29-01-2021, 05:13 PM
السلام عليكم و رحمة الله تعالى و بركاته، أما بعد :
كنت أتبع درس أجنبي حول كسر حماية دونقل سونتينل و فجأة أصبح كلشي غامض و لم أفهم من أين كان يأتي بالدوال... على كل حال الحماية التي كانت عندو أعتقد أنها أصعب من الي كانت عندي فبعد تتبع مراحل الكسر كالآتي:
1- قمت بالبحث عن signatures لبرنامج IDA و وجدتها و قد قمت بتعريف الدوال
2- كسر دالة RNBOproFormatPacket
3- كسر دالة RNBOproInitialize
4- محاولة كسر دالة RNBOproQuery لكني وجدتها معقدة و لم أعرف ماذا أفعل لأنها تقوم بالولوج الى الذاكرة و مقارنة الخلايا ...
الدالة الموجودة في الدرس تقرأ ست قيم إدخال، ولكن الدالة التي عندي تقرأ 4 فقط. بعد البحث وجدت أن هذه الدالة مشكّلة كالتالي:
DRNBOproQuery (packetp, retstring, &word, len)
وهذا رابط الدرس:
Mega - Archive حجم 6 ميقا
وهذي الدالة الي عندي:
[align=left]
[align=left]CPU Disasm
Address Hex dump Command Comments
; RNBOproQuery as shown by the debugger: address, instruction bytes, instruction, comment.
; Interface visible in this listing: four stack arguments; every exit is RETN 10, so the
; callee removes 16 bytes of arguments (stdcall); a 16-bit status is returned in AX.
; Register roles after the prologue:
;   EDI = ARG.1          EBX = pointer returned by CALL 0075A6C0 for ARG.1
;   ECX = ARG.2 (bytes are read from it)
;   ESI = ARG.3 (a 16-bit result is written through it)
;   AX  = ARG.4 (16-bit value, range-checked against 2 and 40 hex)
; NOTE(review): the prototype quoted in the post (packetp, retstring, &word, len) is
; consistent with these roles, but the names cannot be confirmed from the code itself.
; LOCAL.0 is the 4-byte scratch area reserved by SUB ESP,4.
; All numbers in this listing are hexadecimal.
0075F8D0 /$ 83EC 04 SUB ESP,4 ; RNBOsproQuery(x,x,x,x
0075F8D3 |. 53 PUSH EBX
0075F8D4 |. 56 PUSH ESI
0075F8D5 |. 57 PUSH EDI
0075F8D6 |. 8B7424 1C MOV ESI,DWORD PTR SS:[ARG.3]
0075F8DA |. 8B7C24 14 MOV EDI,DWORD PTR SS:[ARG.1]
; OR EDI,EDI sets the flags for the JNZ below; the MOV in between does not change them.
; NOTE(review): the store at 0075F8E0 writes FFFF through ARG.3 before ARG.3 is tested
; for zero (that test is at 0075F92B), so a null ARG.3 reaches this store unchecked.
0075F8DE |. 0BFF OR EDI,EDI
0075F8E0 |. 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075F8E5 |. 75 0D JNZ SHORT 0075F8F4
; ARG.1 == 0: return AX = 2.
0075F8E7 |. 66:B8 0200 MOV AX,2
0075F8EB |. 5F POP EDI
0075F8EC |. 5E POP ESI
0075F8ED |. 5B POP EBX
0075F8EE |. 83C4 04 ADD ESP,4
0075F8F1 |. C2 1000 RETN 10
; ARG.1 is passed to 0075A6C0 and the returned pointer is kept in EBX for the rest of
; the routine. The first word behind it must equal 7242, otherwise return AX = 2.
; EBX is dereferenced without a zero test here; whether the callee can return 0 is not
; visible in this listing.
0075F8F4 |> 57 PUSH EDI ; /Arg1 => [ARG.1]
0075F8F5 |. E8 C6ADFFFF CALL 0075A6C0 ; \Snet.0075A6C0
0075F8FA |. 8BD8 MOV EBX,EAX
0075F8FC |. 66:813B 4272 CMP WORD PTR DS:[EBX],7242
0075F901 |. 74 0D JE SHORT 0075F910
0075F903 |. 66:B8 0200 MOV AX,2
0075F907 |. 5F POP EDI
0075F908 |. 5E POP ESI
0075F909 |. 5B POP EBX
0075F90A |. 83C4 04 ADD ESP,4
0075F90D |. C2 1000 RETN 10
; ARG.2 == 0: store 0C10 at [EBX+6] and return AX = 10.
0075F910 |> 8B4C24 18 MOV ECX,DWORD PTR SS:[ARG.2]
0075F914 |. 0BC9 OR ECX,ECX
0075F916 |. 75 13 JNZ SHORT 0075F92B
0075F918 |. 66:C743 06 10 MOV WORD PTR DS:[EBX+6],0C10
0075F91E |. 66:B8 1000 MOV AX,10
0075F922 |. 5F POP EDI
0075F923 |. 5E POP ESI
0075F924 |. 5B POP EBX
0075F925 |. 83C4 04 ADD ESP,4
0075F928 |. C2 1000 RETN 10
; ARG.3 == 0: same code as for ARG.2 (0C10 stored, AX = 10). ARG.3 has already been
; written through at 0075F8E0, see the note there.
0075F92B |> 0BF6 OR ESI,ESI
0075F92D |. 75 13 JNZ SHORT 0075F942
0075F92F |. 66:C743 06 10 MOV WORD PTR DS:[EBX+6],0C10
0075F935 |. 66:B8 1000 MOV AX,10
0075F939 |. 5F POP EDI
0075F93A |. 5E POP ESI
0075F93B |. 5B POP EBX
0075F93C |. 83C4 04 ADD ESP,4
0075F93F |. C2 1000 RETN 10
; Bit 04 of the byte at [EBX+12] must be set; if it is clear, store 0C39 at [EBX+6]
; and return AX = 39. The meaning of that bit is not visible in this listing.
0075F942 |> F643 12 04 TEST BYTE PTR DS:[EBX+12],04
0075F946 |. 75 18 JNZ SHORT 0075F960
0075F948 |. 66:C743 06 39 MOV WORD PTR DS:[EBX+6],0C39
0075F94E |. 66:B8 3900 MOV AX,39
0075F952 |. 5F POP EDI
0075F953 |. 5E POP ESI
0075F954 |. 5B POP EBX
0075F955 |. 83C4 04 ADD ESP,4
0075F958 |. C2 1000 RETN 10
; No-effect filler after the RETN; this address is not marked as a jump target.
0075F95B | 05 00000000 ADD EAX,0
; Range check of ARG.4 (unsigned compares). Below 2: [ESI] = FFFF, 0C15 stored at
; [EBX+6], return AX = 15.
0075F960 |> 66:8B4424 20 MOV AX,WORD PTR SS:[ARG.4]
0075F965 |. 66:3D 0200 CMP AX,2
0075F969 |. 73 18 JAE SHORT 0075F983
0075F96B |. 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075F970 |. 66:C743 06 15 MOV WORD PTR DS:[EBX+6],0C15
0075F976 |. 66:B8 1500 MOV AX,15
0075F97A |. 5F POP EDI
0075F97B |. 5E POP ESI
0075F97C |. 5B POP EBX
0075F97D |. 83C4 04 ADD ESP,4
0075F980 |. C2 1000 RETN 10
; Above 40: [ESI] = FFFF, 0C14 stored at [EBX+6], return AX = 14.
0075F983 |> 66:3D 4000 CMP AX,40
0075F987 |. 76 18 JBE SHORT 0075F9A1
0075F989 |. 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075F98E |. 66:C743 06 14 MOV WORD PTR DS:[EBX+6],0C14
0075F994 |. 66:B8 1400 MOV AX,14
0075F998 |. 5F POP EDI
0075F999 |. 5E POP ESI
0075F99A |. 5B POP EBX
0075F99B |. 83C4 04 ADD ESP,4
0075F99E |. C2 1000 RETN 10
; ARG.4 is now within 2..40. Exactly 2 goes to the two-byte switch at 0075FA13;
; 3..40 falls through to the path below.
; That path stores ARG.4 at [EBX+34] and the constant 9 at [EBX+30], then calls
; 0075A690 with (ARG.2, EBX+36, EAX). Only AX was loaded from ARG.4, so the upper half
; of the pushed EAX is whatever was left there.
; NOTE(review): 0075A690 looks like a block copy of ARG.4 bytes into the area at
; EBX+36 — confirm against the callee.
0075F9A1 |> 66:3D 0200 CMP AX,2
0075F9A5 |. 76 6C JBE SHORT 0075FA13
0075F9A7 |. 66:8943 34 MOV WORD PTR DS:[EBX+34],AX
0075F9AB |. 66:C743 30 09 MOV WORD PTR DS:[EBX+30],9
0075F9B1 |. 8D7B 36 LEA EDI,[EBX+36]
0075F9B4 |. 50 PUSH EAX ; /Arg3
0075F9B5 |. 57 PUSH EDI ; |Arg2
0075F9B6 |. 51 PUSH ECX ; |Arg1 => [ARG.2]
0075F9B7 |. E8 D4ACFFFF CALL 0075A690 ; \Snet.0075A690
; 0075E470 is called with EBX; its 16-bit result is stored at [EBX+6]. The branch
; tests only the low byte (OR AL,AL), not the whole word.
0075F9BC |. 53 PUSH EBX ; /Arg1
0075F9BD |. E8 AEEAFFFF CALL 0075E470 ; \Snet.0075E470
0075F9C2 |. 66:8943 06 MOV WORD PTR DS:[EBX+6],AX
0075F9C6 |. 0AC0 OR AL,AL
0075F9C8 |. 75 16 JNZ SHORT 0075F9E0
; Low byte zero: 0075A690 is called with (EBX+36, ARG.3, 2), then AX = 0 is returned.
0075F9CA |. 6A 02 PUSH 2 ; /Arg3 = 2
0075F9CC |. 56 PUSH ESI ; |Arg2
0075F9CD |. 57 PUSH EDI ; |Arg1
0075F9CE |. E8 BDACFFFF CALL 0075A690 ; \Snet.0075A690
0075F9D3 |. 66:2BC0 SUB AX,AX
0075F9D6 |. 5F POP EDI
0075F9D7 |. 5E POP ESI
0075F9D8 |. 5B POP EBX
0075F9D9 |. 83C4 04 ADD ESP,4
0075F9DC |. C2 1000 RETN 10
; Filler byte after the RETN.
0075F9DF | 90 NOP
; Low byte non-zero: [ESI] = FFFF. A stored code of exactly 0103 is returned as
; AX = 12 (0112 masked with 00FF); any other code is returned as its low byte.
0075F9E0 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075F9E5 |. 66:8B43 06 MOV AX,WORD PTR DS:[EBX+6]
0075F9E9 |. 66:3D 0301 CMP AX,103
0075F9ED |. 75 12 JNE SHORT 0075FA01
0075F9EF |. B8 12010000 MOV EAX,112
0075F9F4 |. 66:25 FF00 AND AX,00FF
0075F9F8 |. 5F POP EDI
0075F9F9 |. 5E POP ESI
0075F9FA |. 5B POP EBX
0075F9FB |. 83C4 04 ADD ESP,4
0075F9FE |. C2 1000 RETN 10
0075FA01 |> 25 FFFF0000 AND EAX,0000FFFF
0075FA06 |. 66:25 FF00 AND AX,00FF
0075FA0A |. 5F POP EDI
0075FA0B |. 5E POP ESI
0075FA0C |. 5B POP EBX
0075FA0D |. 83C4 04 ADD ESP,4
0075FA10 |. C2 1000 RETN 10
; ARG.4 == 2: dispatch on the first byte of ARG.2. Index = byte - 30; the compare is
; unsigned (JA), so bytes below 30 wrap to a large index and take the default exit as
; well. The jump table at 75FCA0 itself is not part of this listing.
0075FA13 |> 33C0 XOR EAX,EAX
0075FA15 |. 8A01 MOV AL,BYTE PTR DS:[ECX]
0075FA17 |. 83E8 30 SUB EAX,30 ; Switch (cases 30..37, 9 exits)
0075FA1A |. 83F8 07 CMP EAX,7
0075FA1D |. 77 07 JA SHORT 0075FA26
0075FA1F |. FF2485 A0FC75 JMP DWORD PTR DS:[EAX*4+75FCA0]
; Default: [ESI] = FFFF, 0C15 stored at [EBX+6], return AX = 15.
0075FA26 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF ; Default case of switch Snet.75FA17
0075FA2B |. 66:C743 06 15 MOV WORD PTR DS:[EBX+6],0C15
0075FA31 |. 66:B8 1500 MOV AX,15
0075FA35 |. 5F POP EDI
0075FA36 |. 5E POP ESI
0075FA37 |. 5B POP EBX
0075FA38 |. 83C4 04 ADD ESP,4
0075FA3B |. C2 1000 RETN 10
; Two-byte filler after the RETN.
0075FA3E | 8BFF MOV EDI,EDI
; Case 30: second dispatch on the second byte of ARG.2 (31..35); any other value ends
; in the same 0C15 / AX = 15 exit as the default case.
0075FA40 |> 33C0 XOR EAX,EAX ; Case 30 ('0') of switch Snet.75FA17
0075FA42 |. 8A41 01 MOV AL,BYTE PTR DS:[ECX+1]
0075FA45 |. 83F8 31 CMP EAX,31
0075FA48 |. 74 38 JE SHORT 0075FA82
0075FA4A |. 83F8 32 CMP EAX,32
0075FA4D |. 74 79 JE SHORT 0075FAC8
0075FA4F |. 83F8 33 CMP EAX,33
0075FA52 |. 0F84 88000000 JE 0075FAE0
0075FA58 |. 83F8 34 CMP EAX,34
0075FA5B |. 0F84 96000000 JE 0075FAF7
0075FA61 |. 83F8 35 CMP EAX,35
0075FA64 |. 0F84 A0000000 JE 0075FB0A
0075FA6A |. 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FA6F |. 66:C743 06 15 MOV WORD PTR DS:[EBX+6],0C15
0075FA75 |. 66:B8 1500 MOV AX,15
0075FA79 |. 5F POP EDI
0075FA7A |. 5E POP ESI
0075FA7B |. 5B POP EBX
0075FA7C |. 83C4 04 ADD ESP,4
0075FA7F |. C2 1000 RETN 10
; Second byte 31: 0075FE20 is called with ARG.1 and the addresses of the four bytes of
; LOCAL.0 (Arg2 = +2, Arg3 = +3, Arg4 = +0, Arg5 = +1). If it returns AX = 0, byte
; LOCAL.0+3 is stored at [ESI] and byte LOCAL.0+2 at [ESI+1], and AX = 0 is returned.
0075FA82 |> 8D4424 0D LEA EAX,[LOCAL.0+1]
0075FA86 |. 50 PUSH EAX ; /Arg5
0075FA87 |. 8D4424 10 LEA EAX,[LOCAL.0] ; |
0075FA8B |. 50 PUSH EAX ; |Arg4 => OFFSET LOCAL.0
0075FA8C |. 8D4424 17 LEA EAX,[LOCAL.0+3] ; |
0075FA90 |. 50 PUSH EAX ; |Arg3
0075FA91 |. 8D4424 1A LEA EAX,[LOCAL.0+2] ; |
0075FA95 |. 50 PUSH EAX ; |Arg2
0075FA96 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FA97 |. E8 84030000 CALL 0075FE20 ; \Snet.0075FE20
0075FA9C |. 66:0BC0 OR AX,AX
0075FA9F |. 75 19 JNZ SHORT 0075FABA
0075FAA1 |. 8A4424 0E MOV AL,BYTE PTR SS:[LOCAL.0+2]
0075FAA5 |. 8846 01 MOV BYTE PTR DS:[ESI+1],AL
0075FAA8 |. 8A4424 0F MOV AL,BYTE PTR SS:[LOCAL.0+3]
0075FAAC |. 8806 MOV BYTE PTR DS:[ESI],AL
0075FAAE |. 66:2BC0 SUB AX,AX
0075FAB1 |. 5F POP EDI
0075FAB2 |. 5E POP ESI
0075FAB3 |. 5B POP EBX
0075FAB4 |. 83C4 04 ADD ESP,4
0075FAB7 |. C2 1000 RETN 10
; Callee returned non-zero: [ESI] = FFFF and the callee's AX is returned unchanged.
0075FABA |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FABF |. 5F POP EDI
0075FAC0 |. 5E POP ESI
0075FAC1 |. 5B POP EBX
0075FAC2 |. 83C4 04 ADD ESP,4
0075FAC5 |. C2 1000 RETN 10
; Second byte 32: 0075FCC0 is called with (ARG.1, 1, ARG.3) and its AX is returned
; as is. [ESI] is not written here after the call.
0075FAC8 |> 56 PUSH ESI ; /Arg3 => [ARG.3]
0075FAC9 |. 6A 01 PUSH 1 ; |Arg2 = 1
0075FACB |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FACC |. E8 EF010000 CALL 0075FCC0 ; \Snet.0075FCC0
0075FAD1 |. 5F POP EDI
0075FAD2 |. 5E POP ESI
0075FAD3 |. 5B POP EBX
0075FAD4 |. 83C4 04 ADD ESP,4
0075FAD7 |. C2 1000 RETN 10
; Six-byte filler after the RETN (LEA EBX,[EBX] changes nothing).
0075FADA | 8D9B 00000000 LEA EBX,[EBX]
; Second byte 33: the low byte of the code at [EBX+6] is stored at [ESI]; AX = 0.
0075FAE0 |> 66:8B43 06 MOV AX,WORD PTR DS:[EBX+6]
0075FAE4 |. 66:25 FF00 AND AX,00FF
0075FAE8 |. 66:8906 MOV WORD PTR DS:[ESI],AX
0075FAEB |. 66:2BC0 SUB AX,AX
0075FAEE |. 5F POP EDI
0075FAEF |. 5E POP ESI
0075FAF0 |. 5B POP EBX
0075FAF1 |. 83C4 04 ADD ESP,4
0075FAF4 |. C2 1000 RETN 10
; Second byte 34: the full 16-bit code at [EBX+6] is stored at [ESI]; AX = 0.
0075FAF7 |> 66:8B43 06 MOV AX,WORD PTR DS:[EBX+6]
0075FAFB |. 66:8906 MOV WORD PTR DS:[ESI],AX
0075FAFE |. 66:2BC0 SUB AX,AX
0075FB01 |. 5F POP EDI
0075FB02 |. 5E POP ESI
0075FB03 |. 5B POP EBX
0075FB04 |. 83C4 04 ADD ESP,4
0075FB07 |. C2 1000 RETN 10
; Second byte 35: same call to 0075FE20 as for 31, but on AX = 0 the other two bytes
; are returned: LOCAL.0+1 goes to [ESI] and LOCAL.0 to [ESI+1].
0075FB0A |> 8D4424 0D LEA EAX,[LOCAL.0+1]
0075FB0E |. 50 PUSH EAX ; /Arg5
0075FB0F |. 8D4424 10 LEA EAX,[LOCAL.0] ; |
0075FB13 |. 50 PUSH EAX ; |Arg4 => OFFSET LOCAL.0
0075FB14 |. 8D4424 17 LEA EAX,[LOCAL.0+3] ; |
0075FB18 |. 50 PUSH EAX ; |Arg3
0075FB19 |. 8D4424 1A LEA EAX,[LOCAL.0+2] ; |
0075FB1D |. 50 PUSH EAX ; |Arg2
0075FB1E |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FB1F |. E8 FC020000 CALL 0075FE20 ; \Snet.0075FE20
0075FB24 |. 66:0BC0 OR AX,AX
0075FB27 |. 75 19 JNZ SHORT 0075FB42
0075FB29 |. 8A4424 0D MOV AL,BYTE PTR SS:[LOCAL.0+1]
0075FB2D |. 8806 MOV BYTE PTR DS:[ESI],AL
0075FB2F |. 8A4424 0C MOV AL,BYTE PTR SS:[LOCAL.0]
0075FB33 |. 8846 01 MOV BYTE PTR DS:[ESI+1],AL
0075FB36 |. 66:2BC0 SUB AX,AX
0075FB39 |. 5F POP EDI
0075FB3A |. 5E POP ESI
0075FB3B |. 5B POP EBX
0075FB3C |. 83C4 04 ADD ESP,4
0075FB3F |. C2 1000 RETN 10
0075FB42 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FB47 |. 5F POP EDI
0075FB48 |. 5E POP ESI
0075FB49 |. 5B POP EBX
0075FB4A |. 83C4 04 ADD ESP,4
0075FB4D |. C2 1000 RETN 10
; Cases 31..37 share one shape. EAX still holds the switch index (0..7), so loading AL
; with the second byte of ARG.2 leaves that byte zero-extended in EAX. It is pushed as
; Arg3 with a per-case constant as Arg2 and ARG.1 as Arg1, and 0075FF00 is called.
; AX = 0 from the callee: [ESI] = 0 and AX = 0 is returned. Otherwise [ESI] = FFFF and
; the callee's AX is returned unchanged.
; Per-case constant: 31 -> 6, 32 -> 5, 33 -> 3, 34 -> 4, 35 -> 7, 36 -> 1, 37 -> 2.
0075FB50 |> 8A41 01 MOV AL,BYTE PTR DS:[ECX+1] ; Case 31 ('1') of switch Snet.75FA17
0075FB53 |. 50 PUSH EAX ; /Arg3
0075FB54 |. 6A 06 PUSH 6 ; |Arg2 = 6
0075FB56 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FB57 |. E8 A4030000 CALL 0075FF00 ; \Snet.0075FF00
0075FB5C |. 66:0BC0 OR AX,AX
0075FB5F |. 75 11 JNZ SHORT 0075FB72
0075FB61 |. 66:C706 0000 MOV WORD PTR DS:[ESI],0
0075FB66 |. 66:2BC0 SUB AX,AX
0075FB69 |. 5F POP EDI
0075FB6A |. 5E POP ESI
0075FB6B |. 5B POP EBX
0075FB6C |. 83C4 04 ADD ESP,4
0075FB6F |. C2 1000 RETN 10
0075FB72 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FB77 |. 5F POP EDI
0075FB78 |. 5E POP ESI
0075FB79 |. 5B POP EBX
0075FB7A |. 83C4 04 ADD ESP,4
0075FB7D |. C2 1000 RETN 10
; Case 32: constant 5.
0075FB80 |> 8A41 01 MOV AL,BYTE PTR DS:[ECX+1] ; Case 32 ('2') of switch Snet.75FA17
0075FB83 |. 50 PUSH EAX ; /Arg3
0075FB84 |. 6A 05 PUSH 5 ; |Arg2 = 5
0075FB86 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FB87 |. E8 74030000 CALL 0075FF00 ; \Snet.0075FF00
0075FB8C |. 66:0BC0 OR AX,AX
0075FB8F |. 75 11 JNZ SHORT 0075FBA2
0075FB91 |. 66:C706 0000 MOV WORD PTR DS:[ESI],0
0075FB96 |. 66:2BC0 SUB AX,AX
0075FB99 |. 5F POP EDI
0075FB9A |. 5E POP ESI
0075FB9B |. 5B POP EBX
0075FB9C |. 83C4 04 ADD ESP,4
0075FB9F |. C2 1000 RETN 10
0075FBA2 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FBA7 |. 5F POP EDI
0075FBA8 |. 5E POP ESI
0075FBA9 |. 5B POP EBX
0075FBAA |. 83C4 04 ADD ESP,4
0075FBAD |. C2 1000 RETN 10
; Case 33: constant 3.
0075FBB0 |> 8A41 01 MOV AL,BYTE PTR DS:[ECX+1] ; Case 33 ('3') of switch Snet.75FA17
0075FBB3 |. 50 PUSH EAX ; /Arg3
0075FBB4 |. 6A 03 PUSH 3 ; |Arg2 = 3
0075FBB6 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FBB7 |. E8 44030000 CALL 0075FF00 ; \Snet.0075FF00
0075FBBC |. 66:0BC0 OR AX,AX
0075FBBF |. 75 11 JNZ SHORT 0075FBD2
0075FBC1 |. 66:C706 0000 MOV WORD PTR DS:[ESI],0
0075FBC6 |. 66:2BC0 SUB AX,AX
0075FBC9 |. 5F POP EDI
0075FBCA |. 5E POP ESI
0075FBCB |. 5B POP EBX
0075FBCC |. 83C4 04 ADD ESP,4
0075FBCF |. C2 1000 RETN 10
0075FBD2 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FBD7 |. 5F POP EDI
0075FBD8 |. 5E POP ESI
0075FBD9 |. 5B POP EBX
0075FBDA |. 83C4 04 ADD ESP,4
0075FBDD |. C2 1000 RETN 10
; Case 34: constant 4.
0075FBE0 |> 8A41 01 MOV AL,BYTE PTR DS:[ECX+1] ; Case 34 ('4') of switch Snet.75FA17
0075FBE3 |. 50 PUSH EAX ; /Arg3
0075FBE4 |. 6A 04 PUSH 4 ; |Arg2 = 4
0075FBE6 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FBE7 |. E8 14030000 CALL 0075FF00 ; \Snet.0075FF00
0075FBEC |. 66:0BC0 OR AX,AX
0075FBEF |. 75 11 JNZ SHORT 0075FC02
0075FBF1 |. 66:C706 0000 MOV WORD PTR DS:[ESI],0
0075FBF6 |. 66:2BC0 SUB AX,AX
0075FBF9 |. 5F POP EDI
0075FBFA |. 5E POP ESI
0075FBFB |. 5B POP EBX
0075FBFC |. 83C4 04 ADD ESP,4
0075FBFF |. C2 1000 RETN 10
0075FC02 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FC07 |. 5F POP EDI
0075FC08 |. 5E POP ESI
0075FC09 |. 5B POP EBX
0075FC0A |. 83C4 04 ADD ESP,4
0075FC0D |. C2 1000 RETN 10
; Case 35: constant 7.
0075FC10 |> 8A41 01 MOV AL,BYTE PTR DS:[ECX+1] ; Case 35 ('5') of switch Snet.75FA17
0075FC13 |. 50 PUSH EAX ; /Arg3
0075FC14 |. 6A 07 PUSH 7 ; |Arg2 = 7
0075FC16 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FC17 |. E8 E4020000 CALL 0075FF00 ; \Snet.0075FF00
0075FC1C |. 66:0BC0 OR AX,AX
0075FC1F |. 75 11 JNZ SHORT 0075FC32
0075FC21 |. 66:C706 0000 MOV WORD PTR DS:[ESI],0
0075FC26 |. 66:2BC0 SUB AX,AX
0075FC29 |. 5F POP EDI
0075FC2A |. 5E POP ESI
0075FC2B |. 5B POP EBX
0075FC2C |. 83C4 04 ADD ESP,4
0075FC2F |. C2 1000 RETN 10
0075FC32 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FC37 |. 5F POP EDI
0075FC38 |. 5E POP ESI
0075FC39 |. 5B POP EBX
0075FC3A |. 83C4 04 ADD ESP,4
0075FC3D |. C2 1000 RETN 10
; Case 36: constant 1.
0075FC40 |> 8A41 01 MOV AL,BYTE PTR DS:[ECX+1] ; Case 36 ('6') of switch Snet.75FA17
0075FC43 |. 50 PUSH EAX ; /Arg3
0075FC44 |. 6A 01 PUSH 1 ; |Arg2 = 1
0075FC46 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FC47 |. E8 B4020000 CALL 0075FF00 ; \Snet.0075FF00
0075FC4C |. 66:0BC0 OR AX,AX
0075FC4F |. 75 11 JNZ SHORT 0075FC62
0075FC51 |. 66:C706 0000 MOV WORD PTR DS:[ESI],0
0075FC56 |. 66:2BC0 SUB AX,AX
0075FC59 |. 5F POP EDI
0075FC5A |. 5E POP ESI
0075FC5B |. 5B POP EBX
0075FC5C |. 83C4 04 ADD ESP,4
0075FC5F |. C2 1000 RETN 10
0075FC62 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FC67 |. 5F POP EDI
0075FC68 |. 5E POP ESI
0075FC69 |. 5B POP EBX
0075FC6A |. 83C4 04 ADD ESP,4
0075FC6D |. C2 1000 RETN 10
; Case 37: constant 2.
0075FC70 |> 8A41 01 MOV AL,BYTE PTR DS:[ECX+1] ; Case 37 ('7') of switch Snet.75FA17
0075FC73 |. 50 PUSH EAX ; /Arg3
0075FC74 |. 6A 02 PUSH 2 ; |Arg2 = 2
0075FC76 |. 57 PUSH EDI ; |Arg1 => [ARG.1]
0075FC77 |. E8 84020000 CALL 0075FF00 ; \Snet.0075FF00
0075FC7C |. 66:0BC0 OR AX,AX
0075FC7F |. 75 11 JNZ SHORT 0075FC92
0075FC81 |. 66:C706 0000 MOV WORD PTR DS:[ESI],0
0075FC86 |. 66:2BC0 SUB AX,AX
0075FC89 |. 5F POP EDI
0075FC8A |. 5E POP ESI
0075FC8B |. 5B POP EBX
0075FC8C |. 83C4 04 ADD ESP,4
0075FC8F |. C2 1000 RETN 10
0075FC92 |> 66:C706 FFFF MOV WORD PTR DS:[ESI],0FFFF
0075FC97 |. 5F POP EDI
0075FC98 |. 5E POP ESI
0075FC99 |. 5B POP EBX
0075FC9A |. 83C4 04 ADD ESP,4
0075FC9D \. C2 1000 RETN 10[/align][/align]
وهذي من برنامج IDA:
[align=left]
[align=left]_0000009:0075F8D0 ; __stdcall RNBOproQuery(x, x, x, x)
; _RNBOproQuery@16 in the disassembler's view: stdcall, 16 bytes of arguments
; (arg_0, arg_4, arg_8 are dwords, arg_C is a word), every exit is "retn 10h", and a
; 16-bit status is returned in ax.
; Register roles after the prologue:
;   edi = arg_0          ebx = pointer returned by I386PRO551MSOFTCD(arg_0)
;   ecx = arg_4 (bytes are read from it)
;   esi = arg_8 (a 16-bit result is written through it)
;   ax  = arg_C (16-bit value, range-checked against 2 and 40h)
; NOTE(review): the prototype quoted in the post (packetp, retstring, &word, len) is
; consistent with these roles, but the names cannot be confirmed from the code itself.
; var_4..var_1 are the four bytes of the scratch dword reserved by "sub esp, 4".
_0000009:0075F8D0 _RNBOproQuery@16 proc near ; CODE XREF: _0000009:0075975E↑p
_0000009:0075F8D0 ; _0000009:0075978D↑p ...
_0000009:0075F8D0
_0000009:0075F8D0 var_4 = byte ptr -4
_0000009:0075F8D0 var_3 = byte ptr -3
_0000009:0075F8D0 var_2 = byte ptr -2
_0000009:0075F8D0 var_1 = byte ptr -1
_0000009:0075F8D0 arg_0 = dword ptr 4
_0000009:0075F8D0 arg_4 = dword ptr 8
_0000009:0075F8D0 arg_8 = dword ptr 0Ch
_0000009:0075F8D0 arg_C = word ptr 10h
_0000009:0075F8D0
_0000009:0075F8D0 sub esp, 4
_0000009:0075F8D3 push ebx
_0000009:0075F8D4 push esi
_0000009:0075F8D5 push edi
_0000009:0075F8D6 mov esi, [esp+10h+arg_8]
_0000009:0075F8DA mov edi, [esp+10h+arg_0]
; "or edi, edi" sets the flags for the jnz below; the mov in between does not change
; them.
; NOTE(review): the store at 0075F8E0 writes 0FFFFh through arg_8 before arg_8 is
; tested for zero (that test is at loc_75F92B), so a null arg_8 reaches this store
; unchecked.
_0000009:0075F8DE or edi, edi
_0000009:0075F8E0 mov word ptr [esi], 0FFFFh
_0000009:0075F8E5 jnz short loc_75F8F4
; arg_0 == 0: return ax = 2.
_0000009:0075F8E7 mov ax, 2
_0000009:0075F8EB pop edi
_0000009:0075F8EC pop esi
_0000009:0075F8ED pop ebx
_0000009:0075F8EE add esp, 4
_0000009:0075F8F1 retn 10h
_0000009:0075F8F4 ; ---------------------------------------------------------------------------
_0000009:0075F8F4
; arg_0 is passed to I386PRO551MSOFTCD and the returned pointer is kept in ebx for the
; rest of the routine. The first word behind it must equal 7242h, otherwise return
; ax = 2. ebx is dereferenced without a zero test here; whether the callee can return 0
; is not visible in this listing.
_0000009:0075F8F4 loc_75F8F4: ; CODE XREF: RNBOproQuery(x,x,x,x)+15↑j
_0000009:0075F8F4 push edi
_0000009:0075F8F5 call _I386PRO551MSOFTCD@4 ; I386PRO551MSOFTCD(x)
_0000009:0075F8FA mov ebx, eax
_0000009:0075F8FC cmp word ptr [ebx], 7242h
_0000009:0075F901 jz short loc_75F910
_0000009:0075F903 mov ax, 2
_0000009:0075F907 pop edi
_0000009:0075F908 pop esi
_0000009:0075F909 pop ebx
_0000009:0075F90A add esp, 4
_0000009:0075F90D retn 10h
_0000009:0075F910 ; ---------------------------------------------------------------------------
_0000009:0075F910
; arg_4 == 0: store 0C10h at [ebx+6] and return ax = 10h.
_0000009:0075F910 loc_75F910: ; CODE XREF: RNBOproQuery(x,x,x,x)+31↑j
_0000009:0075F910 mov ecx, [esp+10h+arg_4]
_0000009:0075F914 or ecx, ecx
_0000009:0075F916 jnz short loc_75F92B
_0000009:0075F918 mov word ptr [ebx+6], 0C10h
_0000009:0075F91E mov ax, 10h
_0000009:0075F922 pop edi
_0000009:0075F923 pop esi
_0000009:0075F924 pop ebx
_0000009:0075F925 add esp, 4
_0000009:0075F928 retn 10h
_0000009:0075F92B ; ---------------------------------------------------------------------------
_0000009:0075F92B
; arg_8 == 0: same code as for arg_4 (0C10h stored, ax = 10h). arg_8 has already been
; written through at 0075F8E0, see the note there.
_0000009:0075F92B loc_75F92B: ; CODE XREF: RNBOproQuery(x,x,x,x)+46↑j
_0000009:0075F92B or esi, esi
_0000009:0075F92D jnz short loc_75F942
_0000009:0075F92F mov word ptr [ebx+6], 0C10h
_0000009:0075F935 mov ax, 10h
_0000009:0075F939 pop edi
_0000009:0075F93A pop esi
_0000009:0075F93B pop ebx
_0000009:0075F93C add esp, 4
_0000009:0075F93F retn 10h
_0000009:0075F942 ; ---------------------------------------------------------------------------
_0000009:0075F942
; Bit 4 (mask 04h) of the byte at [ebx+12h] must be set; if it is clear, store 0C39h
; at [ebx+6] and return ax = 39h. The meaning of that bit is not visible here.
_0000009:0075F942 loc_75F942: ; CODE XREF: RNBOproQuery(x,x,x,x)+5D↑j
_0000009:0075F942 test byte ptr [ebx+12h], 4
_0000009:0075F946 jnz short loc_75F960
_0000009:0075F948 mov word ptr [ebx+6], 0C39h
_0000009:0075F94E mov ax, 39h ; '9'
_0000009:0075F952 pop edi
_0000009:0075F953 pop esi
_0000009:0075F954 pop ebx
_0000009:0075F955 add esp, 4
_0000009:0075F958 retn 10h
_0000009:0075F958 ; ---------------------------------------------------------------------------
_0000009:0075F95B align 10h
_0000009:0075F960
; Range check of arg_C (unsigned compares). Below 2: [esi] = 0FFFFh, 0C15h stored at
; [ebx+6], return ax = 15h.
_0000009:0075F960 loc_75F960: ; CODE XREF: RNBOproQuery(x,x,x,x)+76↑j
_0000009:0075F960 mov ax, [esp+10h+arg_C]
_0000009:0075F965 cmp ax, 2
_0000009:0075F969 jnb short loc_75F983
_0000009:0075F96B mov word ptr [esi], 0FFFFh
_0000009:0075F970 mov word ptr [ebx+6], 0C15h
_0000009:0075F976 mov ax, 15h
_0000009:0075F97A pop edi
_0000009:0075F97B pop esi
_0000009:0075F97C pop ebx
_0000009:0075F97D add esp, 4
_0000009:0075F980 retn 10h
_0000009:0075F983 ; ---------------------------------------------------------------------------
_0000009:0075F983
; Above 40h: [esi] = 0FFFFh, 0C14h stored at [ebx+6], return ax = 14h.
_0000009:0075F983 loc_75F983: ; CODE XREF: RNBOproQuery(x,x,x,x)+99↑j
_0000009:0075F983 cmp ax, 40h ; '@'
_0000009:0075F987 jbe short loc_75F9A1
_0000009:0075F989 mov word ptr [esi], 0FFFFh
_0000009:0075F98E mov word ptr [ebx+6], 0C14h
_0000009:0075F994 mov ax, 14h
_0000009:0075F998 pop edi
_0000009:0075F999 pop esi
_0000009:0075F99A pop ebx
_0000009:0075F99B add esp, 4
_0000009:0075F99E retn 10h
_0000009:0075F9A1 ; ---------------------------------------------------------------------------
_0000009:0075F9A1
; arg_C is now within 2..40h. Exactly 2 goes to the two-byte switch at loc_75FA13;
; 3..40h falls through to the path below.
; That path stores arg_C at [ebx+34h] and the constant 9 at [ebx+30h], then calls
; I386PRO551MSOFTCC(arg_4, ebx+36h, eax). Only ax was loaded from arg_C, so the upper
; half of the pushed eax is whatever was left there.
; NOTE(review): I386PRO551MSOFTCC looks like a block copy of arg_C bytes into the area
; at ebx+36h — confirm against the callee.
_0000009:0075F9A1 loc_75F9A1: ; CODE XREF: RNBOproQuery(x,x,x,x)+B7↑j
_0000009:0075F9A1 cmp ax, 2
_0000009:0075F9A5 jbe short loc_75FA13
_0000009:0075F9A7 mov [ebx+34h], ax
_0000009:0075F9AB mov word ptr [ebx+30h], 9
_0000009:0075F9B1 lea edi, [ebx+36h]
_0000009:0075F9B4 push eax
_0000009:0075F9B5 push edi
_0000009:0075F9B6 push ecx
_0000009:0075F9B7 call _I386PRO551MSOFTCC@12 ; I386PRO551MSOFTCC(x,x,x)
; I386PRO551MSOFTCFM is called with ebx; its 16-bit result is stored at [ebx+6]. The
; branch tests only the low byte ("or al, al"), not the whole word.
_0000009:0075F9BC push ebx ; lpBuffer
_0000009:0075F9BD call _I386PRO551MSOFTCFM@4 ; I386PRO551MSOFTCFM(x)
_0000009:0075F9C2 mov [ebx+6], ax
_0000009:0075F9C6 or al, al
_0000009:0075F9C8 jnz short loc_75F9E0
; Low byte zero: I386PRO551MSOFTCC(ebx+36h, arg_8, 2) is called, then ax = 0 is
; returned.
_0000009:0075F9CA push 2
_0000009:0075F9CC push esi
_0000009:0075F9CD push edi
_0000009:0075F9CE call _I386PRO551MSOFTCC@12 ; I386PRO551MSOFTCC(x,x,x)
_0000009:0075F9D3 sub ax, ax
_0000009:0075F9D6 pop edi
_0000009:0075F9D7 pop esi
_0000009:0075F9D8 pop ebx
_0000009:0075F9D9 add esp, 4
_0000009:0075F9DC retn 10h
_0000009:0075F9DC ; ---------------------------------------------------------------------------
_0000009:0075F9DF align 10h
_0000009:0075F9E0
; Low byte non-zero: [esi] = 0FFFFh. A stored code of exactly 103h is returned as
; ax = 12h (112h masked with 0FFh); any other code is returned as its low byte.
_0000009:0075F9E0 loc_75F9E0: ; CODE XREF: RNBOproQuery(x,x,x,x)+F8↑j
_0000009:0075F9E0 mov word ptr [esi], 0FFFFh
_0000009:0075F9E5 mov ax, [ebx+6]
_0000009:0075F9E9 cmp ax, 103h
_0000009:0075F9ED jnz short loc_75FA01
_0000009:0075F9EF mov eax, 112h
_0000009:0075F9F4 and ax, 0FFh
_0000009:0075F9F8 pop edi
_0000009:0075F9F9 pop esi
_0000009:0075F9FA pop ebx
_0000009:0075F9FB add esp, 4
_0000009:0075F9FE retn 10h
_0000009:0075FA01 ; ---------------------------------------------------------------------------
_0000009:0075FA01
_0000009:0075FA01 loc_75FA01: ; CODE XREF: RNBOproQuery(x,x,x,x)+11D↑j
_0000009:0075FA01 and eax, 0FFFFh
_0000009:0075FA06 and ax, 0FFh
_0000009:0075FA0A pop edi
_0000009:0075FA0B pop esi
_0000009:0075FA0C pop ebx
_0000009:0075FA0D add esp, 4
_0000009:0075FA10 retn 10h
_0000009:0075FA13 ; ---------------------------------------------------------------------------
_0000009:0075FA13
; arg_C == 2: dispatch on the first byte of arg_4. Index = byte - 30h; the compare is
; unsigned (ja), so bytes below 30h wrap to a large index and take the default exit as
; well. The table jpt_75FA1F itself is not part of this listing.
_0000009:0075FA13 loc_75FA13: ; CODE XREF: RNBOproQuery(x,x,x,x)+D5↑j
_0000009:0075FA13 xor eax, eax
_0000009:0075FA15 mov al, [ecx]
_0000009:0075FA17 sub eax, 30h ; '0' ; switch 8 cases
_0000009:0075FA1A cmp eax, 7
_0000009:0075FA1D ja short def_75FA1F ; jumptable 0075FA1F default case
_0000009:0075FA1F jmp ds:jpt_75FA1F[eax*4] ; switch jump
_0000009:0075FA26 ; ---------------------------------------------------------------------------
_0000009:0075FA26
; Default: [esi] = 0FFFFh, 0C15h stored at [ebx+6], return ax = 15h.
_0000009:0075FA26 def_75FA1F: ; CODE XREF: RNBOproQuery(x,x,x,x)+14D↑j
_0000009:0075FA26 mov word ptr [esi], 0FFFFh ; jumptable 0075FA1F default case
_0000009:0075FA2B mov word ptr [ebx+6], 0C15h
_0000009:0075FA31 mov ax, 15h
_0000009:0075FA35 pop edi
_0000009:0075FA36 pop esi
_0000009:0075FA37 pop ebx
_0000009:0075FA38 add esp, 4
_0000009:0075FA3B retn 10h
_0000009:0075FA3B ; ---------------------------------------------------------------------------
_0000009:0075FA3E align 10h
_0000009:0075FA40
; Case 48 ('0'): second dispatch on the second byte of arg_4 ('1'..'5'); any other
; value ends in the same 0C15h / ax = 15h exit as the default case.
_0000009:0075FA40 loc_75FA40: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FA40 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FA40 xor eax, eax ; jumptable 0075FA1F case 48
_0000009:0075FA42 mov al, [ecx+1]
_0000009:0075FA45 cmp eax, 31h ; '1'
_0000009:0075FA48 jz short loc_75FA82
_0000009:0075FA4A cmp eax, 32h ; '2'
_0000009:0075FA4D jz short loc_75FAC8
_0000009:0075FA4F cmp eax, 33h ; '3'
_0000009:0075FA52 jz loc_75FAE0
_0000009:0075FA58 cmp eax, 34h ; '4'
_0000009:0075FA5B jz loc_75FAF7
_0000009:0075FA61 cmp eax, 35h ; '5'
_0000009:0075FA64 jz loc_75FB0A
_0000009:0075FA6A mov word ptr [esi], 0FFFFh
_0000009:0075FA6F mov word ptr [ebx+6], 0C15h
_0000009:0075FA75 mov ax, 15h
_0000009:0075FA79 pop edi
_0000009:0075FA7A pop esi
_0000009:0075FA7B pop ebx
_0000009:0075FA7C add esp, 4
_0000009:0075FA7F retn 10h
_0000009:0075FA82 ; ---------------------------------------------------------------------------
_0000009:0075FA82
; Second byte '1': RNBOproGetVersion(arg_0, &var_2, &var_1, &var_4, &var_3). If it
; returns ax = 0, var_1 is stored at [esi] and var_2 at [esi+1], and ax = 0 is
; returned.
_0000009:0075FA82 loc_75FA82: ; CODE XREF: RNBOproQuery(x,x,x,x)+178↑j
_0000009:0075FA82 lea eax, [esp+10h+var_3]
_0000009:0075FA86 push eax
_0000009:0075FA87 lea eax, [esp+14h+var_4]
_0000009:0075FA8B push eax
_0000009:0075FA8C lea eax, [esp+18h+var_1]
_0000009:0075FA90 push eax
_0000009:0075FA91 lea eax, [esp+1Ch+var_2]
_0000009:0075FA95 push eax
_0000009:0075FA96 push edi
_0000009:0075FA97 call _RNBOproGetVersion@20 ; RNBOproGetVersion(x,x,x,x,x)
_0000009:0075FA9C or ax, ax
_0000009:0075FA9F jnz short loc_75FABA
_0000009:0075FAA1 mov al, [esp+10h+var_2]
_0000009:0075FAA5 mov [esi+1], al
_0000009:0075FAA8 mov al, [esp+10h+var_1]
_0000009:0075FAAC mov [esi], al
_0000009:0075FAAE sub ax, ax
_0000009:0075FAB1 pop edi
_0000009:0075FAB2 pop esi
_0000009:0075FAB3 pop ebx
_0000009:0075FAB4 add esp, 4
_0000009:0075FAB7 retn 10h
_0000009:0075FABA ; ---------------------------------------------------------------------------
_0000009:0075FABA
; Callee returned non-zero: [esi] = 0FFFFh and the callee's ax is returned unchanged.
_0000009:0075FABA loc_75FABA: ; CODE XREF: RNBOproQuery(x,x,x,x)+1CF↑j
_0000009:0075FABA mov word ptr [esi], 0FFFFh
_0000009:0075FABF pop edi
_0000009:0075FAC0 pop esi
_0000009:0075FAC1 pop ebx
_0000009:0075FAC2 add esp, 4
_0000009:0075FAC5 retn 10h
_0000009:0075FAC8 ; ---------------------------------------------------------------------------
_0000009:0075FAC8
; Second byte '2': I386PRO551MSOFTCHE(arg_0, 1, arg_8) is called and its ax is
; returned as is. [esi] is not written here after the call.
_0000009:0075FAC8 loc_75FAC8: ; CODE XREF: RNBOproQuery(x,x,x,x)+17D↑j
_0000009:0075FAC8 push esi
_0000009:0075FAC9 push 1
_0000009:0075FACB push edi
_0000009:0075FACC call _I386PRO551MSOFTCHE@12 ; I386PRO551MSOFTCHE(x,x,x)
_0000009:0075FAD1 pop edi
_0000009:0075FAD2 pop esi
_0000009:0075FAD3 pop ebx
_0000009:0075FAD4 add esp, 4
_0000009:0075FAD7 retn 10h
_0000009:0075FAD7 ; ---------------------------------------------------------------------------
_0000009:0075FADA align 10h
_0000009:0075FAE0
; Second byte '3': the low byte of the code at [ebx+6] is stored at [esi]; ax = 0.
_0000009:0075FAE0 loc_75FAE0: ; CODE XREF: RNBOproQuery(x,x,x,x)+182↑j
_0000009:0075FAE0 mov ax, [ebx+6]
_0000009:0075FAE4 and ax, 0FFh
_0000009:0075FAE8 mov [esi], ax
_0000009:0075FAEB sub ax, ax
_0000009:0075FAEE pop edi
_0000009:0075FAEF pop esi
_0000009:0075FAF0 pop ebx
_0000009:0075FAF1 add esp, 4
_0000009:0075FAF4 retn 10h
_0000009:0075FAF7 ; ---------------------------------------------------------------------------
_0000009:0075FAF7
; Second byte '4': the full 16-bit code at [ebx+6] is stored at [esi]; ax = 0.
_0000009:0075FAF7 loc_75FAF7: ; CODE XREF: RNBOproQuery(x,x,x,x)+18B↑j
_0000009:0075FAF7 mov ax, [ebx+6]
_0000009:0075FAFB mov [esi], ax
_0000009:0075FAFE sub ax, ax
_0000009:0075FB01 pop edi
_0000009:0075FB02 pop esi
_0000009:0075FB03 pop ebx
_0000009:0075FB04 add esp, 4
_0000009:0075FB07 retn 10h
_0000009:0075FB0A ; ---------------------------------------------------------------------------
_0000009:0075FB0A
; Second byte '5': same RNBOproGetVersion call as for '1', but on ax = 0 the other two
; bytes are returned: var_3 goes to [esi] and var_4 to [esi+1].
_0000009:0075FB0A loc_75FB0A: ; CODE XREF: RNBOproQuery(x,x,x,x)+194↑j
_0000009:0075FB0A lea eax, [esp+10h+var_3]
_0000009:0075FB0E push eax
_0000009:0075FB0F lea eax, [esp+14h+var_4]
_0000009:0075FB13 push eax
_0000009:0075FB14 lea eax, [esp+18h+var_1]
_0000009:0075FB18 push eax
_0000009:0075FB19 lea eax, [esp+1Ch+var_2]
_0000009:0075FB1D push eax
_0000009:0075FB1E push edi
_0000009:0075FB1F call _RNBOproGetVersion@20 ; RNBOproGetVersion(x,x,x,x,x)
_0000009:0075FB24 or ax, ax
_0000009:0075FB27 jnz short loc_75FB42
_0000009:0075FB29 mov al, [esp+10h+var_3]
_0000009:0075FB2D mov [esi], al
_0000009:0075FB2F mov al, [esp+10h+var_4]
_0000009:0075FB33 mov [esi+1], al
_0000009:0075FB36 sub ax, ax
_0000009:0075FB39 pop edi
_0000009:0075FB3A pop esi
_0000009:0075FB3B pop ebx
_0000009:0075FB3C add esp, 4
_0000009:0075FB3F retn 10h
_0000009:0075FB42 ; ---------------------------------------------------------------------------
_0000009:0075FB42
_0000009:0075FB42 loc_75FB42: ; CODE XREF: RNBOproQuery(x,x,x,x)+257↑j
_0000009:0075FB42 mov word ptr [esi], 0FFFFh
_0000009:0075FB47 pop edi
_0000009:0075FB48 pop esi
_0000009:0075FB49 pop ebx
_0000009:0075FB4A add esp, 4
_0000009:0075FB4D retn 10h
_0000009:0075FB50 ; ---------------------------------------------------------------------------
_0000009:0075FB50
; Cases 49..55 ('1'..'7') share one shape. eax still holds the switch index (0..7), so
; loading al with the second byte of arg_4 leaves that byte zero-extended in eax. The
; call is I386PRO551MSOFTCHF(arg_0, constant, second byte).
; ax = 0 from the callee: [esi] = 0 and ax = 0 is returned. Otherwise [esi] = 0FFFFh
; and the callee's ax is returned unchanged.
; Per-case constant: '1' -> 6, '2' -> 5, '3' -> 3, '4' -> 4, '5' -> 7, '6' -> 1,
; '7' -> 2.
_0000009:0075FB50 loc_75FB50: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FB50 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FB50 mov al, [ecx+1] ; jumptable 0075FA1F case 49
_0000009:0075FB53 push eax
_0000009:0075FB54 push 6
_0000009:0075FB56 push edi
_0000009:0075FB57 call _I386PRO551MSOFTCHF@12 ; I386PRO551MSOFTCHF(x,x,x)
_0000009:0075FB5C or ax, ax
_0000009:0075FB5F jnz short loc_75FB72
_0000009:0075FB61 mov word ptr [esi], 0
_0000009:0075FB66 sub ax, ax
_0000009:0075FB69 pop edi
_0000009:0075FB6A pop esi
_0000009:0075FB6B pop ebx
_0000009:0075FB6C add esp, 4
_0000009:0075FB6F retn 10h
_0000009:0075FB72 ; ---------------------------------------------------------------------------
_0000009:0075FB72
_0000009:0075FB72 loc_75FB72: ; CODE XREF: RNBOproQuery(x,x,x,x)+28F↑j
_0000009:0075FB72 mov word ptr [esi], 0FFFFh
_0000009:0075FB77 pop edi
_0000009:0075FB78 pop esi
_0000009:0075FB79 pop ebx
_0000009:0075FB7A add esp, 4
_0000009:0075FB7D retn 10h
_0000009:0075FB80 ; ---------------------------------------------------------------------------
_0000009:0075FB80
; Case 50 ('2'): constant 5.
_0000009:0075FB80 loc_75FB80: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FB80 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FB80 mov al, [ecx+1] ; jumptable 0075FA1F case 50
_0000009:0075FB83 push eax
_0000009:0075FB84 push 5
_0000009:0075FB86 push edi
_0000009:0075FB87 call _I386PRO551MSOFTCHF@12 ; I386PRO551MSOFTCHF(x,x,x)
_0000009:0075FB8C or ax, ax
_0000009:0075FB8F jnz short loc_75FBA2
_0000009:0075FB91 mov word ptr [esi], 0
_0000009:0075FB96 sub ax, ax
_0000009:0075FB99 pop edi
_0000009:0075FB9A pop esi
_0000009:0075FB9B pop ebx
_0000009:0075FB9C add esp, 4
_0000009:0075FB9F retn 10h
_0000009:0075FBA2 ; ---------------------------------------------------------------------------
_0000009:0075FBA2
_0000009:0075FBA2 loc_75FBA2: ; CODE XREF: RNBOproQuery(x,x,x,x)+2BF↑j
_0000009:0075FBA2 mov word ptr [esi], 0FFFFh
_0000009:0075FBA7 pop edi
_0000009:0075FBA8 pop esi
_0000009:0075FBA9 pop ebx
_0000009:0075FBAA add esp, 4
_0000009:0075FBAD retn 10h
_0000009:0075FBB0 ; ---------------------------------------------------------------------------
_0000009:0075FBB0
; Case 51 ('3'): constant 3.
_0000009:0075FBB0 loc_75FBB0: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FBB0 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FBB0 mov al, [ecx+1] ; jumptable 0075FA1F case 51
_0000009:0075FBB3 push eax
_0000009:0075FBB4 push 3
_0000009:0075FBB6 push edi
_0000009:0075FBB7 call _I386PRO551MSOFTCHF@12 ; I386PRO551MSOFTCHF(x,x,x)
_0000009:0075FBBC or ax, ax
_0000009:0075FBBF jnz short loc_75FBD2
_0000009:0075FBC1 mov word ptr [esi], 0
_0000009:0075FBC6 sub ax, ax
_0000009:0075FBC9 pop edi
_0000009:0075FBCA pop esi
_0000009:0075FBCB pop ebx
_0000009:0075FBCC add esp, 4
_0000009:0075FBCF retn 10h
_0000009:0075FBD2 ; ---------------------------------------------------------------------------
_0000009:0075FBD2
_0000009:0075FBD2 loc_75FBD2: ; CODE XREF: RNBOproQuery(x,x,x,x)+2EF↑j
_0000009:0075FBD2 mov word ptr [esi], 0FFFFh
_0000009:0075FBD7 pop edi
_0000009:0075FBD8 pop esi
_0000009:0075FBD9 pop ebx
_0000009:0075FBDA add esp, 4
_0000009:0075FBDD retn 10h
_0000009:0075FBE0 ; ---------------------------------------------------------------------------
_0000009:0075FBE0
; Case 52 ('4'): constant 4.
_0000009:0075FBE0 loc_75FBE0: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FBE0 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FBE0 mov al, [ecx+1] ; jumptable 0075FA1F case 52
_0000009:0075FBE3 push eax
_0000009:0075FBE4 push 4
_0000009:0075FBE6 push edi
_0000009:0075FBE7 call _I386PRO551MSOFTCHF@12 ; I386PRO551MSOFTCHF(x,x,x)
_0000009:0075FBEC or ax, ax
_0000009:0075FBEF jnz short loc_75FC02
_0000009:0075FBF1 mov word ptr [esi], 0
_0000009:0075FBF6 sub ax, ax
_0000009:0075FBF9 pop edi
_0000009:0075FBFA pop esi
_0000009:0075FBFB pop ebx
_0000009:0075FBFC add esp, 4
_0000009:0075FBFF retn 10h
_0000009:0075FC02 ; ---------------------------------------------------------------------------
_0000009:0075FC02
_0000009:0075FC02 loc_75FC02: ; CODE XREF: RNBOproQuery(x,x,x,x)+31F↑j
_0000009:0075FC02 mov word ptr [esi], 0FFFFh
_0000009:0075FC07 pop edi
_0000009:0075FC08 pop esi
_0000009:0075FC09 pop ebx
_0000009:0075FC0A add esp, 4
_0000009:0075FC0D retn 10h
_0000009:0075FC10 ; ---------------------------------------------------------------------------
_0000009:0075FC10
; Case 53 ('5'): constant 7.
_0000009:0075FC10 loc_75FC10: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FC10 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FC10 mov al, [ecx+1] ; jumptable 0075FA1F case 53
_0000009:0075FC13 push eax
_0000009:0075FC14 push 7
_0000009:0075FC16 push edi
_0000009:0075FC17 call _I386PRO551MSOFTCHF@12 ; I386PRO551MSOFTCHF(x,x,x)
_0000009:0075FC1C or ax, ax
_0000009:0075FC1F jnz short loc_75FC32
_0000009:0075FC21 mov word ptr [esi], 0
_0000009:0075FC26 sub ax, ax
_0000009:0075FC29 pop edi
_0000009:0075FC2A pop esi
_0000009:0075FC2B pop ebx
_0000009:0075FC2C add esp, 4
_0000009:0075FC2F retn 10h
_0000009:0075FC32 ; ---------------------------------------------------------------------------
_0000009:0075FC32
_0000009:0075FC32 loc_75FC32: ; CODE XREF: RNBOproQuery(x,x,x,x)+34F↑j
_0000009:0075FC32 mov word ptr [esi], 0FFFFh
_0000009:0075FC37 pop edi
_0000009:0075FC38 pop esi
_0000009:0075FC39 pop ebx
_0000009:0075FC3A add esp, 4
_0000009:0075FC3D retn 10h
_0000009:0075FC40 ; ---------------------------------------------------------------------------
_0000009:0075FC40
; Case 54 ('6'): constant 1.
_0000009:0075FC40 loc_75FC40: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FC40 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FC40 mov al, [ecx+1] ; jumptable 0075FA1F case 54
_0000009:0075FC43 push eax
_0000009:0075FC44 push 1
_0000009:0075FC46 push edi
_0000009:0075FC47 call _I386PRO551MSOFTCHF@12 ; I386PRO551MSOFTCHF(x,x,x)
_0000009:0075FC4C or ax, ax
_0000009:0075FC4F jnz short loc_75FC62
_0000009:0075FC51 mov word ptr [esi], 0
_0000009:0075FC56 sub ax, ax
_0000009:0075FC59 pop edi
_0000009:0075FC5A pop esi
_0000009:0075FC5B pop ebx
_0000009:0075FC5C add esp, 4
_0000009:0075FC5F retn 10h
_0000009:0075FC62 ; ---------------------------------------------------------------------------
_0000009:0075FC62
_0000009:0075FC62 loc_75FC62: ; CODE XREF: RNBOproQuery(x,x,x,x)+37F↑j
_0000009:0075FC62 mov word ptr [esi], 0FFFFh
_0000009:0075FC67 pop edi
_0000009:0075FC68 pop esi
_0000009:0075FC69 pop ebx
_0000009:0075FC6A add esp, 4
_0000009:0075FC6D retn 10h
_0000009:0075FC70 ; ---------------------------------------------------------------------------
_0000009:0075FC70
; Case 55 ('7'): constant 2.
_0000009:0075FC70 loc_75FC70: ; CODE XREF: RNBOproQuery(x,x,x,x)+14F↑j
_0000009:0075FC70 ; DATA XREF: _0000009:jpt_75FA1F↓o
_0000009:0075FC70 mov al, [ecx+1] ; jumptable 0075FA1F case 55
_0000009:0075FC73 push eax
_0000009:0075FC74 push 2
_0000009:0075FC76 push edi
_0000009:0075FC77 call _I386PRO551MSOFTCHF@12 ; I386PRO551MSOFTCHF(x,x,x)
_0000009:0075FC7C or ax, ax
_0000009:0075FC7F jnz short loc_75FC92
_0000009:0075FC81 mov word ptr [esi], 0
_0000009:0075FC86 sub ax, ax
_0000009:0075FC89 pop edi
_0000009:0075FC8A pop esi
_0000009:0075FC8B pop ebx
_0000009:0075FC8C add esp, 4
_0000009:0075FC8F retn 10h
_0000009:0075FC92 ; ---------------------------------------------------------------------------
_0000009:0075FC92
_0000009:0075FC92 loc_75FC92: ; CODE XREF: RNBOproQuery(x,x,x,x)+3AF↑j
_0000009:0075FC92 mov word ptr [esi], 0FFFFh
_0000009:0075FC97 pop edi
_0000009:0075FC98 pop esi
_0000009:0075FC99 pop ebx
_0000009:0075FC9A add esp, 4
_0000009:0075FC9D retn 10h
_0000009:0075FC9D _RNBOproQuery@16 endp
_0000009:0075FC9D[/align][/align]
وهذا PseudoCode من IDA decompiler:
PDF - PseudoCodeOfRNBOquerry