward to the N-th 050505 ; one zero argument here versus two in San13
0059CCDA . 8BCE mov ecx,esi
0059CCDC . E8 7FF9FFFF call Taikou5.0059C660 ; eax = 0059C660(obj, 0) — the repeat count
0059CCE1 . 85C0 test eax,eax ; test clears CF, so the jbe below behaves as je: only count == 0 takes the default; any nonzero value (including ones that are negative as signed) enters the loop
0059CCE3 . 76 3B jbe XTaikou5.0059CD20
0059CCE5 . 57 push edi ; edi saved here rather than in the prologue
0059CCE6 . 8BF8 mov edi,eax ; edi = count; no upper clamp (San13 caps it at limit-1)
0059CCE8 > 8BCE mov ecx,esi ; loop: call 0059C940(obj) `count` times
0059CCEA . E8 51FCFFFF call Taikou5.0059C940
0059CCEF . 4F dec edi
0059CCF0 .^ 75 F6 jnz XTaikou5.0059CCE8
0059CCF2 . 5F pop edi
0059CCF3 . 33C0 xor eax,eax ; return 0
0059CCF5 . 5E pop esi
0059CCF6 . C3 retn
0059CCF7 > 8B16 mov edx,dword ptr ds:[esi] ; Case 4D ('M') of switch 0059CC59//followed by 02 + a one-byte object-type register-slot number + an attribute fetch and value calculation; the computed value is written into that object-type register slot ; edx = function-pointer table base (first dword of the object)
0059CCF9 . 8BCE mov ecx,esi
0059CCFB . FF52 08 call dword ptr ds:[edx+0x8] ; indirect call through slot +0x8 with ecx = obj (San13: slot +0x14)
0059CCFE . 33C0 xor eax,eax ; return 0
0059CD00 . 5E pop esi
0059CD01 . C3 retn
0059CD02 > 6A 00 push 0x0 ; Case 52 ('R') of switch 0059CC59//followed by an attribute fetch and value calculation; the resulting value is written to [esi+0x440], then control returns to the string that last jumped here
0059CD04 . 8BCE mov ecx,esi
0059CD06 . E8 55F9FFFF call Taikou5.0059C660 ; eax = 0059C660(obj, 0)
0059CD0B . 8986 40040000 mov dword ptr ds:[esi+0x440],eax ; [obj+0x440] = computed value
0059CD11 . 8BCE mov ecx,esi
0059CD13 . 5E pop esi ; frame torn down before the tail jump
0059CD14 .^ E9 B7FBFFFF jmp Taikou5.0059C8D0 ; tail call: 0059C8D0(obj) returns straight to our caller, so eax is its result — not forced to 0 on this path
0059CD19 > 8B06 mov eax,dword ptr ds:[esi] ; Case 46 ('F') of switch 0059CC59//sleep, see the sub-branch: first reads 1 byte; if it is 64 it enters, then reads an attribute fetch and value calculation, multiplies that value by 10 and calls sleep ; same indirect-call pattern as 'M', slot +0x4
0059CD1B . 8BCE mov ecx,esi
0059CD1D . FF50 04 call dword ptr ds:[eax+0x4] ; falls through into the default epilogue
0059CD20 > 33C0 xor eax,eax ; Default case of switch 0059CC59 ; shared epilogue: unknown opcode, capped counter or zero count all end here as a no-op returning 0
0059CD22 . 5E pop esi
0059CD23 . C3 retn
除了编译后局部变量的顺序不太一样,看不出区别。



    我造的东西6023个下载。。。。附带一个别人的东西6740的下载。。。喧宾夺主发生了!

