[旧帖] [求助]请求帮我看看这个脱壳过程哪里错了?
发表于: 2008-3-25 13:38
这个程序用PEiD检测显示加了
ASProtect 1.2x - 1.3x [Registered] -> Alexey Solodovnikov
但是在脱了第一层以后,再用PEiD检测显示加了
ASPack 2.12 -> Alexey Solodovnikov
-----------------------------------
脱壳说明:
F7单步步入
F8单步步过
F4运行到选定地址
----------------------------------
00401000 > 68 01704400 push 00447001
00401005 E8 01000000 call 0040100B
;;F7
0040100B C3 retn
0040100A C3 retn
00447001 60 pushad
00447002 E8 03000000 call 0044700A
;;F7
0044700A 5D pop ebp ; 1.00447007
0044700B 45 inc ebp
0044700C 55 push ebp
0044700D C3 retn
00447008 /EB 04 jmp short 0044700E
0044700E E8 01000000 call 00447014
;;F7
00447014 5D pop ebp ; 1.00447013
00447015 BB EDFFFFFF mov ebx, -13
0044701A 03DD add ebx, ebp
0044701C 81EB 00700400 sub ebx, 47000
00447022 807D 4D 01 cmp byte ptr [ebp+4D], 1
00447026 75 0C jnz short 00447034
00447034 8D45 53 lea eax, dword ptr [ebp+53]
00447037 50 push eax
00447038 53 push ebx
00447039 FFB5 F1090000 push dword ptr [ebp+9F1]
0044703F 8D45 35 lea eax, dword ptr [ebp+35]
00447042 50 push eax
00447043 E9 82000000 jmp 004470CA
004470CA /E9 0D000000 jmp 004470DC
004470DC E8 0F000000 call 004470F0
;;F7
004470F0 BF 36BDE773 mov edi, 73E7BD36
004470F5 5E pop esi
004470F6 57 push edi
004470F7 E9 05000000 jmp 00447101
00447101 5F pop edi
00447102 81C6 78080000 add esi, 878
00447108 68 E6DF7747 push 4777DFE6
0044710D 5A pop edx
0044710E B9 ED010000 mov ecx, 1ED
00447113 B6 BD mov dh, 0BD
00447115 8B1E mov ebx, dword ptr [esi]
00447117 8BC2 mov eax, edx
00447119 81C3 03B9C14D add ebx, 4DC1B903
0044711F E8 12000000 call 00447136
;;F7
00447136 B8 15FC0300 mov eax, 3FC15
0044713B 5A pop edx
0044713C 81EB 80E02C7D sub ebx, 7D2CE080
00447142 68 F68FB87D push 7DB88FF6
00447147 8AC6 mov al, dh
00447149 5A pop edx
0044714A 81F3 B9C6821B xor ebx, 1B82C6B9
00447150 BF DA720073 mov edi, 730072DA
00447155 53 push ebx
00447156 8BD0 mov edx, eax
00447158 8F06 pop dword ptr [esi]
0044715A 0FB7C3 movzx eax, bx
0044715D 83EE 02 sub esi, 2
00447160 4E dec esi
00447161 4E dec esi
00447162 E9 0B000000 jmp 00447172
00447172 49 dec ecx
00447173 /0F85 0F000000 jnz 00447188
00447188 /0F83 04000000 jnb 00447192
00447192 ^\E9 7EFFFFFF jmp 00447115
;;这里一直循环执行,所以F4到
004471A9 8BCB mov ecx, ebx
004471AB E8 0A000000 call 004471BA
;;F7
004471BA 0FB7CF movzx ecx, di
004471BD 5F pop edi
004471BE E9 10000000 jmp 004471D3
004471D3 81C7 AC070000 add edi, 7AC
004471D9 E8 0B000000 call 004471E9
;;F7
004471E9 5A pop edx ; 1.004471DE
004471EA BB 00000000 mov ebx, 0
004471EF 81EA BFF7C031 sub edx, 31C0F7BF
004471F5 8B041F mov eax, dword ptr [edi+ebx]
004471F8 0FBFF6 movsx esi, si
004471FB 81F0 464DCE69 xor eax, 69CE4D46
00447201 0F8E 03000000 jle 0044720A
00447207 0FB7CB movzx ecx, bx
0044720A 81C0 076B8672 add eax, 72866B07
00447210 E8 0A000000 call 0044721F
;;F7
0044721F 50 push eax
00447220 52 push edx
00447221 59 pop ecx
00447222 5E pop esi
00447223 5A pop edx
00447224 81C0 34E44146 add eax, 4641E434
0044722A 50 push eax
0044722B 66:B9 ABE6 mov cx, 0E6AB
0044722F 8F041F pop dword ptr [edi+ebx]
00447232 66:8BCA mov cx, dx
00447235 83EB 01 sub ebx, 1
00447238 0FBFF6 movsx esi, si
0044723B 4B dec ebx
0044723C 4B dec ebx
0044723D 4B dec ebx
0044723E BA 76796614 mov edx, 14667976
00447243 81FB 18F9FFFF cmp ebx, -6E8
00447249 0F85 18000000 jnz 00447267
;;F4
0044724F BA 505A7A10 mov edx, 107A5A50
00447254 /E9 1F000000 jmp 00447278
00447278 0FBFC0 movsx eax, ax
0044727B E8 0C000000 call 0044728C
;;F7
0044728C /E9 0B000000 jmp 0044729C
0044729C 59 pop ecx ; 1.00447280
0044729D B7 A3 mov bh, 0A3
0044729F 81C1 D9060000 add ecx, 6D9
004472A5 E8 05000000 call 004472AF
;;F7
004472AF 66:B8 D7BC mov ax, 0BCD7
004472B3 5B pop ebx ; 1.004472AA
004472B4 BF 00000000 mov edi, 0
004472B9 E8 0E000000 call 004472CC
;;F7
004472CC 81CB D544C151 or ebx, 51C144D5
004472D2 58 pop eax
004472D3 FF340F push dword ptr [edi+ecx]
004472D6 81C6 24CADD37 add esi, 37DDCA24
004472DC 5A pop edx
004472DD 8BF3 mov esi, ebx
004472DF 81F2 22F1CB5C xor edx, 5CCBF122
004472E5 BE 450D9E07 mov esi, 79E0D45
004472EA 81C2 B3379A48 add edx, 489A37B3
004472F0 66:81D8 6628 sbb ax, 2866
004472F5 81EA 7071146E sub edx, 6E147170
004472FB 53 push ebx
004472FC 8BC6 mov eax, esi
004472FE 5B pop ebx
004472FF 891439 mov dword ptr [ecx+edi], edx
00447302 0FBFF0 movsx esi, ax
00447305 68 6D82FB6E push 6EFB826D
0044730A 5B pop ebx
0044730B 83EF 04 sub edi, 4
0044730E 66:8BC7 mov ax, di
00447311 81FF E8F9FFFF cmp edi, -618
00447317 0F85 19000000 jnz 00447336
;;F4
0044731D /0F8C 08000000 jl 0044732B
00447323 52 push edx
00447324 68 9E53F163 push 63F1539E
00447329 5B pop ebx
0044732A 58 pop eax
0044732B E9 15000000 jmp 00447345
00447345 68 F9928710 push 108792F9
0044734A 5B pop ebx
0044734B E8 0F000000 call 0044735F
;;F7
0044735F /E9 0D000000 jmp 00447371
00447371 5F pop edi ; 1.00447350
00447372 81C3 4DCF160E add ebx, 0E16CF4D
00447378 81C7 0A060000 add edi, 60A
0044737E E9 05000000 jmp 00447388
00447388 BA 00000000 mov edx, 0
0044738D BB 26EFFC0D mov ebx, 0DFCEF26
00447392 FF343A push dword ptr [edx+edi]
00447395 56 push esi
00447396 8BCA mov ecx, edx
00447398 5B pop ebx
00447399 58 pop eax
0044739A 0FB7F3 movzx esi, bx
0044739D 81C0 A8D9556B add eax, 6B55D9A8
004473A3 0F88 06000000 js 004473AF
004473A9 68 62913229 push 29329162
004473AE 5B pop ebx
004473AF 81C0 C10CCF5B add eax, 5BCF0CC1
004473B5 8BDE mov ebx, esi
004473B7 81F0 666C510B xor eax, 0B516C66
004473BD BE 9D46AE6D mov esi, 6DAE469D
004473C2 890417 mov dword ptr [edi+edx], eax
004473C5 /0F8F 06000000 jg 004473D1
004473CB |81DE 6A76A91F sbb esi, 1FA9766A
004473D1 \66:81F6 A44F xor si, 4FA4
004473D6 81EA C2689E6F sub edx, 6F9E68C2
004473DC BE 2F1DE22B mov esi, 2BE21D2F
004473E1 81C2 BE689E6F add edx, 6F9E68BE
004473E7 81C6 28C34F1A add esi, 1A4FC328
004473ED 81FA D4FAFFFF cmp edx, -52C
004473F3 0F85 22000000 jnz 0044741B
;;F4
004473F9 /E9 09000000 jmp 00447407
00447407 /E9 26000000 jmp 00447432
00447432 E8 00000000 call 00447437
;;F8
00447437 5D pop ebp ; 1.00447437
00447438 5B pop ebx
00447439 895D 5B mov dword ptr [ebp+5B], ebx
0044743C 5B pop ebx
0044743D 895D 5F mov dword ptr [ebp+5F], ebx
00447440 58 pop eax
00447441 8985 0D040000 mov dword ptr [ebp+40D], eax
00447447 58 pop eax
00447448 807D 5A 01 cmp byte ptr [ebp+5A], 1
0044744C 75 59 jnz short 004474A7
004474A7 E8 9C020000 call 00447748
;;F8
004474AC FC cld
004474AD 8DB5 8C000000 lea esi, dword ptr [ebp+8C]
004474B3 AD lods dword ptr [esi]
004474B4 0BC0 or eax, eax
004474B6 74 1B je short 004474D3
004474B8 8BF8 mov edi, eax
004474BA B9 0C000000 mov ecx, 0C
004474BF F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
004474C1 EB 10 jmp short 004474D3
004474D3 89A5 29040000 mov dword ptr [ebp+429], esp
004474D9 6A 40 push 40
004474DB 68 00100000 push 1000
004474E0 FFB5 08040000 push dword ptr [ebp+408]
004474E6 6A 00 push 0
004474E8 FF95 F0030000 call dword ptr [ebp+3F0] ; kernel32.VirtualAlloc
;;F8
004474EE 8985 CC010000 mov dword ptr [ebp+1CC], eax
004474F4 8B9D 00040000 mov ebx, dword ptr [ebp+400]
004474FA 039D 0D040000 add ebx, dword ptr [ebp+40D]
00447500 50 push eax
00447501 53 push ebx
00447502 E8 04010000 call 0044760B
;;F8
00447507 6A 40 push 40
00447509 68 00100000 push 1000
0044750E FFB5 08040000 push dword ptr [ebp+408]
00447514 6A 00 push 0
00447516 FF95 F0030000 call dword ptr [ebp+3F0] ; kernel32.VirtualAlloc
;;F8
0044751C 8985 31040000 mov dword ptr [ebp+431], eax
00447522 8985 D0010000 mov dword ptr [ebp+1D0], eax
00447528 64:67:A1 0000 mov eax, dword ptr fs:[0]
0044752D 8985 2D040000 mov dword ptr [ebp+42D], eax
00447533 8B55 5B mov edx, dword ptr [ebp+5B]
00447536 8B85 D0010000 mov eax, dword ptr [ebp+1D0]
0044753C 8902 mov dword ptr [edx], eax
0044753E 8B85 08040000 mov eax, dword ptr [ebp+408]
00447544 8942 04 mov dword ptr [edx+4], eax
00447547 8D85 9F030000 lea eax, dword ptr [ebp+39F]
0044754D 8B40 55 mov eax, dword ptr [eax+55]
00447550 8942 08 mov dword ptr [edx+8], eax
00447553 8B85 EC030000 mov eax, dword ptr [ebp+3EC]
00447559 8942 10 mov dword ptr [edx+10], eax
0044755C 8B85 E8030000 mov eax, dword ptr [ebp+3E8]
00447562 8942 14 mov dword ptr [edx+14], eax
00447565 8B95 CC010000 mov edx, dword ptr [ebp+1CC]
0044756B BB F8010000 mov ebx, 1F8
00447570 8B7C1A 0C mov edi, dword ptr [edx+ebx+C]
00447574 0BFF or edi, edi
00447576 74 1E je short 00447596
00447578 8B4C1A 10 mov ecx, dword ptr [edx+ebx+10]
0044757C 0BC9 or ecx, ecx
0044757E 74 11 je short 00447591
00447580 03BD D0010000 add edi, dword ptr [ebp+1D0]
00447586 8B741A 14 mov esi, dword ptr [edx+ebx+14]
0044758A 03F2 add esi, edx
0044758C C1F9 02 sar ecx, 2
0044758F F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00447591 83C3 28 add ebx, 28
00447594 ^ EB DA jmp short 00447570
;;F4
00447596 8B85 CC010000 mov eax, dword ptr [ebp+1CC]
0044759C 50 push eax
0044759D 8B95 D0010000 mov edx, dword ptr [ebp+1D0]
004475A3 52 push edx
004475A4 8B18 mov ebx, dword ptr [eax]
004475A6 03DA add ebx, edx
004475A8 8B85 E4030000 mov eax, dword ptr [ebp+3E4]
004475AE 8903 mov dword ptr [ebx], eax
004475B0 8B85 E8030000 mov eax, dword ptr [ebp+3E8]
004475B6 8943 04 mov dword ptr [ebx+4], eax
004475B9 8B85 EC030000 mov eax, dword ptr [ebp+3EC]
004475BF 8943 08 mov dword ptr [ebx+8], eax
004475C2 5F pop edi
004475C3 5E pop esi
004475C4 8B46 04 mov eax, dword ptr [esi+4]
004475C7 03C7 add eax, edi
004475C9 8985 C7010000 mov dword ptr [ebp+1C7], eax
004475CF 8B55 5B mov edx, dword ptr [ebp+5B]
004475D2 8B85 C7010000 mov eax, dword ptr [ebp+1C7]
004475D8 8942 0C mov dword ptr [edx+C], eax
004475DB 8D9D 0D040000 lea ebx, dword ptr [ebp+40D]
004475E1 53 push ebx
004475E2 6A 00 push 0
004475E4 6A 00 push 0
004475E6 6A 01 push 1
004475E8 57 push edi
004475E9 8B5E 08 mov ebx, dword ptr [esi+8]
004475EC 03DF add ebx, edi
004475EE 53 push ebx
004475EF 68 00800000 push 8000
004475F4 6A 00 push 0
004475F6 56 push esi
004475F7 FF95 F4030000 call dword ptr [ebp+3F4] ; kernel32.VirtualFree
;;F8
004475FD 68 00E0A000 push 0A0E000
00447602 C3 retn
;;F8
00A0E000 90 nop
00A0E001 60 pushad
00A0E002 E8 40060000 call 00A0E647
;;F8
00A0E007 /EB 44 jmp short 00A0E04D
00A0E04D BB 44294400 mov ebx, 442944
00A0E052 03DD add ebx, ebp
00A0E054 2B9D 71294400 sub ebx, dword ptr [ebp+442971]
00A0E05A 83BD D8304400 00 cmp dword ptr [ebp+4430D8], 0
00A0E061 899D 2F2E4400 mov dword ptr [ebp+442E2F], ebx
00A0E067 0F85 3E050000 jnz 00A0E5AB
00A0E06D 8D85 E0304400 lea eax, dword ptr [ebp+4430E0]
00A0E073 50 push eax
00A0E074 FF95 EC314400 call dword ptr [ebp+4431EC] ; kernel32.GetModuleHandleA
;;F8
00A0E07A 8985 DC304400 mov dword ptr [ebp+4430DC], eax ; kernel32.77E40000
00A0E080 8BF8 mov edi, eax
00A0E082 8D9D ED304400 lea ebx, dword ptr [ebp+4430ED]
00A0E088 53 push ebx
00A0E089 50 push eax
00A0E08A FF95 E8314400 call dword ptr [ebp+4431E8] ; kernel32.GetProcAddress
;;F8
00A0E090 8985 79294400 mov dword ptr [ebp+442979], eax ; kernel32.VirtualAlloc
00A0E096 8D9D FA304400 lea ebx, dword ptr [ebp+4430FA]
00A0E09C 53 push ebx
00A0E09D 57 push edi
00A0E09E FF95 E8314400 call dword ptr [ebp+4431E8] ; kernel32.GetProcAddress
;;F8
00A0E0A4 8985 7D294400 mov dword ptr [ebp+44297D], eax ; kernel32.VirtualFree
00A0E0AA 8B85 2F2E4400 mov eax, dword ptr [ebp+442E2F]
00A0E0B0 8985 D8304400 mov dword ptr [ebp+4430D8], eax
00A0E0B6 6A 04 push 4
00A0E0B8 68 00100000 push 1000
00A0E0BD 68 46050000 push 546
00A0E0C2 6A 00 push 0
00A0E0C4 FF95 79294400 call dword ptr [ebp+442979] ; kernel32.VirtualAlloc
;;F8
00A0E0CA 8985 75294400 mov dword ptr [ebp+442975], eax
00A0E0D0 8D9D 452A4400 lea ebx, dword ptr [ebp+442A45]
00A0E0D6 50 push eax
00A0E0D7 53 push ebx
00A0E0D8 E8 74050000 call 00A0E651
;;F8
00A0E0DD 8BC8 mov ecx, eax
00A0E0DF 8DBD 452A4400 lea edi, dword ptr [ebp+442A45]
00A0E0E5 8BB5 75294400 mov esi, dword ptr [ebp+442975]
00A0E0EB F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
00A0E0ED 8B85 75294400 mov eax, dword ptr [ebp+442975]
00A0E0F3 68 00800000 push 8000
00A0E0F8 6A 00 push 0
00A0E0FA 50 push eax
00A0E0FB FF95 7D294400 call dword ptr [ebp+44297D] ; kernel32.VirtualFree
;;F8
00A0E101 8D85 512C4400 lea eax, dword ptr [ebp+442C51]
00A0E107 50 push eax
00A0E108 C3 retn
;;F8
00A0E30D 8B9D 552A4400 mov ebx, dword ptr [ebp+442A55]
00A0E313 0BDB or ebx, ebx
00A0E315 74 0A je short 00A0E321
00A0E321 8DB5 712A4400 lea esi, dword ptr [ebp+442A71]
00A0E327 833E 00 cmp dword ptr [esi], 0
00A0E32A 0F84 D3000000 je 00A0E403
00A0E330 8DB5 712A4400 lea esi, dword ptr [ebp+442A71]
00A0E336 8B46 04 mov eax, dword ptr [esi+4]
00A0E339 6A 04 push 4
00A0E33B 68 00100000 push 1000
00A0E340 50 push eax
00A0E341 6A 00 push 0
00A0E343 FF95 79294400 call dword ptr [ebp+442979] ; kernel32.VirtualAlloc
;;F8
00A0E349 8985 75294400 mov dword ptr [ebp+442975], eax
00A0E34F 56 push esi
00A0E350 8B1E mov ebx, dword ptr [esi]
00A0E352 039D D8304400 add ebx, dword ptr [ebp+4430D8]
00A0E358 50 push eax
00A0E359 53 push ebx
00A0E35A E8 F2020000 call 00A0E651
;;F8
00A0E35F 80BD 70294400 00 cmp byte ptr [ebp+442970], 0
00A0E366 75 4C jnz short 00A0E3B4
00A0E368 FE85 70294400 inc byte ptr [ebp+442970]
00A0E36E 8B3E mov edi, dword ptr [esi]
00A0E370 03BD D8304400 add edi, dword ptr [ebp+4430D8]
00A0E376 FF37 push dword ptr [edi]
00A0E378 C607 C3 mov byte ptr [edi], 0C3
00A0E37B FFD7 call edi
;;F8
00A0E37D 8F07 pop dword ptr [edi]
00A0E37F 50 push eax
00A0E380 51 push ecx
00A0E381 56 push esi
00A0E382 53 push ebx
00A0E383 8BC8 mov ecx, eax
00A0E385 83E9 06 sub ecx, 6
00A0E388 8BB5 75294400 mov esi, dword ptr [ebp+442975]
00A0E38E 33DB xor ebx, ebx
00A0E390 0BC9 or ecx, ecx
00A0E392 74 1C je short 00A0E3B0
00A0E394 /78 1A js short 00A0E3B0
00A0E396 AC lods byte ptr [esi]
00A0E397 3C E8 cmp al, 0E8
00A0E399 74 08 je short 00A0E3A3
00A0E39B 3C E9 cmp al, 0E9
00A0E39D 74 04 je short 00A0E3A3
00A0E39F 43 inc ebx
00A0E3A0 49 dec ecx
00A0E3A1 ^ EB ED jmp short 00A0E390
;;F4
00A0E3B0 5B pop ebx ; 009C1000
00A0E3B1 5E pop esi
00A0E3B2 59 pop ecx
00A0E3B3 58 pop eax
00A0E3B4 8BC8 mov ecx, eax
00A0E3B6 8B3E mov edi, dword ptr [esi]
00A0E3B8 03BD D8304400 add edi, dword ptr [ebp+4430D8]
00A0E3BE 8BB5 75294400 mov esi, dword ptr [ebp+442975]
00A0E3C4 C1F9 02 sar ecx, 2
00A0E3C7 F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00A0E3C9 8BC8 mov ecx, eax
00A0E3CB 83E1 03 and ecx, 3
00A0E3CE F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
00A0E3D0 5E pop esi
00A0E3D1 8B85 75294400 mov eax, dword ptr [ebp+442975]
00A0E3D7 68 00800000 push 8000
00A0E3DC 6A 00 push 0
00A0E3DE 50 push eax
00A0E3DF FF95 7D294400 call dword ptr [ebp+44297D] ; kernel32.VirtualFree
;;F8
00A0E3E5 83C6 08 add esi, 8
00A0E3E8 833E 00 cmp dword ptr [esi], 0
00A0E3EB ^ 0F85 45FFFFFF jnz 00A0E336
;;F4
00A0E3F1 8B9D 552A4400 mov ebx, dword ptr [ebp+442A55]
00A0E3F7 0BDB or ebx, ebx
00A0E3F9 /74 08 je short 00A0E403
00A0E3FB |8B03 mov eax, dword ptr [ebx]
00A0E3FD |8785 592A4400 xchg dword ptr [ebp+442A59], eax
00A0E403 \8B95 D8304400 mov edx, dword ptr [ebp+4430D8]
00A0E409 8B85 512A4400 mov eax, dword ptr [ebp+442A51]
00A0E40F 2BD0 sub edx, eax
00A0E411 74 75 je short 00A0E488
00A0E413 8BC2 mov eax, edx
00A0E415 C1E8 10 shr eax, 10
00A0E418 33DB xor ebx, ebx
00A0E41A 8BB5 5D2A4400 mov esi, dword ptr [ebp+442A5D]
00A0E420 03B5 D8304400 add esi, dword ptr [ebp+4430D8]
00A0E426 833E 00 cmp dword ptr [esi], 0
00A0E429 74 5D je short 00A0E488
00A0E42B 8B4E 04 mov ecx, dword ptr [esi+4]
00A0E42E 83E9 08 sub ecx, 8
00A0E431 D1E9 shr ecx, 1
00A0E433 8B3E mov edi, dword ptr [esi]
00A0E435 03BD D8304400 add edi, dword ptr [ebp+4430D8]
00A0E43B 83C6 08 add esi, 8
00A0E43E 66:8B1E mov bx, word ptr [esi]
00A0E441 C1EB 0C shr ebx, 0C
00A0E444 83FB 01 cmp ebx, 1
00A0E447 74 0C je short 00A0E455
00A0E449 83FB 02 cmp ebx, 2
00A0E44C 74 16 je short 00A0E464
00A0E44E 83FB 03 cmp ebx, 3
00A0E451 74 20 je short 00A0E473
00A0E473 66:8B1E mov bx, word ptr [esi]
00A0E476 81E3 FF0F0000 and ebx, 0FFF
00A0E47C 01141F add dword ptr [edi+ebx], edx
00A0E47F EB 00 jmp short 00A0E481
00A0E481 83C6 02 add esi, 2
00A0E484 ^ E2 B8 loopd short 00A0E43E
;;F4
00A0E488 8BB5 612A4400 mov esi, dword ptr [ebp+442A61]
00A0E48E 8B95 D8304400 mov edx, dword ptr [ebp+4430D8]
00A0E494 03F2 add esi, edx
00A0E496 8B46 0C mov eax, dword ptr [esi+C]
00A0E499 85C0 test eax, eax
00A0E49B 0F84 0A010000 je 00A0E5AB
00A0E4A1 03C2 add eax, edx
00A0E4A3 8BD8 mov ebx, eax
00A0E4A5 50 push eax
00A0E4A6 FF95 EC314400 call dword ptr [ebp+4431EC] ; kernel32.GetModuleHandleA
;;F8
00A0E4AC 85C0 test eax, eax ; kernel32.77E40000
00A0E4AE /75 07 jnz short 00A0E4B7
00A0E4B0 |53 push ebx
00A0E4B1 |FF95 F0314400 call dword ptr [ebp+4431F0]
00A0E4B7 \8985 4D294400 mov dword ptr [ebp+44294D], eax
00A0E4BD C785 51294400 00000000 mov dword ptr [ebp+442951], 0
00A0E4C7 8B95 D8304400 mov edx, dword ptr [ebp+4430D8]
00A0E4CD 8B06 mov eax, dword ptr [esi]
00A0E4CF 85C0 test eax, eax
00A0E4D1 75 03 jnz short 00A0E4D6
00A0E4D3 8B46 10 mov eax, dword ptr [esi+10]
00A0E4D6 03C2 add eax, edx
00A0E4D8 0385 51294400 add eax, dword ptr [ebp+442951]
00A0E4DE 8B18 mov ebx, dword ptr [eax]
00A0E4E0 8B7E 10 mov edi, dword ptr [esi+10]
00A0E4E3 03FA add edi, edx
00A0E4E5 03BD 51294400 add edi, dword ptr [ebp+442951]
00A0E4EB 85DB test ebx, ebx
00A0E4ED 0F84 A2000000 je 00A0E595
00A0E4F3 F7C3 00000080 test ebx, 80000000
00A0E4F9 75 04 jnz short 00A0E4FF
00A0E4FB 03DA add ebx, edx
00A0E4FD 43 inc ebx
00A0E4FE 43 inc ebx
00A0E4FF 53 push ebx
00A0E500 81E3 FFFFFF7F and ebx, 7FFFFFFF
00A0E506 53 push ebx
00A0E507 FFB5 4D294400 push dword ptr [ebp+44294D]
00A0E50D FF95 E8314400 call dword ptr [ebp+4431E8] ; kernel32.GetProcAddress
;;F8
00A0E513 85C0 test eax, eax ; kernel32.GetCurrentThreadId
00A0E515 5B pop ebx
00A0E516 75 6F jnz short 00A0E587
00A0E587 8907 mov dword ptr [edi], eax ; kernel32.GetCurrentThreadId
00A0E589 8385 51294400 04 add dword ptr [ebp+442951], 4
00A0E590 ^ E9 32FFFFFF jmp 00A0E4C7
;;F4
00A0E595 8906 mov dword ptr [esi], eax
00A0E597 8946 0C mov dword ptr [esi+C], eax
00A0E59A 8946 10 mov dword ptr [esi+10], eax
00A0E59D 83C6 14 add esi, 14
00A0E5A0 8B95 D8304400 mov edx, dword ptr [ebp+4430D8]
00A0E5A6 ^ E9 EBFEFFFF jmp 00A0E496
;;F4
00A0E5AB 8B85 652A4400 mov eax, dword ptr [ebp+442A65]
00A0E5B1 50 push eax
00A0E5B2 0385 D8304400 add eax, dword ptr [ebp+4430D8]
00A0E5B8 5B pop ebx
00A0E5B9 0BDB or ebx, ebx
00A0E5BB 8985 112F4400 mov dword ptr [ebp+442F11], eax
00A0E5C1 61 popad
00A0E5C2 /75 08 jnz short 00A0E5CC
;;跳转已实现
00A0E5C4 |B8 01000000 mov eax, 1
00A0E5C9 |C2 0C00 retn 0C
00A0E5CC \68 B0E59F00 push 9FE5B0
00A0E5D1 C3 retn
;;F8
009FE5B0 55 push ebp ; 1.00447437
009FE5B1 8BEC mov ebp, esp
009FE5B3 83C4 B4 add esp, -4C
009FE5B6 B8 B8E29F00 mov eax, 9FE2B8
009FE5BB E8 C877FCFF call 009C5D88
;;F8
009FE5C0 E8 FB4FFCFF call 009C35C0
;;F7
009C35C0 53 push ebx
009C35C1 56 push esi
009C35C2 57 push edi
009C35C3 55 push ebp
009C35C4 BB 9C04A000 mov ebx, 0A0049C
009C35C9 BE 3000A000 mov esi, 0A00030
009C35CE BF 3400A000 mov edi, 0A00034
009C35D3 807B 24 00 cmp byte ptr [ebx+24], 0
009C35D7 75 16 jnz short 009C35EF
009C35EF 833D 3800A000 00 cmp dword ptr [A00038], 0
009C35F6 74 47 je short 009C363F
009C363F 807B 24 02 cmp byte ptr [ebx+24], 2
009C3643 75 0A jnz short 009C364F
009C3645 833E 00 cmp dword ptr [esi], 0
009C3648 75 05 jnz short 009C364F
009C364A 33C0 xor eax, eax
009C364C 8943 0C mov dword ptr [ebx+C], eax
009C364F E8 48FDFFFF call 009C339C
;;F8
009C3654 807B 24 01 cmp byte ptr [ebx+24], 1
009C3658 76 05 jbe short 009C365F
009C365A 833E 00 cmp dword ptr [esi], 0
009C365D 74 1D je short 009C367C
009C367C E8 F3FCFFFF call 009C3374
;;F8
009C3681 807B 24 01 cmp byte ptr [ebx+24], 1
009C3685 /75 03 jnz short 009C368A
;;跳转已实现
009C3687 |FF53 28 call dword ptr [ebx+28]
009C368A \807B 24 00 cmp byte ptr [ebx+24], 0
009C368E /74 05 je short 009C3695
009C3690 E8 F7FEFFFF call 009C358C
;;F7
009C358C BF 9C04A000 mov edi, 0A0049C
009C3591 8B1D B404A000 mov ebx, dword ptr [A004B4]
009C3597 8B2D B004A000 mov ebp, dword ptr [A004B0]
009C359D FF77 1C push dword ptr [edi+1C]
009C35A0 FF77 20 push dword ptr [edi+20]
009C35A3 8B37 mov esi, dword ptr [edi]
009C35A5 B9 0B000000 mov ecx, 0B
009C35AA F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
009C35AC 5F pop edi
009C35AD 5E pop esi
009C35AE 31C0 xor eax, eax
009C35B0 8705 3000A000 xchg dword ptr [A00030], eax
009C35B6 F7D8 neg eax
009C35B8 19C0 sbb eax, eax
009C35BA 40 inc eax
009C35BB C9 leave
009C35BC C2 0C00 retn 0C
;;F8
009FD510 55 push ebp ; 1.00447437
009FD511 8BEC mov ebp, esp
009FD513 53 push ebx
009FD514 56 push esi
009FD515 57 push edi
009FD516 A1 BCFA9F00 mov eax, dword ptr [9FFABC]
009FD51B 8B55 08 mov edx, dword ptr [ebp+8]
009FD51E 8910 mov dword ptr [eax], edx
009FD520 A1 BCFA9F00 mov eax, dword ptr [9FFABC]
009FD525 8B00 mov eax, dword ptr [eax]
009FD527 8B00 mov eax, dword ptr [eax]
009FD529 8B15 D4FA9F00 mov edx, dword ptr [9FFAD4]
009FD52F 8902 mov dword ptr [edx], eax
009FD531 E8 6A6AFEFF call 009E3FA0
;;F8
009FD536 33C0 xor eax, eax
009FD538 55 push ebp
009FD539 68 72D59F00 push 9FD572
009FD53E 64:FF30 push dword ptr fs:[eax]
009FD541 64:8920 mov dword ptr fs:[eax], esp
009FD544 68 E8EB9C00 push 9CEBE8 ; ASCII "h轙*;h?"
009FD549 68 ACD59F00 push 9FD5AC
009FD54E 68 5CC89F00 push 9FC85C
009FD553 68 ACCC9F00 push 9FCCAC
009FD558 68 84C59F00 push 9FC584
009FD55D 68 D4BF9F00 push 9FBFD4
009FD562 68 94D29F00 push 9FD294
009FD567 C3 retn
;;F8
009FD294 55 push ebp
009FD295 8BEC mov ebp, esp
009FD297 83C4 F4 add esp, -0C
009FD29A 53 push ebx
009FD29B 56 push esi
009FD29C 57 push edi
009FD29D A1 6CFA9F00 mov eax, dword ptr [9FFA6C]
009FD2A2 C600 C9 mov byte ptr [eax], 0C9
009FD2A5 B2 01 mov dl, 1
009FD2A7 A1 F4419E00 mov eax, dword ptr [9E41F4]
009FD2AC E8 F76FFEFF call 009E42A8
;;F8
009FD2B1 A3 3882A000 mov dword ptr [A08238], eax
009FD2B6 B2 01 mov dl, 1
009FD2B8 A1 F4419E00 mov eax, dword ptr [9E41F4]
009FD2BD E8 E66FFEFF call 009E42A8
;;F8
009FD2C2 8945 FC mov dword ptr [ebp-4], eax
009FD2C5 A1 50FA9F00 mov eax, dword ptr [9FFA50]
009FD2CA BA A4000000 mov edx, 0A4
009FD2CF E8 388EFCFF call 009C610C
;;F8
009FD2D4 B2 01 mov dl, 1
009FD2D6 A1 84C69E00 mov eax, dword ptr [9EC684]
009FD2DB E8 74F4FEFF call 009EC754
;;F8
009FD2E0 8B15 DCF99F00 mov edx, dword ptr [9FF9DC]
009FD2E6 8902 mov dword ptr [edx], eax
009FD2E8 B2 01 mov dl, 1
009FD2EA A1 6CD89E00 mov eax, dword ptr [9ED86C]
009FD2EF E8 D005FFFF call 009ED8C4
;;F8
009FD2F4 A3 3482A000 mov dword ptr [A08234], eax
009FD2F9 B2 01 mov dl, 1
009FD2FB A1 7C809E00 mov eax, dword ptr [9E807C]
009FD300 E8 F3ADFEFF call 009E80F8
;;F8
009FD305 A3 7082A000 mov dword ptr [A08270], eax
009FD30A B2 01 mov dl, 1
009FD30C A1 DC859F00 mov eax, dword ptr [9F85DC]
009FD311 E8 3AB4FFFF call 009F8750
;;F8
009FD316 A3 7482A000 mov dword ptr [A08274], eax
009FD31B A1 BCFA9F00 mov eax, dword ptr [9FFABC]
009FD320 8B00 mov eax, dword ptr [eax]
009FD322 8A00 mov al, byte ptr [eax]
009FD324 8B15 14FA9F00 mov edx, dword ptr [9FFA14]
009FD32A 8802 mov byte ptr [edx], al
009FD32C A1 BCFA9F00 mov eax, dword ptr [9FFABC]
009FD331 8B00 mov eax, dword ptr [eax]
009FD333 83E8 11 sub eax, 11
009FD336 8B15 BCFA9F00 mov edx, dword ptr [9FFABC]
009FD33C 8B12 mov edx, dword ptr [edx]
009FD33E 8B12 mov edx, dword ptr [edx]
009FD340 0350 04 add edx, dword ptr [eax+4]
009FD343 0350 08 add edx, dword ptr [eax+8]
009FD346 A1 B0FA9F00 mov eax, dword ptr [9FFAB0]
009FD34B 8910 mov dword ptr [eax], edx
009FD34D A1 B0FA9F00 mov eax, dword ptr [9FFAB0]
009FD352 8B00 mov eax, dword ptr [eax]
009FD354 8B55 FC mov edx, dword ptr [ebp-4]
009FD357 8942 04 mov dword ptr [edx+4], eax
009FD35A A1 B0FA9F00 mov eax, dword ptr [9FFAB0]
009FD35F 8B00 mov eax, dword ptr [eax]
009FD361 8B15 3882A000 mov edx, dword ptr [A08238]
009FD367 8942 04 mov dword ptr [edx+4], eax
009FD36A A1 6CFA9F00 mov eax, dword ptr [9FFA6C]
009FD36F C600 E5 mov byte ptr [eax], 0E5
009FD372 A1 3882A000 mov eax, dword ptr [A08238]
009FD377 50 push eax
009FD378 E8 8770FEFF call 009E4404
;;F8
009FD37D A1 A0FA9F00 mov eax, dword ptr [9FFAA0]
009FD382 8B80 98000000 mov eax, dword ptr [eax+98]
009FD388 50 push eax
009FD389 8B45 FC mov eax, dword ptr [ebp-4]
009FD38C 50 push eax
009FD38D E8 F270FEFF call 009E4484
;;F8
009FD392 8BD8 mov ebx, eax
009FD394 85DB test ebx, ebx
009FD396 74 12 je short 009FD3AA
009FD398 8B4B 04 mov ecx, dword ptr [ebx+4]
009FD39B 8D53 0C lea edx, dword ptr [ebx+C]
009FD39E A1 40F99F00 mov eax, dword ptr [9FF940]
009FD3A3 E8 508DFCFF call 009C60F8
;;F8
009FD3A8 /EB 0A jmp short 009FD3B4
009FD3AA |68 08D59F00 push 9FD508 ; ASCII "100",CR,LF
009FD3AF |E8 9C83FDFF call 009D5750
009FD3B4 \A1 6CFA9F00 mov eax, dword ptr [9FFA6C]
009FD3B9 C600 E4 mov byte ptr [eax], 0E4
009FD3BC A1 DCF99F00 mov eax, dword ptr [9FF9DC]
009FD3C1 8B00 mov eax, dword ptr [eax]
009FD3C3 E8 4CF9FEFF call 009ECD14
;;F8
009FD3C8 A1 A0FA9F00 mov eax, dword ptr [9FFAA0]
009FD3CD 8B40 1C mov eax, dword ptr [eax+1C]
009FD3D0 50 push eax
009FD3D1 8B45 FC mov eax, dword ptr [ebp-4]
009FD3D4 50 push eax
009FD3D5 E8 AA70FEFF call 009E4484
;;F8
009FD3DA 8BD8 mov ebx, eax
009FD3DC 85DB test ebx, ebx
009FD3DE 74 24 je short 009FD404
009FD3E0 8D45 F4 lea eax, dword ptr [ebp-C]
009FD3E3 50 push eax
009FD3E4 8D4D F8 lea ecx, dword ptr [ebp-8]
009FD3E7 8BD3 mov edx, ebx
009FD3E9 8B45 FC mov eax, dword ptr [ebp-4]
009FD3EC E8 5B74FEFF call 009E484C
;;F8
009FD3F1 8B55 F4 mov edx, dword ptr [ebp-C]
009FD3F4 8B45 F8 mov eax, dword ptr [ebp-8]
009FD3F7 E8 905DFFFF call 009F318C
;;F8
009FD3FC 8B45 F8 mov eax, dword ptr [ebp-8]
009FD3FF E8 6051FCFF call 009C2564
;;F8
009FD404 A1 A0FA9F00 mov eax, dword ptr [9FFAA0]
009FD409 8B40 38 mov eax, dword ptr [eax+38]
009FD40C 50 push eax
009FD40D 8B45 FC mov eax, dword ptr [ebp-4]
009FD410 50 push eax
009FD411 E8 6E70FEFF call 009E4484
;;F8
009FD416 8BD8 mov ebx, eax
009FD418 85DB test ebx, ebx
009FD41A 74 24 je short 009FD440
009FD41C 8D45 F4 lea eax, dword ptr [ebp-C]
009FD41F 50 push eax
009FD420 8D4D F8 lea ecx, dword ptr [ebp-8]
009FD423 8BD3 mov edx, ebx
009FD425 8B45 FC mov eax, dword ptr [ebp-4]
009FD428 E8 1F74FEFF call 009E484C
;;F8
009FD42D 8B55 F4 mov edx, dword ptr [ebp-C]
009FD430 8B45 F8 mov eax, dword ptr [ebp-8]
009FD433 E8 50B1FFFF call 009F8588
;;F8
009FD438 8B45 F8 mov eax, dword ptr [ebp-8]
009FD43B E8 2451FCFF call 009C2564
;;F8
009FD440 A1 6CFA9F00 mov eax, dword ptr [9FFA6C]
009FD445 C600 CA mov byte ptr [eax], 0CA
009FD448 33C0 xor eax, eax
009FD44A A3 3082A000 mov dword ptr [A08230], eax
009FD44F A1 A0FA9F00 mov eax, dword ptr [9FFAA0]
009FD454 8B80 8C000000 mov eax, dword ptr [eax+8C]
009FD45A 50 push eax
009FD45B 8B45 FC mov eax, dword ptr [ebp-4]
009FD45E 50 push eax
009FD45F E8 2070FEFF call 009E4484
;;F8
009FD464 8BD8 mov ebx, eax
009FD466 85DB test ebx, ebx
009FD468 74 48 je short 009FD4B2
009FD46A B8 10270000 mov eax, 2710
009FD46F E8 5054FCFF call 009C28C4
;;F8
009FD474 8945 F4 mov dword ptr [ebp-C], eax
009FD477 8B45 F4 mov eax, dword ptr [ebp-C]
009FD47A E8 CD50FCFF call 009C254C
;;F8
009FD47F 8945 F8 mov dword ptr [ebp-8], eax
009FD482 8B53 04 mov edx, dword ptr [ebx+4]
009FD485 B8 2C82A000 mov eax, 0A0822C
009FD48A E8 99C6FEFF call 009E9B28
;;F8
009FD48F 8B4B 04 mov ecx, dword ptr [ebx+4]
009FD492 8B15 2C82A000 mov edx, dword ptr [A0822C]
009FD498 8D43 0C lea eax, dword ptr [ebx+C]
009FD49B E8 B851FCFF call 009C2658
;;F8
009FD4A0 8B43 04 mov eax, dword ptr [ebx+4]
009FD4A3 A3 3082A000 mov dword ptr [A08230], eax
009FD4A8 8B45 F8 mov eax, dword ptr [ebp-8]
009FD4AB E8 B450FCFF call 009C2564
;;F8
009FD4B0 /EB 07 jmp short 009FD4B9
009FD4B2 |33C0 xor eax, eax
009FD4B4 |A3 2C82A000 mov dword ptr [A0822C], eax
009FD4B9 \E8 9EE7FFFF call 009FBC5C
;;F8
009FD4BE 33C0 xor eax, eax
009FD4C0 55 push ebp
009FD4C1 68 DCD49F00 push 9FD4DC
009FD4C6 64:FF30 push dword ptr fs:[eax]
009FD4C9 64:8920 mov dword ptr fs:[eax], esp
009FD4CC EB 01 jmp short 009FD4CF
009FD4CF 0000 add byte ptr [eax], al
;;每次执行到这里,eax的值是0,所以对[0]的访问就会产生一个异常;注意 009FD4C0-009FD4C9 刚刚通过 fs:[0] 安装了一个 SEH 帧(处理程序 009FD4DC),这个异常应该是壳故意触发、交给该处理程序去处理的,而调试器会先于程序截获它。然后再执行,就会显示“1.exe 遇到问题需要关闭。”
;;如果没有在隐藏OD的情况下,就会出现“探测到调试器 - 请关闭后重启!Windows NT 用户请注意:已安装了WinIce/SoftIce服务,这意味这你正在运行调试器!”
;;一直无法成功脱去这个壳,请求哪个朋友可以帮忙指点,谢谢!
ASProtect 1.2x - 1.3x [Registered] -> Alexey Solodovnikov
但是在脱了第一层以后,再用PEiD检测显示加了
ASPack 2.12 -> Alexey Solodovnikov
-----------------------------------
脱壳说明:
F7单步步入
F8单步步过
F4运行到选定地址
----------------------------------
00401000 > 68 01704400 push 00447001
00401005 E8 01000000 call 0040100B
;;F7
0040100B C3 retn
0040100A C3 retn
00447001 60 pushad
00447002 E8 03000000 call 0044700A
;;F7
0044700A 5D pop ebp ; 1.00447007
0044700B 45 inc ebp
0044700C 55 push ebp
0044700D C3 retn
00447008 /EB 04 jmp short 0044700E
0044700E E8 01000000 call 00447014
;;F7
00447014 5D pop ebp ; 1.00447013
00447015 BB EDFFFFFF mov ebx, -13
0044701A 03DD add ebx, ebp
0044701C 81EB 00700400 sub ebx, 47000
00447022 807D 4D 01 cmp byte ptr [ebp+4D], 1
00447026 75 0C jnz short 00447034
00447034 8D45 53 lea eax, dword ptr [ebp+53]
00447037 50 push eax
00447038 53 push ebx
00447039 FFB5 F1090000 push dword ptr [ebp+9F1]
0044703F 8D45 35 lea eax, dword ptr [ebp+35]
00447042 50 push eax
00447043 E9 82000000 jmp 004470CA
004470CA /E9 0D000000 jmp 004470DC
004470DC E8 0F000000 call 004470F0
;;F7
004470F0 BF 36BDE773 mov edi, 73E7BD36
004470F5 5E pop esi
004470F6 57 push edi
004470F7 E9 05000000 jmp 00447101
00447101 5F pop edi
00447102 81C6 78080000 add esi, 878
00447108 68 E6DF7747 push 4777DFE6
0044710D 5A pop edx
0044710E B9 ED010000 mov ecx, 1ED
00447113 B6 BD mov dh, 0BD
00447115 8B1E mov ebx, dword ptr [esi]
00447117 8BC2 mov eax, edx
00447119 81C3 03B9C14D add ebx, 4DC1B903
0044711F E8 12000000 call 00447136
;;F7
00447136 B8 15FC0300 mov eax, 3FC15
0044713B 5A pop edx
0044713C 81EB 80E02C7D sub ebx, 7D2CE080
00447142 68 F68FB87D push 7DB88FF6
00447147 8AC6 mov al, dh
00447149 5A pop edx
0044714A 81F3 B9C6821B xor ebx, 1B82C6B9
00447150 BF DA720073 mov edi, 730072DA
00447155 53 push ebx
00447156 8BD0 mov edx, eax
00447158 8F06 pop dword ptr [esi]
0044715A 0FB7C3 movzx eax, bx
0044715D 83EE 02 sub esi, 2
00447160 4E dec esi
00447161 4E dec esi
00447162 E9 0B000000 jmp 00447172
00447172 49 dec ecx
00447173 /0F85 0F000000 jnz 00447188
00447188 /0F83 04000000 jnb 00447192
00447192 ^\E9 7EFFFFFF jmp 00447115
;;这里一直循环执行,所以F4到
004471A9 8BCB mov ecx, ebx
004471AB E8 0A000000 call 004471BA
;;F7
004471BA 0FB7CF movzx ecx, di
004471BD 5F pop edi
004471BE E9 10000000 jmp 004471D3
004471D3 81C7 AC070000 add edi, 7AC
004471D9 E8 0B000000 call 004471E9
;;F7
004471E9 5A pop edx ; 1.004471DE
004471EA BB 00000000 mov ebx, 0
004471EF 81EA BFF7C031 sub edx, 31C0F7BF
004471F5 8B041F mov eax, dword ptr [edi+ebx]
004471F8 0FBFF6 movsx esi, si
004471FB 81F0 464DCE69 xor eax, 69CE4D46
00447201 0F8E 03000000 jle 0044720A
00447207 0FB7CB movzx ecx, bx
0044720A 81C0 076B8672 add eax, 72866B07
00447210 E8 0A000000 call 0044721F
;;F7
0044721F 50 push eax
00447220 52 push edx
00447221 59 pop ecx
00447222 5E pop esi
00447223 5A pop edx
00447224 81C0 34E44146 add eax, 4641E434
0044722A 50 push eax
0044722B 66:B9 ABE6 mov cx, 0E6AB
0044722F 8F041F pop dword ptr [edi+ebx]
00447232 66:8BCA mov cx, dx
00447235 83EB 01 sub ebx, 1
00447238 0FBFF6 movsx esi, si
0044723B 4B dec ebx
0044723C 4B dec ebx
0044723D 4B dec ebx
0044723E BA 76796614 mov edx, 14667976
00447243 81FB 18F9FFFF cmp ebx, -6E8
00447249 0F85 18000000 jnz 00447267
;;F4
0044724F BA 505A7A10 mov edx, 107A5A50
00447254 /E9 1F000000 jmp 00447278
00447278 0FBFC0 movsx eax, ax
0044727B E8 0C000000 call 0044728C
;;F7
0044728C /E9 0B000000 jmp 0044729C
0044729C 59 pop ecx ; 1.00447280
0044729D B7 A3 mov bh, 0A3
0044729F 81C1 D9060000 add ecx, 6D9
004472A5 E8 05000000 call 004472AF
;;F7
004472AF 66:B8 D7BC mov ax, 0BCD7
004472B3 5B pop ebx ; 1.004472AA
004472B4 BF 00000000 mov edi, 0
004472B9 E8 0E000000 call 004472CC
;;F7
004472CC 81CB D544C151 or ebx, 51C144D5
004472D2 58 pop eax
004472D3 FF340F push dword ptr [edi+ecx]
004472D6 81C6 24CADD37 add esi, 37DDCA24
004472DC 5A pop edx
004472DD 8BF3 mov esi, ebx
004472DF 81F2 22F1CB5C xor edx, 5CCBF122
004472E5 BE 450D9E07 mov esi, 79E0D45
004472EA 81C2 B3379A48 add edx, 489A37B3
004472F0 66:81D8 6628 sbb ax, 2866
004472F5 81EA 7071146E sub edx, 6E147170
004472FB 53 push ebx
004472FC 8BC6 mov eax, esi
004472FE 5B pop ebx
004472FF 891439 mov dword ptr [ecx+edi], edx
00447302 0FBFF0 movsx esi, ax
00447305 68 6D82FB6E push 6EFB826D
0044730A 5B pop ebx
0044730B 83EF 04 sub edi, 4
0044730E 66:8BC7 mov ax, di
00447311 81FF E8F9FFFF cmp edi, -618
00447317 0F85 19000000 jnz 00447336
;;F4
0044731D /0F8C 08000000 jl 0044732B
00447323 52 push edx
00447324 68 9E53F163 push 63F1539E
00447329 5B pop ebx
0044732A 58 pop eax
0044732B E9 15000000 jmp 00447345
00447345 68 F9928710 push 108792F9
0044734A 5B pop ebx
0044734B E8 0F000000 call 0044735F
;;F7
0044735F /E9 0D000000 jmp 00447371
00447371 5F pop edi ; 1.00447350
00447372 81C3 4DCF160E add ebx, 0E16CF4D
00447378 81C7 0A060000 add edi, 60A
0044737E E9 05000000 jmp 00447388
00447388 BA 00000000 mov edx, 0
0044738D BB 26EFFC0D mov ebx, 0DFCEF26
00447392 FF343A push dword ptr [edx+edi]
00447395 56 push esi
00447396 8BCA mov ecx, edx
00447398 5B pop ebx
00447399 58 pop eax
0044739A 0FB7F3 movzx esi, bx
0044739D 81C0 A8D9556B add eax, 6B55D9A8
004473A3 0F88 06000000 js 004473AF
004473A9 68 62913229 push 29329162
004473AE 5B pop ebx
004473AF 81C0 C10CCF5B add eax, 5BCF0CC1
004473B5 8BDE mov ebx, esi
004473B7 81F0 666C510B xor eax, 0B516C66
004473BD BE 9D46AE6D mov esi, 6DAE469D
004473C2 890417 mov dword ptr [edi+edx], eax
004473C5 /0F8F 06000000 jg 004473D1
004473CB |81DE 6A76A91F sbb esi, 1FA9766A
004473D1 \66:81F6 A44F xor si, 4FA4
004473D6 81EA C2689E6F sub edx, 6F9E68C2
004473DC BE 2F1DE22B mov esi, 2BE21D2F
004473E1 81C2 BE689E6F add edx, 6F9E68BE
004473E7 81C6 28C34F1A add esi, 1A4FC328
004473ED 81FA D4FAFFFF cmp edx, -52C
004473F3 0F85 22000000 jnz 0044741B
;;F4
004473F9 /E9 09000000 jmp 00447407
00447407 /E9 26000000 jmp 00447432
00447432 E8 00000000 call 00447437
;;F8
00447437 5D pop ebp ; 1.00447437
00447438 5B pop ebx
00447439 895D 5B mov dword ptr [ebp+5B], ebx
0044743C 5B pop ebx
0044743D 895D 5F mov dword ptr [ebp+5F], ebx
00447440 58 pop eax
00447441 8985 0D040000 mov dword ptr [ebp+40D], eax
00447447 58 pop eax
00447448 807D 5A 01 cmp byte ptr [ebp+5A], 1
0044744C 75 59 jnz short 004474A7
004474A7 E8 9C020000 call 00447748
;;F8
004474AC FC cld
004474AD 8DB5 8C000000 lea esi, dword ptr [ebp+8C]
004474B3 AD lods dword ptr [esi]
004474B4 0BC0 or eax, eax
004474B6 74 1B je short 004474D3
004474B8 8BF8 mov edi, eax
004474BA B9 0C000000 mov ecx, 0C
004474BF F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
004474C1 EB 10 jmp short 004474D3
004474D3 89A5 29040000 mov dword ptr [ebp+429], esp
004474D9 6A 40 push 40
004474DB 68 00100000 push 1000
004474E0 FFB5 08040000 push dword ptr [ebp+408]
004474E6 6A 00 push 0
004474E8 FF95 F0030000 call dword ptr [ebp+3F0] ; kernel32.VirtualAlloc
;;F8
004474EE 8985 CC010000 mov dword ptr [ebp+1CC], eax
004474F4 8B9D 00040000 mov ebx, dword ptr [ebp+400]
004474FA 039D 0D040000 add ebx, dword ptr [ebp+40D]
00447500 50 push eax
00447501 53 push ebx
00447502 E8 04010000 call 0044760B
;;F8
00447507 6A 40 push 40
00447509 68 00100000 push 1000
0044750E FFB5 08040000 push dword ptr [ebp+408]
00447514 6A 00 push 0
00447516 FF95 F0030000 call dword ptr [ebp+3F0] ; kernel32.VirtualAlloc
;;F8
0044751C 8985 31040000 mov dword ptr [ebp+431], eax
00447522 8985 D0010000 mov dword ptr [ebp+1D0], eax
00447528 64:67:A1 0000 mov eax, dword ptr fs:[0]
0044752D 8985 2D040000 mov dword ptr [ebp+42D], eax
00447533 8B55 5B mov edx, dword ptr [ebp+5B]
00447536 8B85 D0010000 mov eax, dword ptr [ebp+1D0]
0044753C 8902 mov dword ptr [edx], eax
0044753E 8B85 08040000 mov eax, dword ptr [ebp+408]
00447544 8942 04 mov dword ptr [edx+4], eax
00447547 8D85 9F030000 lea eax, dword ptr [ebp+39F]
0044754D 8B40 55 mov eax, dword ptr [eax+55]
00447550 8942 08 mov dword ptr [edx+8], eax
00447553 8B85 EC030000 mov eax, dword ptr [ebp+3EC]
00447559 8942 10 mov dword ptr [edx+10], eax
0044755C 8B85 E8030000 mov eax, dword ptr [ebp+3E8]
00447562 8942 14 mov dword ptr [edx+14], eax
00447565 8B95 CC010000 mov edx, dword ptr [ebp+1CC]
0044756B BB F8010000 mov ebx, 1F8
00447570 8B7C1A 0C mov edi, dword ptr [edx+ebx+C]
00447574 0BFF or edi, edi
00447576 74 1E je short 00447596
00447578 8B4C1A 10 mov ecx, dword ptr [edx+ebx+10]
0044757C 0BC9 or ecx, ecx
0044757E 74 11 je short 00447591
00447580 03BD D0010000 add edi, dword ptr [ebp+1D0]
00447586 8B741A 14 mov esi, dword ptr [edx+ebx+14]
0044758A 03F2 add esi, edx
0044758C C1F9 02 sar ecx, 2
0044758F F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00447591 83C3 28 add ebx, 28
00447594 ^ EB DA jmp short 00447570
;;F4
00447596 8B85 CC010000 mov eax, dword ptr [ebp+1CC]
0044759C 50 push eax
0044759D 8B95 D0010000 mov edx, dword ptr [ebp+1D0]
004475A3 52 push edx
004475A4 8B18 mov ebx, dword ptr [eax]
004475A6 03DA add ebx, edx
004475A8 8B85 E4030000 mov eax, dword ptr [ebp+3E4]
004475AE 8903 mov dword ptr [ebx], eax
004475B0 8B85 E8030000 mov eax, dword ptr [ebp+3E8]
004475B6 8943 04 mov dword ptr [ebx+4], eax
004475B9 8B85 EC030000 mov eax, dword ptr [ebp+3EC]
004475BF 8943 08 mov dword ptr [ebx+8], eax
004475C2 5F pop edi
004475C3 5E pop esi
004475C4 8B46 04 mov eax, dword ptr [esi+4]
004475C7 03C7 add eax, edi
004475C9 8985 C7010000 mov dword ptr [ebp+1C7], eax
004475CF 8B55 5B mov edx, dword ptr [ebp+5B]
004475D2 8B85 C7010000 mov eax, dword ptr [ebp+1C7]
004475D8 8942 0C mov dword ptr [edx+C], eax
004475DB 8D9D 0D040000 lea ebx, dword ptr [ebp+40D]
004475E1 53 push ebx
004475E2 6A 00 push 0
004475E4 6A 00 push 0
004475E6 6A 01 push 1
004475E8 57 push edi
004475E9 8B5E 08 mov ebx, dword ptr [esi+8]
004475EC 03DF add ebx, edi
004475EE 53 push ebx
004475EF 68 00800000 push 8000
004475F4 6A 00 push 0
004475F6 56 push esi
004475F7 FF95 F4030000 call dword ptr [ebp+3F4] ; kernel32.VirtualFree
;;F8
004475FD 68 00E0A000 push 0A0E000
00447602 C3 retn
;;F8 —— 注意:这里的 push 0A0E000 / retn 不是跳到 OEP,而是转入第二层壳的入口:紧接着 00A0E001 就是 pushad,后面还在用 GetModuleHandleA/GetProcAddress 重新取 VirtualAlloc、VirtualFree,这是典型的壳代码而不是程序本体。00A0E000 也不在原始映像(0040xxxx)范围内,应该是上面 VirtualAlloc 分配出来的内存,在这里 dump 是没有意义的。
00A0E000 90 nop
00A0E001 60 pushad
00A0E002 E8 40060000 call 00A0E647
;;F8
00A0E007 /EB 44 jmp short 00A0E04D
00A0E04D BB 44294400 mov ebx, 442944
00A0E052 03DD add ebx, ebp
00A0E054 2B9D 71294400 sub ebx, dword ptr [ebp+442971]
00A0E05A 83BD D8304400 00 cmp dword ptr [ebp+4430D8], 0
00A0E061 899D 2F2E4400 mov dword ptr [ebp+442E2F], ebx
00A0E067 0F85 3E050000 jnz 00A0E5AB
00A0E06D 8D85 E0304400 lea eax, dword ptr [ebp+4430E0]
00A0E073 50 push eax
00A0E074 FF95 EC314400 call dword ptr [ebp+4431EC] ; kernel32.GetModuleHandleA
;;F8
00A0E07A 8985 DC304400 mov dword ptr [ebp+4430DC], eax ; kernel32.77E40000
00A0E080 8BF8 mov edi, eax
00A0E082 8D9D ED304400 lea ebx, dword ptr [ebp+4430ED]
00A0E088 53 push ebx
00A0E089 50 push eax
00A0E08A FF95 E8314400 call dword ptr [ebp+4431E8] ; kernel32.GetProcAddress
;;F8
00A0E090 8985 79294400 mov dword ptr [ebp+442979], eax ; kernel32.VirtualAlloc
00A0E096 8D9D FA304400 lea ebx, dword ptr [ebp+4430FA]
00A0E09C 53 push ebx
00A0E09D 57 push edi
00A0E09E FF95 E8314400 call dword ptr [ebp+4431E8] ; kernel32.GetProcAddress
;;F8
00A0E0A4 8985 7D294400 mov dword ptr [ebp+44297D], eax ; kernel32.VirtualFree
00A0E0AA 8B85 2F2E4400 mov eax, dword ptr [ebp+442E2F]
00A0E0B0 8985 D8304400 mov dword ptr [ebp+4430D8], eax
00A0E0B6 6A 04 push 4
00A0E0B8 68 00100000 push 1000
00A0E0BD 68 46050000 push 546
00A0E0C2 6A 00 push 0
00A0E0C4 FF95 79294400 call dword ptr [ebp+442979] ; kernel32.VirtualAlloc
;;F8
00A0E0CA 8985 75294400 mov dword ptr [ebp+442975], eax
00A0E0D0 8D9D 452A4400 lea ebx, dword ptr [ebp+442A45]
00A0E0D6 50 push eax
00A0E0D7 53 push ebx
00A0E0D8 E8 74050000 call 00A0E651
;;F8
00A0E0DD 8BC8 mov ecx, eax
00A0E0DF 8DBD 452A4400 lea edi, dword ptr [ebp+442A45]
00A0E0E5 8BB5 75294400 mov esi, dword ptr [ebp+442975]
00A0E0EB F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
00A0E0ED 8B85 75294400 mov eax, dword ptr [ebp+442975]
00A0E0F3 68 00800000 push 8000
00A0E0F8 6A 00 push 0
00A0E0FA 50 push eax
00A0E0FB FF95 7D294400 call dword ptr [ebp+44297D] ; kernel32.VirtualFree
;;F8
00A0E101 8D85 512C4400 lea eax, dword ptr [ebp+442C51]
00A0E107 50 push eax
00A0E108 C3 retn
;;F8
00A0E30D 8B9D 552A4400 mov ebx, dword ptr [ebp+442A55]
00A0E313 0BDB or ebx, ebx
00A0E315 74 0A je short 00A0E321
00A0E321 8DB5 712A4400 lea esi, dword ptr [ebp+442A71]
00A0E327 833E 00 cmp dword ptr [esi], 0
00A0E32A 0F84 D3000000 je 00A0E403
00A0E330 8DB5 712A4400 lea esi, dword ptr [ebp+442A71]
00A0E336 8B46 04 mov eax, dword ptr [esi+4]
00A0E339 6A 04 push 4
00A0E33B 68 00100000 push 1000
00A0E340 50 push eax
00A0E341 6A 00 push 0
00A0E343 FF95 79294400 call dword ptr [ebp+442979] ; kernel32.VirtualAlloc
;;F8
00A0E349 8985 75294400 mov dword ptr [ebp+442975], eax
00A0E34F 56 push esi
00A0E350 8B1E mov ebx, dword ptr [esi]
00A0E352 039D D8304400 add ebx, dword ptr [ebp+4430D8]
00A0E358 50 push eax
00A0E359 53 push ebx
00A0E35A E8 F2020000 call 00A0E651
;;F8
00A0E35F 80BD 70294400 00 cmp byte ptr [ebp+442970], 0
00A0E366 75 4C jnz short 00A0E3B4
00A0E368 FE85 70294400 inc byte ptr [ebp+442970]
00A0E36E 8B3E mov edi, dword ptr [esi]
00A0E370 03BD D8304400 add edi, dword ptr [ebp+4430D8]
00A0E376 FF37 push dword ptr [edi]
00A0E378 C607 C3 mov byte ptr [edi], 0C3
00A0E37B FFD7 call edi
;;F8 —— 00A0E376~00A0E37D 是壳在改写代码段:先保存 [edi] 的 4 个字节,把第一个字节改成 0C3(ret),call edi 立刻返回,再把原字节恢复。这一段 F7/F8 都无妨,但提醒一点:随后 00A0E3B6~00A0E3CE 会把解压数据整段 rep movs 覆盖到这个区段(pop ebx 显示的 009C1000 就是 RVA 加上实际基址后的地址),所以这之前在 009C1000 附近下的 INT3 软断点都会被覆盖掉,需要的话用硬件断点。
00A0E37D 8F07 pop dword ptr [edi]
00A0E37F 50 push eax
00A0E380 51 push ecx
00A0E381 56 push esi
00A0E382 53 push ebx
00A0E383 8BC8 mov ecx, eax
00A0E385 83E9 06 sub ecx, 6
00A0E388 8BB5 75294400 mov esi, dword ptr [ebp+442975]
00A0E38E 33DB xor ebx, ebx
00A0E390 0BC9 or ecx, ecx
00A0E392 74 1C je short 00A0E3B0
00A0E394 /78 1A js short 00A0E3B0
00A0E396 AC lods byte ptr [esi]
00A0E397 3C E8 cmp al, 0E8
00A0E399 74 08 je short 00A0E3A3
00A0E39B 3C E9 cmp al, 0E9
00A0E39D 74 04 je short 00A0E3A3
00A0E39F 43 inc ebx
00A0E3A0 49 dec ecx
00A0E3A1 ^ EB ED jmp short 00A0E390
;;F4
00A0E3B0 5B pop ebx ; 009C1000
00A0E3B1 5E pop esi
00A0E3B2 59 pop ecx
00A0E3B3 58 pop eax
00A0E3B4 8BC8 mov ecx, eax
00A0E3B6 8B3E mov edi, dword ptr [esi]
00A0E3B8 03BD D8304400 add edi, dword ptr [ebp+4430D8]
00A0E3BE 8BB5 75294400 mov esi, dword ptr [ebp+442975]
00A0E3C4 C1F9 02 sar ecx, 2
00A0E3C7 F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00A0E3C9 8BC8 mov ecx, eax
00A0E3CB 83E1 03 and ecx, 3
00A0E3CE F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
00A0E3D0 5E pop esi
00A0E3D1 8B85 75294400 mov eax, dword ptr [ebp+442975]
00A0E3D7 68 00800000 push 8000
00A0E3DC 6A 00 push 0
00A0E3DE 50 push eax
00A0E3DF FF95 7D294400 call dword ptr [ebp+44297D] ; kernel32.VirtualFree
;;F8
00A0E3E5 83C6 08 add esi, 8
00A0E3E8 833E 00 cmp dword ptr [esi], 0
00A0E3EB ^ 0F85 45FFFFFF jnz 00A0E336
;;F4
00A0E3F1 8B9D 552A4400 mov ebx, dword ptr [ebp+442A55]
00A0E3F7 0BDB or ebx, ebx
00A0E3F9 /74 08 je short 00A0E403
00A0E3FB |8B03 mov eax, dword ptr [ebx]
00A0E3FD |8785 592A4400 xchg dword ptr [ebp+442A59], eax
00A0E403 \8B95 D8304400 mov edx, dword ptr [ebp+4430D8]
00A0E409 8B85 512A4400 mov eax, dword ptr [ebp+442A51]
00A0E40F 2BD0 sub edx, eax
00A0E411 74 75 je short 00A0E488
00A0E413 8BC2 mov eax, edx
00A0E415 C1E8 10 shr eax, 10
00A0E418 33DB xor ebx, ebx
00A0E41A 8BB5 5D2A4400 mov esi, dword ptr [ebp+442A5D]
00A0E420 03B5 D8304400 add esi, dword ptr [ebp+4430D8]
00A0E426 833E 00 cmp dword ptr [esi], 0
00A0E429 74 5D je short 00A0E488
00A0E42B 8B4E 04 mov ecx, dword ptr [esi+4]
00A0E42E 83E9 08 sub ecx, 8
00A0E431 D1E9 shr ecx, 1
00A0E433 8B3E mov edi, dword ptr [esi]
00A0E435 03BD D8304400 add edi, dword ptr [ebp+4430D8]
00A0E43B 83C6 08 add esi, 8
00A0E43E 66:8B1E mov bx, word ptr [esi]
00A0E441 C1EB 0C shr ebx, 0C
00A0E444 83FB 01 cmp ebx, 1
00A0E447 74 0C je short 00A0E455
00A0E449 83FB 02 cmp ebx, 2
00A0E44C 74 16 je short 00A0E464
00A0E44E 83FB 03 cmp ebx, 3
00A0E451 74 20 je short 00A0E473
00A0E473 66:8B1E mov bx, word ptr [esi]
00A0E476 81E3 FF0F0000 and ebx, 0FFF
00A0E47C 01141F add dword ptr [edi+ebx], edx
00A0E47F EB 00 jmp short 00A0E481
00A0E481 83C6 02 add esi, 2
00A0E484 ^ E2 B8 loopd short 00A0E43E
;;F4 —— 00A0E42B~00A0E484 是在走标准的 PE 基址重定位表:每项 16 位,高 4 位是类型(00A0E441 shr 0C),低 12 位是页内偏移(00A0E476 and 0FFF),类型 3(HIGHLOW)时把 delta 加到 [edi+offset]。delta = edx = 实际基址 [ebp+4430D8] − 原始基址 [ebp+442A51](00A0E40F)。能走进这个循环说明 00A0E411 的 je 没有跳,即 delta 不为 0:解压出来的程序被搬到了一个新的基址(从 009C1000 这类地址推测在 009C0000 附近,需确认),dump 和修 ImageBase 都要以这个实际基址为准。
00A0E488 8BB5 612A4400 mov esi, dword ptr [ebp+442A61]
00A0E48E 8B95 D8304400 mov edx, dword ptr [ebp+4430D8]
00A0E494 03F2 add esi, edx
00A0E496 8B46 0C mov eax, dword ptr [esi+C]
00A0E499 85C0 test eax, eax
00A0E49B 0F84 0A010000 je 00A0E5AB
00A0E4A1 03C2 add eax, edx
00A0E4A3 8BD8 mov ebx, eax
00A0E4A5 50 push eax
00A0E4A6 FF95 EC314400 call dword ptr [ebp+4431EC] ; kernel32.GetModuleHandleA
;;f8
00A0E4AC 85C0 test eax, eax ; kernel32.77E40000
00A0E4AE /75 07 jnz short 00A0E4B7
00A0E4B0 |53 push ebx
00A0E4B1 |FF95 F0314400 call dword ptr [ebp+4431F0]
00A0E4B7 \8985 4D294400 mov dword ptr [ebp+44294D], eax
00A0E4BD C785 51294400 00000000 mov dword ptr [ebp+442951], 0
00A0E4C7 8B95 D8304400 mov edx, dword ptr [ebp+4430D8]
00A0E4CD 8B06 mov eax, dword ptr [esi]
00A0E4CF 85C0 test eax, eax
00A0E4D1 75 03 jnz short 00A0E4D6
00A0E4D3 8B46 10 mov eax, dword ptr [esi+10]
00A0E4D6 03C2 add eax, edx
00A0E4D8 0385 51294400 add eax, dword ptr [ebp+442951]
00A0E4DE 8B18 mov ebx, dword ptr [eax]
00A0E4E0 8B7E 10 mov edi, dword ptr [esi+10]
00A0E4E3 03FA add edi, edx
00A0E4E5 03BD 51294400 add edi, dword ptr [ebp+442951]
00A0E4EB 85DB test ebx, ebx
00A0E4ED 0F84 A2000000 je 00A0E595
00A0E4F3 F7C3 00000080 test ebx, 80000000
00A0E4F9 75 04 jnz short 00A0E4FF
00A0E4FB 03DA add ebx, edx
00A0E4FD 43 inc ebx
00A0E4FE 43 inc ebx
00A0E4FF 53 push ebx
00A0E500 81E3 FFFFFF7F and ebx, 7FFFFFFF
00A0E506 53 push ebx
00A0E507 FFB5 4D294400 push dword ptr [ebp+44294D]
00A0E50D FF95 E8314400 call dword ptr [ebp+4431E8] ; kernel32.GetProcAddress
;;F8
00A0E513 85C0 test eax, eax ; kernel32.GetCurrentThreadId
00A0E515 5B pop ebx
00A0E516 75 6F jnz short 00A0E587
00A0E587 8907 mov dword ptr [edi], eax ; kernel32.GetCurrentThreadId
00A0E589 8385 51294400 04 add dword ptr [ebp+442951], 4
00A0E590 ^ E9 32FFFFFF jmp 00A0E4C7
;;F4 —— 00A0E4C7~00A0E590 是在重建输入表:对每个 thunk 用 GetProcAddress 取到地址后直接写回 [edi](00A0E587),所以到 OEP 时 IAT 里已经是真实地址;但每个 DLL 处理完后 00A0E595~00A0E59A 又把描述符的几个字段覆盖掉了,dump 出来的输入目录不能直接用,要用 ImportREC 之类的工具按实际 IAT 重建。GetModuleHandleA 失败时走的 [ebp+4431F0](00A0E4B1)OD 没有标注,推测是 LoadLibraryA,需要确认。
00A0E595 8906 mov dword ptr [esi], eax
00A0E597 8946 0C mov dword ptr [esi+C], eax
00A0E59A 8946 10 mov dword ptr [esi+10], eax
00A0E59D 83C6 14 add esi, 14
00A0E5A0 8B95 D8304400 mov edx, dword ptr [ebp+4430D8]
00A0E5A6 ^ E9 EBFEFFFF jmp 00A0E496
;;F4
00A0E5AB 8B85 652A4400 mov eax, dword ptr [ebp+442A65]
00A0E5B1 50 push eax
00A0E5B2 0385 D8304400 add eax, dword ptr [ebp+4430D8]
00A0E5B8 5B pop ebx
00A0E5B9 0BDB or ebx, ebx
00A0E5BB 8985 112F4400 mov dword ptr [ebp+442F11], eax
00A0E5C1 61 popad
00A0E5C2 /75 08 jnz short 00A0E5CC
;;跳转已实现
00A0E5C4 |B8 01000000 mov eax, 1
00A0E5C9 |C2 0C00 retn 0C
00A0E5CC \68 B0E59F00 push 9FE5B0
00A0E5D1 C3 retn
;;F8 —— 这里 push 9FE5B0 / retn 是壳把控制权交给程序本体(00A0E5C2 的 jnz 跳过了 mov eax,1 / retn 0C 那条 DLL 式返回路径)。009FE5B0 处 push ebp / mov ebp,esp / add esp,-4C / mov eax,xxx / call 的写法,加上后面反复出现的 xor eax,eax / push ebp / push 地址 / push fs:[eax] / mov fs:[eax],esp 帧,看起来像 Delphi 程序的主入口,很可能就是真正的 OEP。但它位于被重定位后的映像(009Cxxxx~00A0xxxx)里,不在原来的 00400000 映像中,所以要 dump 的是这块实际加载基址所在的内存,并相应修正 ImageBase。
009FE5B0 55 push ebp ; 1.00447437
009FE5B1 8BEC mov ebp, esp
009FE5B3 83C4 B4 add esp, -4C
009FE5B6 B8 B8E29F00 mov eax, 9FE2B8
009FE5BB E8 C877FCFF call 009C5D88
;;F8
009FE5C0 E8 FB4FFCFF call 009C35C0
;;F7
009C35C0 53 push ebx
009C35C1 56 push esi
009C35C2 57 push edi
009C35C3 55 push ebp
009C35C4 BB 9C04A000 mov ebx, 0A0049C
009C35C9 BE 3000A000 mov esi, 0A00030
009C35CE BF 3400A000 mov edi, 0A00034
009C35D3 807B 24 00 cmp byte ptr [ebx+24], 0
009C35D7 75 16 jnz short 009C35EF
009C35EF 833D 3800A000 00 cmp dword ptr [A00038], 0
009C35F6 74 47 je short 009C363F
009C363F 807B 24 02 cmp byte ptr [ebx+24], 2
009C3643 75 0A jnz short 009C364F
009C3645 833E 00 cmp dword ptr [esi], 0
009C3648 75 05 jnz short 009C364F
009C364A 33C0 xor eax, eax
009C364C 8943 0C mov dword ptr [ebx+C], eax
009C364F E8 48FDFFFF call 009C339C
;;F8
009C3654 807B 24 01 cmp byte ptr [ebx+24], 1
009C3658 76 05 jbe short 009C365F
009C365A 833E 00 cmp dword ptr [esi], 0
009C365D 74 1D je short 009C367C
009C367C E8 F3FCFFFF call 009C3374
;;F8
009C3681 807B 24 01 cmp byte ptr [ebx+24], 1
009C3685 /75 03 jnz short 009C368A
;;跳转已实现
009C3687 |FF53 28 call dword ptr [ebx+28]
009C368A \807B 24 00 cmp byte ptr [ebx+24], 0
009C368E /74 05 je short 009C3695
009C3690 E8 F7FEFFFF call 009C358C
;;F7
009C358C BF 9C04A000 mov edi, 0A0049C
009C3591 8B1D B404A000 mov ebx, dword ptr [A004B4]
009C3597 8B2D B004A000 mov ebp, dword ptr [A004B0]
009C359D FF77 1C push dword ptr [edi+1C]
009C35A0 FF77 20 push dword ptr [edi+20]
009C35A3 8B37 mov esi, dword ptr [edi]
009C35A5 B9 0B000000 mov ecx, 0B
009C35AA F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
009C35AC 5F pop edi
009C35AD 5E pop esi
009C35AE 31C0 xor eax, eax
009C35B0 8705 3000A000 xchg dword ptr [A00030], eax
009C35B6 F7D8 neg eax
009C35B8 19C0 sbb eax, eax
009C35BA 40 inc eax
009C35BB C9 leave
009C35BC C2 0C00 retn 0C
;;F8
009FD510 55 push ebp ; 1.00447437
009FD511 8BEC mov ebp, esp
009FD513 53 push ebx
009FD514 56 push esi
009FD515 57 push edi
009FD516 A1 BCFA9F00 mov eax, dword ptr [9FFABC]
009FD51B 8B55 08 mov edx, dword ptr [ebp+8]
009FD51E 8910 mov dword ptr [eax], edx
009FD520 A1 BCFA9F00 mov eax, dword ptr [9FFABC]
009FD525 8B00 mov eax, dword ptr [eax]
009FD527 8B00 mov eax, dword ptr [eax]
009FD529 8B15 D4FA9F00 mov edx, dword ptr [9FFAD4]
009FD52F 8902 mov dword ptr [edx], eax
009FD531 E8 6A6AFEFF call 009E3FA0
;;F8
009FD536 33C0 xor eax, eax
009FD538 55 push ebp
009FD539 68 72D59F00 push 9FD572
009FD53E 64:FF30 push dword ptr fs:[eax]
009FD541 64:8920 mov dword ptr fs:[eax], esp
009FD544 68 E8EB9C00 push 9CEBE8 ; ASCII "h轙*;h?"
009FD549 68 ACD59F00 push 9FD5AC
009FD54E 68 5CC89F00 push 9FC85C
009FD553 68 ACCC9F00 push 9FCCAC
009FD558 68 84C59F00 push 9FC584
009FD55D 68 D4BF9F00 push 9FBFD4
009FD562 68 94D29F00 push 9FD294
009FD567 C3 retn
;;F8
009FD294 55 push ebp
009FD295 8BEC mov ebp, esp
009FD297 83C4 F4 add esp, -0C
009FD29A 53 push ebx
009FD29B 56 push esi
009FD29C 57 push edi
009FD29D A1 6CFA9F00 mov eax, dword ptr [9FFA6C]
009FD2A2 C600 C9 mov byte ptr [eax], 0C9
009FD2A5 B2 01 mov dl, 1
009FD2A7 A1 F4419E00 mov eax, dword ptr [9E41F4]
009FD2AC E8 F76FFEFF call 009E42A8
;;F8
009FD2B1 A3 3882A000 mov dword ptr [A08238], eax
009FD2B6 B2 01 mov dl, 1
009FD2B8 A1 F4419E00 mov eax, dword ptr [9E41F4]
009FD2BD E8 E66FFEFF call 009E42A8
;;F8
009FD2C2 8945 FC mov dword ptr [ebp-4], eax
009FD2C5 A1 50FA9F00 mov eax, dword ptr [9FFA50]
009FD2CA BA A4000000 mov edx, 0A4
009FD2CF E8 388EFCFF call 009C610C
;;F8
009FD2D4 B2 01 mov dl, 1
009FD2D6 A1 84C69E00 mov eax, dword ptr [9EC684]
009FD2DB E8 74F4FEFF call 009EC754
;;F8
009FD2E0 8B15 DCF99F00 mov edx, dword ptr [9FF9DC]
009FD2E6 8902 mov dword ptr [edx], eax
009FD2E8 B2 01 mov dl, 1
009FD2EA A1 6CD89E00 mov eax, dword ptr [9ED86C]
009FD2EF E8 D005FFFF call 009ED8C4
;;F8
009FD2F4 A3 3482A000 mov dword ptr [A08234], eax
009FD2F9 B2 01 mov dl, 1
009FD2FB A1 7C809E00 mov eax, dword ptr [9E807C]
009FD300 E8 F3ADFEFF call 009E80F8
;;F8
009FD305 A3 7082A000 mov dword ptr [A08270], eax
009FD30A B2 01 mov dl, 1
009FD30C A1 DC859F00 mov eax, dword ptr [9F85DC]
009FD311 E8 3AB4FFFF call 009F8750
;;F8
009FD316 A3 7482A000 mov dword ptr [A08274], eax
009FD31B A1 BCFA9F00 mov eax, dword ptr [9FFABC]
009FD320 8B00 mov eax, dword ptr [eax]
009FD322 8A00 mov al, byte ptr [eax]
009FD324 8B15 14FA9F00 mov edx, dword ptr [9FFA14]
009FD32A 8802 mov byte ptr [edx], al
009FD32C A1 BCFA9F00 mov eax, dword ptr [9FFABC]
009FD331 8B00 mov eax, dword ptr [eax]
009FD333 83E8 11 sub eax, 11
009FD336 8B15 BCFA9F00 mov edx, dword ptr [9FFABC]
009FD33C 8B12 mov edx, dword ptr [edx]
009FD33E 8B12 mov edx, dword ptr [edx]
009FD340 0350 04 add edx, dword ptr [eax+4]
009FD343 0350 08 add edx, dword ptr [eax+8]
009FD346 A1 B0FA9F00 mov eax, dword ptr [9FFAB0]
009FD34B 8910 mov dword ptr [eax], edx
009FD34D A1 B0FA9F00 mov eax, dword ptr [9FFAB0]
009FD352 8B00 mov eax, dword ptr [eax]
009FD354 8B55 FC mov edx, dword ptr [ebp-4]
009FD357 8942 04 mov dword ptr [edx+4], eax
009FD35A A1 B0FA9F00 mov eax, dword ptr [9FFAB0]
009FD35F 8B00 mov eax, dword ptr [eax]
009FD361 8B15 3882A000 mov edx, dword ptr [A08238]
009FD367 8942 04 mov dword ptr [edx+4], eax
009FD36A A1 6CFA9F00 mov eax, dword ptr [9FFA6C]
009FD36F C600 E5 mov byte ptr [eax], 0E5
009FD372 A1 3882A000 mov eax, dword ptr [A08238]
009FD377 50 push eax
009FD378 E8 8770FEFF call 009E4404
;;F8
009FD37D A1 A0FA9F00 mov eax, dword ptr [9FFAA0]
009FD382 8B80 98000000 mov eax, dword ptr [eax+98]
009FD388 50 push eax
009FD389 8B45 FC mov eax, dword ptr [ebp-4]
009FD38C 50 push eax
009FD38D E8 F270FEFF call 009E4484
;;F8
009FD392 8BD8 mov ebx, eax
009FD394 85DB test ebx, ebx
009FD396 74 12 je short 009FD3AA
009FD398 8B4B 04 mov ecx, dword ptr [ebx+4]
009FD39B 8D53 0C lea edx, dword ptr [ebx+C]
009FD39E A1 40F99F00 mov eax, dword ptr [9FF940]
009FD3A3 E8 508DFCFF call 009C60F8
;;F8
009FD3A8 /EB 0A jmp short 009FD3B4
009FD3AA |68 08D59F00 push 9FD508 ; ASCII "100",CR,LF
009FD3AF |E8 9C83FDFF call 009D5750
009FD3B4 \A1 6CFA9F00 mov eax, dword ptr [9FFA6C]
009FD3B9 C600 E4 mov byte ptr [eax], 0E4
009FD3BC A1 DCF99F00 mov eax, dword ptr [9FF9DC]
009FD3C1 8B00 mov eax, dword ptr [eax]
009FD3C3 E8 4CF9FEFF call 009ECD14
;;F8
009FD3C8 A1 A0FA9F00 mov eax, dword ptr [9FFAA0]
009FD3CD 8B40 1C mov eax, dword ptr [eax+1C]
009FD3D0 50 push eax
009FD3D1 8B45 FC mov eax, dword ptr [ebp-4]
009FD3D4 50 push eax
009FD3D5 E8 AA70FEFF call 009E4484
;;F8
009FD3DA 8BD8 mov ebx, eax
009FD3DC 85DB test ebx, ebx
009FD3DE 74 24 je short 009FD404
009FD3E0 8D45 F4 lea eax, dword ptr [ebp-C]
009FD3E3 50 push eax
009FD3E4 8D4D F8 lea ecx, dword ptr [ebp-8]
009FD3E7 8BD3 mov edx, ebx
009FD3E9 8B45 FC mov eax, dword ptr [ebp-4]
009FD3EC E8 5B74FEFF call 009E484C
;;F8
009FD3F1 8B55 F4 mov edx, dword ptr [ebp-C]
009FD3F4 8B45 F8 mov eax, dword ptr [ebp-8]
009FD3F7 E8 905DFFFF call 009F318C
;;F8
009FD3FC 8B45 F8 mov eax, dword ptr [ebp-8]
009FD3FF E8 6051FCFF call 009C2564
;;F8
009FD404 A1 A0FA9F00 mov eax, dword ptr [9FFAA0]
009FD409 8B40 38 mov eax, dword ptr [eax+38]
009FD40C 50 push eax
009FD40D 8B45 FC mov eax, dword ptr [ebp-4]
009FD410 50 push eax
009FD411 E8 6E70FEFF call 009E4484
;;F8
009FD416 8BD8 mov ebx, eax
009FD418 85DB test ebx, ebx
009FD41A 74 24 je short 009FD440
009FD41C 8D45 F4 lea eax, dword ptr [ebp-C]
009FD41F 50 push eax
009FD420 8D4D F8 lea ecx, dword ptr [ebp-8]
009FD423 8BD3 mov edx, ebx
009FD425 8B45 FC mov eax, dword ptr [ebp-4]
009FD428 E8 1F74FEFF call 009E484C
;;F8
009FD42D 8B55 F4 mov edx, dword ptr [ebp-C]
009FD430 8B45 F8 mov eax, dword ptr [ebp-8]
009FD433 E8 50B1FFFF call 009F8588
;;F8
009FD438 8B45 F8 mov eax, dword ptr [ebp-8]
009FD43B E8 2451FCFF call 009C2564
;;F8
009FD440 A1 6CFA9F00 mov eax, dword ptr [9FFA6C]
009FD445 C600 CA mov byte ptr [eax], 0CA
009FD448 33C0 xor eax, eax
009FD44A A3 3082A000 mov dword ptr [A08230], eax
009FD44F A1 A0FA9F00 mov eax, dword ptr [9FFAA0]
009FD454 8B80 8C000000 mov eax, dword ptr [eax+8C]
009FD45A 50 push eax
009FD45B 8B45 FC mov eax, dword ptr [ebp-4]
009FD45E 50 push eax
009FD45F E8 2070FEFF call 009E4484
;;F8
009FD464 8BD8 mov ebx, eax
009FD466 85DB test ebx, ebx
009FD468 74 48 je short 009FD4B2
009FD46A B8 10270000 mov eax, 2710
009FD46F E8 5054FCFF call 009C28C4
;;F8
009FD474 8945 F4 mov dword ptr [ebp-C], eax
009FD477 8B45 F4 mov eax, dword ptr [ebp-C]
009FD47A E8 CD50FCFF call 009C254C
;;F8
009FD47F 8945 F8 mov dword ptr [ebp-8], eax
009FD482 8B53 04 mov edx, dword ptr [ebx+4]
009FD485 B8 2C82A000 mov eax, 0A0822C
009FD48A E8 99C6FEFF call 009E9B28
;;F8
009FD48F 8B4B 04 mov ecx, dword ptr [ebx+4]
009FD492 8B15 2C82A000 mov edx, dword ptr [A0822C]
009FD498 8D43 0C lea eax, dword ptr [ebx+C]
009FD49B E8 B851FCFF call 009C2658
;;F8
009FD4A0 8B43 04 mov eax, dword ptr [ebx+4]
009FD4A3 A3 3082A000 mov dword ptr [A08230], eax
009FD4A8 8B45 F8 mov eax, dword ptr [ebp-8]
009FD4AB E8 B450FCFF call 009C2564
;;F8
009FD4B0 /EB 07 jmp short 009FD4B9
009FD4B2 |33C0 xor eax, eax
009FD4B4 |A3 2C82A000 mov dword ptr [A0822C], eax
009FD4B9 \E8 9EE7FFFF call 009FBC5C
;;F8
009FD4BE 33C0 xor eax, eax
009FD4C0 55 push ebp
009FD4C1 68 DCD49F00 push 9FD4DC
009FD4C6 64:FF30 push dword ptr fs:[eax]
009FD4C9 64:8920 mov dword ptr fs:[eax], esp
009FD4CC EB 01 jmp short 009FD4CF
009FD4CF 0000 add byte ptr [eax], al
;;每次执行到这里 eax 都是 0(009FD4BE xor eax,eax),add byte ptr [eax],al 要往地址 0 写,于是产生一个写 00000000 的访问违例。注意这个异常是程序自己故意制造的:009FD4C0~009FD4C9 刚刚装好了一个 SEH 帧,handler 就是 push 进去的 009FD4DC,异常本应由它接管。
;;OD 默认会先截住这个异常;如果接着直接按 F8/F9,异常不会交给程序的 handler,最后变成未处理异常,Windows 就弹出“1.exe 遇到问题需要关闭”。正确做法是按 Shift+F9(或 Shift+F7/F8)把异常传给程序,或者在 Options→Debugging options→Exceptions 里勾选忽略内存访问异常;建议先在 009FD4DC 下断点,看 handler 接下来往哪里走——如果异常确实交给了程序仍然弹窗,那就要看 handler 里做了什么检测。
;;至于“探测到调试器 … WinIce/SoftIce”那条提示,是壳自己的调试器检测,跟上面这个异常是两回事,隐藏 OD 只解决了这一部分。
;;一直无法成功脱去这个壳,请求哪个朋友可以帮忙指点,谢谢!