theKidOfArcrania/hook.asm

## hook.asm
BITS 32

_printf: equ 0x0043C3E0
_WriteProcessMemory: equ 0x0043C400

_base:

hook_WriteProcessMemory:
  push ebp
  mov ebp, esp

  push ebx
  push edi
  push esi

  call get_pc_bx
.off:
  add ebx, _base - .off

  mov eax, [ebp + 0x0c] ; lpBaseAddress
  mov edi, [ebp + 0x10] ; lpBuffer
  mov ecx, [ebp + 0x14] ; nSize
  lea esi, [edi + ecx]

  ; call printf
  push ecx
  push eax
  lea eax, [ebx + dump_fmt - _base]
  push eax
  call printf
  add esp, 0xc

  jmp .loop_cond
.loop:
  movzx eax, byte [edi]
  lea edx, [ebx + hex_fmt - _base]
  push eax
  push edx
  call printf
  add esp, 0x8
  inc edi
.loop_cond:
  cmp edi, esi
  jl .loop

  lea eax, [ebx + newline_fmt - _base]
  push eax
  call printf
  add esp, 0x4

  pop esi
  pop edi
  pop ebx
  pop ebp
  jmp WriteProcessMemory

;.text:0040182F                 add     esp, 70h
;.text:00401832                 pop     esi
;.text:00401833                 pop     edi
;.text:00401834                 pop     ebp
;.text:00401835                 retn
tail_handle_exc:
  call get_pc_ax
.off:
  add eax, exc_fmt - .off
  push dword [ebp - 0xc] ; addr
  push dword [ebp - 0x60] ; exc_code
  push eax
  call printf
  add esp, 0x7c
  pop esi
  pop edi
  pop ebp
  ret


get_pc_ax:
  mov eax, [esp + 0]
  ret
get_pc_bx:
  mov ebx, [esp + 0]
  ret

dump_fmt: db "Write @ %p", 0xa, "  ", 0

hex_fmt: db "%02hhx ", 0

newline_fmt: db 0xa, 0

exc_fmt: db "Cont 0x%08x from @ %p", 0xa, 0

printf:
  mov eax, _printf
  jmp [eax]

WriteProcessMemory:
  mov eax, _WriteProcessMemory
  jmp [eax]


## parse.py
#!/usr/bin/python3

import capstone as cs
md = cs.Cs(arch=cs.CS_ARCH_X86, mode=cs.CS_MODE_32)
md.detail = True

def get_insn(mem, addr):
    data = []
    for i in range(16):
        if addr + i not in mem:
            break
        data.append(mem[addr + i])
    data = bytes(data)
    try:
        return next(md.disasm(data, addr))
    except:
        return None

last_ip = 0

commit_insn = {}
exe_mem = {}
with open('log2') as f:
    f.readline()
    while True:
        line = f.readline()
        if 'Cont' in line:
            addr = int(line.split(' @ ')[1], 16)
            insn = get_insn(exe_mem, addr)
            if insn:
                insn_str = '{} {}'.format(insn.insn_name(), insn.op_str)
                #print('{:08x}+{}: {}'.format(addr, insn.size, insn_str))
                if 'ud2' not in insn_str:
                    if addr not in commit_insn:
                        print('{:08x}+{}: {}'.format(addr, insn.size, insn_str))
                    elif commit_insn[addr] != insn_str:
                        print('!!{:08x}+{}: {}'.format(addr, insn.size, insn_str))
                    commit_insn[addr] = insn_str
            else:
                print('{:08x}+0: ???'.format(addr))
        elif 'Write' in line:
            addr = int(line.split(' @ ')[1], 16)
            line = f.readline()
            data = [int(x, 16) for x in line.strip().split(' ')]
            for off in range(len(data)):
                exe_mem[addr + off] = data[off]
        elif not line:
            break


## patch.sh
#!/bin/bash

set -e

patch () {
  echo -ne "$2" > tmp
  dd conv=notrunc if=tmp of=watchmen.exe seek=$(($1)) bs=1
  rm tmp
}


nasm hook.asm
patch 0xc2e '\xe9\x18\x04\x03\x00'
patch 0x1401 '\xb8\xf4\x1b'
patch 0x147a '\xb8\xf4\x1b'
dd conv=notrunc if=hook of=watchmen.exe seek=$((0x30ff4)) bs=1

## trace.asm
00401e69+1: push ebp
00401e6a+2: mov ebp, esp
00401e6c+3: sub esp, 0x48
00401e6f+7: mov dword ptr [esp], 0x43a0cc
00401e76+5: call 0x436e44
00436e44+0: ???
00436e44+6: jmp dword ptr [0x43d1e0]
774e8d2c+0: ???
00401e7b+3: lea eax, [ebp - 0x2a]
00401e7e+4: mov dword ptr [esp + 4], eax
00401e82+7: mov dword ptr [esp], 0x43a12f
00401e89+5: call 0x436e3c
00436e3c+0: ???
00436e3c+6: jmp dword ptr [0x43d1e4]
774e68f1+0: ???
00401e8e+5: mov eax, dword ptr [0x43d1a8]
00401e93+3: mov dword ptr [esp], eax
00401e96+5: call 0x436e84
00436e84+0: ???
00436e84+6: jmp dword ptr [0x43d1c0]
77484142+0: ???
00401e9b+3: lea eax, [ebp - 0x2a]
00401e9e+3: mov dword ptr [esp], eax
00401ea1+5: call 0x401e30
00401e30+0: ???
00401e30+1: push ebp
00401e31+2: mov ebp, esp
00401e33+3: sub esp, 0x28
00401e36+7: mov dword ptr [ebp - 0xc], 0x43a0a8
00401e3d+3: mov eax, dword ptr [ebp + 8]
00401e40+3: mov dword ptr [esp], eax
00401e43+5: call 0x401e09
00401e09+0: ???
00401e09+1: push ebp
00401e0a+2: mov ebp, esp
00401e0c+3: sub esp, 0x14
00401e0f+7: mov dword ptr [ebp - 4], 0
00401e16+2: jmp 0x401e27
00401e27+0: ???
00401e27+4: cmp dword ptr [ebp - 4], 0xf
00401e2b+2: jle 0x401e18
00401e18+3: mov eax, dword ptr [ebp + 8]
00401e1b+3: mov dword ptr [esp], eax
00401e1e+5: call 0x401ddf
00401ddf+0: ???
00401ddf+1: push ebp
00401de0+2: mov ebp, esp
00401de2+3: sub esp, 4
00401de5+3: mov eax, dword ptr [ebp + 8]
00401de8+3: mov dword ptr [esp], eax
00401deb+5: call 0x401c20
00401c20+0: ???
00401c20+1: push ebp
00401c21+2: mov ebp, esp
00401c23+1: push ebx
00401c24+3: sub esp, 0x10
00401c27+7: mov dword ptr [ebp - 0xc], 0x43a010
00401c2e+7: mov dword ptr [ebp - 8], 0
00401c35+2: jmp 0x401c5f
00401c5f+0: ???
00401c5f+4: cmp dword ptr [ebp - 8], 0x1f
00401c63+2: jle 0x401c37
00401c37+3: mov edx, dword ptr [ebp - 8]
00401c3a+3: mov eax, dword ptr [ebp + 8]
00401c3d+2: add eax, edx
00401c3f+3: movzx ebx, byte ptr [eax]
00401c42+3: mov edx, dword ptr [ebp - 8]
00401c45+3: mov eax, dword ptr [ebp - 0xc]
00401c48+2: add eax, edx
00401c4a+3: movzx ecx, byte ptr [eax]
00401c4d+3: mov edx, dword ptr [ebp - 8]
00401c50+3: mov eax, dword ptr [ebp + 8]
00401c53+2: add eax, edx
00401c55+2: xor ebx, ecx
00401c57+2: mov edx, ebx
00401c59+2: mov byte ptr [eax], dl
00401c5b+4: add dword ptr [ebp - 8], 1
00401c65+1: nop
00401c66+3: add esp, 0x10
00401c69+1: pop ebx
00401c6a+1: pop ebp
00401c6b+1: ret
00401df0+3: mov eax, dword ptr [ebp + 8]
00401df3+3: mov dword ptr [esp], eax
00401df6+5: call 0x401c6c
00401c6c+1: push ebp
00401c6d+2: mov ebp, esp
00401c6f+3: sub esp, 0x10
00401c72+3: mov eax, dword ptr [ebp + 8]
00401c75+3: movzx eax, byte ptr [eax]
00401c78+3: mov byte ptr [ebp - 5], al
00401c7b+7: mov dword ptr [ebp - 4], 0
00401c82+2: jmp 0x401cba
00401cba+0: ???
00401cba+4: cmp dword ptr [ebp - 4], 0x1e
00401cbe+2: jle 0x401c84
00401c84+3: mov edx, dword ptr [ebp - 4]
00401c87+3: mov eax, dword ptr [ebp + 8]
00401c8a+2: add eax, edx
00401c8c+3: movzx eax, byte ptr [eax]
00401c8f+3: shr al, 4
00401c92+2: mov ecx, eax
00401c94+3: mov eax, dword ptr [ebp - 4]
00401c97+3: lea edx, [eax + 1]
00401c9a+3: mov eax, dword ptr [ebp + 8]
00401c9d+2: add eax, edx
00401c9f+3: movzx eax, byte ptr [eax]
00401ca2+3: movzx eax, al
00401ca5+3: shl eax, 4
00401ca8+2: or ecx, eax
00401caa+3: mov edx, dword ptr [ebp - 4]
00401cad+3: mov eax, dword ptr [ebp + 8]
00401cb0+2: add eax, edx
00401cb2+2: mov edx, ecx
00401cb4+2: mov byte ptr [eax], dl
00401cb6+4: add dword ptr [ebp - 4], 1
00401cc0+3: mov eax, dword ptr [ebp + 8]
00401cc3+3: add eax, 0x1f
00401cc6+3: movzx eax, byte ptr [eax]
00401cc9+3: shr al, 4
00401ccc+2: mov edx, eax
00401cce+4: movzx eax, byte ptr [ebp - 5]
00401cd2+3: shl eax, 4
00401cd5+2: or edx, eax
00401cd7+3: mov eax, dword ptr [ebp + 8]
00401cda+3: add eax, 0x1f
00401cdd+2: mov byte ptr [eax], dl
00401cdf+1: nop
00401ce0+1: leave
00401ce1+1: ret
00401dfb+3: mov eax, dword ptr [ebp + 8]
00401dfe+3: mov dword ptr [esp], eax
00401e01+5: call 0x401ce2
00401ce2+1: push ebp
00401ce3+2: mov ebp, esp
00401ce5+6: sub esp, 0xc0
00401ceb+7: mov dword ptr [ebp - 0x10], 0x43a04c
00401cf2+7: mov dword ptr [ebp - 4], 0
00401cf9+2: jmp 0x401d24
00401d24+0: ???
00401d24+4: cmp dword ptr [ebp - 4], 0x1f
00401d28+2: jle 0x401cfb
00401cfb+3: mov eax, dword ptr [ebp - 4]
00401cfe+3: mov edx, dword ptr [ebp - 4]
00401d01+7: mov dword ptr [ebp + eax*4 - 0x94], edx
00401d08+3: mov edx, dword ptr [ebp - 4]
00401d0b+3: mov eax, dword ptr [ebp + 8]
00401d0e+2: add eax, edx
00401d10+3: movzx eax, byte ptr [eax]
00401d13+6: lea ecx, [ebp - 0xb4]
00401d19+3: mov edx, dword ptr [ebp - 4]
00401d1c+2: add edx, ecx
00401d1e+2: mov byte ptr [edx], al
00401d20+4: add dword ptr [ebp - 4], 1
00401d2a+7: mov dword ptr [ebp - 8], 0
00401d31+2: jmp 0x401d9e
00401d9e+0: ???
00401d9e+3: mov edx, dword ptr [ebp - 8]
00401da1+3: mov eax, dword ptr [ebp - 0x10]
00401da4+2: add eax, edx
00401da6+3: movzx eax, byte ptr [eax]
00401da9+2: test al, al
00401dab+2: jne 0x401d33
00401d33+3: mov eax, dword ptr [ebp - 8]
00401d36+1: cdq
00401d37+3: shr edx, 0x1b
00401d3a+2: add eax, edx
00401d3c+3: and eax, 0x1f
00401d3f+2: sub eax, edx
00401d41+7: mov eax, dword ptr [ebp + eax*4 - 0x94]
00401d48+3: mov byte ptr [ebp - 0x11], al
00401d4b+3: mov edx, dword ptr [ebp - 8]
00401d4e+3: mov eax, dword ptr [ebp - 0x10]
00401d51+2: add eax, edx
00401d53+3: movzx eax, byte ptr [eax]
00401d56+3: movzx eax, al
00401d59+3: and eax, 0x1f
00401d5c+2: mov ecx, eax
00401d5e+3: mov eax, dword ptr [ebp - 8]
00401d61+1: cdq
00401d62+3: shr edx, 0x1b
00401d65+2: add eax, edx
00401d67+3: and eax, 0x1f
00401d6a+2: sub eax, edx
00401d6c+2: mov edx, eax
00401d6e+7: mov eax, dword ptr [ebp + ecx*4 - 0x94]
00401d75+7: mov dword ptr [ebp + edx*4 - 0x94], eax
00401d7c+3: mov edx, dword ptr [ebp - 8]
00401d7f+3: mov eax, dword ptr [ebp - 0x10]
00401d82+2: add eax, edx
00401d84+3: movzx eax, byte ptr [eax]
00401d87+3: movzx eax, al
00401d8a+3: and eax, 0x1f
00401d8d+2: mov edx, eax
00401d8f+4: movzx eax, byte ptr [ebp - 0x11]
00401d93+7: mov dword ptr [ebp + edx*4 - 0x94], eax
00401d9a+4: add dword ptr [ebp - 8], 1
00401dad+7: mov dword ptr [ebp - 0xc], 0
00401db4+2: jmp 0x401dd6
00401dd6+0: ???
00401dd6+4: cmp dword ptr [ebp - 0xc], 0x1f
00401dda+2: jle 0x401db6
00401db6+3: mov eax, dword ptr [ebp - 0xc]
00401db9+7: mov eax, dword ptr [ebp + eax*4 - 0x94]
00401dc0+3: mov ecx, dword ptr [ebp - 0xc]
00401dc3+3: mov edx, dword ptr [ebp + 8]
00401dc6+2: add edx, ecx
00401dc8+8: movzx eax, byte ptr [ebp + eax - 0xb4]
00401dd0+2: mov byte ptr [edx], al
00401dd2+4: add dword ptr [ebp - 0xc], 1
00401ddc+1: nop
00401ddd+1: leave
00401dde+1: ret
00401e06+1: nop
00401e07+1: leave
00401e08+1: ret
00401e23+4: add dword ptr [ebp - 4], 1
00401e2d+1: nop
00401e2e+1: leave
00401e2f+1: ret
00401e48+8: mov dword ptr [esp + 8], 0x20
00401e50+3: mov eax, dword ptr [ebp + 8]
00401e53+4: mov dword ptr [esp + 4], eax
00401e57+3: mov eax, dword ptr [ebp - 0xc]
00401e5a+3: mov dword ptr [esp], eax
00401e5d+5: call 0x436e5c
00436e5c+0: ???
00436e5c+6: jmp dword ptr [0x43d1d4]
77487975+0: ???
00401e62+2: test eax, eax
00401e64+3: sete al
00401e67+1: leave
00401e68+1: ret
00401ea6+3: mov byte ptr [ebp - 9], al
00401ea9+4: cmp byte ptr [ebp - 9], 0
00401ead+2: je 0x401ebd
00401ebd+0: ???
00401ebd+7: mov dword ptr [esp], 0x43a180
00401ec4+5: call 0x436e44
774e8d2c+0: ???
00401ec9+5: mov eax, 0
00401ece+1: leave
00401ecf+1: ret
0040159b+0: ???
	BITS 32

	_printf: equ 0x0043C3E0
	_WriteProcessMemory: equ 0x0043C400

	_base:

	hook_WriteProcessMemory:
	push ebp
	mov ebp, esp

	push ebx
	push edi
	push esi

	call get_pc_bx
	.off:
	add ebx, _base - .off

	mov eax, [ebp + 0x0c] ; lpBaseAddress
	mov edi, [ebp + 0x10] ; lpBuffer
	mov ecx, [ebp + 0x14] ; nSize
	lea esi, [edi + ecx]

	; call printf
	push ecx
	push eax
	lea eax, [ebx + dump_fmt - _base]
	push eax
	call printf
	add esp, 0xc

	jmp .loop_cond
	.loop:
	movzx eax, byte [edi]
	lea edx, [ebx + hex_fmt - _base]
	push eax
	push edx
	call printf
	add esp, 0x8
	inc edi
	.loop_cond:
	cmp edi, esi
	jl .loop

	lea eax, [ebx + newline_fmt - _base]
	push eax
	call printf
	add esp, 0x4

	pop esi
	pop edi
	pop ebx
	pop ebp
	jmp WriteProcessMemory

	;.text:0040182F add esp, 70h
	;.text:00401832 pop esi
	;.text:00401833 pop edi
	;.text:00401834 pop ebp
	;.text:00401835 retn
	tail_handle_exc:
	call get_pc_ax
	.off:
	add eax, exc_fmt - .off
	push dword [ebp - 0xc] ; addr
	push dword [ebp - 0x60] ; exc_code
	push eax
	call printf
	add esp, 0x7c
	pop esi
	pop edi
	pop ebp
	ret


	get_pc_ax:
	mov eax, [esp + 0]
	ret
	get_pc_bx:
	mov ebx, [esp + 0]
	ret

	dump_fmt: db "Write @ %p", 0xa, " ", 0

	hex_fmt: db "%02hhx ", 0

	newline_fmt: db 0xa, 0

	exc_fmt: db "Cont 0x%08x from @ %p", 0xa, 0

	printf:
	mov eax, _printf
	jmp [eax]

	WriteProcessMemory:
	mov eax, _WriteProcessMemory
	jmp [eax]
	#!/usr/bin/python3

	import capstone as cs
	md = cs.Cs(arch=cs.CS_ARCH_X86, mode=cs.CS_MODE_32)
	md.detail = True

	def get_insn(mem, addr):
	data = []
	for i in range(16):
	if addr + i not in mem:
	break
	data.append(mem[addr + i])
	data = bytes(data)
	try:
	return next(md.disasm(data, addr))
	except:
	return None

	last_ip = 0

	commit_insn = {}
	exe_mem = {}
	with open('log2') as f:
	f.readline()
	while True:
	line = f.readline()
	if 'Cont' in line:
	addr = int(line.split(' @ ')[1], 16)
	insn = get_insn(exe_mem, addr)
	if insn:
	insn_str = '{} {}'.format(insn.insn_name(), insn.op_str)
	#print('{:08x}+{}: {}'.format(addr, insn.size, insn_str))
	if 'ud2' not in insn_str:
	if addr not in commit_insn:
	print('{:08x}+{}: {}'.format(addr, insn.size, insn_str))
	elif commit_insn[addr] != insn_str:
	print('!!{:08x}+{}: {}'.format(addr, insn.size, insn_str))
	commit_insn[addr] = insn_str
	else:
	print('{:08x}+0: ???'.format(addr))
	elif 'Write' in line:
	addr = int(line.split(' @ ')[1], 16)
	line = f.readline()
	data = [int(x, 16) for x in line.strip().split(' ')]
	for off in range(len(data)):
	exe_mem[addr + off] = data[off]
	elif not line:
	break
	#!/bin/bash

	set -e

	patch () {
	echo -ne "$2" > tmp
	dd conv=notrunc if=tmp of=watchmen.exe seek=$(($1)) bs=1
	rm tmp
	}


	nasm hook.asm
	patch 0xc2e '\xe9\x18\x04\x03\x00'
	patch 0x1401 '\xb8\xf4\x1b'
	patch 0x147a '\xb8\xf4\x1b'
	dd conv=notrunc if=hook of=watchmen.exe seek=$((0x30ff4)) bs=1
	00401e69+1: push ebp
	00401e6a+2: mov ebp, esp
	00401e6c+3: sub esp, 0x48
	00401e6f+7: mov dword ptr [esp], 0x43a0cc
	00401e76+5: call 0x436e44
	00436e44+0: ???
	00436e44+6: jmp dword ptr [0x43d1e0]
	774e8d2c+0: ???
	00401e7b+3: lea eax, [ebp - 0x2a]
	00401e7e+4: mov dword ptr [esp + 4], eax
	00401e82+7: mov dword ptr [esp], 0x43a12f
	00401e89+5: call 0x436e3c
	00436e3c+0: ???
	00436e3c+6: jmp dword ptr [0x43d1e4]
	774e68f1+0: ???
	00401e8e+5: mov eax, dword ptr [0x43d1a8]
	00401e93+3: mov dword ptr [esp], eax
	00401e96+5: call 0x436e84
	00436e84+0: ???
	00436e84+6: jmp dword ptr [0x43d1c0]
	77484142+0: ???
	00401e9b+3: lea eax, [ebp - 0x2a]
	00401e9e+3: mov dword ptr [esp], eax
	00401ea1+5: call 0x401e30
	00401e30+0: ???
	00401e30+1: push ebp
	00401e31+2: mov ebp, esp
	00401e33+3: sub esp, 0x28
	00401e36+7: mov dword ptr [ebp - 0xc], 0x43a0a8
	00401e3d+3: mov eax, dword ptr [ebp + 8]
	00401e40+3: mov dword ptr [esp], eax
	00401e43+5: call 0x401e09
	00401e09+0: ???
	00401e09+1: push ebp
	00401e0a+2: mov ebp, esp
	00401e0c+3: sub esp, 0x14
	00401e0f+7: mov dword ptr [ebp - 4], 0
	00401e16+2: jmp 0x401e27
	00401e27+0: ???
	00401e27+4: cmp dword ptr [ebp - 4], 0xf
	00401e2b+2: jle 0x401e18
	00401e18+3: mov eax, dword ptr [ebp + 8]
	00401e1b+3: mov dword ptr [esp], eax
	00401e1e+5: call 0x401ddf
	00401ddf+0: ???
	00401ddf+1: push ebp
	00401de0+2: mov ebp, esp
	00401de2+3: sub esp, 4
	00401de5+3: mov eax, dword ptr [ebp + 8]
	00401de8+3: mov dword ptr [esp], eax
	00401deb+5: call 0x401c20
	00401c20+0: ???
	00401c20+1: push ebp
	00401c21+2: mov ebp, esp
	00401c23+1: push ebx
	00401c24+3: sub esp, 0x10
	00401c27+7: mov dword ptr [ebp - 0xc], 0x43a010
	00401c2e+7: mov dword ptr [ebp - 8], 0
	00401c35+2: jmp 0x401c5f
	00401c5f+0: ???
	00401c5f+4: cmp dword ptr [ebp - 8], 0x1f
	00401c63+2: jle 0x401c37
	00401c37+3: mov edx, dword ptr [ebp - 8]
	00401c3a+3: mov eax, dword ptr [ebp + 8]
	00401c3d+2: add eax, edx
	00401c3f+3: movzx ebx, byte ptr [eax]
	00401c42+3: mov edx, dword ptr [ebp - 8]
	00401c45+3: mov eax, dword ptr [ebp - 0xc]
	00401c48+2: add eax, edx
	00401c4a+3: movzx ecx, byte ptr [eax]
	00401c4d+3: mov edx, dword ptr [ebp - 8]
	00401c50+3: mov eax, dword ptr [ebp + 8]
	00401c53+2: add eax, edx
	00401c55+2: xor ebx, ecx
	00401c57+2: mov edx, ebx
	00401c59+2: mov byte ptr [eax], dl
	00401c5b+4: add dword ptr [ebp - 8], 1
	00401c65+1: nop
	00401c66+3: add esp, 0x10
	00401c69+1: pop ebx
	00401c6a+1: pop ebp
	00401c6b+1: ret
	00401df0+3: mov eax, dword ptr [ebp + 8]
	00401df3+3: mov dword ptr [esp], eax
	00401df6+5: call 0x401c6c
	00401c6c+1: push ebp
	00401c6d+2: mov ebp, esp
	00401c6f+3: sub esp, 0x10
	00401c72+3: mov eax, dword ptr [ebp + 8]
	00401c75+3: movzx eax, byte ptr [eax]
	00401c78+3: mov byte ptr [ebp - 5], al
	00401c7b+7: mov dword ptr [ebp - 4], 0
	00401c82+2: jmp 0x401cba
	00401cba+0: ???
	00401cba+4: cmp dword ptr [ebp - 4], 0x1e
	00401cbe+2: jle 0x401c84
	00401c84+3: mov edx, dword ptr [ebp - 4]
	00401c87+3: mov eax, dword ptr [ebp + 8]
	00401c8a+2: add eax, edx
	00401c8c+3: movzx eax, byte ptr [eax]
	00401c8f+3: shr al, 4
	00401c92+2: mov ecx, eax
	00401c94+3: mov eax, dword ptr [ebp - 4]
	00401c97+3: lea edx, [eax + 1]
	00401c9a+3: mov eax, dword ptr [ebp + 8]
	00401c9d+2: add eax, edx
	00401c9f+3: movzx eax, byte ptr [eax]
	00401ca2+3: movzx eax, al
	00401ca5+3: shl eax, 4
	00401ca8+2: or ecx, eax
	00401caa+3: mov edx, dword ptr [ebp - 4]
	00401cad+3: mov eax, dword ptr [ebp + 8]
	00401cb0+2: add eax, edx
	00401cb2+2: mov edx, ecx
	00401cb4+2: mov byte ptr [eax], dl
	00401cb6+4: add dword ptr [ebp - 4], 1
	00401cc0+3: mov eax, dword ptr [ebp + 8]
	00401cc3+3: add eax, 0x1f
	00401cc6+3: movzx eax, byte ptr [eax]
	00401cc9+3: shr al, 4
	00401ccc+2: mov edx, eax
	00401cce+4: movzx eax, byte ptr [ebp - 5]
	00401cd2+3: shl eax, 4
	00401cd5+2: or edx, eax
	00401cd7+3: mov eax, dword ptr [ebp + 8]
	00401cda+3: add eax, 0x1f
	00401cdd+2: mov byte ptr [eax], dl
	00401cdf+1: nop
	00401ce0+1: leave
	00401ce1+1: ret
	00401dfb+3: mov eax, dword ptr [ebp + 8]
	00401dfe+3: mov dword ptr [esp], eax
	00401e01+5: call 0x401ce2
	00401ce2+1: push ebp
	00401ce3+2: mov ebp, esp
	00401ce5+6: sub esp, 0xc0
	00401ceb+7: mov dword ptr [ebp - 0x10], 0x43a04c
	00401cf2+7: mov dword ptr [ebp - 4], 0
	00401cf9+2: jmp 0x401d24
	00401d24+0: ???
	00401d24+4: cmp dword ptr [ebp - 4], 0x1f
	00401d28+2: jle 0x401cfb
	00401cfb+3: mov eax, dword ptr [ebp - 4]
	00401cfe+3: mov edx, dword ptr [ebp - 4]
	00401d01+7: mov dword ptr [ebp + eax*4 - 0x94], edx
	00401d08+3: mov edx, dword ptr [ebp - 4]
	00401d0b+3: mov eax, dword ptr [ebp + 8]
	00401d0e+2: add eax, edx
	00401d10+3: movzx eax, byte ptr [eax]
	00401d13+6: lea ecx, [ebp - 0xb4]
	00401d19+3: mov edx, dword ptr [ebp - 4]
	00401d1c+2: add edx, ecx
	00401d1e+2: mov byte ptr [edx], al
	00401d20+4: add dword ptr [ebp - 4], 1
	00401d2a+7: mov dword ptr [ebp - 8], 0
	00401d31+2: jmp 0x401d9e
	00401d9e+0: ???
	00401d9e+3: mov edx, dword ptr [ebp - 8]
	00401da1+3: mov eax, dword ptr [ebp - 0x10]
	00401da4+2: add eax, edx
	00401da6+3: movzx eax, byte ptr [eax]
	00401da9+2: test al, al
	00401dab+2: jne 0x401d33
	00401d33+3: mov eax, dword ptr [ebp - 8]
	00401d36+1: cdq
	00401d37+3: shr edx, 0x1b
	00401d3a+2: add eax, edx
	00401d3c+3: and eax, 0x1f
	00401d3f+2: sub eax, edx
	00401d41+7: mov eax, dword ptr [ebp + eax*4 - 0x94]
	00401d48+3: mov byte ptr [ebp - 0x11], al
	00401d4b+3: mov edx, dword ptr [ebp - 8]
	00401d4e+3: mov eax, dword ptr [ebp - 0x10]
	00401d51+2: add eax, edx
	00401d53+3: movzx eax, byte ptr [eax]
	00401d56+3: movzx eax, al
	00401d59+3: and eax, 0x1f
	00401d5c+2: mov ecx, eax
	00401d5e+3: mov eax, dword ptr [ebp - 8]
	00401d61+1: cdq
	00401d62+3: shr edx, 0x1b
	00401d65+2: add eax, edx
	00401d67+3: and eax, 0x1f
	00401d6a+2: sub eax, edx
	00401d6c+2: mov edx, eax
	00401d6e+7: mov eax, dword ptr [ebp + ecx*4 - 0x94]
	00401d75+7: mov dword ptr [ebp + edx*4 - 0x94], eax
	00401d7c+3: mov edx, dword ptr [ebp - 8]
	00401d7f+3: mov eax, dword ptr [ebp - 0x10]
	00401d82+2: add eax, edx
	00401d84+3: movzx eax, byte ptr [eax]
	00401d87+3: movzx eax, al
	00401d8a+3: and eax, 0x1f
	00401d8d+2: mov edx, eax
	00401d8f+4: movzx eax, byte ptr [ebp - 0x11]
	00401d93+7: mov dword ptr [ebp + edx*4 - 0x94], eax
	00401d9a+4: add dword ptr [ebp - 8], 1
	00401dad+7: mov dword ptr [ebp - 0xc], 0
	00401db4+2: jmp 0x401dd6
	00401dd6+0: ???
	00401dd6+4: cmp dword ptr [ebp - 0xc], 0x1f
	00401dda+2: jle 0x401db6
	00401db6+3: mov eax, dword ptr [ebp - 0xc]
	00401db9+7: mov eax, dword ptr [ebp + eax*4 - 0x94]
	00401dc0+3: mov ecx, dword ptr [ebp - 0xc]
	00401dc3+3: mov edx, dword ptr [ebp + 8]
	00401dc6+2: add edx, ecx
	00401dc8+8: movzx eax, byte ptr [ebp + eax - 0xb4]
	00401dd0+2: mov byte ptr [edx], al
	00401dd2+4: add dword ptr [ebp - 0xc], 1
	00401ddc+1: nop
	00401ddd+1: leave
	00401dde+1: ret
	00401e06+1: nop
	00401e07+1: leave
	00401e08+1: ret
	00401e23+4: add dword ptr [ebp - 4], 1
	00401e2d+1: nop
	00401e2e+1: leave
	00401e2f+1: ret
	00401e48+8: mov dword ptr [esp + 8], 0x20
	00401e50+3: mov eax, dword ptr [ebp + 8]
	00401e53+4: mov dword ptr [esp + 4], eax
	00401e57+3: mov eax, dword ptr [ebp - 0xc]
	00401e5a+3: mov dword ptr [esp], eax
	00401e5d+5: call 0x436e5c
	00436e5c+0: ???
	00436e5c+6: jmp dword ptr [0x43d1d4]
	77487975+0: ???
	00401e62+2: test eax, eax
	00401e64+3: sete al
	00401e67+1: leave
	00401e68+1: ret
	00401ea6+3: mov byte ptr [ebp - 9], al
	00401ea9+4: cmp byte ptr [ebp - 9], 0
	00401ead+2: je 0x401ebd
	00401ebd+0: ???
	00401ebd+7: mov dword ptr [esp], 0x43a180
	00401ec4+5: call 0x436e44
	774e8d2c+0: ???
	00401ec9+5: mov eax, 0
	00401ece+1: leave
	00401ecf+1: ret
	0040159b+0: ???