Using Hashed Passwords in Gunz

[Linear88]

Is it actually possible to encrypt passwords in dbo.Login to make them encrypted through SHA1?

I've been looking around and I've found the HashBytes function.

How do I make Gunz read the encrypted password?

I know it has to be related with some stored procedure and in MatchServer.

[MentaL]

[ThievingSix]

The only way I know of is to either hash the password as it goes out from Gunz or as it comes into matchserver. Either way you'll have to hook some packets.

[Linear88]

How do I do that?

[Solaire]

Either hook MatchLogin (clientsided) or the serversided login function (don't know it for sure). Make it sent the password, but hashed. Or make it hashed serversided.

[CobraCom]

The way is easy.

- PwInput() //* Remake the password into an md5 hash.

same on register pages. md($password).

Problem is finding it. I managed it once though, but I had to delete the logins on my db to re-design it.

[death4u2]

yea i wa thinking about that also.

offtopic: Cobra go to msn i think the forum got hacked.

[ThePhailure772]

Yes it is possible to hash the passwords sent.What everyone is saying is true, but you also have to edit the column value on the Login table.

[Linear88]

@Phail: I know the column value, its binary(20) for SHA1.

Found a piece of code from the runnable, any idea on what to do with it?

Spoiler:

0051E1B3 |. 68 B0396000 PUSH Gunz.006039B0 ; ASCII "Login Match Server"
0051E1B8 |. 68 A4396000 PUSH Gunz.006039A4 ; ASCII "Match.Login"
0051E1BD |. 68 E9030000 PUSH 3E9
0051E1C2 |. 8BC8 MOV ECX,EAX
0051E1C4 |. E8 E797FEFF CALL Gunz.005079B0
0051E1C9 |. 8BF8 MOV EDI,EAX
0051E1CB |. EB 02 JMP SHORT Gunz.0051E1CF
0051E1CD |> 33FF XOR EDI,EDI
0051E1CF |> 57 PUSH EDI ; /Arg1
0051E1D0 |. 8BCD MOV ECX,EBP ; |
0051E1D2 |. 897424 24 MOV DWORD PTR SS:[ESP+24],ESI ; |
0051E1D6 |. E8 C56DFFFF CALL Gunz.00514FA0 ; \Gunz.00514FA0
0051E1DB |. 6A 58 PUSH 58
0051E1DD |. E8 CD0D0B00 CALL Gunz.005CEFAF
0051E1E2 |. 83C4 04 ADD ESP,4
0051E1E5 |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
0051E1E9 |. 3BC3 CMP EAX,EBX
0051E1EB |. C74424 20 2B00>MOV DWORD PTR SS:[ESP+20],2B
0051E1F3 |. 74 10 JE SHORT Gunz.0051E205
0051E1F5 |. 68 9C396000 PUSH Gunz.0060399C ; ASCII "UserID"
0051E1FA |. 6A 04 PUSH 4
0051E1FC |. 8BC8 MOV ECX,EAX
0051E1FE |. E8 1D8DFEFF CALL Gunz.00506F20
0051E203 |. EB 02 JMP SHORT Gunz.0051E207
0051E205 |> 33C0 XOR EAX,EAX
0051E207 |> 50 PUSH EAX
0051E208 |. 8BCF MOV ECX,EDI
0051E20A |. 897424 24 MOV DWORD PTR SS:[ESP+24],ESI
0051E20E |. E8 8DA1FEFF CALL Gunz.005083A0
0051E213 |. 6A 58 PUSH 58
0051E215 |. E8 950D0B00 CALL Gunz.005CEFAF
0051E21A |. 83C4 04 ADD ESP,4
0051E21D |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
0051E221 |. 3BC3 CMP EAX,EBX
0051E223 |. C74424 20 2C00>MOV DWORD PTR SS:[ESP+20],2C
0051E22B |. 74 10 JE SHORT Gunz.0051E23D
0051E22D |. 68 90396000 PUSH Gunz.00603990 ; ASCII "Password"
0051E232 |. 6A 04 PUSH 4
0051E234 |. 8BC8 MOV ECX,EAX
0051E236 |. E8 E58CFEFF CALL Gunz.00506F20
0051E23B |. EB 02 JMP SHORT Gunz.0051E23F
0051E23D |> 33C0 XOR EAX,EAX
0051E23F |> 50 PUSH EAX
0051E240 |. 8BCF MOV ECX,EDI
0051E242 |. 897424 24 MOV DWORD PTR SS:[ESP+24],ESI
0051E246 |. E8 55A1FEFF CALL Gunz.005083A0
0051E24B |. 6A 58 PUSH 58
0051E24D |. E8 5D0D0B00 CALL Gunz.005CEFAF
0051E252 |. 83C4 04 ADD ESP,4
0051E255 |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
0051E259 |. 3BC3 CMP EAX,EBX
0051E25B |. C74424 20 2D00>MOV DWORD PTR SS:[ESP+20],2D
0051E263 |. 74 0F JE SHORT Gunz.0051E274
0051E265 |. 68 80396000 PUSH Gunz.00603980 ; ASCII "CommandVersion"
0051E26A |. 53 PUSH EBX
0051E26B |. 8BC8 MOV ECX,EAX
0051E26D |. E8 AE8CFEFF CALL Gunz.00506F20
0051E272 |. EB 02 JMP SHORT Gunz.0051E276
0051E274 |> 33C0 XOR EAX,EAX
0051E276 |> 50 PUSH EAX
0051E277 |. 8BCF MOV ECX,EDI
0051E279 |. 897424 24 MOV DWORD PTR SS:[ESP+24],ESI
0051E27D |. E8 1EA1FEFF CALL Gunz.005083A0
0051E282 |. 6A 58 PUSH 58
0051E284 |. E8 260D0B00 CALL Gunz.005CEFAF
0051E289 |. 83C4 04 ADD ESP,4
0051E28C |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
0051E290 |. 3BC3 CMP EAX,EBX
0051E292 |. C74424 20 2E00>MOV DWORD PTR SS:[ESP+20],2E
0051E29A |. 74 10 JE SHORT Gunz.0051E2AC
0051E29C |. 68 70396000 PUSH Gunz.00603970 ; ASCII "nChecksumPack"
0051E2A1 |. 6A 01 PUSH 1
0051E2A3 |. 8BC8 MOV ECX,EAX
0051E2A5 |. E8 768CFEFF CALL Gunz.00506F20
0051E2AA |. EB 02 JMP SHORT Gunz.0051E2AE
0051E2AC |> 33C0 XOR EAX,EAX
0051E2AE |> 50 PUSH EAX
0051E2AF |. 8BCF MOV ECX,EDI
0051E2B1 |. 897424 24 MOV DWORD PTR SS:[ESP+24],ESI
0051E2B5 |. E8 E6A0FEFF CALL Gunz.005083A0
0051E2BA |. 6A 58 PUSH 58
0051E2BC |. E8 EE0C0B00 CALL Gunz.005CEFAF
0051E2C1 |. 83C4 04 ADD ESP,4
0051E2C4 |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
0051E2C8 |. 3BC3 CMP EAX,EBX
0051E2CA |. C74424 20 2F00>MOV DWORD PTR SS:[ESP+20],2F
0051E2D2 |. 74 10 JE SHORT Gunz.0051E2E4
0051E2D4 |. 68 64396000 PUSH Gunz.00603964 ; ASCII "MD5Value"
0051E2D9 |. 6A 0A PUSH 0A
0051E2DB |. 8BC8 MOV ECX,EAX
0051E2DD |. E8 3E8CFEFF CALL Gunz.00506F20
0051E2E2 |. EB 02 JMP SHORT Gunz.0051E2E6
0051E2E4 |> 33C0 XOR EAX,EAX
0051E2E6 |> 50 PUSH EAX
0051E2E7 |. 8BCF MOV ECX,EDI
0051E2E9 |. 897424 24 MOV DWORD PTR SS:[ESP+24],ESI
0051E2ED |. E8 AEA0FEFF CALL Gunz.005083A0
0051E2F2 |. 68 1C020000 PUSH 21C
0051E2F7 |. E8 B30C0B00 CALL Gunz.005CEFAF
0051E2FC |. 83C4 04 ADD ESP,4
0051E2FF |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
0051E303 |. 3BC3 CMP EAX,EBX
0051E305 |. C74424 20 3000>MOV DWORD PTR SS:[ESP+20],30
0051E30D |. 74 1C JE SHORT Gunz.0051E32B
0051E30F |. 6A 01 PUSH 1
0051E311 |. 68 54396000 PUSH Gunz.00603954 ; ASCII "Response Login"
0051E316 |. 68 40396000 PUSH Gunz.00603940 ; ASCII "Match.ResponseLogin"
0051E31B |. 68 EA030000 PUSH 3EA
0051E320 |. 8BC8 MOV ECX,EAX
0051E322 |. E8 8996FEFF CALL Gunz.005079B0
0051E327 |. 8BF8 MOV EDI,EAX
0051E329 |. EB 02 JMP SHORT Gunz.0051E32D
0051E32B |> 33FF XOR EDI,EDI
0051E32D |> 57 PUSH EDI ; /Arg1
0051E32E |. 8BCD MOV ECX,EBP ; |
0051E330 |. 897424 24 MOV DWORD PTR SS:[ESP+24],ESI ; |
0051E334 |. E8 676CFFFF CALL Gunz.00514FA0 ; \Gunz.00514FA0

[ThePhailure772]

No, the column should be a varchar(128). Also, that's the packet id, you're in the networking protocol for GunZ. If you can do C++, I'll help you write a quick detour on login.

Since I had to reformat and needed to rewrite this...


MD5 Libraries: http://www.md5hashing.com/c++/

Code:

DWORD ZPostLoginAddr = 0x004C3E20;
CDetour ZPostLoginDet;

void __cdecl ZPostLoginHook ( char *szUserID, char *szPassword, DWORD dwVersion, DWORD dwFileList )
{
	md5wrapper md5;
	ZPostLoginDet.Ret ( false );
	ZPostLoginDet.Org ( szUserID, md5.getHashFromString ( szPassword ).c_str( ) , dwVersion , dwFileList );
}

Just use it with Lance Vorgin's detour class.

[ThievingSix]

Why the hell do you need a md5 library....just the build in windows function..

Code:

const
  ADVAPI32 = 'advapi32.dll';
  function CryptAcquireContext(phProv: PULONG; pszContainer: PAnsiChar; pszProvider: PAnsiChar; dwProvType: DWORD; dwFlags: DWORD): BOOL; stdcall; external ADVAPI32 name 'CryptAcquireContextA';
  function CryptCreateHash(hProv: ULONG; Algid: ULONG; hKey: ULONG; dwFlags: DWORD; phHash: PULONG): BOOL; stdcall; external ADVAPI32 name 'CryptCreateHash';
  function CryptHashData(hHash: ULONG; const pbData: PBYTE; dwDataLen: DWORD; dwFlags: DWORD): BOOL; stdcall; external ADVAPI32 name 'CryptHashData';
  function CryptGetHashParam(hHash: ULONG; dwParam: DWORD; pbData: PBYTE; pdwDataLen: PDWORD; dwFlags: DWORD): BOOL; stdcall; external ADVAPI32 name 'CryptGetHashParam';
  function CryptDestroyHash(hHash: ULONG): BOOL; stdcall; external ADVAPI32 name 'CryptDestroyHash';
  function CryptReleaseContext(hProv: ULONG; dwFlags: DWORD): BOOL; stdcall; external ADVAPI32 name 'CryptReleaseContext';

function MD5(const Input: String): String;
const
  HP_HASHVAL = $0002;
  PROV_RSA_FULL = 1;
  CRYPT_VERIFYCONTEXT = $F0000000;
  CRYPT_MACHINE_KEYSET = $00000020;
  ALG_CLASS_HASH = (4 SHL 13) ;
  ALG_TYPE_ANY = 0;
  ALG_SID_MD5 = 3;
  CALG_MD5 = (ALG_CLASS_HASH Or ALG_TYPE_ANY Or ALG_SID_MD5) ;
var
  hCryptProvider : ULONG;
  hHash : ULONG;
  bHash : Array[0..$7F] Of Byte;
  dwHashLen : DWORD;
  pbContent : PByte;
  cnt : Integer;
begin
  dwHashLen := 16;
  pbContent := Pointer(PChar(Input)) ;
  Result := '';
  If CryptAcquireContext(@hCryptProvider,nil,nil,PROV_RSA_FULL,CRYPT_VERIFYCONTEXT Or CRYPT_MACHINE_KEYSET) Then
    begin
    If CryptCreateHash(hCryptProvider,CALG_MD5,0,0,@hHash) Then
      begin
      If CryptHashData(hHash,pbContent,Length(Input),0) Then
        begin
        If CryptGetHashParam(hHash,HP_HASHVAL,@bHash[0],@dwHashLen,0) Then
          begin
          For cnt := 0 To dwHashLen - 1 Do
            begin
            Result := Result + Format('%.2x',[bHash[cnt]]) ;
          end;
        end;
      end;
      CryptDestroyHash(hHash) ;
    end;
    CryptReleaseContext(hCryptProvider, 0) ;
  end;
  Result := AnsiLowerCase(Result) ;
end;

[Linear88]

Found a code in OllyDbg.

Code:

Spoiler:

004C6A39 . E8 E2D3FFFF CALL Gunz.004C3E20
004C6A3E . 68 94555F00 PUSH Gunz.005F5594 ; ASCII "Login Posted"

To the CALL:

Spoiler:

004C3E20 /$ 6A FF PUSH -1
004C3E22 |. 68 4FB25D00 PUSH Gunz.005DB24F ; SE handler installation
004C3E27 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004C3E2D |. 50 PUSH EAX
004C3E2E |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
004C3E35 |. 51 PUSH ECX
004C3E36 |. 53 PUSH EBX
004C3E37 |. 55 PUSH EBP
004C3E38 |. 56 PUSH ESI
004C3E39 |. 57 PUSH EDI
004C3E3A |. 6A 10 PUSH 10
004C3E3C |. 6A 01 PUSH 1
004C3E3E |. E8 4D310700 CALL Gunz.00536F90
004C3E43 |. 6A 00 PUSH 0
004C3E45 |. 50 PUSH EAX
004C3E46 |. 894424 20 MOV DWORD PTR SS:[ESP+20],EAX
004C3E4A |. E8 81310700 CALL Gunz.00536FD0
004C3E4F |. 8B4C24 40 MOV ECX,DWORD PTR SS:[ESP+40]
004C3E53 |. 8B11 MOV EDX,DWORD PTR DS:[ECX]
004C3E55 |. 8910 MOV DWORD PTR DS:[EAX],EDX
004C3E57 |. 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4]
004C3E5A |. 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
004C3E5D |. 8B51 08 MOV EDX,DWORD PTR DS:[ECX+8]
004C3E60 |. 8950 08 MOV DWORD PTR DS:[EAX+8],EDX
004C3E63 |. 8B49 0C MOV ECX,DWORD PTR DS:[ECX+C]
004C3E66 |. 68 E9030000 PUSH 3E9
004C3E6B |. 8948 0C MOV DWORD PTR DS:[EAX+C],ECX
004C3E6E |. E8 EDFCFFFF CALL Gunz.004C3B60
004C3E73 |. 6A 0C PUSH 0C
004C3E75 |. 8BF0 MOV ESI,EAX
004C3E77 |. E8 33B11000 CALL Gunz.005CEFAF
004C3E7C |. 83C4 18 ADD ESP,18
004C3E7F |. 894424 30 MOV DWORD PTR SS:[ESP+30],EAX
004C3E83 |. 85C0 TEST EAX,EAX
004C3E85 |. C74424 1C 0000>MOV DWORD PTR SS:[ESP+1C],0
004C3E8D |. 74 0E JE SHORT Gunz.004C3E9D
004C3E8F |. 8B5424 24 MOV EDX,DWORD PTR SS:[ESP+24]
004C3E93 |. 52 PUSH EDX
004C3E94 |. 8BC8 MOV ECX,EAX
004C3E96 |. E8 351F0400 CALL Gunz.00505DD0
004C3E9B |. EB 02 JMP SHORT Gunz.004C3E9F
004C3E9D |> 33C0 XOR EAX,EAX
004C3E9F |> 83CF FF OR EDI,FFFFFFFF
004C3EA2 |. 50 PUSH EAX
004C3EA3 |. 8BCE MOV ECX,ESI
004C3EA5 |. 897C24 20 MOV DWORD PTR SS:[ESP+20],EDI
004C3EA9 |. E8 523D0400 CALL Gunz.00507C00
004C3EAE |. 6A 0C PUSH 0C
004C3EB0 |. E8 FAB01000 CALL Gunz.005CEFAF
004C3EB5 |. 83C4 04 ADD ESP,4
004C3EB8 |. 894424 30 MOV DWORD PTR SS:[ESP+30],EAX
004C3EBC |. 85C0 TEST EAX,EAX
004C3EBE |. C74424 1C 0100>MOV DWORD PTR SS:[ESP+1C],1
004C3EC6 |. 74 0E JE SHORT Gunz.004C3ED6
004C3EC8 |. 8B4C24 28 MOV ECX,DWORD PTR SS:[ESP+28]
004C3ECC |. 51 PUSH ECX
004C3ECD |. 8BC8 MOV ECX,EAX
004C3ECF |. E8 FC1E0400 CALL Gunz.00505DD0
004C3ED4 |. EB 02 JMP SHORT Gunz.004C3ED8
004C3ED6 |> 33C0 XOR EAX,EAX
004C3ED8 |> 50 PUSH EAX
004C3ED9 |. 8BCE MOV ECX,ESI
004C3EDB |. 897C24 20 MOV DWORD PTR SS:[ESP+20],EDI
004C3EDF |. E8 1C3D0400 CALL Gunz.00507C00
004C3EE4 |. 8B1D 74615E00 MOV EBX,DWORD PTR DS:[<&KERNEL32.EnterCr>; ntdll.RtlEnterCriticalSection
004C3EEA |. 68 F4C76600 PUSH Gunz.0066C7F4 ; /pCriticalSection = Gunz.0066C7F4
004C3EEF |. FFD3 CALL EBX ; \EnterCriticalSection
004C3EF1 |. 8B3D F0C76600 MOV EDI,DWORD PTR DS:[66C7F0]
004C3EF7 |. 85FF TEST EDI,EDI
004C3EF9 |. 74 0B JE SHORT Gunz.004C3F06
004C3EFB |. 8B57 08 MOV EDX,DWORD PTR DS:[EDI+8]
004C3EFE |. 8915 F0C76600 MOV DWORD PTR DS:[66C7F0],EDX
004C3F04 |. EB 0C JMP SHORT Gunz.004C3F12
004C3F06 |> 6A 10 PUSH 10
004C3F08 |. E8 A2B01000 CALL Gunz.005CEFAF
004C3F0D |. 83C4 04 ADD ESP,4
004C3F10 |. 8BF8 MOV EDI,EAX
004C3F12 |> 8B2D 78615E00 MOV EBP,DWORD PTR DS:[<&KERNEL32.LeaveCr>; ntdll.RtlLeaveCriticalSection
004C3F18 |. 68 F4C76600 PUSH Gunz.0066C7F4 ; /pCriticalSection = Gunz.0066C7F4
004C3F1D |. FFD5 CALL EBP ; \LeaveCriticalSection
004C3F1F |. 897C24 30 MOV DWORD PTR SS:[ESP+30],EDI
004C3F23 |. 85FF TEST EDI,EDI
004C3F25 |. C74424 1C 0200>MOV DWORD PTR SS:[ESP+1C],2
004C3F2D |. 74 0B JE SHORT Gunz.004C3F3A
004C3F2F |. 6A 38 PUSH 38
004C3F31 |. 8BCF MOV ECX,EDI
004C3F33 |. E8 181C0400 CALL Gunz.00505B50
004C3F38 |. EB 02 JMP SHORT Gunz.004C3F3C
004C3F3A |> 33C0 XOR EAX,EAX
004C3F3C |> 50 PUSH EAX
004C3F3D |. 8BCE MOV ECX,ESI
004C3F3F |. C74424 20 FFFF>MOV DWORD PTR SS:[ESP+20],-1
004C3F47 |. E8 B43C0400 CALL Gunz.00507C00
004C3F4C |. 68 60C76600 PUSH Gunz.0066C760
004C3F51 |. FFD3 CALL EBX
004C3F53 |. 8B3D 5CC76600 MOV EDI,DWORD PTR DS:[66C75C]
004C3F59 |. 85FF TEST EDI,EDI
004C3F5B |. 74 0A JE SHORT Gunz.004C3F67
004C3F5D |. 8B47 08 MOV EAX,DWORD PTR DS:[EDI+8]
004C3F60 |. A3 5CC76600 MOV DWORD PTR DS:[66C75C],EAX
004C3F65 |. EB 0C JMP SHORT Gunz.004C3F73
004C3F67 |> 6A 10 PUSH 10
004C3F69 |. E8 41B01000 CALL Gunz.005CEFAF
004C3F6E |. 83C4 04 ADD ESP,4
004C3F71 |. 8BF8 MOV EDI,EAX
004C3F73 |> 68 60C76600 PUSH Gunz.0066C760
004C3F78 |. FFD5 CALL EBP
004C3F7A |. 897C24 30 MOV DWORD PTR SS:[ESP+30],EDI
004C3F7E |. 85FF TEST EDI,EDI
004C3F80 |. C74424 1C 0300>MOV DWORD PTR SS:[ESP+1C],3
004C3F88 |. 74 0E JE SHORT Gunz.004C3F98
004C3F8A |. 8B4C24 2C MOV ECX,DWORD PTR SS:[ESP+2C]
004C3F8E |. 51 PUSH ECX
004C3F8F |. 8BCF MOV ECX,EDI
004C3F91 |. E8 8A1C0400 CALL Gunz.00505C20
004C3F96 |. EB 02 JMP SHORT Gunz.004C3F9A
004C3F98 |> 33C0 XOR EAX,EAX
004C3F9A |> 83CD FF OR EBP,FFFFFFFF
004C3F9D |. 50 PUSH EAX
004C3F9E |. 8BCE MOV ECX,ESI
004C3FA0 |. 896C24 20 MOV DWORD PTR SS:[ESP+20],EBP
004C3FA4 |. E8 573C0400 CALL Gunz.00507C00
004C3FA9 |. 6A 10 PUSH 10
004C3FAB |. E8 FFAF1000 CALL Gunz.005CEFAF
004C3FB0 |. 8BF8 MOV EDI,EAX
004C3FB2 |. 83C4 04 ADD ESP,4
004C3FB5 |. 897C24 30 MOV DWORD PTR SS:[ESP+30],EDI
004C3FB9 |. 85FF TEST EDI,EDI
004C3FBB |. 8B5C24 10 MOV EBX,DWORD PTR SS:[ESP+10]
004C3FBF |. C74424 1C 0400>MOV DWORD PTR SS:[ESP+1C],4
004C3FC7 |. 74 14 JE SHORT Gunz.004C3FDD
004C3FC9 |. 53 PUSH EBX
004C3FCA |. E8 31300700 CALL Gunz.00537000
004C3FCF |. 83C4 04 ADD ESP,4
004C3FD2 |. 50 PUSH EAX
004C3FD3 |. 53 PUSH EBX
004C3FD4 |. 8BCF MOV ECX,EDI
004C3FD6 |. E8 55200400 CALL Gunz.00506030
004C3FDB |. EB 02 JMP SHORT Gunz.004C3FDF
004C3FDD |> 33C0 XOR EAX,EAX
004C3FDF |> 50 PUSH EAX
004C3FE0 |. 8BCE MOV ECX,ESI
004C3FE2 |. 896C24 20 MOV DWORD PTR SS:[ESP+20],EBP
004C3FE6 |. E8 153C0400 CALL Gunz.00507C00
004C3FEB |. 56 PUSH ESI
004C3FEC |. E8 0FF0FFFF CALL Gunz.004C3000
004C3FF1 |. 53 PUSH EBX
004C3FF2 |. E8 C92F0700 CALL Gunz.00536FC0
004C3FF7 |. 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
004C3FFB |. 83C4 08 ADD ESP,8
004C3FFE |. 5F POP EDI
004C3FFF |. 5E POP ESI
004C4000 |. 5D POP EBP
004C4001 |. 5B POP EBX
004C4002 |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
004C4009 |. 83C4 10 ADD ESP,10
004C400C \. C3 RETN

And I'm not really sure about how to use C++, didn't really learn it yet.

I have Visual C++ 2005 Express Edition though.