;-----------------------------------------------------------------------
; hid.100014BC — entry, per-thread context lookup and fetch/decode loop
; of a bytecode interpreter (x64dbg listing, x86-32, Intel syntax;
; columns are address, opcode bytes, instruction).
; The handler table at 1000169A and any handlers beyond 10001695 are not
; in this listing; only what is visible below is described.
;
; Register roles once the loop at 10001508 is reached:
;   esi   = bytecode pointer, advanced by every fetch
;   bl/bx = rolling decode key, seeded from esi at 10001503 and updated
;           after each decoded opcode/operand
;   edi   = this thread's 64-byte context block (chosen at 100014FB)
;   ebp   = one past this thread's slot in the table at 1004D000
;   esp   = the interpreter's operand stack; the host registers pushed
;           at entry sit underneath it and are restored at 100015BA
; Thread table layout (from the arithmetic at 100014F7..100014FB):
;   1004D000: 0x100 dword thread-id slots (0 = free), followed by the
;   context blocks at 1004D000 + 0x3C0 + 64*(slot+1).
; Handlers that pop a memory address from the operand stack and read or
; write through it (10001527, 1000154B, 10001556, 10001586, 10001649,
; 10001664) perform no validation of that address.
;-----------------------------------------------------------------------
100014BC 55 push ebp                            ; save host registers: 10 pushes = 0x28 bytes
100014BD 53 push ebx
100014BE 9C pushfd
100014BF 56 push esi
100014C0 51 push ecx
100014C1 57 push edi
100014C2 50 push eax
100014C3 57 push edi
100014C4 52 push edx
100014C5 68 00000000 push 0                     ; scratch dword; read back as [esp] at 10001505
100014CA 8B7424 28 mov esi,dword ptr ss:[esp+28] ; esp+0x28 = dword that was on top of the stack at entry (the return address if reached by call); becomes the bytecode pointer
100014CE BA 00D00410 mov edx,hid.1004D000        ; edx = base of the thread-id table
100014D3 FF15 DCA30410 call dword ptr ds:[<&KERNEL32.GetCurrentThreadId>] ; kernel32.GetCurrentThreadId
100014D9 89C3 mov ebx,eax                        ; ebx = current thread id
100014DB B9 00010000 mov ecx,100                 ; scan at most 0x100 dword slots
100014E0 89D7 mov edi,edx
100014E2 9C pushfd                               ; preserve DF across the cld below
100014E3 FC cld
100014E4 F2:AF repne scas dword ptr es:[edi]     ; look for eax (this thread id) in the table
100014E6 74 0D je short hid.100014F5             ; found: edi is one past the matching slot
100014E8 B8 00010000 mov eax,100
100014ED 91 xchg eax,ecx                         ; ecx = 0x100 again; eax = ecx left by the exhausted scan, i.e. 0
100014EE 89D7 mov edi,edx
100014F0 F2:AF repne scas dword ptr es:[edi]     ; look for a zero (free) slot
100014F2 895F FC mov dword ptr ds:[edi-4],ebx    ; claim it with this thread id; if no free slot exists the scan stops past the table and the last slot is overwritten
100014F5 89FD mov ebp,edi                        ; ebp = one past this thread's slot; the slot is released at 100015B3
100014F7 29D7 sub edi,edx                        ; edi = 4*(slot+1)
100014F9 D1E7 shl edi,1                          ; edi = 8*(slot+1)
100014FB 8DBCFA C0030000 lea edi,dword ptr ds:[edx+edi*8+3C0] ; edi = table + 0x3C0 + 64*(slot+1): this thread's 64-byte context block
10001502 9D popfd                                ; restore the flags (DF) saved at 100014E2
10001503 89F3 mov ebx,esi                        ; (re)seed the decode key from the bytecode pointer; also the target of the jump handler at 10001619
10001505 033424 add esi,dword ptr ss:[esp]       ; esi += top of operand stack (the 0 pushed at 100014C5 on first entry)
10001508 8A16 mov dl,byte ptr ds:[esi]           ; --- fetch/decode loop: every handler below jumps back here ---
1000150A 30DA xor dl,bl                          ; decrypt the opcode byte with the rolling key
1000150C 80F2 9D xor dl,9D
1000150F 46 inc esi
10001510 80C2 73 add dl,73
10001513 C0C2 05 rol dl,5
10001516 80C2 6B add dl,6B
10001519 30D3 xor bl,dl                          ; key evolves with each decoded opcode
1000151B 0FB6C2 movzx eax,dl                     ; eax = decoded opcode, 0..255 (the handler at 100015EE still reads it)
1000151E 8D0C85 9A160010 lea ecx,dword ptr ds:[eax*4+1000169A] ; handler table, not in this listing
10001525 FF21 jmp dword ptr ds:[ecx]             ; dispatch to the handler
; handler: pop addr; push word [addr]
10001527 58 pop eax
10001528 66:FF30 push word ptr ds:[eax]
1000152B ^ E9 D8FFFFFF jmp hid.10001508
; handler: 16-bit shr — pop value, pop count; push result, push flags
10001530 66:5A pop dx
10001532 66:59 pop cx
10001534 66:D3EA shr dx,cl
10001537 66:52 push dx
10001539 9C pushfd
1000153A ^ E9 C9FFFFFF jmp hid.10001508
; handler: 32-bit shr — pop value, pop count; push result, push flags
1000153F 5A pop edx
10001540 66:59 pop cx
10001542 D3EA shr edx,cl
10001544 52 push edx
10001545 9C pushfd
10001546 ^ E9 BDFFFFFF jmp hid.10001508
; handler: pop addr; push byte ss:[addr] as a word (ah is not cleared, so the high byte pushed is whatever ah held)
1000154B 5A pop edx
1000154C 36:8A02 mov al,byte ptr ss:[edx]
1000154F 66:50 push ax
10001551 ^ E9 B2FFFFFF jmp hid.10001508
; handler: pop addr; push zero-extended byte [addr]
10001556 59 pop ecx
10001557 66:0FB611 movzx dx,byte ptr ds:[ecx]
1000155B 66:52 push dx
1000155D ^ E9 A6FFFFFF jmp hid.10001508
; handler: decode a 16-bit immediate operand from the bytecode with key bx, then push it
10001562 0FB706 movzx eax,word ptr ds:[esi]
10001565 66:29D8 sub ax,bx
10001568 66:F7D8 neg ax                          ; ax = bx - word
1000156B 66:2D 7017 sub ax,1770
1000156F 66:C1C0 08 rol ax,8                     ; byte swap ...
10001573 86C4 xchg ah,al                         ; ... swapped back again (net no-op on the bytes)
10001575 83C6 02 add esi,2                       ; consume the 2-byte operand
10001578 66:C1C0 03 rol ax,3
1000157C 66:29C3 sub bx,ax                       ; key update
1000157F 66:50 push ax
10001581 ^ E9 82FFFFFF jmp hid.10001508
; handler: pop addr, pop value; store low byte to [addr]
10001586 59 pop ecx
10001587 66:58 pop ax
10001589 8801 mov byte ptr ds:[ecx],al
1000158B ^ E9 78FFFFFF jmp hid.10001508
; handler: decode an 8-bit immediate operand with key bl, then push it (ah = 0 from the movzx)
10001590 0FB606 movzx eax,byte ptr ds:[esi]
10001593 00D8 add al,bl
10001595 F6D8 neg al
10001597 F6D0 not al
10001599 34 DE xor al,0DE
1000159B 04 CC add al,0CC
1000159D 00C3 add bl,al                          ; key update
1000159F 66:50 push ax
100015A1 46 inc esi                              ; consume the 1-byte operand
100015A2 ^ E9 61FFFFFF jmp hid.10001508
; handler: 32-bit shl — pop value, pop count; push result, push flags
100015A7 58 pop eax
100015A8 66:59 pop cx
100015AA D3E0 shl eax,cl
100015AC 50 push eax
100015AD 9C pushfd
100015AE ^ E9 55FFFFFF jmp hid.10001508
; handler: exit — release this thread's slot, restore the host registers pushed at entry (reverse order), return
100015B3 C745 FC 00000000 mov dword ptr ss:[ebp-4],0 ; [ebp-4] is the thread-id slot claimed/found at 100014F2/100014E6
100015BA 5A pop edx                              ; discards the 0 from 100014C5
100015BB 5A pop edx
100015BC 5F pop edi
100015BD 58 pop eax
100015BE 5D pop ebp                              ; receives the value pushed at 100014C1 (edi)
100015BF 59 pop ecx
100015C0 5E pop esi
100015C1 9D popfd
100015C2 5B pop ebx
100015C3 5D pop ebp
100015C4 C3 retn
; handler: shld — pop eax, pop edx, pop count; push eax shifted left with bits from edx, push flags
100015C5 58 pop eax
100015C6 5A pop edx
100015C7 66:59 pop cx
100015C9 0FA5D0 shld eax,edx,cl
100015CC 50 push eax
100015CD 9C pushfd
100015CE ^ E9 35FFFFFF jmp hid.10001508
; handler: decode an 8-bit operand with key bl, use it as an index into the context block and push that byte
100015D3 8A06 mov al,byte ptr ds:[esi]           ; only al is replaced; eax's upper bytes are still 0 from the movzx at 1000151B
100015D5 28D8 sub al,bl
100015D7 2C 47 sub al,47
100015D9 F6D0 not al
100015DB FEC8 dec al
100015DD F6D0 not al
100015DF F6D8 neg al
100015E1 28C3 sub bl,al                          ; key update
100015E3 8A0407 mov al,byte ptr ds:[edi+eax]     ; al = context[index]; index is not masked to the 64-byte block here
100015E6 46 inc esi                              ; consume the 1-byte operand
100015E7 66:50 push ax
100015E9 ^ E9 1AFFFFFF jmp hid.10001508
; handler: pop a dword into the context block; the slot is taken from the opcode itself (eax from 1000151B) masked to a dword offset 0..0x3C
100015EE 80E0 3C and al,3C
100015F1 8F0407 pop dword ptr ds:[edi+eax]
100015F4 ^ E9 0FFFFFFF jmp hid.10001508
; handler: push the current operand-stack pointer
100015F9 54 push esp
100015FA ^ E9 09FFFFFF jmp hid.10001508
; handler: 16-bit shl — pop value, pop count; push result, push flags
100015FF 66:58 pop ax
10001601 66:59 pop cx
10001603 66:D3E0 shl ax,cl
10001606 66:50 push ax
10001608 9C pushfd
10001609 ^ E9 FAFEFFFF jmp hid.10001508
; handler: 32-bit add of the top two operands (result replaces the second), push flags
1000160E 5A pop edx
1000160F 011424 add dword ptr ss:[esp],edx
10001612 9C pushfd
10001613 ^ E9 F0FEFFFF jmp hid.10001508
; handler: branch — pop the new bytecode pointer; 10001503 then reseeds the key and adds the next operand-stack dword to esi
10001618 5E pop esi
10001619 ^ E9 E5FEFFFF jmp hid.10001503
; handler: 8-bit shl on al — pop value, pop count; push ax, push flags
1000161E 66:58 pop ax
10001620 66:59 pop cx
10001622 D2E0 shl al,cl
10001624 66:50 push ax
10001626 9C pushfd
10001627 ^ E9 DCFEFFFF jmp hid.10001508
; handler: second &= ~top (16-bit and after a 32-bit not of the top dword), push flags
1000162C F71424 not dword ptr ss:[esp]
1000162F 66:5A pop dx
10001631 66:211424 and word ptr ss:[esp],dx
10001635 9C pushfd
10001636 ^ E9 CDFEFFFF jmp hid.10001508
; handler: shrd — pop eax, pop edx, pop count; push eax shifted right with bits from edx, push flags
1000163B 58 pop eax
1000163C 5A pop edx
1000163D 66:59 pop cx
1000163F 0FADD0 shrd eax,edx,cl
10001642 50 push eax
10001643 9C pushfd
10001644 ^ E9 BFFEFFFF jmp hid.10001508
; handler: pop addr, pop value; store dword to es:[addr]
10001649 58 pop eax
1000164A 26:8F00 pop dword ptr es:[eax]
1000164D ^ E9 B6FEFFFF jmp hid.10001508
; handler: 8-bit nor of the low bytes (dl = ~dl & ~al); dh keeps the popped value; push dx, push flags
10001652 66:5A pop dx
10001654 66:58 pop ax
10001656 F6D2 not dl
10001658 F6D0 not al
1000165A 20C2 and dl,al
1000165C 66:52 push dx
1000165E 9C pushfd
1000165F ^ E9 A4FEFFFF jmp hid.10001508
; handler: pop addr, pop value; store dword to [addr]
10001664 58 pop eax
10001665 8F00 pop dword ptr ds:[eax]
10001667 ^ E9 9CFEFFFF jmp hid.10001508
; handler: decode an 8-bit operand with key bl, then pop a word into the context block at that index (eax upper bytes are 0 from the movzx)
1000166C 0FB606 movzx eax,byte ptr ds:[esi]
1000166F 28D8 sub al,bl
10001671 FEC8 dec al
10001673 46 inc esi                              ; consume the 1-byte operand
10001674 F6D0 not al
10001676 FEC0 inc al
10001678 F6D0 not al
1000167A 28C3 sub bl,al                          ; key update
1000167C 66:8F0407 pop word ptr ds:[edi+eax]     ; index is not masked to the 64-byte block here
10001680 ^ E9 83FEFFFF jmp hid.10001508
; handler: 16-bit pop into sp — replaces only the low 16 bits of esp with the popped word
10001685 66:5C pop sp ; (author's note, translated) breakpoint set here: without the dongle the program returns, with the dongle the hook routine runs
10001687 ^ E9 7CFEFFFF jmp hid.10001508
; handler: 8-bit shr on dl — pop value, pop count; push dx, push flags
1000168C 66:5A pop dx
1000168E 66:59 pop cx
10001690 D2EA shr dl,cl
10001692 66:52 push dx
10001694 9C pushfd
10001695 ^ E9 6EFEFFFF jmp hid.10001508