Credits to uNrEaL
I feel it's time to add some more information to this, as apparently no one is even attempting to put forth some noteworthy discussion here.
Let's kick this up a notch. Code: .text:004026AE ; int __stdcall sub_4026AE(char *Dest)
.text:004026AE sub_4026AE proc near ; CODE XREF: sub_44478E+1F1p
.text:004026AE ; sub_44478E+61Ap ...
; sub_4026AE - pulls data in 800h-byte chunks through the hash helpers listed below and
; copies the resulting string into the caller's Dest buffer.
; Convention: ecx is read on entry (saved to edi) and `retn 4` pops the one stack argument,
;             so this behaves like a thiscall member function, not the __stdcall IDA guessed.
; Returns:    eax = 1 after the copy; eax = 0 when sub_402550 returns 0 (early exit).
; Frame:      ebp is biased by 74h, so locals are written as [ebp+74h+var].
;             var_8CC = 800h-byte chunk buffer (-8CCh .. -0CCh)
;             Dst     = 0CCh-byte hash context handed to the helpers in ecx
; NOTE(review): the closing _strcpy is unbounded. Dest must hold whatever MD5Crypt returns
;               (presumably 32 hex characters plus a terminator) - confirm at each call site.
.text:004026AE
.text:004026AE var_8CC = byte ptr -8CCh
.text:004026AE Dst = byte ptr -0CCh
.text:004026AE Dest = dword ptr 8
.text:004026AE
.text:004026AE 55 push ebp
.text:004026AF 8D 6C 24 8C lea ebp, [esp-74h] ; biased frame pointer: ebp+74h is the slot holding the saved ebp
.text:004026B3 81 EC CC 08 00 00 sub esp, 8CCh ; room for the chunk buffer plus the hash context
.text:004026B9 56 push esi
.text:004026BA 57 push edi
.text:004026BB 33 F6 xor esi, esi ; esi = 0, reused as the zero argument below
.text:004026BD 56 push esi ; Origin
.text:004026BE 56 push esi ; Offset
.text:004026BF 8B F9 mov edi, ecx ; keep the incoming ecx (object pointer) across the calls
.text:004026C1 E8 8A FE FF FF call sub_402550 ; body not shown; IDA's Origin/Offset labels suggest a seek to offset 0 - confirm
.text:004026C6 85 C0 test eax, eax
.text:004026C8 74 57 jz short loc_402721 ; helper returned 0: leave with eax = 0
.text:004026CA 8D 4D A8 lea ecx, [ebp+74h+Dst] ; Dst
.text:004026CD E8 17 FD FF FF call sub_4023E9 ; body not shown; presumably prepares the context - confirm
.text:004026D2 56 push esi ; seed argument for MD5Init = 0
.text:004026D3 8D 4D A8 lea ecx, [ebp+74h+Dst] // ecx is the pointer to the md5 class (below)
.text:004026D6 E8 E5 FA FF FF call MD5Init ; with seed 0 the stored state is the standard MD5 initial state (see MD5Init listing)
.text:004026DB BE 00 08 00 00 mov esi, 800h ; chunk size requested per read
.text:004026E0 EB 0D jmp short loc_4026EF ; enter the loop at the read step
.text:004026E2 ; ---------------------------------------------------------------------------
.text:004026E2
.text:004026E2 loc_4026E2: ; CODE XREF: sub_4026AE+56j
.text:004026E2 50 push eax ; length = value returned by sub_4025F3
.text:004026E3 8D 85 A8 F7 FF FF lea eax, [ebp+74h+var_8CC]
.text:004026E9 50 push eax ; data = chunk buffer
.text:004026EA E8 15 FB FF FF call ScanFunction // (below)
.text:004026EF
.text:004026EF loc_4026EF: ; CODE XREF: sub_4026AE+32j
.text:004026EF 8D 85 A8 F7 FF FF lea eax, [ebp+74h+var_8CC]
.text:004026F5 56 push esi ; 800h
.text:004026F6 8B CF mov ecx, edi ; object pointer saved at entry
.text:004026F8 50 push eax ; destination = chunk buffer
.text:004026F9 E8 F5 FE FF FF call sub_4025F3 ; body not shown; presumably fills the buffer and returns a byte count - confirm
.text:004026FE 83 F8 01 cmp eax, 1
.text:00402701 8D 4D A8 lea ecx, [ebp+74h+Dst] ; lea leaves the flags from cmp intact; ecx = context for the next call
.text:00402704 7D DC jge short loc_4026E2 ; signed test: keep feeding while the count is >= 1
.text:00402706 E8 86 FB FF FF call sub_402291 ; body not shown; it is listed as a caller of ScanFunction, presumably the finalisation step
.text:0040270B 8D 4D A8 lea ecx, [ebp+74h+Dst] // (code below) notice that here ecx gets set to the pointer of the class again (proving that this is a class member function)
.text:0040270E E8 AA FC FF FF call MD5Crypt ; eax = pointer to the start of the context, where the string form is built
.text:00402713 50 push eax ; Source
.text:00402714 FF 75 7C push [ebp+74h+Dest] ; Dest
.text:00402717 E8 C4 B2 04 00 call _strcpy ; unbounded copy into the caller-supplied buffer
.text:0040271C 59 pop ecx ; caller-side cleanup of the two _strcpy arguments
.text:0040271D 33 C0 xor eax, eax
.text:0040271F 59 pop ecx
.text:00402720 40 inc eax ; return value = 1
.text:00402721
.text:00402721 loc_402721: ; CODE XREF: sub_4026AE+1Aj
.text:00402721 5F pop edi
.text:00402722 5E pop esi
.text:00402723 83 C5 74 add ebp, 74h ; undo the 74h bias so leave restores the real frame
.text:00402726 C9 leave
.text:00402727 C2 04 00 retn 4 ; callee pops Dest
.text:00402727 sub_4026AE endp
Code: .text:004023BD MD5Crypt proc near ; CODE XREF: sub_4026AE+60p
.text:004023BD ; sub_417510+80p ...
; MD5Crypt (poster's label) - walks the 16 bytes at context+0BCh and calls sub_401462 once
; per byte, passing an output cursor that starts at context+0 and advances two bytes per
; iteration.
; In:  ecx = context pointer.
; Out: eax = context pointer (start of the output area).
; NOTE(review): no hashing is done here; the shape (16 input bytes, 2 output bytes each)
;               looks like digest-to-hex formatting - confirm against sub_401462, which
;               is not shown. Whether the output is NUL-terminated also depends on it.
.text:004023BD 53 push ebx
.text:004023BE 56 push esi
.text:004023BF 8B F1 mov esi, ecx ; esi = context
.text:004023C1 57 push edi
.text:004023C2 C6 06 00 mov byte ptr [esi], 0 ; first output byte cleared
.text:004023C5 33 FF xor edi, edi ; edi = input byte index
.text:004023C7 8B DE mov ebx, esi ; ebx = output cursor
.text:004023C9
.text:004023C9 loc_4023C9: ; CODE XREF: MD5Crypt+24j
.text:004023C9 33 C0 xor eax, eax
.text:004023CB 8A 84 3E BC 00 00 00 mov al, [esi+edi+0BCh] ; eax = zero-extended byte edi of the field at +0BCh
.text:004023D2 53 push ebx ; arg: output cursor
.text:004023D3 50 push eax ; arg: byte value
.text:004023D4 E8 89 F0 FF FF call sub_401462
.text:004023D9 47 inc edi
.text:004023DA 43 inc ebx ; together with the second inc below: cursor += 2
.text:004023DB 59 pop ecx ; caller-side cleanup of the two arguments
.text:004023DC 43 inc ebx
.text:004023DD 83 FF 10 cmp edi, 10h
.text:004023E0 59 pop ecx
.text:004023E1 7C E6 jl short loc_4023C9 ; 16 iterations in total
.text:004023E3 5F pop edi
.text:004023E4 8B C6 mov eax, esi // EAX now holds the return hash string
.text:004023E6 5E pop esi // after ESI is popped, it holds the value of the string that was md5 hashed ; NOTE(review): this pop restores the caller's esi saved at 004023BE; the result pointer is the one left in eax
.text:004023E7 5B pop ebx
.text:004023E8 C3 retn
.text:004023E8 MD5Crypt endp
Code: .text:004021C0 MD5Init proc near ; CODE XREF: ScanCaller+1Dp
.text:004021C0 ; sub_4026AE+28p ...
; MD5Init (poster's label) - fills the context in ecx from the single stack argument (seed).
;   [ecx+64h] = 0, [ecx+68h] = 0
;   [ecx+6Ch] = seed*0Bh + 67452301h
;   [ecx+70h] = seed*47h - 10325477h   (same as + 0EFCDAB89h modulo 2^32)
;   [ecx+74h] = seed*25h - 67452302h   (same as + 98BADCFEh modulo 2^32)
;   [ecx+78h] = seed*61h + 10325476h
; With seed = 0 these four words are the standard MD5 initial values. Any other seed shifts
; them, so the resulting digest will not match a stock MD5 of the same bytes.
; In: ecx = context, [esp+4] = seed. The callee pops the argument (retn 4).
.text:004021C0
.text:004021C0 arg_0 = dword ptr 4
.text:004021C0
.text:004021C0 8B 44 24 04 mov eax, [esp+arg_0] ; eax = seed
.text:004021C4 8B D0 mov edx, eax
.text:004021C6 6B D2 0B imul edx, 0Bh
.text:004021C9 81 C2 01 23 45 67 add edx, 67452301h
.text:004021CF 89 51 6C mov [ecx+6Ch], edx ; first state word
.text:004021D2 8B D0 mov edx, eax
.text:004021D4 83 61 68 00 and dword ptr [ecx+68h], 0 ; and with 0 clears the field
.text:004021D8 6B D2 47 imul edx, 47h
.text:004021DB 83 61 64 00 and dword ptr [ecx+64h], 0 ; and with 0 clears the field
.text:004021DF 81 EA 77 54 32 10 sub edx, 10325477h
.text:004021E5 89 51 70 mov [ecx+70h], edx ; second state word
.text:004021E8 8B D0 mov edx, eax
.text:004021EA 6B C0 61 imul eax, 61h
.text:004021ED 6B D2 25 imul edx, 25h
.text:004021F0 81 EA 02 23 45 67 sub edx, 67452302h
.text:004021F6 05 76 54 32 10 add eax, 10325476h
.text:004021FB 89 51 74 mov [ecx+74h], edx ; third state word
.text:004021FE 89 41 78 mov [ecx+78h], eax ; fourth state word
.text:00402201 C2 04 00 retn 4
.text:00402201 MD5Init endp
Code: .text:00402204 ScanFunction proc near ; CODE XREF: sub_402291+2Ep
.text:00402204 ; ScanCaller+2Cp ...
; ScanFunction (poster's label) - appends arg_4 bytes starting at arg_0 to the hash context in ecx.
; Context fields touched here:
;   +64h / +68h  running length in bits, low / high dword
;   +6Ch         state words (address passed to sub_401886)
;   +7Ch         64-byte block buffer
; Whenever the block buffer reaches 40h bytes it is repacked into sixteen little-endian
; dwords in var_40 and handed to sub_401886 (body not shown; presumably the block transform).
; The structure matches the update step of an MD5-style hash; this routine only reads the source bytes.
; In: ecx = context, arg_0 = source pointer, arg_4 = byte count. Callee pops both (retn 8).
; NOTE(review): nothing here validates the source range; an unreadable address would fault
;               at the byte load at 0040223C - callers are responsible for the bounds.
.text:00402204
.text:00402204 var_40 = dword ptr -40h
.text:00402204 arg_0 = dword ptr 8
.text:00402204 arg_4 = dword ptr 0Ch // arg_0 is the address to scan, arg_4 is the scan size
.text:00402204
.text:00402204 55 push ebp
.text:00402205 8B EC mov ebp, esp
.text:00402207 83 EC 40 sub esp, 40h ; 40h bytes for the sixteen-dword block at var_40
.text:0040220A 56 push esi
.text:0040220B 8B F1 mov esi, ecx ; esi = context
.text:0040220D 8B 4E 64 mov ecx, [esi+64h] ; ecx = current bit count (low dword)
.text:00402210 57 push edi
.text:00402211 8B 7D 0C mov edi, [ebp+arg_4] ; edi = byte count
.text:00402214 8B C1 mov eax, ecx
.text:00402216 C1 E8 03 shr eax, 3 ; bits -> bytes
.text:00402219 8D 14 F9 lea edx, [ecx+edi*8] ; edx = new low bit count
.text:0040221C 83 E0 3F and eax, 3Fh ; eax = current fill index inside the 64-byte buffer
.text:0040221F 3B D1 cmp edx, ecx
.text:00402221 73 03 jnb short loc_402226 ; no unsigned wrap-around
.text:00402223 FF 46 68 inc dword ptr [esi+68h] ; carry into the high dword
.text:00402226
.text:00402226 loc_402226: ; CODE XREF: ScanFunction+1Dj
.text:00402226 8B CF mov ecx, edi
.text:00402228 C1 E9 1D shr ecx, 1Dh ; top three bits of the count = high part of count*8
.text:0040222B 01 4E 68 add [esi+68h], ecx
.text:0040222E 85 FF test edi, edi
.text:00402230 89 56 64 mov [esi+64h], edx ; mov does not disturb the flags from test
.text:00402233 74 56 jz short loc_40228B ; zero-length input: nothing to copy
.text:00402235 89 7D 0C mov [ebp+arg_4], edi ; arg_4 slot reused as the remaining-bytes counter
.text:00402238 8B 7D 08 mov edi, [ebp+arg_0] ; edi = source cursor
.text:0040223B 53 push ebx ; saved only on this path, restored at 0040228A
.text:0040223C
.text:0040223C loc_40223C: ; CODE XREF: ScanFunction+84j
.text:0040223C 8A 0F mov cl, [edi] // here is where the byte is actually read (edi holds the address) [cl holds the byte that's read]
.text:0040223E 88 4C 06 7C mov [esi+eax+7Ch], cl ; append to the block buffer
.text:00402242 40 inc eax
.text:00402243 47 inc edi
.text:00402244 83 F8 40 cmp eax, 40h ; buffer full?
.text:00402247 75 3C jnz short loc_402285
.text:00402249 33 C9 xor ecx, ecx ; ecx = dword index 0..15
.text:0040224B 8D 46 7E lea eax, [esi+7Eh] ; eax = buffer + 2
.text:0040224E
.text:0040224E loc_40224E: ; CODE XREF: ScanFunction+6Ej
.text:0040224E 0F B6 58 FF movzx ebx, byte ptr [eax-1] ; byte 1 of the current group of four
.text:00402252 33 D2 xor edx, edx
.text:00402254 8A 70 01 mov dh, [eax+1] ; byte 3
.text:00402257 8A 10 mov dl, [eax] ; byte 2
.text:00402259 83 C0 04 add eax, 4 ; step to the next group
.text:0040225C C1 E2 08 shl edx, 8
.text:0040225F 0B D3 or edx, ebx
.text:00402261 0F B6 58 FA movzx ebx, byte ptr [eax-6] ; byte 0 (eax was already advanced by 4)
.text:00402265 C1 E2 08 shl edx, 8
.text:00402268 0B D3 or edx, ebx ; edx = b3<<24 | b2<<16 | b1<<8 | b0
.text:0040226A 89 54 8D C0 mov [ebp+ecx*4+var_40], edx
.text:0040226E 41 inc ecx
.text:0040226F 83 F9 10 cmp ecx, 10h
.text:00402272 72 DA jb short loc_40224E ; sixteen dwords per block
.text:00402274 8D 45 C0 lea eax, [ebp+var_40]
.text:00402277 50 push eax ; arg: repacked block
.text:00402278 8D 46 6C lea eax, [esi+6Ch]
.text:0040227B 50 push eax ; arg: state words
.text:0040227C 8B CE mov ecx, esi
.text:0040227E E8 03 F6 FF FF call sub_401886
.text:00402283 33 C0 xor eax, eax ; fill index back to 0 for the next block
.text:00402285
.text:00402285 loc_402285: ; CODE XREF: ScanFunction+43j
.text:00402285 FF 4D 0C dec [ebp+arg_4] ; one fewer byte remaining
.text:00402288 75 B2 jnz short loc_40223C
.text:0040228A 5B pop ebx
.text:0040228B
.text:0040228B loc_40228B: ; CODE XREF: ScanFunction+2Fj
.text:0040228B 5F pop edi
.text:0040228C 5E pop esi
.text:0040228D C9 leave
.text:0040228E C2 08 00 retn 8
.text:0040228E ScanFunction endp