noglorp
24th July 2005, 08:05
I have found code that reads all of the data (the addresses that hold gravity, etc.) every several seconds. I am fairly sure this is the detection code: it walks the data section iteratively — a table of (address, length) pairs is checksummed one entry after another, each call seeded with the previous result — rather than recursively.
005AACD7 - the routine that checksums the data section (00625000 through 00660000). Note that the routine itself does not choose that range: it hashes whatever (pointer, length) pair its caller passes in, and when the fourth argument is non-zero it XORs the pointer into the seed, so the result is tied to the address the bytes live at, not just their contents. The caller at 0043BEFB is what iterates the table of ranges.
The routine is thus:
; 005AACD7 — table-driven 32-bit checksum with the MSB-first "CRC" update form; cdecl (caller does ADD ESP,10).
; uint32 f(const uint8 *buf /*[EBP+8]*/, uint32 len /*[EBP+C]*/, uint32 seed /*[EBP+10]*/, uint32 mix_addr /*[EBP+14]*/)
; If mix_addr != 0 the seed is first XORed with the buffer address, so the value depends on WHERE the bytes are, not only on what they are.
; Per byte: EAX = T[(EAX >> 24) ^ byte] ^ (EAX << 8), T = 256-entry dword table at 00665070.
; Main loop is unrolled 16 bytes per iteration; a byte-at-a-time tail handles len % 16. Returns the running value in EAX.
; NOTE(review): whether T is a genuine CRC-32 polynomial table is not visible here — the code only has the shape of one.
; No bounds checks of its own: it trusts (buf, len) from the caller.
005AACD7 /$ 55 PUSH EBP ; standard frame
005AACD8 |. 8BEC MOV EBP,ESP
005AACDA |. 837D 14 00 CMP DWORD PTR SS:[EBP+14],0 ; Arg4 (mix_addr) == 0 ?
005AACDE |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; ECX = Arg1 = buf
005AACE1 |. 74 03 JE SHORT MapleSto.005AACE6 ; no mixing -> use seed as-is
005AACE3 |. 314D 10 XOR DWORD PTR SS:[EBP+10],ECX ; seed ^= buf address (binds the checksum to the mapping address)
005AACE6 |> 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; EAX = running value, starts at seed
005AACE9 |. 56 PUSH ESI
005AACEA |. 57 PUSH EDI
005AACEB |. 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C] ; EDI = Arg2 = len (bytes remaining)
005AACEE |. 83FF 10 CMP EDI,10 ; unsigned: fewer than 16 bytes ?
005AACF1 |. 0F82 91010000 JB MapleSto.005AAE88 ; -> skip straight to the byte-at-a-time tail
005AACF7 |. 8BF7 MOV ESI,EDI
005AACF9 |. 53 PUSH EBX ; EBX is saved only on this path; the tail loop below never touches it
005AACFA |. C1EE 04 SHR ESI,4 ; ESI = len / 16 = number of 16-byte chunks
005AACFD |> 0FB619 /MOVZX EBX,BYTE PTR DS:[ECX] ; ---- 16-byte chunk, byte 0: EBX = *buf
005AAD00 |. 8BD0 |MOV EDX,EAX
005AAD02 |. C1EA 18 |SHR EDX,18 ; EDX = EAX >> 24
005AAD05 |. 33D3 |XOR EDX,EBX ; EDX = (EAX >> 24) ^ byte  (table index, 0..255)
005AAD07 |. 8BD8 |MOV EBX,EAX
005AAD09 |. 8B0495 7050660>|MOV EAX,DWORD PTR DS:[EDX*4+665070] ; EAX = T[EDX]
005AAD10 |. C1E3 08 |SHL EBX,8
005AAD13 |. 33C3 |XOR EAX,EBX ; EAX ^= old_EAX << 8   => MSB-first CRC-style step
005AAD15 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1] ; bytes 1..15: same update; INC ECX is interleaved so [ECX+1] is always the next byte
005AAD19 |. 8BD0 |MOV EDX,EAX
005AAD1B |. C1EA 18 |SHR EDX,18
005AAD1E |. 33D3 |XOR EDX,EBX
005AAD20 |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AAD27 |. C1E0 08 |SHL EAX,8
005AAD2A |. 33D0 |XOR EDX,EAX
005AAD2C |. 8BC2 |MOV EAX,EDX
005AAD2E |. C1E8 18 |SHR EAX,18
005AAD31 |. C1E2 08 |SHL EDX,8
005AAD34 |. 41 |INC ECX
005AAD35 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAD39 |. 33C3 |XOR EAX,EBX
005AAD3B |. 8B0485 7050660>|MOV EAX,DWORD PTR DS:[EAX*4+665070]
005AAD42 |. 33C2 |XOR EAX,EDX
005AAD44 |. 41 |INC ECX
005AAD45 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAD49 |. 8BD0 |MOV EDX,EAX
005AAD4B |. C1EA 18 |SHR EDX,18
005AAD4E |. 33D3 |XOR EDX,EBX
005AAD50 |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AAD57 |. C1E0 08 |SHL EAX,8
005AAD5A |. 33D0 |XOR EDX,EAX
005AAD5C |. 41 |INC ECX
005AAD5D |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAD61 |. 8BC2 |MOV EAX,EDX
005AAD63 |. C1E8 18 |SHR EAX,18
005AAD66 |. 33C3 |XOR EAX,EBX
005AAD68 |. 8B0485 7050660>|MOV EAX,DWORD PTR DS:[EAX*4+665070]
005AAD6F |. C1E2 08 |SHL EDX,8
005AAD72 |. 33C2 |XOR EAX,EDX
005AAD74 |. 41 |INC ECX
005AAD75 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAD79 |. 8BD0 |MOV EDX,EAX
005AAD7B |. C1EA 18 |SHR EDX,18
005AAD7E |. 33D3 |XOR EDX,EBX
005AAD80 |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AAD87 |. C1E0 08 |SHL EAX,8
005AAD8A |. 33D0 |XOR EDX,EAX
005AAD8C |. 41 |INC ECX
005AAD8D |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAD91 |. 8BC2 |MOV EAX,EDX
005AAD93 |. C1E8 18 |SHR EAX,18
005AAD96 |. 33C3 |XOR EAX,EBX
005AAD98 |. 8B0485 7050660>|MOV EAX,DWORD PTR DS:[EAX*4+665070]
005AAD9F |. C1E2 08 |SHL EDX,8
005AADA2 |. 33C2 |XOR EAX,EDX
005AADA4 |. 41 |INC ECX
005AADA5 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AADA9 |. 8BD0 |MOV EDX,EAX
005AADAB |. C1EA 18 |SHR EDX,18
005AADAE |. 33D3 |XOR EDX,EBX
005AADB0 |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AADB7 |. 41 |INC ECX
005AADB8 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AADBC |. C1E0 08 |SHL EAX,8
005AADBF |. 33D0 |XOR EDX,EAX
005AADC1 |. 8BC2 |MOV EAX,EDX
005AADC3 |. 41 |INC ECX
005AADC4 |. C1E8 18 |SHR EAX,18
005AADC7 |. 33C3 |XOR EAX,EBX
005AADC9 |. 8B0485 7050660>|MOV EAX,DWORD PTR DS:[EAX*4+665070]
005AADD0 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AADD4 |. C1E2 08 |SHL EDX,8
005AADD7 |. 33C2 |XOR EAX,EDX
005AADD9 |. 41 |INC ECX
005AADDA |. 8BD0 |MOV EDX,EAX
005AADDC |. C1EA 18 |SHR EDX,18
005AADDF |. 33D3 |XOR EDX,EBX
005AADE1 |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AADE8 |. C1E0 08 |SHL EAX,8
005AADEB |. 33D0 |XOR EDX,EAX
005AADED |. 41 |INC ECX
005AADEE |. 0FB619 |MOVZX EBX,BYTE PTR DS:[ECX]
005AADF1 |. 8BC2 |MOV EAX,EDX
005AADF3 |. C1E8 18 |SHR EAX,18
005AADF6 |. 33C3 |XOR EAX,EBX
005AADF8 |. 8B0485 7050660>|MOV EAX,DWORD PTR DS:[EAX*4+665070]
005AADFF |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAE03 |. C1E2 08 |SHL EDX,8
005AAE06 |. 33C2 |XOR EAX,EDX
005AAE08 |. 8BD0 |MOV EDX,EAX
005AAE0A |. C1EA 18 |SHR EDX,18
005AAE0D |. 33D3 |XOR EDX,EBX
005AAE0F |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AAE16 |. C1E0 08 |SHL EAX,8
005AAE19 |. 33D0 |XOR EDX,EAX
005AAE1B |. 41 |INC ECX
005AAE1C |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAE20 |. 8BC2 |MOV EAX,EDX
005AAE22 |. C1E8 18 |SHR EAX,18
005AAE25 |. 33C3 |XOR EAX,EBX
005AAE27 |. 8B0485 7050660>|MOV EAX,DWORD PTR DS:[EAX*4+665070]
005AAE2E |. C1E2 08 |SHL EDX,8
005AAE31 |. 33C2 |XOR EAX,EDX
005AAE33 |. 41 |INC ECX
005AAE34 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAE38 |. 8BD0 |MOV EDX,EAX
005AAE3A |. C1EA 18 |SHR EDX,18
005AAE3D |. 33D3 |XOR EDX,EBX
005AAE3F |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AAE46 |. 41 |INC ECX
005AAE47 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAE4B |. C1E0 08 |SHL EAX,8
005AAE4E |. 33D0 |XOR EDX,EAX
005AAE50 |. 41 |INC ECX
005AAE51 |. 8BC2 |MOV EAX,EDX
005AAE53 |. C1E8 18 |SHR EAX,18
005AAE56 |. 33C3 |XOR EAX,EBX
005AAE58 |. 8B0485 7050660>|MOV EAX,DWORD PTR DS:[EAX*4+665070]
005AAE5F |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAE63 |. C1E2 08 |SHL EDX,8
005AAE66 |. 33C2 |XOR EAX,EDX
005AAE68 |. 41 |INC ECX
005AAE69 |. 8BD0 |MOV EDX,EAX
005AAE6B |. C1EA 18 |SHR EDX,18
005AAE6E |. 33D3 |XOR EDX,EBX
005AAE70 |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AAE77 |. C1E0 08 |SHL EAX,8
005AAE7A |. 33C2 |XOR EAX,EDX ; byte 15 folded in; EAX is the running value again
005AAE7C |. 41 |INC ECX ; 16th INC: buf now points past the chunk
005AAE7D |. 83EF 10 |SUB EDI,10 ; remaining -= 16
005AAE80 |. 4E |DEC ESI ; chunks--
005AAE81 |.^0F85 76FEFFFF \JNZ MapleSto.005AACFD ; next 16-byte chunk
005AAE87 |. 5B POP EBX
005AAE88 |> 85FF TEST EDI,EDI ; TEST clears CF, so the JBE below is effectively JE
005AAE8A |. 76 1A JBE SHORT MapleSto.005AAEA6 ; no tail bytes -> return
005AAE8C |> 0FB631 /MOVZX ESI,BYTE PTR DS:[ECX] ; ---- tail: one byte per iteration, same update as above
005AAE8F |. 8BD0 |MOV EDX,EAX
005AAE91 |. C1EA 18 |SHR EDX,18
005AAE94 |. 33D6 |XOR EDX,ESI ; EDX = (EAX >> 24) ^ byte
005AAE96 |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070] ; EDX = T[EDX]
005AAE9D |. C1E0 08 |SHL EAX,8
005AAEA0 |. 33C2 |XOR EAX,EDX ; EAX = T[...] ^ (EAX << 8)
005AAEA2 |. 41 |INC ECX ; buf++
005AAEA3 |. 4F |DEC EDI ; remaining--
005AAEA4 |.^75 E6 \JNZ SHORT MapleSto.005AAE8C
005AAEA6 |> 5F POP EDI
005AAEA7 |. 5E POP ESI
005AAEA8 |. 5D POP EBP
005AAEA9 \. C3 RETN ; EAX = checksum; stack args left for the caller to pop
This is called in two places, both in the same subroutine. The loop that contains both calls begins at 0043BEFB; the subroutine's own prologue and the setup of ESI, EDI and the stack object at [EBP-20] happen before that and are not shown below.
It is as follows:
; Caller loop for 005AACD7. This is the body of a larger subroutine whose prologue/epilogue are not shown:
; ESI and EDI are set up earlier; [EBP-10] holds the running checksum; [EBP-20]/[EBP-1C] are stack objects used via thiscall (ECX).
; Flow: checksum 2 bytes at ESI with seed 0, then chain over a table of (ptr, len) pairs at [EDI+98] with address mixing on,
; hand the final value to 00429E59, call 005F2208, and repeat the whole thing while (word at [ESI]) % 31 == 0.
; NOTE(review): what 004E8F3E / 00429E59 / 004E8FAF / 005F2208 / 00517D3F actually do is not visible here; only their arguments are.
0043BEFB |> 33DB /XOR EBX,EBX ; EBX = table index = 0
0043BEFD |. 53 |PUSH EBX ; /Arg4 => 00000000 ; mix_addr = 0 (seed used as-is)
0043BEFE |. 53 |PUSH EBX ; |Arg3 => 00000000 ; seed = 0
0043BEFF |. 6A 02 |PUSH 2 ; |Arg2 = 00000002 ; len = 2
0043BF01 |. 56 |PUSH ESI ; |Arg1 ; buf = ESI
0043BF02 |. E8 D0ED1600 |CALL MapleSto.005AACD7 ; \MapleSto.005AACD7 ; first call: checksum of the 2 bytes at ESI
0043BF07 |. 83C4 10 |ADD ESP,10 ; cdecl cleanup of the 4 args
0043BF0A |. 8945 F0 |MOV DWORD PTR SS:[EBP-10],EAX ; [EBP-10] = running checksum
0043BF0D |> 8B87 98000000 |/MOV EAX,DWORD PTR DS:[EDI+98] ; EAX = table of 8-byte (ptr, len) entries; dword at [EAX-4] = entry count
0043BF13 |. 85C0 ||TEST EAX,EAX
0043BF15 |. 74 20 ||JE SHORT MapleSto.0043BF37 ; no table -> finish
0043BF17 |. 3B58 FC ||CMP EBX,DWORD PTR DS:[EAX-4] ; index vs count
0043BF1A |. 73 1B ||JNB SHORT MapleSto.0043BF37 ; unsigned: index >= count -> finish
0043BF1C |. 6A 01 ||PUSH 1 ; /Arg4 = 00000001 ; mix_addr = 1: seed ^= entry.ptr inside the callee
0043BF1E |. FF75 F0 ||PUSH DWORD PTR SS:[EBP-10] ; |Arg3 ; seed = previous result (chained)
0043BF21 |. 8D04D8 ||LEA EAX,DWORD PTR DS:[EAX+EBX*8] ; | ; EAX = &table[index]
0043BF24 |. FF70 04 ||PUSH DWORD PTR DS:[EAX+4] ; |Arg2 ; len = entry.len
0043BF27 |. FF30 ||PUSH DWORD PTR DS:[EAX] ; |Arg1 ; buf = entry.ptr
0043BF29 |. E8 A9ED1600 ||CALL MapleSto.005AACD7 ; \MapleSto.005AACD7 ; second call site; if this CALL is NOPed, EAX still holds &table[index] from the LEA above and that address becomes the "checksum"
0043BF2E |. 83C4 10 ||ADD ESP,10
0043BF31 |. 8945 F0 ||MOV DWORD PTR SS:[EBP-10],EAX ; running checksum = result
0043BF34 |. 43 ||INC EBX ; next entry
0043BF35 |.^EB D6 |\JMP SHORT MapleSto.0043BF0D
0043BF37 |> 6A 00 |PUSH 0
0043BF39 |. 6A 0E |PUSH 0E
0043BF3B |. 8D4D E0 |LEA ECX,DWORD PTR SS:[EBP-20] ; this = &[EBP-20]
0043BF3E |. E8 FBCF0A00 |CALL MapleSto.004E8F3E ; 004E8F3E(this, 0E, 0) — thiscall on the stack object
0043BF43 |. FF75 F0 |PUSH DWORD PTR SS:[EBP-10] ; final checksum as argument
0043BF46 |. 8365 FC 00 |AND DWORD PTR SS:[EBP-4],0 ; [EBP-4] = 0 — looks like MSVC EH state bookkeeping; unconfirmed
0043BF4A |. 8D4D E0 |LEA ECX,DWORD PTR SS:[EBP-20]
0043BF4D |. E8 07DFFEFF |CALL MapleSto.00429E59 ; 00429E59(this, checksum) — this is where the value leaves this routine
0043BF52 |. FF36 |PUSH DWORD PTR DS:[ESI]
0043BF54 |. 8D47 64 |LEA EAX,DWORD PTR DS:[EDI+64]
0043BF57 |. 6A 01 |PUSH 1
0043BF59 |. 56 |PUSH ESI
0043BF5A |. 6A 05 |PUSH 5
0043BF5C |. 50 |PUSH EAX
0043BF5D |. 8D4D E0 |LEA ECX,DWORD PTR SS:[EBP-20]
0043BF60 |. E8 4AD00A00 |CALL MapleSto.004E8FAF ; 004E8FAF(this, EDI+64, 5, ESI, 1, [ESI]) — callee cleans its args
0043BF65 |. 6A 00 |PUSH 0
0043BF67 |. 6A 04 |PUSH 4
0043BF69 |. 56 |PUSH ESI
0043BF6A |. E8 99621B00 |CALL MapleSto.005F2208 ; 005F2208(ESI, 4, 0) — cdecl, see ADD ESP,0C below
0043BF6F |. 834D FC FF |OR DWORD PTR SS:[EBP-4],FFFFFFFF ; [EBP-4] = -1 — pairs with the AND above; presumably EH state
0043BF73 |. 83C4 0C |ADD ESP,0C
0043BF76 |. 8D4D E4 |LEA ECX,DWORD PTR SS:[EBP-1C]
0043BF79 |. 8906 |MOV DWORD PTR DS:[ESI],EAX ; [ESI] = result of 005F2208
0043BF7B |. E8 BFBD0D00 |CALL MapleSto.00517D3F ; 00517D3F(this = &[EBP-1C]) — purpose not visible here
0043BF80 |. 0FB706 |MOVZX EAX,WORD PTR DS:[ESI] ; low word of the new [ESI]
0043BF83 |. 6A 1F |PUSH 1F
0043BF85 |. 99 |CDQ ; sign-extend for IDIV (value is zero-extended, so EDX = 0)
0043BF86 |. 59 |POP ECX ; ECX = 31
0043BF87 |. F7F9 |IDIV ECX ; EDX = word % 31
0043BF89 |. 85D2 |TEST EDX,EDX
0043BF8B |.^0F84 6AFFFFFF \JE MapleSto.0043BEFB ; remainder 0 -> run the whole checksum pass again
I hope this is helpful. I attempted NOPing the two CALLs to 005AACD7 (005AACFD is only the loop head inside that routine, not a call target), but this resulted in a crash after several seconds (a complete program crash, not an exception). Caveat: with the CALL NOPed, the MOV at 0043BF0A / 0043BF31 still stores whatever EAX happens to hold as the "checksum" — at the second call site that is the table-entry address left by the LEA at 0043BF21 — and that value is then pushed to 00429E59; the caller's ADD ESP,10 keeps the stack balanced, so the crash is more plausibly a downstream consequence of the bogus value than of the NOP itself, although nothing shown here pins down the cause.
~nog_lorp
005AACD7 - the routine that checksums the data section (00625000 through 00660000). Note that the routine itself does not choose that range: it hashes whatever (pointer, length) pair its caller passes in, and when the fourth argument is non-zero it XORs the pointer into the seed, so the result is tied to the address the bytes live at, not just their contents. The caller at 0043BEFB is what iterates the table of ranges.
The routine is thus:
; 005AACD7 — table-driven 32-bit checksum with the MSB-first "CRC" update form; cdecl (caller does ADD ESP,10).
; uint32 f(const uint8 *buf /*[EBP+8]*/, uint32 len /*[EBP+C]*/, uint32 seed /*[EBP+10]*/, uint32 mix_addr /*[EBP+14]*/)
; If mix_addr != 0 the seed is first XORed with the buffer address, so the value depends on WHERE the bytes are, not only on what they are.
; Per byte: EAX = T[(EAX >> 24) ^ byte] ^ (EAX << 8), T = 256-entry dword table at 00665070.
; Main loop is unrolled 16 bytes per iteration; a byte-at-a-time tail handles len % 16. Returns the running value in EAX.
; NOTE(review): whether T is a genuine CRC-32 polynomial table is not visible here — the code only has the shape of one.
; No bounds checks of its own: it trusts (buf, len) from the caller.
005AACD7 /$ 55 PUSH EBP ; standard frame
005AACD8 |. 8BEC MOV EBP,ESP
005AACDA |. 837D 14 00 CMP DWORD PTR SS:[EBP+14],0 ; Arg4 (mix_addr) == 0 ?
005AACDE |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; ECX = Arg1 = buf
005AACE1 |. 74 03 JE SHORT MapleSto.005AACE6 ; no mixing -> use seed as-is
005AACE3 |. 314D 10 XOR DWORD PTR SS:[EBP+10],ECX ; seed ^= buf address (binds the checksum to the mapping address)
005AACE6 |> 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; EAX = running value, starts at seed
005AACE9 |. 56 PUSH ESI
005AACEA |. 57 PUSH EDI
005AACEB |. 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C] ; EDI = Arg2 = len (bytes remaining)
005AACEE |. 83FF 10 CMP EDI,10 ; unsigned: fewer than 16 bytes ?
005AACF1 |. 0F82 91010000 JB MapleSto.005AAE88 ; -> skip straight to the byte-at-a-time tail
005AACF7 |. 8BF7 MOV ESI,EDI
005AACF9 |. 53 PUSH EBX ; EBX is saved only on this path; the tail loop below never touches it
005AACFA |. C1EE 04 SHR ESI,4 ; ESI = len / 16 = number of 16-byte chunks
005AACFD |> 0FB619 /MOVZX EBX,BYTE PTR DS:[ECX] ; ---- 16-byte chunk, byte 0: EBX = *buf
005AAD00 |. 8BD0 |MOV EDX,EAX
005AAD02 |. C1EA 18 |SHR EDX,18 ; EDX = EAX >> 24
005AAD05 |. 33D3 |XOR EDX,EBX ; EDX = (EAX >> 24) ^ byte  (table index, 0..255)
005AAD07 |. 8BD8 |MOV EBX,EAX
005AAD09 |. 8B0495 7050660>|MOV EAX,DWORD PTR DS:[EDX*4+665070] ; EAX = T[EDX]
005AAD10 |. C1E3 08 |SHL EBX,8
005AAD13 |. 33C3 |XOR EAX,EBX ; EAX ^= old_EAX << 8   => MSB-first CRC-style step
005AAD15 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1] ; bytes 1..15: same update; INC ECX is interleaved so [ECX+1] is always the next byte
005AAD19 |. 8BD0 |MOV EDX,EAX
005AAD1B |. C1EA 18 |SHR EDX,18
005AAD1E |. 33D3 |XOR EDX,EBX
005AAD20 |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AAD27 |. C1E0 08 |SHL EAX,8
005AAD2A |. 33D0 |XOR EDX,EAX
005AAD2C |. 8BC2 |MOV EAX,EDX
005AAD2E |. C1E8 18 |SHR EAX,18
005AAD31 |. C1E2 08 |SHL EDX,8
005AAD34 |. 41 |INC ECX
005AAD35 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAD39 |. 33C3 |XOR EAX,EBX
005AAD3B |. 8B0485 7050660>|MOV EAX,DWORD PTR DS:[EAX*4+665070]
005AAD42 |. 33C2 |XOR EAX,EDX
005AAD44 |. 41 |INC ECX
005AAD45 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAD49 |. 8BD0 |MOV EDX,EAX
005AAD4B |. C1EA 18 |SHR EDX,18
005AAD4E |. 33D3 |XOR EDX,EBX
005AAD50 |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AAD57 |. C1E0 08 |SHL EAX,8
005AAD5A |. 33D0 |XOR EDX,EAX
005AAD5C |. 41 |INC ECX
005AAD5D |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAD61 |. 8BC2 |MOV EAX,EDX
005AAD63 |. C1E8 18 |SHR EAX,18
005AAD66 |. 33C3 |XOR EAX,EBX
005AAD68 |. 8B0485 7050660>|MOV EAX,DWORD PTR DS:[EAX*4+665070]
005AAD6F |. C1E2 08 |SHL EDX,8
005AAD72 |. 33C2 |XOR EAX,EDX
005AAD74 |. 41 |INC ECX
005AAD75 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAD79 |. 8BD0 |MOV EDX,EAX
005AAD7B |. C1EA 18 |SHR EDX,18
005AAD7E |. 33D3 |XOR EDX,EBX
005AAD80 |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AAD87 |. C1E0 08 |SHL EAX,8
005AAD8A |. 33D0 |XOR EDX,EAX
005AAD8C |. 41 |INC ECX
005AAD8D |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAD91 |. 8BC2 |MOV EAX,EDX
005AAD93 |. C1E8 18 |SHR EAX,18
005AAD96 |. 33C3 |XOR EAX,EBX
005AAD98 |. 8B0485 7050660>|MOV EAX,DWORD PTR DS:[EAX*4+665070]
005AAD9F |. C1E2 08 |SHL EDX,8
005AADA2 |. 33C2 |XOR EAX,EDX
005AADA4 |. 41 |INC ECX
005AADA5 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AADA9 |. 8BD0 |MOV EDX,EAX
005AADAB |. C1EA 18 |SHR EDX,18
005AADAE |. 33D3 |XOR EDX,EBX
005AADB0 |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AADB7 |. 41 |INC ECX
005AADB8 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AADBC |. C1E0 08 |SHL EAX,8
005AADBF |. 33D0 |XOR EDX,EAX
005AADC1 |. 8BC2 |MOV EAX,EDX
005AADC3 |. 41 |INC ECX
005AADC4 |. C1E8 18 |SHR EAX,18
005AADC7 |. 33C3 |XOR EAX,EBX
005AADC9 |. 8B0485 7050660>|MOV EAX,DWORD PTR DS:[EAX*4+665070]
005AADD0 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AADD4 |. C1E2 08 |SHL EDX,8
005AADD7 |. 33C2 |XOR EAX,EDX
005AADD9 |. 41 |INC ECX
005AADDA |. 8BD0 |MOV EDX,EAX
005AADDC |. C1EA 18 |SHR EDX,18
005AADDF |. 33D3 |XOR EDX,EBX
005AADE1 |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AADE8 |. C1E0 08 |SHL EAX,8
005AADEB |. 33D0 |XOR EDX,EAX
005AADED |. 41 |INC ECX
005AADEE |. 0FB619 |MOVZX EBX,BYTE PTR DS:[ECX]
005AADF1 |. 8BC2 |MOV EAX,EDX
005AADF3 |. C1E8 18 |SHR EAX,18
005AADF6 |. 33C3 |XOR EAX,EBX
005AADF8 |. 8B0485 7050660>|MOV EAX,DWORD PTR DS:[EAX*4+665070]
005AADFF |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAE03 |. C1E2 08 |SHL EDX,8
005AAE06 |. 33C2 |XOR EAX,EDX
005AAE08 |. 8BD0 |MOV EDX,EAX
005AAE0A |. C1EA 18 |SHR EDX,18
005AAE0D |. 33D3 |XOR EDX,EBX
005AAE0F |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AAE16 |. C1E0 08 |SHL EAX,8
005AAE19 |. 33D0 |XOR EDX,EAX
005AAE1B |. 41 |INC ECX
005AAE1C |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAE20 |. 8BC2 |MOV EAX,EDX
005AAE22 |. C1E8 18 |SHR EAX,18
005AAE25 |. 33C3 |XOR EAX,EBX
005AAE27 |. 8B0485 7050660>|MOV EAX,DWORD PTR DS:[EAX*4+665070]
005AAE2E |. C1E2 08 |SHL EDX,8
005AAE31 |. 33C2 |XOR EAX,EDX
005AAE33 |. 41 |INC ECX
005AAE34 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAE38 |. 8BD0 |MOV EDX,EAX
005AAE3A |. C1EA 18 |SHR EDX,18
005AAE3D |. 33D3 |XOR EDX,EBX
005AAE3F |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AAE46 |. 41 |INC ECX
005AAE47 |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAE4B |. C1E0 08 |SHL EAX,8
005AAE4E |. 33D0 |XOR EDX,EAX
005AAE50 |. 41 |INC ECX
005AAE51 |. 8BC2 |MOV EAX,EDX
005AAE53 |. C1E8 18 |SHR EAX,18
005AAE56 |. 33C3 |XOR EAX,EBX
005AAE58 |. 8B0485 7050660>|MOV EAX,DWORD PTR DS:[EAX*4+665070]
005AAE5F |. 0FB659 01 |MOVZX EBX,BYTE PTR DS:[ECX+1]
005AAE63 |. C1E2 08 |SHL EDX,8
005AAE66 |. 33C2 |XOR EAX,EDX
005AAE68 |. 41 |INC ECX
005AAE69 |. 8BD0 |MOV EDX,EAX
005AAE6B |. C1EA 18 |SHR EDX,18
005AAE6E |. 33D3 |XOR EDX,EBX
005AAE70 |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070]
005AAE77 |. C1E0 08 |SHL EAX,8
005AAE7A |. 33C2 |XOR EAX,EDX ; byte 15 folded in; EAX is the running value again
005AAE7C |. 41 |INC ECX ; 16th INC: buf now points past the chunk
005AAE7D |. 83EF 10 |SUB EDI,10 ; remaining -= 16
005AAE80 |. 4E |DEC ESI ; chunks--
005AAE81 |.^0F85 76FEFFFF \JNZ MapleSto.005AACFD ; next 16-byte chunk
005AAE87 |. 5B POP EBX
005AAE88 |> 85FF TEST EDI,EDI ; TEST clears CF, so the JBE below is effectively JE
005AAE8A |. 76 1A JBE SHORT MapleSto.005AAEA6 ; no tail bytes -> return
005AAE8C |> 0FB631 /MOVZX ESI,BYTE PTR DS:[ECX] ; ---- tail: one byte per iteration, same update as above
005AAE8F |. 8BD0 |MOV EDX,EAX
005AAE91 |. C1EA 18 |SHR EDX,18
005AAE94 |. 33D6 |XOR EDX,ESI ; EDX = (EAX >> 24) ^ byte
005AAE96 |. 8B1495 7050660>|MOV EDX,DWORD PTR DS:[EDX*4+665070] ; EDX = T[EDX]
005AAE9D |. C1E0 08 |SHL EAX,8
005AAEA0 |. 33C2 |XOR EAX,EDX ; EAX = T[...] ^ (EAX << 8)
005AAEA2 |. 41 |INC ECX ; buf++
005AAEA3 |. 4F |DEC EDI ; remaining--
005AAEA4 |.^75 E6 \JNZ SHORT MapleSto.005AAE8C
005AAEA6 |> 5F POP EDI
005AAEA7 |. 5E POP ESI
005AAEA8 |. 5D POP EBP
005AAEA9 \. C3 RETN ; EAX = checksum; stack args left for the caller to pop
This is called in two places, both in the same subroutine. The loop that contains both calls begins at 0043BEFB; the subroutine's own prologue and the setup of ESI, EDI and the stack object at [EBP-20] happen before that and are not shown below.
It is as follows:
; Caller loop for 005AACD7. This is the body of a larger subroutine whose prologue/epilogue are not shown:
; ESI and EDI are set up earlier; [EBP-10] holds the running checksum; [EBP-20]/[EBP-1C] are stack objects used via thiscall (ECX).
; Flow: checksum 2 bytes at ESI with seed 0, then chain over a table of (ptr, len) pairs at [EDI+98] with address mixing on,
; hand the final value to 00429E59, call 005F2208, and repeat the whole thing while (word at [ESI]) % 31 == 0.
; NOTE(review): what 004E8F3E / 00429E59 / 004E8FAF / 005F2208 / 00517D3F actually do is not visible here; only their arguments are.
0043BEFB |> 33DB /XOR EBX,EBX ; EBX = table index = 0
0043BEFD |. 53 |PUSH EBX ; /Arg4 => 00000000 ; mix_addr = 0 (seed used as-is)
0043BEFE |. 53 |PUSH EBX ; |Arg3 => 00000000 ; seed = 0
0043BEFF |. 6A 02 |PUSH 2 ; |Arg2 = 00000002 ; len = 2
0043BF01 |. 56 |PUSH ESI ; |Arg1 ; buf = ESI
0043BF02 |. E8 D0ED1600 |CALL MapleSto.005AACD7 ; \MapleSto.005AACD7 ; first call: checksum of the 2 bytes at ESI
0043BF07 |. 83C4 10 |ADD ESP,10 ; cdecl cleanup of the 4 args
0043BF0A |. 8945 F0 |MOV DWORD PTR SS:[EBP-10],EAX ; [EBP-10] = running checksum
0043BF0D |> 8B87 98000000 |/MOV EAX,DWORD PTR DS:[EDI+98] ; EAX = table of 8-byte (ptr, len) entries; dword at [EAX-4] = entry count
0043BF13 |. 85C0 ||TEST EAX,EAX
0043BF15 |. 74 20 ||JE SHORT MapleSto.0043BF37 ; no table -> finish
0043BF17 |. 3B58 FC ||CMP EBX,DWORD PTR DS:[EAX-4] ; index vs count
0043BF1A |. 73 1B ||JNB SHORT MapleSto.0043BF37 ; unsigned: index >= count -> finish
0043BF1C |. 6A 01 ||PUSH 1 ; /Arg4 = 00000001 ; mix_addr = 1: seed ^= entry.ptr inside the callee
0043BF1E |. FF75 F0 ||PUSH DWORD PTR SS:[EBP-10] ; |Arg3 ; seed = previous result (chained)
0043BF21 |. 8D04D8 ||LEA EAX,DWORD PTR DS:[EAX+EBX*8] ; | ; EAX = &table[index]
0043BF24 |. FF70 04 ||PUSH DWORD PTR DS:[EAX+4] ; |Arg2 ; len = entry.len
0043BF27 |. FF30 ||PUSH DWORD PTR DS:[EAX] ; |Arg1 ; buf = entry.ptr
0043BF29 |. E8 A9ED1600 ||CALL MapleSto.005AACD7 ; \MapleSto.005AACD7 ; second call site; if this CALL is NOPed, EAX still holds &table[index] from the LEA above and that address becomes the "checksum"
0043BF2E |. 83C4 10 ||ADD ESP,10
0043BF31 |. 8945 F0 ||MOV DWORD PTR SS:[EBP-10],EAX ; running checksum = result
0043BF34 |. 43 ||INC EBX ; next entry
0043BF35 |.^EB D6 |\JMP SHORT MapleSto.0043BF0D
0043BF37 |> 6A 00 |PUSH 0
0043BF39 |. 6A 0E |PUSH 0E
0043BF3B |. 8D4D E0 |LEA ECX,DWORD PTR SS:[EBP-20] ; this = &[EBP-20]
0043BF3E |. E8 FBCF0A00 |CALL MapleSto.004E8F3E ; 004E8F3E(this, 0E, 0) — thiscall on the stack object
0043BF43 |. FF75 F0 |PUSH DWORD PTR SS:[EBP-10] ; final checksum as argument
0043BF46 |. 8365 FC 00 |AND DWORD PTR SS:[EBP-4],0 ; [EBP-4] = 0 — looks like MSVC EH state bookkeeping; unconfirmed
0043BF4A |. 8D4D E0 |LEA ECX,DWORD PTR SS:[EBP-20]
0043BF4D |. E8 07DFFEFF |CALL MapleSto.00429E59 ; 00429E59(this, checksum) — this is where the value leaves this routine
0043BF52 |. FF36 |PUSH DWORD PTR DS:[ESI]
0043BF54 |. 8D47 64 |LEA EAX,DWORD PTR DS:[EDI+64]
0043BF57 |. 6A 01 |PUSH 1
0043BF59 |. 56 |PUSH ESI
0043BF5A |. 6A 05 |PUSH 5
0043BF5C |. 50 |PUSH EAX
0043BF5D |. 8D4D E0 |LEA ECX,DWORD PTR SS:[EBP-20]
0043BF60 |. E8 4AD00A00 |CALL MapleSto.004E8FAF ; 004E8FAF(this, EDI+64, 5, ESI, 1, [ESI]) — callee cleans its args
0043BF65 |. 6A 00 |PUSH 0
0043BF67 |. 6A 04 |PUSH 4
0043BF69 |. 56 |PUSH ESI
0043BF6A |. E8 99621B00 |CALL MapleSto.005F2208 ; 005F2208(ESI, 4, 0) — cdecl, see ADD ESP,0C below
0043BF6F |. 834D FC FF |OR DWORD PTR SS:[EBP-4],FFFFFFFF ; [EBP-4] = -1 — pairs with the AND above; presumably EH state
0043BF73 |. 83C4 0C |ADD ESP,0C
0043BF76 |. 8D4D E4 |LEA ECX,DWORD PTR SS:[EBP-1C]
0043BF79 |. 8906 |MOV DWORD PTR DS:[ESI],EAX ; [ESI] = result of 005F2208
0043BF7B |. E8 BFBD0D00 |CALL MapleSto.00517D3F ; 00517D3F(this = &[EBP-1C]) — purpose not visible here
0043BF80 |. 0FB706 |MOVZX EAX,WORD PTR DS:[ESI] ; low word of the new [ESI]
0043BF83 |. 6A 1F |PUSH 1F
0043BF85 |. 99 |CDQ ; sign-extend for IDIV (value is zero-extended, so EDX = 0)
0043BF86 |. 59 |POP ECX ; ECX = 31
0043BF87 |. F7F9 |IDIV ECX ; EDX = word % 31
0043BF89 |. 85D2 |TEST EDX,EDX
0043BF8B |.^0F84 6AFFFFFF \JE MapleSto.0043BEFB ; remainder 0 -> run the whole checksum pass again
I hope this is helpful. I attempted NOPing the two CALLs to 005AACD7 (005AACFD is only the loop head inside that routine, not a call target), but this resulted in a crash after several seconds (a complete program crash, not an exception). Caveat: with the CALL NOPed, the MOV at 0043BF0A / 0043BF31 still stores whatever EAX happens to hold as the "checksum" — at the second call site that is the table-entry address left by the LEA at 0043BF21 — and that value is then pushed to 00429E59; the caller's ADD ESP,10 keeps the stack balanced, so the crash is more plausibly a downstream consequence of the bogus value than of the NOP itself, although nothing shown here pins down the cause.
~nog_lorp