  1. #31
    Happy Holidays everyone!

    I sent a message to Hex earlier but I think I missed his response due to my pm box being full. Anyway, I thought I would introduce myself to everyone here. I am looking into reversing part of the swtor protocol, also for the purpose of creating a galactic trade network monitor for statistics on market prices, drop locations, etc. I would like to collaborate with some of the others reversing the protocol for the purpose of creating an emulated server, as our work would go hand in hand.

    Just for some background on myself, I worked for years with the swg emulated servers projects, originally for swgemu (way back in the day when we were underground hipsters..) and then for ANH for many many years. So anyway I also bring with me many years of emulated server experience and could help out on that front also...

    Anyway just wanted to introduce myself to the community and say happy holidays!

    I hope to work in the future with some of you guys specifically on reverse engineering.


    Furst

  2. #32
    about incoming packets

    as far as I understand, this function dispatches incoming packets (already decrypted) to their handlers

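    (all addresses are based at 0x00400000, f*ck da ASLR; in a process loaded at another base, the same code sits at the listed address minus 0x00400000 plus the actual module base)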

    Code:
    .text:009D9EE0 ; sub_9D9EE0: if the object pointer at [[ecx+0Ch]+80h] is non-null, calls the
    .text:009D9EE0 ; function pointer stored at offset 18h of the table that object's first dword
    .text:009D9EE0 ; points to, with four stack arguments built from fields at ecx+10h..ecx+1Ch.
    .text:009D9EE0 ; In:    ecx = object pointer (fields read at +0Ch, +10h, +14h, +18h, +1Ch)
    .text:009D9EE0 ; Frame: var_4 = state slot, var_C = saved fs:0 head, var_10 = saved esp
    .text:009D9EE0 ; NOTE(review): the poster identifies this as the dispatcher for already-decrypted
    .text:009D9EE0 ; incoming packets; the meaning of the individual fields is not established here.
    .text:009D9EE0 ; NOTE(review): the only check visible before the indirect call is the null test
    .text:009D9EE0 ; on esi. No validation of the pushed fields appears in this function, so any
    .text:009D9EE0 ; length/bounds checking has to live in the callee or earlier in the path - confirm.
    .text:009D9EE0 sub_9D9EE0 proc near                    ; DATA XREF: .rdata:0105F5C4o
    .text:009D9EE0
    .text:009D9EE0 var_10= dword ptr -10h
    .text:009D9EE0 var_C= dword ptr -0Ch
    .text:009D9EE0 var_4= dword ptr -4
    .text:009D9EE0
    .text:009D9EE0 push    ebp
    .text:009D9EE1 mov     ebp, esp
    .text:009D9EE3 push    0FFFFFFFFh                      ; [ebp-4] = var_4, initial state -1
    .text:009D9EE5 push    offset SEH_9D70B0               ; [ebp-8] = exception handler address
    .text:009D9EEA mov     eax, large fs:0
    .text:009D9EF0 push    eax                             ; [ebp-0Ch] = var_C, previous fs:0 head
    .text:009D9EF1 mov     large fs:0, esp                 ; link the {previous, handler} record in as the new head
    .text:009D9EF8 push    ecx                             ; reserves [ebp-10h] = var_10 (value overwritten below)
    .text:009D9EF9 mov     eax, [ecx+0Ch]
    .text:009D9EFC push    esi                             ; save esi; restored by pop esi in the epilogue
    .text:009D9EFD mov     esi, [eax+80h]                  ; esi = target object taken from [[ecx+0Ch]+80h]
    .text:009D9F03 test    esi, esi
    .text:009D9F05 jz      short loc_9D9F43                ; null target: skip the call, go straight to the epilogue
    .text:009D9F07 movzx   edx, word ptr [ecx+18h]         ; 16-bit field at +18h, zero-extended
    .text:009D9F0B lea     eax, [ecx+1Ch]
    .text:009D9F0E push    eax                             ; arg: address ecx+1Ch (presumably payload start - confirm)
    .text:009D9F0F mov     eax, [ecx+14h]
    .text:009D9F12 push    edx                             ; arg: the 16-bit field from +18h (presumably a length - confirm)
    .text:009D9F13 push    eax                             ; arg: dword from +14h
    .text:009D9F14 push    ecx                             ; reserve one more argument slot; filled in at 009D9F1D
    .text:009D9F15 mov     ecx, [ecx+10h]
    .text:009D9F18 mov     eax, esp
    .text:009D9F1A mov     [ebp+var_10], esp
    .text:009D9F1D mov     [eax], ecx                      ; reserved slot := dword from +10h
    .text:009D9F1F test    ecx, ecx
    .text:009D9F21 jz      short loc_9D9F2C
    .text:009D9F23 push    ecx
    .text:009D9F24 call    sub_9D30E0                      ; called only when [ecx+10h] is non-null (looks like a reference acquire - confirm)
    .text:009D9F29 add     esp, 4                          ; caller removes the single argument
    .text:009D9F2C
    .text:009D9F2C loc_9D9F2C:                             ; CODE XREF: sub_9D9EE0+41j
    .text:009D9F2C mov     [ebp+var_4], 0                  ; state slot 0 (presumably compiler EH state tracking - confirm)
    .text:009D9F33 mov     eax, [esi]                      ; eax = first dword of the target object, used as a table base
    .text:009D9F35 mov     [ebp+var_4], 0FFFFFFFFh         ; state slot back to -1 before the call
    .text:009D9F3C mov     edx, [eax+18h]                  ; edx = function pointer at table offset 18h
    .text:009D9F3F mov     ecx, esi                        ; ecx = target object for the callee
    .text:009D9F41 ; Indirect call: the destination comes from memory reached through the object,
    .text:009D9F41 ; not from a constant. NOTE(review): esp is not adjusted afterwards and pop esi
    .text:009D9F41 ; follows on both paths, so the callee presumably removes the four arguments.
    .text:009D9F41 call    edx  <----------------------- THIS IS A PACKET PARSE FUNCION CALL
    .text:009D9F43
    .text:009D9F43 loc_9D9F43:                             ; CODE XREF: sub_9D9EE0+25j
    .text:009D9F43 mov     ecx, [ebp+var_C]
    .text:009D9F46 mov     large fs:0, ecx                 ; restore the fs:0 head saved in the prologue
    .text:009D9F4D pop     esi
    .text:009D9F4E mov     esp, ebp
    .text:009D9F50 pop     ebp
    .text:009D9F51 retn
    .text:009D9F51 sub_9D9EE0 endp

    for example, mail packets are dispatched to

    Code:
    .text:00654C00 ; int __usercall sub_654C00<eax>(int a1<eax>, int a2<ecx>, int a3<ebx>, int a4<edi>, int a5<esi>, int a6, unsigned int a7, int a8, frame_hz *_v24)
    .text:00654C00 sub_654C00 proc near                    ; DATA XREF: .rdata:0112AAFCo
    .text:00654C00                                         ; .rdata:0112ABCCo ...
    .text:00654C00
    .text:00654C00 var_C0= dword ptr -0C0h
    .text:00654C00 var_BC= dword ptr -0BCh
    .text:00654C00 var_B8= dword ptr -0B8h
    .text:00654C00 var_B0= dword ptr -0B0h
    .text:00654C00 var_AC= dword ptr -0ACh
    .text:00654C00 var_A8= dword ptr -0A8h
    .text:00654C00 var_A4= dword ptr -0A4h
    .text:00654C00 var_A0= dword ptr -0A0h
    .text:00654C00 var_9C= dword ptr -9Ch
    .text:00654C00 var_98= dword ptr -98h
    .text:00654C00 var_94= dword ptr -94h
    .text:00654C00 var_8C= dword ptr -8Ch
    .text:00654C00 var_84= dword ptr -84h
    .text:00654C00 var_7C= dword ptr -7Ch
    .text:00654C00 var_74= dword ptr -74h
    .text:00654C00 var_6C= dword ptr -6Ch
    .text:00654C00 var_64= dword ptr -64h
    .text:00654C00 var_5C= dword ptr -5Ch
    .text:00654C00 var_54= dword ptr -54h
    .text:00654C00 Dst= dword ptr -4Ch
    .text:00654C00 var_3C= dword ptr -3Ch
    .text:00654C00 var_38= dword ptr -38h
    .text:00654C00 var_34= dword ptr -34h
    .text:00654C00 var_30= dword ptr -30h
    .text:00654C00 var_2C= dword ptr -2Ch
    .text:00654C00 var_28= dword ptr -28h
    .text:00654C00 var_24= dword ptr -24h
    .text:00654C00 var_20= dword ptr -20h
    .text:00654C00 var_1C= dword ptr -1Ch
    .text:00654C00 var_18= dword ptr -18h
    .text:00654C00 var_14= dword ptr -14h
    .text:00654C00 var_10= dword ptr -10h
    .text:00654C00 var_C= dword ptr -0Ch
    .text:00654C00 var_4= dword ptr -4
    .text:00654C00 arg_0= dword ptr  8
    .text:00654C00 arg_4= dword ptr  0Ch
    .text:00654C00 arg_8= dword ptr  10h
    .text:00654C00 _v24= dword ptr  14h
    .text:00654C00
    .text:00654C00 push    ebp
    .text:00654C01 mov     ebp, esp
    .text:00654C03 push    0FFFFFFFFh
    .text:00654C05 push    offset SEH_654C00
    .text:00654C0A mov     eax, large fs:0
    .text:00654C10 push    eax
    .text:00654C11 mov     large fs:0, esp
    .text:00654C18 sub     esp, 0B4h
    .text:00654C1E push    ebx
    .text:00654C1F push    esi
    .text:00654C20 push    edi
    .text:00654C21 mov     [ebp+var_10], esp
    .text:00654C24 mov     esi, ecx
    .text:00654C26 mov     [ebp+var_1C], esi
    .text:00654C29 xor     ebx, ebx
    .text:00654C2B mov     [ebp+var_4], ebx
    .text:00654C2E mov     eax, [ebp+arg_4]
    .text:00654C31 cmp     eax, 4C8A105Dh
    .text:00654C36 ja      loc_65510D
    .text:00654C3C jz      loc_655024
    .text:00654C42 cmp     eax, 3BAE5D45h
    .text:00654C47 ja      loc_654F49
    .text:00654C4D jz      loc_654E7F
    .text:00654C53 cmp     eax, 1837678h
    .text:00654C58 jz      loc_654DBB
    .text:00654C5E cmp     eax, 152D0441h
    .text:00654C63 jnz     loc_65542D
    .text:00654C69 mov     [ebp+var_3C], ebx
    .text:00654C6C mov     [ebp+var_38], ebx
    .text:00654C6F mov     [ebp+var_34], ebx
    .text:00654C72 mov     eax, offset word_132616C
    .text:00654C77 mov     [ebp+var_3C], eax
    .text:00654C7A mov     [ebp+var_38], eax
    .text:00654C7D mov     [ebp+var_34], (offset word_132616C+1)
    .text:00654C84 mov     byte ptr [ebp+var_4], 0Dh
    .text:00654C88 lea     ecx, [ebp+Dst]
    .text:00654C8B call    sub_4C09A0
    .text:00654C90 mov     byte ptr [ebp+var_4], 0Eh
    .text:00654C94 mov     byte ptr [ebp+var_4], 0Fh
    .text:00654C98 lea     eax, [ebp+var_24]
    .text:00654C9B push    eax
    .text:00654C9C mov     edi, [ebp+_v24]
    .text:00654C9F mov     ecx, edi
    .text:00654CA1 call    FrameRead_QWORD_thiscall
    .text:00654CA6 lea     ecx, [ebp+var_3C]
    .text:00654CA9 push    ecx
    .text:00654CAA push    edi
    .text:00654CAB call    sub_64B880
    .text:00654CB0 lea     edx, [ebp+Dst]
    .text:00654CB3 push    edx                             ; int
    .text:00654CB4 push    edi                             ; Size
    .text:00654CB5 call    sub_64D730
    .text:00654CBA add     esp, 10h
    .text:00654CBD lea     eax, [ebp+var_2C]
    .text:00654CC0 push    eax
    .text:00654CC1 mov     ecx, edi
    .text:00654CC3 call    FrameRead_QWORD_thiscall
    .text:00654CC8 mov     ecx, edi
    .text:00654CCA call    FrameRead_CheckReadFull_thiscall
    .text:00654CCF mov     [ebp+var_4], 0Eh
    .text:00654CD6 push    ecx
    .text:00654CD7 mov     ecx, esp
    .text:00654CD9 mov     [ebp+_v24], esp
    .text:00654CDC lea     edx, [ebp+arg_0]
    .text:00654CDF push    edx
    .text:00654CE0 call    sub_63FED0
    .text:00654CE5 mov     byte ptr [ebp+var_4], 13h
    .text:00654CE9 mov     byte ptr [ebp+var_4], 0Eh
    .text:00654CED lea     ecx, [ebp+var_18]
    .text:00654CF0 call    sub_A6DD00
    .text:00654CF5 mov     byte ptr [ebp+var_4], 14h
    .text:00654CF9 lea     ecx, [esi+0Ch]
    .text:00654CFC mov     eax, [ecx]
    .text:00654CFE mov     edx, [ebp+var_28]
    .text:00654D01 push    edx
    .text:00654D02 mov     edx, [ebp+var_2C]
    .text:00654D05 push    edx
    .text:00654D06 lea     edx, [ebp+Dst]
    .text:00654D09 push    edx
    .text:00654D0A lea     edx, [ebp+var_3C]
    .text:00654D0D push    edx
    .text:00654D0E mov     edx, [ebp+var_20]
    .text:00654D11 push    edx
    .text:00654D12 mov     edx, [ebp+var_24]
    .text:00654D15 push    edx
    .text:00654D16 lea     edx, [ebp+var_18]
    .text:00654D19 push    edx
    .text:00654D1A mov     eax, [eax+8]
    .text:00654D1D call    eax
    .text:00654D1F mov     byte ptr [ebp+var_4], 0Eh
    .text:00654D23 lea     ecx, [ebp+var_18]
    .text:00654D26 call    sub_646770
    .text:00654D2B mov     byte ptr [ebp+var_4], 0Dh
    .text:00654D2F lea     ecx, [ebp+Dst]
    .text:00654D32 call    sub_64D620
    .text:00654D37 mov     byte ptr [ebp+var_4], bl
    .text:00654D3A lea     ecx, [ebp+var_3C]
    .text:00654D3D call    sub_470C00
    .text:00654D42 jmp     loc_65557C
    .text:00654D47 ; ---------------------------------------------------------------------------
    .text:00654D47
    .text:00654D47 loc_654D47:                             ; DATA XREF: .rdata:01263E3Co
    .text:00654D47 push    0                               ; int
    .text:00654D49 push    offset aMessagetext             ; "MessageText"
    .text:00654D4E lea     ecx, [ebp+var_54]               ; void *
    .text:00654D51 call    sub_47AF60
    .text:00654D56 mov     bl, 11h
    .text:00654D58 mov     byte ptr [ebp+var_4], bl
    .text:00654D5B mov     ecx, [ebp+var_9C]
    .text:00654D61 push    ecx
    .text:00654D62 lea     edx, [ebp+var_54]
    .text:00654D65 push    edx
    .text:00654D66 push    ecx
    .text:00654D67 mov     ecx, esp
    .text:00654D69 mov     [ebp+_v24], esp
    .text:00654D6C lea     eax, [ebp+arg_0]
    .text:00654D6F push    eax
    .text:00654D70 call    sub_63FED0
    .text:00654D75 mov     byte ptr [ebp+var_4], 12h
    .text:00654D79 mov     byte ptr [ebp+var_4], bl
    .text:00654D7C mov     ecx, [ebp+var_1C]
    .text:00654D7F call    sub_9B3150
    .text:00654D84 mov     byte ptr [ebp+var_4], 10h
    .text:00654D88 lea     ecx, [ebp+var_54]
    .text:00654D8B call    sub_97D120
    .text:00654D90 mov     [ebp+var_4], 0Eh
    .text:00654D97 mov     eax, offset loc_654D9D
    .text:00654D9C retn
    .text:00654D9D ; ---------------------------------------------------------------------------
    .text:00654D9D
    .text:00654D9D loc_654D9D:                             ; DATA XREF: sub_654C00+197o
    .text:00654D9D mov     byte ptr [ebp+var_4], 0Dh
    .text:00654DA1 lea     ecx, [ebp+Dst]
    .text:00654DA4 call    sub_64D620
    .text:00654DA9 xor     ebx, ebx
    .text:00654DAB mov     byte ptr [ebp+var_4], bl
    .text:00654DAE lea     ecx, [ebp+var_3C]
    .text:00654DB1 call    sub_470C00
    .text:00654DB6 jmp     loc_65557C
    .text:00654DBB ; ---------------------------------------------------------------------------
    .text:00654DBB
    .text:00654DBB loc_654DBB:                             ; CODE XREF: sub_654C00+58j
    .text:00654DBB mov     byte ptr [ebp+var_4], 7
    .text:00654DBF lea     ecx, [ebp+arg_4]
    .text:00654DC2 push    ecx
    .text:00654DC3 mov     edi, [ebp+_v24]
    .text:00654DC6 mov     ecx, edi
    .text:00654DC8 call    FrameRead_BYTE_thiscall
    .text:00654DCD mov     ecx, edi
    .text:00654DCF call    FrameRead_CheckReadFull_thiscall
    .text:00654DD4 mov     [ebp+var_4], ebx
    .text:00654DD7 push    ecx
    .text:00654DD8 mov     ecx, esp
    .text:00654DDA mov     [ebp+_v24], esp
    .text:00654DDD lea     edx, [ebp+arg_0]
    .text:00654DE0 push    edx
    .text:00654DE1 call    sub_63FED0
    .text:00654DE6 mov     byte ptr [ebp+var_4], 0Bh
    .text:00654DEA mov     byte ptr [ebp+var_4], bl
    .text:00654DED lea     ecx, [ebp+var_18]
    .text:00654DF0 call    sub_A6DD00
    .text:00654DF5 mov     byte ptr [ebp+var_4], 0Ch
    .text:00654DF9 lea     ecx, [esi+0Ch]
    .text:00654DFC mov     eax, [ecx]
    .text:00654DFE mov     edx, [ebp+arg_4]
    .text:00654E01 push    edx
    .text:00654E02 lea     edx, [ebp+var_18]
    .text:00654E05 push    edx
    .text:00654E06 mov     eax, [eax+4]
    .text:00654E09 call    eax
    .text:00654E0B mov     byte ptr [ebp+var_4], bl
    .text:00654E0E lea     ecx, [ebp+var_18]
    .text:00654E11 call    sub_646770
    .text:00654E16 jmp     loc_65557C
    .text:00654E1B ; ---------------------------------------------------------------------------
    .text:00654E1B
    .text:00654E1B loc_654E1B:                             ; DATA XREF: .rdata:01263E2Co
    .text:00654E1B xor     ebx, ebx
    .text:00654E1D push    ebx                             ; int
    .text:00654E1E push    offset aSetmailboxinte          ; "SetMailboxInteraction"
    .text:00654E23 lea     ecx, [ebp+var_7C]               ; void *
    .text:00654E26 call    sub_47AF60
    .text:00654E2B mov     byte ptr [ebp+var_4], 9
    .text:00654E2F mov     ecx, [ebp+var_A8]
    .text:00654E35 push    ecx
    .text:00654E36 lea     edx, [ebp+var_7C]
    .text:00654E39 push    edx
    .text:00654E3A push    ecx
    .text:00654E3B mov     ecx, esp
    .text:00654E3D mov     [ebp+_v24], esp
    .text:00654E40 lea     eax, [ebp+arg_0]
    .text:00654E43 push    eax
    .text:00654E44 call    sub_63FED0
    .text:00654E49 mov     byte ptr [ebp+var_4], 0Ah
    .text:00654E4D mov     byte ptr [ebp+var_4], 9
    .text:00654E51 mov     ecx, [ebp+var_1C]
    .text:00654E54 call    sub_9B3150
    .text:00654E59 mov     byte ptr [ebp+var_4], 8
    .text:00654E5D lea     ecx, [ebp+var_7C]
    .text:00654E60 call    sub_97D120
    .text:00654E65 mov     [ebp+var_4], ebx
    .text:00654E68 mov     eax, offset loc_654E6E
    .text:00654E6D retn
    .text:00654E6E ; ---------------------------------------------------------------------------
    .text:00654E6E
    .text:00654E6E loc_654E6E:                             ; DATA XREF: sub_654C00+268o
    .text:00654E6E                                         ; sub_654C00+343o ...
    .text:00654E6E mov     [ebp+var_4], 0FFFFFFFFh
    .text:00654E75 mov     eax, [ebp+arg_0]
    .text:00654E78 test    eax, eax
    .text:00654E7A jmp     loc_655588
    .text:00654E7F ; ---------------------------------------------------------------------------
    .text:00654E7F
    .text:00654E7F loc_654E7F:                             ; CODE XREF: sub_654C00+4Dj
    .text:00654E7F mov     byte ptr [ebp+var_4], 2Eh
    .text:00654E83 lea     ecx, [ebp+var_24]
    .text:00654E86 push    ecx
    .text:00654E87 mov     edi, [ebp+_v24]
    .text:00654E8A mov     ecx, edi
    .text:00654E8C call    FrameRead_QWORD_thiscall
    .text:00654E91 lea     edx, [ebp+var_18]
    .text:00654E94 push    edx
    .text:00654E95 mov     ecx, edi
    .text:00654E97 call    FrameRead_QWORD_thiscall
    .text:00654E9C mov     ecx, edi
    .text:00654E9E call    FrameRead_CheckReadFull_thiscall
    .text:00654EA3 mov     [ebp+var_4], ebx
    .text:00654EA6 push    ecx
    .text:00654EA7 mov     ecx, esp
    .text:00654EA9 mov     [ebp+_v24], esp
    .text:00654EAC lea     eax, [ebp+arg_0]
    .text:00654EAF push    eax
    .text:00654EB0 call    sub_63FED0
    .text:00654EB5 mov     byte ptr [ebp+var_4], 32h
    .text:00654EB9 mov     byte ptr [ebp+var_4], bl
    .text:00654EBC lea     ecx, [ebp+var_2C]
    .text:00654EBF call    sub_A6DD00
    .text:00654EC4 mov     byte ptr [ebp+var_4], 33h
    .text:00654EC8 lea     ecx, [esi+0Ch]
    .text:00654ECB mov     edx, [ecx]
    .text:00654ECD mov     eax, [ebp+var_14]
    .text:00654ED0 push    eax
    .text:00654ED1 mov     eax, [ebp+var_18]
    .text:00654ED4 push    eax
    .text:00654ED5 mov     eax, [ebp+var_20]
    .text:00654ED8 push    eax
    .text:00654ED9 mov     eax, [ebp+var_24]
    .text:00654EDC push    eax
    .text:00654EDD lea     eax, [ebp+var_2C]
    .text:00654EE0 push    eax
    .text:00654EE1 mov     edx, [edx+1Ch]
    .text:00654EE4 call    edx
    .text:00654EE6 mov     byte ptr [ebp+var_4], bl
    .text:00654EE9 lea     ecx, [ebp+var_2C]
    .text:00654EEC call    sub_646770
    .text:00654EF1 jmp     loc_65557C
    .text:00654EF6 ; ---------------------------------------------------------------------------
    .text:00654EF6
    .text:00654EF6 loc_654EF6:                             ; DATA XREF: .rdata:01263E8Co
    .text:00654EF6 xor     ebx, ebx
    .text:00654EF8 push    ebx                             ; int
    .text:00654EF9 push    offset aPaycodresponse          ; "PayCODResponse"
    .text:00654EFE lea     ecx, [ebp+var_5C]               ; void *
    .text:00654F01 call    sub_47AF60
    .text:00654F06 mov     byte ptr [ebp+var_4], 30h
    .text:00654F0A mov     eax, [ebp+var_BC]
    .text:00654F10 push    eax
    .text:00654F11 lea     ecx, [ebp+var_5C]
    .text:00654F14 push    ecx
    .text:00654F15 push    ecx
    .text:00654F16 mov     ecx, esp
    .text:00654F18 mov     [ebp+_v24], esp
    .text:00654F1B lea     edx, [ebp+arg_0]
    .text:00654F1E push    edx
    .text:00654F1F call    sub_63FED0
    .text:00654F24 mov     byte ptr [ebp+var_4], 31h
    .text:00654F28 mov     byte ptr [ebp+var_4], 30h
    .text:00654F2C mov     ecx, [ebp+var_1C]
    .text:00654F2F call    sub_9B3150
    .text:00654F34 mov     byte ptr [ebp+var_4], 2Fh
    .text:00654F38 lea     ecx, [ebp+var_5C]
    .text:00654F3B call    sub_97D120
    .text:00654F40 mov     [ebp+var_4], ebx
    .text:00654F43 mov     eax, offset loc_654E6E
    .text:00654F48 retn
    .text:00654F49 ; ---------------------------------------------------------------------------
    .text:00654F49
    .text:00654F49 loc_654F49:                             ; CODE XREF: sub_654C00+47j
    .text:00654F49 cmp     eax, 4AA61E6Bh
    .text:00654F4E jnz     loc_65542D
    .text:00654F54 mov     byte ptr [ebp+var_4], 1
    .text:00654F58 lea     eax, [ebp+var_28]
    .text:00654F5B push    eax
    .text:00654F5C mov     edi, [ebp+_v24]
    .text:00654F5F mov     ecx, edi
    .text:00654F61 call    FrameRead_DWORD_thiscall
    .text:00654F66 lea     ecx, [ebp+arg_8]
    .text:00654F69 push    ecx
    .text:00654F6A mov     ecx, edi
    .text:00654F6C call    FrameRead_DWORD_thiscall
    .text:00654F71 lea     edx, [ebp+arg_4]
    .text:00654F74 push    edx
    .text:00654F75 mov     ecx, edi
    .text:00654F77 call    FrameRead_BYTE_thiscall
    .text:00654F7C mov     ecx, edi
    .text:00654F7E call    FrameRead_CheckReadFull_thiscall
    .text:00654F83 mov     [ebp+var_4], ebx
    .text:00654F86 push    ecx
    .text:00654F87 mov     ecx, esp
    .text:00654F89 mov     [ebp+_v24], esp
    .text:00654F8C lea     eax, [ebp+arg_0]
    .text:00654F8F push    eax
    .text:00654F90 call    sub_63FED0
    .text:00654F95 mov     byte ptr [ebp+var_4], 5
    .text:00654F99 mov     byte ptr [ebp+var_4], bl
    .text:00654F9C lea     ecx, [ebp+var_18]
    .text:00654F9F call    sub_A6DD00
    .text:00654FA4 mov     byte ptr [ebp+var_4], 6
    .text:00654FA8 lea     ecx, [esi+0Ch]
    .text:00654FAB mov     edx, [ecx]
    .text:00654FAD mov     eax, [ebp+arg_4]
    .text:00654FB0 push    eax
    .text:00654FB1 mov     eax, [ebp+arg_8]
    .text:00654FB4 push    eax
    .text:00654FB5 mov     eax, [ebp+var_28]
    .text:00654FB8 push    eax
    .text:00654FB9 lea     eax, [ebp+var_18]
    .text:00654FBC push    eax
    .text:00654FBD mov     edx, [edx]
    .text:00654FBF call    edx
    .text:00654FC1 mov     byte ptr [ebp+var_4], bl
    .text:00654FC4 lea     ecx, [ebp+var_18]
    .text:00654FC7 call    sub_646770
    .text:00654FCC jmp     loc_65557C
    .text:00654FD1 ; ---------------------------------------------------------------------------
    .text:00654FD1
    .text:00654FD1 loc_654FD1:                             ; DATA XREF: .rdata:01263E1Co
    .text:00654FD1 xor     ebx, ebx
    .text:00654FD3 push    ebx                             ; int
    .text:00654FD4 push    offset aHasmail                 ; "HasMail"
    .text:00654FD9 lea     ecx, [ebp+var_64]               ; void *
    .text:00654FDC call    sub_47AF60
    .text:00654FE1 mov     byte ptr [ebp+var_4], 3
    .text:00654FE5 mov     eax, [ebp+var_B0]
    .text:00654FEB push    eax
    .text:00654FEC lea     ecx, [ebp+var_64]
    .text:00654FEF push    ecx
    .text:00654FF0 push    ecx
    .text:00654FF1 mov     ecx, esp
    .text:00654FF3 mov     [ebp+_v24], esp
    .text:00654FF6 lea     edx, [ebp+arg_0]
    .text:00654FF9 push    edx
    .text:00654FFA call    sub_63FED0
    .text:00654FFF mov     byte ptr [ebp+var_4], 4
    .text:00655003 mov     byte ptr [ebp+var_4], 3
    .text:00655007 mov     ecx, [ebp+var_1C]
    .text:0065500A call    sub_9B3150
    .text:0065500F mov     byte ptr [ebp+var_4], 2
    .text:00655013 lea     ecx, [ebp+var_64]
    .text:00655016 call    sub_97D120
    .text:0065501B mov     [ebp+var_4], ebx
    .text:0065501E mov     eax, offset loc_654E6E
    .text:00655023 retn
    .text:00655024 ; ---------------------------------------------------------------------------
    .text:00655024
    .text:00655024 loc_655024:                             ; CODE XREF: sub_654C00+3Cj
    .text:00655024 mov     byte ptr [ebp+var_4], 28h
    .text:00655028 lea     eax, [ebp+var_2C]
    .text:0065502B push    eax
    .text:0065502C mov     edi, [ebp+_v24]
    .text:0065502F mov     ecx, edi
    .text:00655031 call    FrameRead_QWORD_thiscall
    .text:00655036 lea     ecx, [ebp+var_24]
    .text:00655039 push    ecx
    .text:0065503A mov     ecx, edi
    .text:0065503C call    FrameRead_QWORD_thiscall
    .text:00655041 lea     edx, [ebp+var_18]
    .text:00655044 push    edx
    .text:00655045 mov     ecx, edi
    .text:00655047 call    FrameRead_QWORD_thiscall
    .text:0065504C mov     ecx, edi
    .text:0065504E call    FrameRead_CheckReadFull_thiscall
    .text:00655053 mov     [ebp+var_4], ebx
    .text:00655056 push    ecx
    .text:00655057 mov     [ebp+_v24], esp
    .text:0065505A mov     eax, esp
    .text:0065505C mov     ecx, [ebp+arg_0]
    .text:0065505F mov     [eax], ecx
    .text:00655061 mov     eax, [ebp+arg_0]
    .text:00655064 cmp     eax, ebx
    .text:00655066 jz      short loc_655071
    .text:00655068 push    eax
    .text:00655069 call    sub_9D30E0
    .text:0065506E add     esp, 4
    .text:00655071
    .text:00655071 loc_655071:                             ; CODE XREF: sub_654C00+466j
    .text:00655071 mov     byte ptr [ebp+var_4], 2Ch
    .text:00655075 mov     byte ptr [ebp+var_4], bl
    .text:00655078 lea     ecx, [ebp+var_34]
    .text:0065507B call    sub_A6DD00
    .text:00655080 mov     byte ptr [ebp+var_4], 2Dh
    .text:00655084 lea     ecx, [esi+0Ch]
    .text:00655087 mov     edx, [ecx]
    .text:00655089 mov     eax, [ebp+var_14]
    .text:0065508C push    eax
    .text:0065508D mov     eax, [ebp+var_18]
    .text:00655090 push    eax
    .text:00655091 mov     eax, [ebp+var_20]
    .text:00655094 push    eax
    .text:00655095 mov     eax, [ebp+var_24]
    .text:00655098 push    eax
    .text:00655099 mov     eax, [ebp+var_28]
    .text:0065509C push    eax
    .text:0065509D mov     eax, [ebp+var_2C]
    .text:006550A0 push    eax
    .text:006550A1 lea     eax, [ebp+var_34]
    .text:006550A4 push    eax
    .text:006550A5 mov     edx, [edx+18h]
    .text:006550A8 call    edx
    .text:006550AA mov     byte ptr [ebp+var_4], bl
    .text:006550AD lea     ecx, [ebp+var_34]
    .text:006550B0 call    sub_646770
    .text:006550B5 jmp     loc_65557C
    .text:006550BA ; ---------------------------------------------------------------------------
    .text:006550BA
    .text:006550BA loc_6550BA:                             ; DATA XREF: .rdata:01263E7Co
    .text:006550BA xor     ebx, ebx
    .text:006550BC push    ebx                             ; int
    .text:006550BD push    offset aCreateresponse          ; "CreateResponse"
    .text:006550C2 lea     ecx, [ebp+var_6C]               ; void *
    .text:006550C5 call    sub_47AF60
    .text:006550CA mov     byte ptr [ebp+var_4], 2Ah
    .text:006550CE mov     eax, [ebp+var_C0]
    .text:006550D4 push    eax
    .text:006550D5 lea     ecx, [ebp+var_6C]
    .text:006550D8 push    ecx
    .text:006550D9 push    ecx
    .text:006550DA mov     ecx, esp
    .text:006550DC mov     [ebp+_v24], esp
    .text:006550DF lea     edx, [ebp+arg_0]
    .text:006550E2 push    edx
    .text:006550E3 call    sub_63FED0
    .text:006550E8 mov     byte ptr [ebp+var_4], 2Bh
    .text:006550EC mov     byte ptr [ebp+var_4], 2Ah
    .text:006550F0 mov     ecx, [ebp+var_1C]
    .text:006550F3 call    sub_9B3150
    .text:006550F8 mov     byte ptr [ebp+var_4], 29h
    .text:006550FC lea     ecx, [ebp+var_6C]
    .text:006550FF call    sub_97D120
    .text:00655104 mov     [ebp+var_4], ebx
    .text:00655107 mov     eax, offset loc_654E6E
    .text:0065510C retn
    .text:0065510D ; ---------------------------------------------------------------------------
    .text:0065510D
    .text:0065510D loc_65510D:                             ; CODE XREF: sub_654C00+36j
    .text:0065510D cmp     eax, 9AB6AF86h
    .text:00655112 ja      loc_655426
    .text:00655118 jz      loc_6552D1
    .text:0065511E cmp     eax, 7D7EC34Ch
    .text:00655123 jz      loc_6551FE
    .text:00655129 cmp     eax, 8F8D4F73h
    .text:0065512E jnz     loc_65542D
    .text:00655134 mov     byte ptr [ebp+var_4], 15h
    .text:00655138 lea     eax, [ebp+var_18]
    .text:0065513B push    eax
    .text:0065513C mov     edi, [ebp+_v24]
    .text:0065513F mov     ecx, edi
    .text:00655141 call    FrameRead_QWORD_thiscall
    .text:00655146 lea     ecx, [ebp+var_34]
    .text:00655149 push    ecx
    .text:0065514A mov     ecx, edi
    .text:0065514C call    FrameRead_QWORD_thiscall
    .text:00655151 mov     ecx, edi
    .text:00655153 call    FrameRead_CheckReadFull_thiscall
    .text:00655158 mov     [ebp+var_4], ebx
    .text:0065515B push    ecx
    .text:0065515C mov     ecx, esp
    .text:0065515E mov     [ebp+_v24], esp
    .text:00655161 lea     edx, [ebp+arg_0]
    .text:00655164 push    edx
    .text:00655165 call    sub_63FED0
    .text:0065516A mov     byte ptr [ebp+var_4], 19h
    .text:0065516E mov     byte ptr [ebp+var_4], bl
    .text:00655171 lea     ecx, [ebp+var_24]
    .text:00655174 call    sub_A6DD00
    .text:00655179 mov     byte ptr [ebp+var_4], 1Ah
    .text:0065517D lea     ecx, [esi+0Ch]
    .text:00655180 mov     eax, [ecx]
    .text:00655182 mov     edx, [ebp+var_30]
    .text:00655185 push    edx
    .text:00655186 mov     edx, [ebp+var_34]
    .text:00655189 push    edx
    .text:0065518A mov     edx, [ebp+var_14]
    .text:0065518D push    edx
    .text:0065518E mov     edx, [ebp+var_18]
    .text:00655191 push    edx
    .text:00655192 lea     edx, [ebp+var_24]
    .text:00655195 push    edx
    .text:00655196 mov     eax, [eax+0Ch]
    .text:00655199 call    eax
    .text:0065519B mov     byte ptr [ebp+var_4], bl
    .text:0065519E lea     ecx, [ebp+var_24]
    .text:006551A1 call    sub_646770
    .text:006551A6 jmp     loc_65557C
    .text:006551AB ; ---------------------------------------------------------------------------
    .text:006551AB
    .text:006551AB loc_6551AB:                             ; DATA XREF: .rdata:01263E4Co
    .text:006551AB xor     ebx, ebx
    .text:006551AD push    ebx                             ; int
    .text:006551AE push    offset aMessagetextfai          ; "MessageTextFailure"
    .text:006551B3 lea     ecx, [ebp+var_74]               ; void *
    .text:006551B6 call    sub_47AF60
    .text:006551BB mov     byte ptr [ebp+var_4], 17h
    .text:006551BF mov     ecx, [ebp+var_AC]
    .text:006551C5 push    ecx
    .text:006551C6 lea     edx, [ebp+var_74]
    .text:006551C9 push    edx
    .text:006551CA push    ecx
    .text:006551CB mov     ecx, esp
    .text:006551CD mov     [ebp+_v24], esp
    .text:006551D0 lea     eax, [ebp+arg_0]
    .text:006551D3 push    eax
    .text:006551D4 call    sub_63FED0
    .text:006551D9 mov     byte ptr [ebp+var_4], 18h
    .text:006551DD mov     byte ptr [ebp+var_4], 17h
    .text:006551E1 mov     ecx, [ebp+var_1C]
    .text:006551E4 call    sub_9B3150
    .text:006551E9 mov     byte ptr [ebp+var_4], 16h
    .text:006551ED lea     ecx, [ebp+var_74]
    .text:006551F0 call    sub_97D120
    .text:006551F5 mov     [ebp+var_4], ebx
    .text:006551F8 mov     eax, offset loc_654E6E
    .text:006551FD retn
    .text:006551FE ; ---------------------------------------------------------------------------
    .text:006551FE
    .text:006551FE loc_6551FE:                             ; CODE XREF: sub_654C00+523j
    .text:006551FE mov     byte ptr [ebp+var_4], 22h
    .text:00655202 lea     ecx, [ebp+var_18]
    .text:00655205 push    ecx
    .text:00655206 mov     edi, [ebp+_v24]
    .text:00655209 mov     ecx, edi
    .text:0065520B call    FrameRead_QWORD_thiscall
    .text:00655210 lea     edx, [ebp+var_34]
    .text:00655213 push    edx
    .text:00655214 mov     ecx, edi
    .text:00655216 call    FrameRead_QWORD_thiscall
    .text:0065521B mov     ecx, edi
    .text:0065521D call    FrameRead_CheckReadFull_thiscall
    .text:00655222 mov     [ebp+var_4], ebx
    .text:00655225 push    ecx
    .text:00655226 mov     ecx, esp
    .text:00655228 mov     [ebp+_v24], esp
    .text:0065522B lea     eax, [ebp+arg_0]
    .text:0065522E push    eax
    .text:0065522F call    sub_63FED0
    .text:00655234 mov     byte ptr [ebp+var_4], 26h
    .text:00655238 mov     byte ptr [ebp+var_4], bl
    .text:0065523B lea     ecx, [ebp+var_24]
    .text:0065523E call    sub_A6DD00
    .text:00655243 mov     byte ptr [ebp+var_4], 27h
    .text:00655247 lea     ecx, [esi+0Ch]
    .text:0065524A mov     edx, [ecx]
    .text:0065524C mov     eax, [ebp+var_30]
    .text:0065524F push    eax
    .text:00655250 mov     eax, [ebp+var_34]
    .text:00655253 push    eax
    .text:00655254 mov     eax, [ebp+var_14]
    .text:00655257 push    eax
    .text:00655258 mov     eax, [ebp+var_18]
    .text:0065525B push    eax
    .text:0065525C lea     eax, [ebp+var_24]
    .text:0065525F push    eax
    .text:00655260 mov     edx, [edx+14h]
    .text:00655263 call    edx
    .text:00655265 mov     byte ptr [ebp+var_4], bl
    .text:00655268 lea     ecx, [ebp+var_24]
    .text:0065526B call    sub_646770
    .text:00655270 jmp     loc_65557C
    .text:00655275 ; ---------------------------------------------------------------------------
    .text:00655275
    .text:00655275 loc_655275:                             ; DATA XREF: .rdata:01263E6Co
    .text:00655275 xor     ebx, ebx
    .text:00655277 push    ebx                             ; int
    .text:00655278 push    offset aDeleteresponse          ; "DeleteResponse"
    .text:0065527D lea     ecx, [ebp+var_84]               ; void *
    .text:00655283 call    sub_47AF60
    .text:00655288 mov     byte ptr [ebp+var_4], 24h
    .text:0065528C mov     eax, [ebp+var_98]
    .text:00655292 push    eax
    .text:00655293 lea     ecx, [ebp+var_84]
    .text:00655299 push    ecx
    .text:0065529A push    ecx
    .text:0065529B mov     ecx, esp
    .text:0065529D mov     [ebp+_v24], esp
    .text:006552A0 lea     edx, [ebp+arg_0]
    .text:006552A3 push    edx
    .text:006552A4 call    sub_63FED0
    .text:006552A9 mov     byte ptr [ebp+var_4], 25h
    .text:006552AD mov     byte ptr [ebp+var_4], 24h
    .text:006552B1 mov     ecx, [ebp+var_1C]
    .text:006552B4 call    sub_9B3150
    .text:006552B9 mov     byte ptr [ebp+var_4], 23h
    .text:006552BD lea     ecx, [ebp+var_84]
    .text:006552C3 call    sub_97D120
    .text:006552C8 mov     [ebp+var_4], ebx
    .text:006552CB mov     eax, offset loc_654E6E
    .text:006552D0 retn
    .text:006552D1 ; ---------------------------------------------------------------------------
    .text:006552D1
    .text:006552D1 loc_6552D1:                             ; CODE XREF: sub_654C00+518j
    .text:006552D1 lea     ecx, [ebp+Dst]
    .text:006552D4 call    sub_4C09A0
    .text:006552D9 mov     byte ptr [ebp+var_4], 34h
    .text:006552DD mov     byte ptr [ebp+var_4], 35h
    .text:006552E1 lea     eax, [ebp+var_24]
    .text:006552E4 push    eax
    .text:006552E5 mov     edi, [ebp+_v24]
    .text:006552E8 mov     ecx, edi
    .text:006552EA call    FrameRead_QWORD_thiscall
    .text:006552EF lea     ecx, [ebp+_v24]
    .text:006552F2 push    ecx
    .text:006552F3 mov     ecx, edi
    .text:006552F5 call    FrameRead_DWORD_thiscall
    .text:006552FA mov     edx, [ebp+_v24]
    .text:006552FD push    edx
    .text:006552FE lea     ecx, [ebp+Dst]
    .text:00655301 call    sub_655790
    .text:00655306 mov     eax, [ebp+_v24]
    .text:00655309 lea     ecx, ds:0[eax*8]
    .text:00655310 push    ecx                             ; Size
    .text:00655311 mov     edx, [ebp+Dst]
    .text:00655314 push    edx                             ; Dst
    .text:00655315 mov     ecx, edi
    .text:00655317 call    FrameRead_BUFF_thiscall
    .text:0065531C lea     eax, [ebp+var_18]
    .text:0065531F push    eax
    .text:00655320 mov     ecx, edi
    .text:00655322 call    FrameRead_QWORD_thiscall
    .text:00655327 lea     ecx, [ebp+var_34]
    .text:0065532A push    ecx
    .text:0065532B mov     ecx, edi
    .text:0065532D call    FrameRead_QWORD_thiscall
    .text:00655332 mov     ecx, edi
    .text:00655334 call    FrameRead_CheckReadFull_thiscall
    .text:00655339 mov     [ebp+var_4], 34h
    .text:00655340 push    ecx
    .text:00655341 mov     [ebp+_v24], esp
    .text:00655344 mov     eax, esp
    .text:00655346 mov     edx, [ebp+arg_0]
    .text:00655349 mov     [eax], edx
    .text:0065534B mov     eax, [ebp+arg_0]
    .text:0065534E cmp     eax, ebx
    .text:00655350 jz      short loc_65535B
    .text:00655352 push    eax
    .text:00655353 call    sub_9D30E0
    .text:00655358 add     esp, 4
    .text:0065535B
    .text:0065535B loc_65535B:                             ; CODE XREF: sub_654C00+750j
    .text:0065535B mov     byte ptr [ebp+var_4], 39h
    .text:0065535F mov     byte ptr [ebp+var_4], 34h
    .text:00655363 lea     ecx, [ebp+var_2C]
    .text:00655366 call    sub_A6DD00
    .text:0065536B mov     byte ptr [ebp+var_4], 3Ah
    .text:0065536F lea     ecx, [esi+0Ch]
    .text:00655372 mov     eax, [ecx]
    .text:00655374 mov     edx, [ebp+var_30]
    .text:00655377 push    edx
    .text:00655378 mov     edx, [ebp+var_34]
    .text:0065537B push    edx
    .text:0065537C mov     edx, [ebp+var_14]
    .text:0065537F push    edx
    .text:00655380 mov     edx, [ebp+var_18]
    .text:00655383 push    edx
    .text:00655384 lea     edx, [ebp+Dst]
    .text:00655387 push    edx
    .text:00655388 mov     edx, [ebp+var_20]
    .text:0065538B push    edx
    .text:0065538C mov     edx, [ebp+var_24]
    .text:0065538F push    edx
    .text:00655390 lea     edx, [ebp+var_2C]
    .text:00655393 push    edx
    .text:00655394 mov     eax, [eax+20h]
    .text:00655397 call    eax
    .text:00655399 mov     byte ptr [ebp+var_4], 34h
    .text:0065539D lea     ecx, [ebp+var_2C]
    .text:006553A0 call    sub_646770
    .text:006553A5 mov     byte ptr [ebp+var_4], bl
    .text:006553A8 lea     ecx, [ebp+Dst]
    .text:006553AB call    sub_424770
    .text:006553B0 jmp     loc_65557C
    .text:006553B5 ; ---------------------------------------------------------------------------
    .text:006553B5
    .text:006553B5 loc_6553B5:                             ; DATA XREF: .rdata:01263E9Co
    .text:006553B5 push    0                               ; int
    .text:006553B7 push    offset aExtractattachm          ; "ExtractAttachmentsResponse"
    .text:006553BC lea     ecx, [ebp+var_94]               ; void *
    .text:006553C2 call    sub_47AF60
    .text:006553C7 mov     bl, 37h
    .text:006553C9 mov     byte ptr [ebp+var_4], bl
    .text:006553CC mov     ecx, [ebp+var_A0]
    .text:006553D2 push    ecx
    .text:006553D3 lea     edx, [ebp+var_94]
    .text:006553D9 push    edx
    .text:006553DA push    ecx
    .text:006553DB mov     ecx, esp
    .text:006553DD mov     [ebp+_v24], esp
    .text:006553E0 lea     eax, [ebp+arg_0]
    .text:006553E3 push    eax
    .text:006553E4 call    sub_63FED0
    .text:006553E9 mov     byte ptr [ebp+var_4], 38h
    .text:006553ED mov     byte ptr [ebp+var_4], bl
    .text:006553F0 mov     ecx, [ebp+var_1C]
    .text:006553F3 call    sub_9B3150
    .text:006553F8 mov     byte ptr [ebp+var_4], 36h
    .text:006553FC lea     ecx, [ebp+var_94]
    .text:00655402 call    sub_97D120
    .text:00655407 mov     [ebp+var_4], 34h
    .text:0065540E mov     eax, offset loc_655414
    .text:00655413 retn
    .text:00655414 ; ---------------------------------------------------------------------------
    .text:00655414
    .text:00655414 loc_655414:                             ; DATA XREF: sub_654C00+80Eo
    .text:00655414 xor     ebx, ebx
    .text:00655416 mov     byte ptr [ebp+var_4], bl
    .text:00655419 lea     ecx, [ebp+Dst]
    .text:0065541C call    sub_424770
    .text:00655421 jmp     loc_65557C
    .text:00655426 ; ---------------------------------------------------------------------------
    .text:00655426
    .text:00655426 loc_655426:                             ; CODE XREF: sub_654C00+512j
    .text:00655426 cmp     eax, 0C4F01C82h
    .text:0065542B jz      short loc_655487
    .text:0065542D
    .text:0065542D loc_65542D:                             ; CODE XREF: sub_654C00+63j
    .text:0065542D                                         ; sub_654C00+34Ej ...
    .text:0065542D mov     ecx, [ebp+_v24]
    .text:00655430 push    ecx
    .text:00655431 mov     edx, [ebp+arg_8]
    .text:00655434 push    edx
    .text:00655435 push    eax
    .text:00655436 push    ecx
    .text:00655437 mov     [ebp+_v24], esp
    .text:0065543A mov     eax, esp
    .text:0065543C mov     ecx, [ebp+arg_0]
    .text:0065543F mov     [eax], ecx
    .text:00655441 mov     eax, [ebp+arg_0]
    .text:00655444 cmp     eax, ebx
    .text:00655446 jz      short loc_655451
    .text:00655448 push    eax
    .text:00655449 call    sub_9D30E0
    .text:0065544E add     esp, 4
    .text:00655451
    .text:00655451 loc_655451:                             ; CODE XREF: sub_654C00+846j
    .text:00655451 mov     byte ptr [ebp+var_4], 3Bh
    .text:00655455 lea     edx, [ebp+var_B8]
    .text:0065545B push    edx
    .text:0065545C mov     byte ptr [ebp+var_4], bl
    .text:0065545F mov     ecx, esi
    .text:00655461 call    sub_9B3420
    .text:00655466 mov     byte ptr [ebp+var_4], 3Ch
    .text:0065546A mov     edx, [esi]
    .text:0065546C push    eax
    .text:0065546D mov     ecx, esi
    .text:0065546F mov     eax, [edx+1Ch]
    .text:00655472 call    eax
    .text:00655474 mov     byte ptr [ebp+var_4], bl
    .text:00655477 lea     ecx, [ebp+var_B8]
    .text:0065547D call    sub_97D120
    .text:00655482 jmp     loc_65557C
    .text:00655487 ; ---------------------------------------------------------------------------
    .text:00655487
    .text:00655487 loc_655487:                             ; CODE XREF: sub_654C00+82Bj
    .text:00655487 lea     ecx, [ebp+Dst]
    .text:0065548A push    ecx
    .text:0065548B call    sub_763D10
    .text:00655490 mov     byte ptr [ebp+var_4], 1Bh
    .text:00655494 mov     byte ptr [ebp+var_4], 1Ch
    .text:00655498 mov     edx, [ebp+arg_0]
    .text:0065549B push    edx
    .text:0065549C mov     edi, [ebp+_v24]
    .text:0065549F push    edi
    .text:006554A0 lea     ecx, [ebp+Dst]
    .text:006554A3 call    sub_655630
    .text:006554A8 add     esp, 8
    .text:006554AB mov     ecx, edi
    .text:006554AD call    FrameRead_CheckReadFull_thiscall
    .text:006554B2 mov     [ebp+var_4], 1Bh
    .text:006554B9 push    ecx
    .text:006554BA mov     [ebp+_v24], esp
    .text:006554BD mov     eax, esp
    .text:006554BF mov     ecx, [ebp+arg_0]
    .text:006554C2 mov     [eax], ecx
    .text:006554C4 mov     eax, [ebp+arg_0]
    .text:006554C7 cmp     eax, ebx
    .text:006554C9 jz      short loc_6554D4
    .text:006554CB push    eax
    .text:006554CC call    sub_9D30E0
    .text:006554D1 add     esp, 4
    .text:006554D4
    .text:006554D4 loc_6554D4:                             ; CODE XREF: sub_654C00+8C9j
    .text:006554D4 mov     byte ptr [ebp+var_4], 20h
    .text:006554D8 mov     byte ptr [ebp+var_4], 1Bh
    .text:006554DC lea     ecx, [ebp+var_34]
    .text:006554DF call    sub_A6DD00
    .text:006554E4 mov     byte ptr [ebp+var_4], 21h
    .text:006554E8 lea     ecx, [esi+0Ch]
    .text:006554EB mov     edx, [ecx]
    .text:006554ED lea     eax, [ebp+Dst]
    .text:006554F0 push    eax
    .text:006554F1 lea     eax, [ebp+var_34]
    .text:006554F4 push    eax
    .text:006554F5 mov     edx, [edx+10h]
    .text:006554F8 call    edx
    .text:006554FA mov     byte ptr [ebp+var_4], 1Bh
    .text:006554FE lea     ecx, [ebp+var_34]
    .text:00655501 call    sub_646770
    .text:00655506 mov     byte ptr [ebp+var_4], bl
    .text:00655509 lea     eax, [ebp+Dst]
    .text:0065550C push    eax
    .text:0065550D jmp     short loc_655577
    .text:0065550F ; ---------------------------------------------------------------------------
    .text:0065550F
    .text:0065550F loc_65550F:                             ; DATA XREF: .rdata:01263E5Co
    .text:0065550F push    0                               ; int
    .text:00655511 push    offset aMessageenvelop          ; "MessageEnvelopes"
    .text:00655516 lea     ecx, [ebp+var_8C]               ; void *
    .text:0065551C call    sub_47AF60
    .text:00655521 mov     bl, 1Eh
    .text:00655523 mov     byte ptr [ebp+var_4], bl
    .text:00655526 mov     ecx, [ebp+var_A4]
    .text:0065552C push    ecx
    .text:0065552D lea     edx, [ebp+var_8C]
    .text:00655533 push    edx
    .text:00655534 push    ecx
    .text:00655535 mov     ecx, esp
    .text:00655537 mov     [ebp+_v24], esp
    .text:0065553A lea     eax, [ebp+arg_0]
    .text:0065553D push    eax
    .text:0065553E call    sub_63FED0
    .text:00655543 mov     byte ptr [ebp+var_4], 1Fh
    .text:00655547 mov     byte ptr [ebp+var_4], bl
    .text:0065554A mov     ecx, [ebp+var_1C]
    .text:0065554D call    sub_9B3150
    .text:00655552 mov     byte ptr [ebp+var_4], 1Dh
    .text:00655556 lea     ecx, [ebp+var_8C]
    .text:0065555C call    sub_97D120
    .text:00655561 mov     [ebp+var_4], 1Bh
    .text:00655568 mov     eax, offset loc_65556E
    .text:0065556D retn
    .text:0065556E ; ---------------------------------------------------------------------------
    .text:0065556E
    .text:0065556E loc_65556E:                             ; DATA XREF: sub_654C00+968o
    .text:0065556E xor     ebx, ebx
    .text:00655570 mov     byte ptr [ebp+var_4], bl
    .text:00655573 lea     ecx, [ebp+Dst]
    .text:00655576 push    ecx
    .text:00655577
    .text:00655577 loc_655577:                             ; CODE XREF: sub_654C00+90Dj
    .text:00655577 call    sub_6555B0
    .text:0065557C
    .text:0065557C loc_65557C:                             ; CODE XREF: sub_654C00+142j
    .text:0065557C                                         ; sub_654C00+1B6j ...
    .text:0065557C mov     [ebp+var_4], 0FFFFFFFFh
    .text:00655583 mov     eax, [ebp+arg_0]
    .text:00655586 cmp     eax, ebx
    .text:00655588
    .text:00655588 loc_655588:                             ; CODE XREF: sub_654C00+27Aj
    .text:00655588 jz      short loc_655593
    .text:0065558A push    eax
    .text:0065558B call    sub_9D30F0
    .text:00655590 add     esp, 4
    .text:00655593
    .text:00655593 loc_655593:                             ; CODE XREF: sub_654C00:loc_655588j
    .text:00655593 mov     ecx, [ebp+var_C]
    .text:00655596 mov     large fs:0, ecx
    .text:0065559D pop     edi
    .text:0065559E pop     esi
    .text:0065559F pop     ebx
    .text:006555A0 mov     esp, ebp
    .text:006555A2 pop     ebp
    .text:006555A3 retn    10h
    .text:006555A3 sub_654C00 endp
    Opcodes look like 0x01837678 (f*ck da blizzies with their Cata packet opcode randomization, and everyone who copied this "feature").

    That function is where they are parsed.

    For example, a freshly captured 0x01837678 packet:

    Code:
            if ( a7 == 0x1837678 )
            {
              LOBYTE(v90) = 7;
              v14 = arg_frame;
              FrameRead_BYTE_thiscall(arg_frame, (BYTE *)&a7);
              FrameRead_CheckReadFull_thiscall(v14);
    ... the packet holds only one byte, and in my example that byte is "0x01"

    It is then routed to the handler for the parsed packet (two calls deep):

    Code:
    .text:007088B0 ; Attributes: bp-based frame
    .text:007088B0 ; Mailbox availability notifier: arg_0 != 0 takes the "OnMailboxAvailable" path, arg_0 == 0 the "OnMailboxUnavailable" path.
    .text:007088B0 sub_7088B0 proc near                    ; DATA XREF: .rdata:01136920o
    .text:007088B0 ; One 4-byte stack argument, removed by the callee (retn 4). Does nothing unless dword_147B69C and dword_147B698 are both non-zero.
    .text:007088B0 var_C= dword ptr -0Ch                   ; slot holding the previous fs:0 value, restored at loc_7089E1
    .text:007088B0 var_4= dword ptr -4                     ; slot set to 0 / 1 / 0FFFFFFFFh around the sub_5C7000 calls (looks like an SEH state index - confirm)
    .text:007088B0 arg_0= byte ptr  8                      ; flag byte; the code only compares it with 0
    .text:007088B0 ; Per the surrounding post the flag is the single payload byte of opcode 0x1837678, i.e. it arrives from the network.
    .text:007088B0 push    ebp
    .text:007088B1 mov     ebp, esp
    .text:007088B3 and     esp, 0FFFFFFF8h                 ; round esp down to an 8-byte boundary
    .text:007088B6 push    0FFFFFFFFh                      ; initial value of the var_4 slot
    .text:007088B8 push    offset SEH_7088B0               ; handler address of the new exception registration record
    .text:007088BD mov     eax, large fs:0                 ; current head of the SEH chain
    .text:007088C3 push    eax
    .text:007088C4 mov     large fs:0, esp                 ; link the record just built in as the new head
    .text:007088CB push    ecx                             ; one extra dword below the record; never read back in this function
    .text:007088CC mov     eax, dword_147B69C
    .text:007088D1 test    eax, eax
    .text:007088D3 jz      loc_7089E1                      ; first global pointer is NULL -> skip to the epilogue
    .text:007088D9 cmp     dword_147B698, 0
    .text:007088E0 jz      loc_7089E1                      ; second global is zero -> skip to the epilogue
    .text:007088E6 cmp     [ebp+arg_0], 0                  ; any non-zero byte selects the "available" path
    .text:007088EA jz      short loc_708964
    .text:007088EC mov     ecx, 1
    .text:007088F1 test    byte ptr dword_14857AC, cl      ; bit 0 set = "available" lookup already cached
    .text:007088F7 jnz     short loc_708940
    .text:007088F9 or      dword_14857AC, ecx              ; mark as cached before the lookup runs
    .text:007088FF mov     [esp+10h+var_4], 0
    .text:00708907 push    offset aOnmailboxavail          ; "OnMailboxAvailable"
    .text:0070890C call    sub_5C7000                      ; result in eax is stored to dword_14857A8 below
    .text:00708911 mov     ecx, dword_147B69C
    .text:00708917 add     esp, 4                          ; caller removes the string argument
    .text:0070891A test    ecx, ecx
    .text:0070891C jz      short loc_708928                ; NULL stays NULL (no adjustment)
    .text:0070891E mov     edx, [ecx+4]
    .text:00708921 mov     edx, [edx+4]
    .text:00708924 lea     ecx, [edx+ecx+4]                ; ecx = obj + 4 + *(*(obj+4) + 4): pointer adjusted by an offset read through obj+4
    .text:00708928
    .text:00708928 loc_708928:                             ; CODE XREF: sub_7088B0+6Cj
    .text:00708928 mov     dword_14857A4, ecx              ; cache the adjusted pointer (or 0) ...
    .text:0070892E mov     dword_14857A8, eax              ; ... next to the sub_5C7000 result
    .text:00708933 mov     [esp+10h+var_4], 0FFFFFFFFh
    .text:0070893B mov     eax, dword_147B69C              ; reload: eax was overwritten by the call result
    .text:00708940
    .text:00708940 loc_708940:                             ; CODE XREF: sub_7088B0+47j
    .text:00708940 mov     ecx, [eax+4]
    .text:00708943 mov     ecx, [ecx+4]
    .text:00708946 mov     edx, dword_147B698
    .text:0070894C add     edx, 48h                        ; stack argument = dword_147B698 + 48h
    .text:0070894F lea     ecx, [ecx+eax+4]                ; same pointer adjustment as above; result is passed in ecx
    .text:00708953 mov     eax, [ecx]                      ; first dword of the adjusted object, used as a function table
    .text:00708955 push    0
    .text:00708957 push    edx
    .text:00708958 mov     edx, [eax+6Ch]
    .text:0070895B call    edx                             ; indirect call through table slot +6Ch
    .text:0070895D mov     ecx, offset dword_14857A4       ; ecx = address of the cached "available" pair
    .text:00708962 jmp     short loc_7089DA
    .text:00708964 ; ---------------------------------------------------------------------------
    .text:00708964 ; arg_0 == 0: same sequence with bit 1, "OnMailboxUnavailable" and the dword_148579C / dword_14857A0 pair
    .text:00708964 loc_708964:                             ; CODE XREF: sub_7088B0+3Aj
    .text:00708964 mov     ecx, 2
    .text:00708969 test    byte ptr dword_14857AC, cl      ; bit 1 set = "unavailable" lookup already cached
    .text:0070896F jnz     short loc_7089B8
    .text:00708971 or      dword_14857AC, ecx
    .text:00708977 mov     [esp+10h+var_4], 1
    .text:0070897F push    offset aOnmailboxunava          ; "OnMailboxUnavailable"
    .text:00708984 call    sub_5C7000
    .text:00708989 mov     ecx, dword_147B69C
    .text:0070898F add     esp, 4
    .text:00708992 test    ecx, ecx
    .text:00708994 jz      short loc_7089A0
    .text:00708996 mov     edx, [ecx+4]
    .text:00708999 mov     edx, [edx+4]
    .text:0070899C lea     ecx, [edx+ecx+4]                ; same pointer adjustment as in the "available" path
    .text:007089A0
    .text:007089A0 loc_7089A0:                             ; CODE XREF: sub_7088B0+E4j
    .text:007089A0 mov     dword_148579C, ecx
    .text:007089A6 mov     dword_14857A0, eax
    .text:007089AB mov     [esp+10h+var_4], 0FFFFFFFFh
    .text:007089B3 mov     eax, dword_147B69C
    .text:007089B8
    .text:007089B8 loc_7089B8:                             ; CODE XREF: sub_7088B0+BFj
    .text:007089B8 mov     ecx, [eax+4]
    .text:007089BB mov     ecx, [ecx+4]
    .text:007089BE mov     edx, dword_147B698
    .text:007089C4 add     edx, 48h
    .text:007089C7 lea     ecx, [ecx+eax+4]
    .text:007089CB mov     eax, [ecx]
    .text:007089CD push    0
    .text:007089CF push    edx
    .text:007089D0 mov     edx, [eax+6Ch]
    .text:007089D3 call    edx                             ; same table slot +6Ch as in the "available" path
    .text:007089D5 mov     ecx, offset dword_148579C       ; ecx = address of the cached "unavailable" pair
    .text:007089DA
    .text:007089DA loc_7089DA:                             ; CODE XREF: sub_7088B0+B2j
    .text:007089DA push    edx                             ; edx and eax exactly as the indirect call left them
    .text:007089DB push    eax
    .text:007089DC call    sub_6D9A60                      ; ecx still holds the address of the pair selected above
    .text:007089E1
    .text:007089E1 loc_7089E1:                             ; CODE XREF: sub_7088B0+23j
    .text:007089E1                                         ; sub_7088B0+30j
    .text:007089E1 mov     ecx, [esp+10h+var_C]
    .text:007089E5 mov     large fs:0, ecx                 ; unlink this frame: put the previous SEH head back
    .text:007089EC mov     esp, ebp
    .text:007089EE pop     ebp
    .text:007089EF retn    4                               ; callee removes the 4-byte argument
    .text:007089EF sub_7088B0 endp
    or in IDA "pseudocode" view

    Code:
    /*
     * Decompiler view of sub_7088B0 (same function as the listing above).
     * a1 != 0 -> "OnMailboxAvailable" path, a1 == 0 -> "OnMailboxUnavailable" path;
     * nothing happens unless dword_147B69C and dword_147B698 are both non-zero.
     * Bits 0 and 1 of dword_14857AC record that the respective sub_5C7000 lookup
     * has already run, so each string is looked up once and the result cached.
     *
     * NOTE(review): v5 is never assigned here. In the disassembly the value pushed
     * in that position is EDX as left by the indirect call, so v4/v5 may be the two
     * halves of one 64-bit return value - confirm before relying on this prototype.
     * NOTE(review): the disassembly pushes 0 right before the indirect call; the
     * decompiler attributes it to sub_6D9A60 (v8) instead. Which callee consumes it
     * depends on stack cleanup that is not visible on this page.
     */
    int __stdcall sub_7088B0(char a1)
    {
      int result; // eax@1
      int v2; // eax@5
      int v3; // ecx@5
      int v4; // eax@8
      int v5; // edx@8
      int v6; // eax@10
      int v7; // ecx@10
      int v8; // [sp-4h] [bp-14h]@8
    
      result = dword_147B69C;
      if ( dword_147B69C && dword_147B698 )
      {
        if ( a1 )
        {
          if ( !(dword_14857AC & 1) )
          {
            dword_14857AC |= 1u;
            v2 = sub_5C7000(L"OnMailboxAvailable");
            v3 = dword_147B69C;
            // pointer adjusted by an offset read through (object + 4); NULL is left as NULL
            if ( dword_147B69C )
              v3 = *(_DWORD *)(*(_DWORD *)(dword_147B69C + 4) + 4) + dword_147B69C + 4;
            dword_14857A4 = v3;
            dword_14857A8 = v2;
            result = dword_147B69C;
          }
          v8 = 0;
          // indirect call through slot +108 (6Ch) of the adjusted object's table, argument dword_147B698 + 72 (48h)
          v4 = (*(int (__stdcall **)(int))(*(_DWORD *)(*(_DWORD *)(*(_DWORD *)(result + 4) + 4) + result + 4) + 108))(dword_147B698 + 72);
        }
        else
        {
          if ( !(dword_14857AC & 2) )
          {
            dword_14857AC |= 2u;
            v6 = sub_5C7000(L"OnMailboxUnavailable");
            v7 = dword_147B69C;
            if ( dword_147B69C )
              v7 = *(_DWORD *)(*(_DWORD *)(dword_147B69C + 4) + 4) + dword_147B69C + 4;
            dword_148579C = v7;
            dword_14857A0 = v6;
            result = dword_147B69C;
          }
          v8 = 0;
          // same indirect call as in the a1 != 0 branch
          v4 = (*(int (__stdcall **)(int))(*(_DWORD *)(*(_DWORD *)(*(_DWORD *)(result + 4) + 4) + result + 4) + 108))(dword_147B698 + 72);
        }
        // the disassembly also loads ECX with the address of the cached pair for the taken branch; that is not shown in this prototype
        result = sub_6D9A60(v4, v5, v8);
      }
      return result;
    }

    It looks like "OnMailboxAvailable" and "OnMailboxUnavailable" are event handler names or something like that.
    Our captured byte is the first argument of this function, so the OnMailboxAvailable branch will be executed.

    That all fits: this example packet was received just after clicking the mailbox.




    The next mail packet has the opcode 0xC4F01C82.
    It has a quite complicated structure and is parsed in nested function calls like

    Code:
    /*
     * Decompiler view of the list parser called from the 0xC4F01C82 branch of
     * sub_654C00 (loc_655487 in the listing above).
     * Reads a 32-bit record count from the frame a3, then for each record reads a
     * header (sub_6546B0), a string, a QWORD and a WORD, and hands the record to
     * sub_6558D0 together with the container a2. Returns a3.
     *
     * NOTE(review): the count and the string lengths come from the received frame.
     * No range check is visible in this function; whether the FrameRead_* helpers
     * or sub_655800 bound them cannot be told from this page. A re-implementation
     * of this parser should check the count against the bytes left in the frame
     * before sizing any container.
     * NOTE(review): v10/v11/v12 sit at bp-0Ch/-8/-4 and receive a1, a function
     * address and -1, which has the shape of the exception registration record
     * built in the disassembled prologues on this page; a1 is then probably the
     * old fs:0 value rather than a real parameter - confirm in the disassembly.
     * NOTE(review): v7/v8/v9 lie 68h/78h/80h bytes above v6, directly after the
     * range sub_6546B0 fills (up to offset 96), so they are probably further fields
     * of the same record rather than separate locals.
     */
    frame_hz *__usercall sub_655630<eax>(int a1<eax>, int a2<ecx>, frame_hz *a3)
    {
      int v3; // edi@1
      unsigned int v5; // [sp+0h] [bp-9Ch]@1
      char v6; // [sp+4h] [bp-98h]@2
      char v7; // [sp+6Ch] [bp-30h]@2
      char v8; // [sp+7Ch] [bp-20h]@2
      char v9; // [sp+84h] [bp-18h]@2
      int v10; // [sp+90h] [bp-Ch]@1
      int (*v11)(); // [sp+94h] [bp-8h]@1
      int v12; // [sp+98h] [bp-4h]@1
    
      v12 = -1;
      v11 = sub_FDDC4D;
      v10 = a1;
      v3 = a2;
      sub_655960(a2);                                  // called on the container before parsing; presumably resets it - confirm
      FrameRead_DWORD_thiscall(a3, (DWORD *)&v5);      // v5 = record count, taken from the frame
      sub_655800(v3, v5);                              // count passed on unchanged; presumably a reserve/resize - confirm
      for ( ; v5; --v5 )                               // one iteration per announced record
      {
        sub_654750(&v6);                               // set up the temporary record
        v12 = 0;
        sub_6546B0((int)&v6, a3);                      // header fields, offsets 0..96 of the record
        // last two arguments look like a minimum/maximum length; 0..0xFFFFFFFF would mean no effective limit - confirm in the helper
        FrameRead_OStringConstrainedSz_thiscall(a3, (int)&v7, 0, 0xFFFFFFFFu);
        FrameRead_QWORD_thiscall(a3, (int)&v8);
        FrameRead_WORD_thiscall_2(a3, (int)&v9);
        sub_6558D0((int)&v6, v3, *(_DWORD *)(v3 + 4)); // record, container and the dword at container+4; presumably an insert at that position
        v12 = -1;
        sub_655720(&v6);                               // tear down the temporary record
      }
      return a3;
    }
    
    
    /*
     * Decompiler view of the per-record header reader used by sub_655630.
     * Reads the fields below from frame a2, in this order, into the record at a1,
     * and returns a2. Record offsets as written by this function:
     *     0  QWORD
     *     8  WORD from the frame, stored widened to a DWORD
     *    16  QWORD
     *    24  QWORD
     *    32  string
     *    48  string
     *    64  QWORD
     *    72  QWORD
     *    80  QWORD
     *    88  QWORD
     *    96  BYTE
     * The meaning of the individual fields is not established anywhere on this page.
     * NOTE(review): both string reads pass 0 and 0xFFFFFFFF as what look like the
     * length bounds, i.e. no effective upper limit at this call site - confirm in
     * FrameRead_OStringConstrainedSz_thiscall.
     */
    frame_hz *__usercall sub_6546B0<eax>(int a1<eax>, frame_hz *a2<esi>)
    {
      int v2; // edi@1
      unsigned __int16 v4; // [sp+4h] [bp-4h]@1
    
      v2 = a1;
      FrameRead_QWORD_thiscall(a2, a1);                // offset 0
      FrameRead_WORD_thiscall_2(a2, (int)&v4);         // 16-bit value read into a local first ...
      *(_DWORD *)(v2 + 8) = v4;                        // ... then zero-extended into the 32-bit field at offset 8
      FrameRead_QWORD_thiscall(a2, v2 + 16);
      FrameRead_QWORD_thiscall(a2, v2 + 24);
      FrameRead_OStringConstrainedSz_thiscall(a2, v2 + 32, 0, 0xFFFFFFFFu);
      FrameRead_OStringConstrainedSz_thiscall(a2, v2 + 48, 0, 0xFFFFFFFFu);
      FrameRead_QWORD_thiscall(a2, v2 + 64);
      FrameRead_QWORD_thiscall(a2, v2 + 72);
      FrameRead_QWORD_thiscall(a2, v2 + 80);
      FrameRead_QWORD_thiscall(a2, v2 + 88);
      FrameRead_BYTE_thiscall(a2, (BYTE *)(v2 + 96));  // last header field
      return a2;
    }
    and its path goes through

    Code:
    .text:00708F10 push    ebp
    .text:00708F11 mov     ebp, esp
    .text:00708F13 and     esp, 0FFFFFFF8h
    .text:00708F16 mov     eax, large fs:0
    .text:00708F1C push    0FFFFFFFFh
    .text:00708F1E push    offset sub_100BD79
    .text:00708F23 push    eax
    .text:00708F24 mov     large fs:0, esp
    .text:00708F2B sub     esp, 0C0h
    .text:00708F31 cmp     dword_147B69C, 0
    .text:00708F38 push    ebx
    .text:00708F39 push    esi
    .text:00708F3A push    edi
    .text:00708F3B jz      loc_709465
    .text:00708F41 cmp     dword_147B698, 0
    .text:00708F48 jz      loc_709465
    .text:00708F4E test    byte ptr dword_1485798, 1
    .text:00708F55 jnz     short loc_708FA0
    .text:00708F57 or      dword_1485798, 1
    .text:00708F5E mov     [esp+0D8h+var_4], 0
    .text:00708F69 push    offset aOnmailheaders           ; "OnMailHeaders"
    .text:00708F6E call    sub_5C7000
    .text:00708F73 mov     ecx, dword_147B69C

    So I think all other packets are routed in the same way, and their handler functions can be hooked to extract the received data.
    Alternatively, the parser functions can be hooked, and the frame data can be dumped and parsed by hand.

    -----------

    Also, about anti-debugging:
    there are two functions that catch "int 3" and "int 1" breakpoints, so they must be disabled before any experiments.

  3. #33
    Corporal
    text:009D9F2C mov [ebp+var_4], 0
    .text:009D9F33 mov eax, [esi]
    .text:009D9F35 mov [ebp+var_4], 0FFFFFFFFh
    .text:009D9F3C mov edx, [eax+18h]
    .text:009D9F3F mov ecx, esi
    .text:009D9F41 call edx <----------------------- THIS IS A PACKET PARSE FUNCION CALL
    .text:009D9F43
    This is the method of ObjectSurrogateEventConnectionPDU class.
    There are two methods:
    offset sub_9DAD50 - destructor
    offset sub_9D9EE0 - EventHandler


    Other classes ObjectSurrogateEventConnectionOpen, ..., ObjectSurrogateEventReconfigure, ObjectSurrogateEventConnectionPing, ObjectSurrogateEventConnectionStatus, ...

  4. #34
    Contributor
    Any updates on this? Perhaps a link to the community?

  5. #35
    Master Sergeant yamashi12's Avatar
    We have reasons to think that Bioware is trying to access our forums so there will be no public link.

  6. #36
    Member
    I think that sooner or later you have to put a link because otherwise we will do as players who want to play for free to have a benefit from this server emulator that you are creating

  7. #37
    Banned
    I think that sooner or later you have to put a link
    he just said they will not be sharing the link.. and since its his website, he doesn't HAVE to do anything...

  8. #38
    Corporal
    I think that sooner or later you have to put a link because otherwise we will do as players who want to play for free to have a benefit from this server emulator that you are creating
    It is very stupid to start a game server next to the source code repository...

  9. #39
    Contributor
    Sent you a PM asking for the link. I will not post it here!

  10. #40
    Sergeant Major drudmaster's Avatar
    I suppose we won't see a fullblown emulator for a very long time, even without the quest mechanics. But at least some work's being done.

  11. #41
    Corporal
    At this moment swtor.exe can connect to my shardlist/lastshard server, login to my login-server(from shards list) and redirects to game-server.
    Game-server fully emulates packets for initialization of main objects(biomon, tracker, gameobject, worldobject, auction, chat, mail, timerequester) and character selection stage(from sniffer-dumps).
    But I think some packets must be changed in the character selection packet sequence, because I don't see the CharacterSelect screen. I have no swtor account for new sniffs, so if anyone can help - welcome.

  12. #42
    Master Sergeant
    I can provide with as many keys as you need for the game. and My knowledge and my research. If I may ask how have you got the packets decrypted?

    you can add me on skype "the1domo"
    or on msn at domo@willsmithh4x.info
    or my ts3 at 50.76.98.29

  13. #43
    Corporal
    As I understand it, my main problem is the packet SMSG_GAME_SYSTEM_ClientReplicationTransaction (0x34287945); PM me if anyone has any info about it.

  14. #44
    Corporal
    Quote Originally Posted by the1domo View Post
    I can provide with as many keys as you need for the game. and My knowledge and my research. If I may ask how have you got the packets decrypted?
    Do you research any sniffer dumps for swtor? First packet for login server(port 8995) - keys request. Second packet - RSA encrypted salsa keys for encryption and decryption. Third and other packets - encrypted with salsa encryption.
    Skip second packet and get keys from process memory.

  15. #45
    Master Sergeant
    Hello if I may ask what is the base address for those addresses

 

 