解老王的壳,
用 bp CreateFileA下断,
会断在
; ----------------------------------------------------------------------
; kernel32.CreateFileA — the ANSI entry point, 32-bit stdcall.
; RETN 1C (28 bytes) means seven DWORD arguments, matching CreateFile's
; (lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
;  dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile) — presumably
; [EBP+8] .. [EBP+20] in that order.
; Out: EAX = whatever CreateFileW returns, or -1 (INVALID_HANDLE_VALUE)
;      when the name-conversion helper at 77E89467 returns 0.
; This routine does no real work of its own: it converts the ANSI name and
; forwards to CreateFileW (77E7C229), so a breakpoint here sees only callers
; that go through the A export; a breakpoint on CreateFileW sees both.
; OllyDbg's "newPhoto.00FB500E" annotation on the first line is the return
; address into the debugged module — the caller inside the packed target.
; ----------------------------------------------------------------------
77E7C1F7 > 55 PUSH EBP ; newPhoto.00FB500E
77E7C1F8 8BEC MOV EBP,ESP                ; frame pointer; args start at [EBP+8]
77E7C1FA FF75 08 PUSH DWORD PTR SS:[EBP+8] ; arg: lpFileName (ANSI)
77E7C1FD E8 65D20000 CALL kernel32.77E89467 ; convert name; EAX = 0 on failure, else a pointer (see [EAX+4] below)
77E7C202 85C0 TEST EAX,EAX
77E7C204 75 05 JNZ SHORT kernel32.77E7C20B ; conversion ok -> forward to CreateFileW
77E7C206 83C8 FF OR EAX,FFFFFFFF         ; failure: EAX = -1 = INVALID_HANDLE_VALUE
77E7C209 EB 1A JMP SHORT kernel32.77E7C225 ; skip straight to the epilogue
77E7C20B FF75 20 PUSH DWORD PTR SS:[EBP+20] ; forward args 7..2 unchanged, last first (stdcall order)
77E7C20E FF75 1C PUSH DWORD PTR SS:[EBP+1C]
77E7C211 FF75 18 PUSH DWORD PTR SS:[EBP+18]
77E7C214 FF75 14 PUSH DWORD PTR SS:[EBP+14]
77E7C217 FF75 10 PUSH DWORD PTR SS:[EBP+10]
77E7C21A FF75 0C PUSH DWORD PTR SS:[EBP+C]
77E7C21D FF70 04 PUSH DWORD PTR DS:[EAX+4] ; arg 1 replaced by the converted name; +4 looks like UNICODE_STRING.Buffer — verify
77E7C220 E8 04000000 CALL kernel32.CreateFileW ; CreateFileW cleans its own 7 args (stdcall); its return value is left in EAX
77E7C225 5D POP EBP                        ; common epilogue for both paths
77E7C226 C2 1C00 RETN 1C                   ; pop return address and the caller's 7 DWORD args
77E7C229 > 55 PUSH EBP
77E7C22A 8BEC MOV EBP,ESP
77E7C22C 83EC 5C SUB ESP,5C
77E7C22F 8B45 18 MOV EAX,DWORD PTR SS:[EBP+18]
77E7C232 53 PUSH EBX
77E7C233 56 PUSH ESI
77E7C234 48 DEC EAX
77E7C235 57 PUSH EDI
77E7C236 74 3E JE SHORT kernel32.77E7C276
77E7C238 48 DEC EAX
77E7C239 74 32 JE SHORT kernel32.77E7C26D
77E7C23B 48 DEC EAX
77E7C23C 74 26 JE SHORT kernel32.77E7C264
77E7C23E 48 DEC EAX
77E7C23F 74 1A JE SHORT kernel32.77E7C25B
77E7C241 48 DEC EAX
77E7C242 75 0D JNZ SHORT kernel32.77E7C251
77E7C244 F645 0F 40 TEST BYTE PTR SS:[EBP+F],40
77E7C248 C745 F8 01000000 MOV DWORD PTR SS:[EBP-8],1
77E7C24F 75 2C JNZ SHORT kernel32.77E7C27D
77E7C251 68 0D0000C0 PUSH C000000D
77E7C256 E9 3D020000 JMP kernel32.77E7C498
77E7C25B C745 F8 03000000 MOV DWORD PTR SS:[EBP-8],3
77E7C262 EB 19 JMP SHORT kernel32.77E7C27D
77E7C264 C745 F8 01000000 MOV DWORD PTR SS:[EBP-8],1
77E7C26B EB 10 JMP SHORT kernel32.77E7C27D
77E7C26D C745 F8 05000000 MOV DWORD PTR SS:[EBP-8],5
77E7C274 EB 07 JMP SHORT kernel32.77E7C27D
77E7C276 C745 F8 02000000 MOV DWORD PTR SS:[EBP-8],2
77E7C27D 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
77E7C280 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
77E7C283 57 PUSH EDI
77E7C284 50 PUSH EAX
77E7C285 FF15 3C10E677 CALL DWORD PTR DS:[<&ntdll.RtlInitUnicod>; ntdll.RtlInitUnicodeString
77E7C28B 6A 01 PUSH 1