QQ游戏日志,偶然和一段代码相遇了,十六进制数据和反汇编代码如下:
006D0134 65 63 74 69 6F 6E 20 65 72 72 6F 72 20 21 00 00 ection error !..
006D0144 51 00 51 00 53 00 70 00 65 00 65 00 64 00 5F 00 Q.Q.S.p.e.e.d._.
006D0154 6C 00 6F 00 61 00 64 00 65 00 72 00 2E 00 65 00 l.o.a.d.e.r...e.
006D0164 78 00 65 00 00 00 00 00 51 00 51 00 4C 00 6F 00 x.e.....Q.Q.L.o.
006D0174 67 00 69 00 6E 00 2E 00 65 00 78 00 65 00 00 00 g.i.n...e.x.e...
006D0184 6E 74 64 6C 6C 2E 64 6C 6C 00 00 00 4E 74 43 72 ntdll.dll...NtCr
006D0194 65 61 74 65 45 76 65 6E 74 00 00 00 4E 74 53 65 eateEvent...NtSe
006D01A4 74 49 6E 66 6F 72 6D 61 74 69 6F 6E 4F 62 6A 65 tInformationObje
006D01B4 63 74 00 00 4E 74 51 75 65 72 79 45 76 65 6E 74 ct..NtQueryEvent
006D01C4 00 00 00 00 4E 74 51 75 65 72 79 4F 62 6A 65 63 ....NtQueryObjec
006D01D4 74 00 00 00 4F 70 65 6E 4A 6F 62 4F 62 6A 65 63 t...OpenJobObjec
006D01E4 74 57 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C tW..kernel32.dll
006D01F4 00 00 00 00 52 74 6C 49 6E 69 74 41 6E 73 69 53 ....RtlInitAnsiS
006D0204 74 72 69 6E 67 00 00 00 52 74 6C 41 6E 73 69 53 tring...RtlAnsiS
006D0214 74 72 69 6E 67 54 6F 55 6E 69 63 6F 64 65 53 74 tringToUnicodeSt
006D0224 72 69 6E 67 00 00 00 00 52 74 6C 46 72 65 65 55 ring....RtlFreeU
006D0234 6E 69 63 6F 64 65 53 74 72 69 6E 67 00 00 00 00 nicodeString....
006D0244 52 74 6C 49 6E 69 74 55 6E 69 63 6F 64 65 53 74 RtlInitUnicodeSt
006D0254 72 69 6E 67 00 00 00 00 47 6C 6F 62 61 6C 5C 25 ring....Global\%
006D0264 30 38 58 25 30 38 58 25 30 38 58 25 30 38 58 00 08X%08X%08X%08X.
006D0274 25 30 38 58 00 00 00 00 25 30 38 58 00 00 00 00 %08X....%08X....
006D0284 25 30 38 58 00 00 00 00 25 30 38 58 00 00 00 00 %08X....%08X....
006D0294 65 65 65 5F 31 00 00 00 61 61 61 00 61 61 61 5F eee_1...aaa.aaa_
006D02A4 31 00 00 00 61 61 61 00 35 38 2E 32 35 31 2E 31 1...aaa.58.251.1
006D02B4 34 39 2E 31 31 34 00 00 31 31 39 2E 31 34 37 2E 49.114..119.147.
006D02C4 35 2E 31 32 32 00 00 00 36 30 2E 32 38 2E 31 38 5.122...60.28.18
006D02D4 38 2E 31 39 34 00 00 00 74 79 70 65 3D 25 75 26 8.194...type=%u&
006D02E4 6E 75 6D 62 65 72 3D 25 75 26 72 65 73 65 72 76 number=%u&reserv
006D02F4 65 64 3D 25 75 26 75 73 65 72 69 64 3D 25 64 26 ed=%u&userid=%d&
006D0304 75 73 65 72 69 64 32 3D 25 64 26 67 61 6D 65 69 userid2=%d&gamei
006D0314 64 3D 25 64 00 00 00 00 74 79 70 65 3D 25 75 26 d=%d....type=%u&
006D0324 6E 75 6D 62 65 72 3D 25 75 26 72 65 73 65 72 76 number=%u&reserv
006D0334 65 64 3D 25 75 26 75 73 65 72 69 64 3D 25 64 26 ed=%u&userid=%d&
006D0344 75 73 65 72 69 64 32 3D 25 49 36 34 64 26 67 61 userid2=%I64d&ga
006D0354 6D 65 69 64 3D 25 64 00 74 79 70 65 3D 25 75 26 meid=%d.type=%u&
006D0364 6E 75 6D 62 65 72 3D 25 75 26 72 65 73 65 72 76 number=%u&reserv
006D0374 65 64 3D 25 75 26 75 73 65 72 69 64 3D 25 64 26 ed=%u&userid=%d&
006D0384 75 73 65 72 69 64 32 3D 25 64 26 67 61 6D 65 69 userid2=%d&gamei
006D0394 64 3D 25 64 00 00 00 00 31 32 33 34 35 36 37 38 d=%d....12345678
006D03A4 39 41 42 43 44 45 46 00 68 74 74 70 3A 2F 2F 25 9ABCDEF.http://%
006D03B4 73 2F 63 67 69 2D 62 69 6E 2F 66 65 65 64 62 61 s/cgi-bin/feedba
006D03C4 63 6B 3F 69 6E 66 6F 3D 25 73 00 00 68 74 74 70 ck?info=%s..http
006D03D4 3A 2F 2F 67 61 6D 65 73 61 66 65 2E 71 71 2E 63 ://gamesafe.qq.c
006D03E4 6F 6D 2F 7A 7A 2E 68 74 6D 3F 61 3D 25 64 26 62 om/zz.htm?a=%d&b
006D03F4 3D 25 64 26 63 3D 25 64 00 00 00 00 6F 70 65 6E =%d&c=%d....open
006D0404 00 00 00 00 54 45 4E 56 46 20 BE AF B8 E6 C2 EB ....TENVF 警告码
006D0414 20 28 25 64 29 00 00 00 25 73 25 73 00 00 00 00 (%d)...%s%s....
006D0424 25 73 25 73 00 00 00 00 54 50 20 CC E1 CA BE 00 %s%s....TP 提示.
006D0434 B0 B2 C8 AB CF B5 CD B3 BC EC B2 E2 B5 BD B2 BB 安全系统检测到不
006D0444 BC E6 C8 DD B3 CC D0 F2 A3 AC C7 EB B9 D8 B1 D5 兼容程序,请关闭
006D0454 C6 E4 CB FB B7 C7 B1 D8 D2 AA B3 CC D0 F2 BA F3 其他非必要程序后
006D0464 D4 D9 B5 C7 C2 BC D3 CE CF B7 BB F2 D6 D8 C6 F4 再登录游戏或重启
006D0474 BB FA C6 F7 A1 A3 C8 E7 CE DE B7 A8 BD E2 BE F6 机器。如无法解决
006D0484 A3 AC C7 EB C1 AA CF B5 BF CD B7 FE D7 C9 D1 AF ,请联系客服咨询
006D0494 BB F2 B9 D9 B7 BD C2 DB CC B3 B7 B4 C0 A1 A1 A3 或官方论坛反馈。
006D04A4 00 00 00 00 54 50 20 BE AF B8 E6 00 B0 B2 C8 AB ....TP 警告.安全
006D04B4 CF B5 CD B3 B7 A2 CF D6 C4 DA B4 E6 B2 BB D7 E3 系统发现内存不足
006D04C4 A3 AC C7 EB D6 D8 D0 C2 B5 C7 C2 BC D3 CE CF B7 ,请重新登录游戏
006D04D4 BB F2 D6 D8 C6 F4 BB FA C6 F7 A1 A3 00 00 00 00 或重启机器。....
006D04E4 54 50 20 BE AF B8 E6 00 B0 B2 C8 AB CF B5 CD B3 TP 警告.安全系统
006D04F4 BC EC B2 E2 B5 BD C4 FA B5 C4 BB FA C6 F7 D4 F8 检测到您的机器曾
006D0504 C6 F4 B6 AF B9 FD B7 C7 B7 A8 C4 A3 BF E9 A3 AC 启动过非法模块,
006D0514 C7 EB D6 D8 C6 F4 BB FA C6 F7 BA F3 D4 D9 B5 C7 请重启机器后再登
006D0524 C2 BC D3 CE CF B7 A1 A3 00 00 00 00 D2 D4 C8 B7 录游戏。....以确
006D0534 B1 A3 C4 FA B5 C4 D3 CE CF B7 D5 CB BA C5 B0 B2 保您的游戏账号安
006D0544 C8 AB 00 00 B2 A2 CD A8 B9 FD BB D6 B8 B4 B8 C9 全..并通过恢复干
006D0554 BE BB B5 C4 B2 D9 D7 F7 CF B5 CD B3 B5 C8 B4 EB 净的操作系统等措
006D0564 CA A9 C0 B4 C7 E5 C0 ED CF B5 CD B3 BB B7 BE B3 施来清理系统环境
006D0574 00 00 00 00 BD A8 D2 E9 C1 A2 BC B4 D0 DE B8 C4 ....建议立即修改
006D0584 D5 CB BA C5 C3 DC C2 EB B2 A2 CA B9 D3 C3 CA D6 账号密码并使用手
006D0594 BB FA C1 EE C5 C6 BA CD B6 FE BC B6 C3 DC C2 EB 机令牌和二级密码
006D05A4 CC E1 B8 DF D5 CA BB A7 B0 B2 C8 AB D0 D4 00 00 提高帐户安全性..
006D05B4 B0 B2 C8 AB CF B5 CD B3 BC EC B2 E2 B5 BD C4 FA 安全系统检测到您
006D05C4 B5 C4 CF B5 CD B3 BB B7 BE B3 B4 E6 D4 DA D3 CE 的系统环境存在游
006D05D4 CF B7 B5 C1 BA C5 B7 E7 CF D5 00 00 25 73 A3 AC 戏盗号风险..%s,
006D05E4 25 73 A3 AC 25 73 A3 AC 25 73 A3 A1 00 00 00 00 %s,%s,%s!....
006D05F4 53 58 20 CC E1 CA BE C2 EB 20 28 25 64 2C 20 25 SX 提示码 (%d, %
006D0604 64 2C 20 25 64 29 00 00 BB F2 D6 D8 D7 B0 D3 CE d, %d)..或重装游
006D0614 CF B7 BF CD BB A7 B6 CB 00 00 00 00 C7 EB B5 C7 戏客户端....请登
006D0624 C2 BD CC DA D1 B6 D3 CE CF B7 B0 B2 C8 AB B9 D9 陆腾讯游戏安全官
006D0634 CD F8 28 68 74 74 70 3A 2F 2F 67 61 6D 65 73 61 网(http://gamesa
006D0644 66 65 2E 71 71 2E 63 6F 6D 29 CF C2 D4 D8 A1 B0 fe.qq.com)下载“
006D0654 CC DA D1 B6 D3 CE CF B7 C4 BE C2 ED D7 A8 C9 B1 腾讯游戏木马专杀
006D0664 A1 B1 BD F8 D0 D0 D0 DE B8 B4 00 00 B0 B2 C8 AB ”进行修复..安全
006D0674 CF B5 CD B3 BC EC B2 E2 B5 BD D3 CE CF B7 C4 BF 系统检测到游戏目
006D0684 C2 BC CF C2 B4 E6 D4 DA D2 EC B3 A3 CE C4 BC FE 录下存在异常文件
006D0694 00 00 00 00 25 73 A3 AC 25 73 A3 AC 25 73 A3 A1 ....%s,%s,%s!
006D06A4 00 00 00 00 BB F2 D6 D8 D7 B0 D3 CE CF B7 BF CD ....或重装游戏客
006D06B4 BB A7 B6 CB 00 00 00 00 C7 EB BB F1 C8 A1 D5 FD 户端....请获取正
006D06C4 C8 B7 CE C4 BC FE BD F8 D0 D0 CC E6 BB BB 00 00 确文件进行替换..
006D06D4 B0 B2 C8 AB CF B5 CD B3 BC EC B2 E2 B5 BD D3 CE 安全系统检测到游
006D06E4 CF B7 C4 BF C2 BC CF C2 54 65 6E 73 6C 78 2E 64 戏目录下Tenslx.d
006D06F4 61 74 CE C4 BC FE CA DC CB F0 00 00 25 73 A3 AC at文件受损..%s,
006D0704 25 73 A3 AC 25 73 A3 A1 00 00 00 00 B2 A2 BD A8 %s,%s!....并建
006D0714 D2 E9 CA B9 D3 C3 CC DA D1 B6 D3 CE CF B7 C4 BE 议使用腾讯游戏木
006D0724 C2 ED D7 A8 C9 B1 CC E1 B8 DF B0 B2 C8 AB D0 D4 马专杀提高安全性
006D0734 00 00 00 00 C7 EB D1 CF B8 F1 D7 F1 CA D8 D3 CE ....请严格遵守游
006D0744 CF B7 D3 C3 BB A7 D0 AD D2 E9 00 00 D0 E8 D2 AA 戏用户协议..需要
006D0754 D6 D8 C6 F4 BB FA C6 F7 BA F3 D4 D9 B5 C7 C2 BC 重启机器后再登录
006D0764 D3 CE CF B7 00 00 00 00 B0 B2 C8 AB CF B5 CD B3 游戏....安全系统
006D0774 BC EC B2 E2 B5 BD B7 C7 B7 A8 C4 A3 BF E9 00 00 检测到非法模块..
006D0784 25 73 A3 AC 25 73 A3 AC 25 73 A1 A3 25 73 A1 A3 %s,%s,%s。%s。
006D0794 00 00 00 00 53 58 20 BE AF B8 E6 C2 EB 20 28 25 ....SX 警告码 (%
006D07A4 64 2C 20 25 64 2C 20 25 64 29 00 00 C7 EB D6 D8 d, %d, %d)..请重
006D07B4 C6 F4 BB FA C6 F7 BA F3 D4 D9 B5 C7 C2 BD D3 CE 启机器后再登陆游
006D07C4 CF B7 00 00 B0 B2 C8 AB CF B5 CD B3 BC EC B2 E2 戏..安全系统检测
006D07D4 B5 BD D3 CE CF B7 BB B7 BE B3 D2 EC B3 A3 00 00 到游戏环境异常..
006D07E4 25 73 2C 20 25 73 A1 A3 00 00 00 00 54 50 20 BE %s, %s。....TP
006D07F4 AF B8 E6 C2 EB 20 28 25 64 2C 20 25 64 2C 20 25 媛?(%d, %d, %
006D0804 64 29 00 00 C7 EB D6 D8 C6 F4 BB FA C6 F7 BA F3 d)..请重启机器后
006D0814 D4 D9 B5 C7 C2 BC D3 CE CF B7 A3 AC C8 E7 CE DE 再登录游戏,如无
006D0824 B7 A8 BD E2 BE F6 A3 AC C7 EB C1 AA CF B5 BF CD 法解决,请联系客
006D0834 B7 FE D7 C9 D1 AF BB F2 B9 D9 B7 BD C2 DB CC B3 服咨询或官方论坛
006D0844 B7 B4 C0 A1 A1 A3 00 00 B0 B2 C8 AB CF B5 CD B3 反馈。..安全系统
006D0854 BC EC B2 E2 B5 BD D3 CE CF B7 BB B7 BE B3 D2 EC 检测到游戏环境异
006D0864 B3 A3 00 00 25 73 2C 20 25 73 00 00 54 58 20 BE 常..%s, %s..TX
006D0874 AF B8 E6 C2 EB 20 28 25 64 2C 20 25 64 2C 20 25 媛?(%d, %d, %
006D0884 64 29 00 00 D2 D4 C8 B7 B1 A3 C4 FA B5 C4 D3 CE d)..以确保您的游
006D0894 CF B7 D5 CB BA C5 B0 B2 C8 AB 00 00 B2 A2 CD A8 戏账号安全..并通
006D08A4 B9 FD BB D6 B8 B4 B8 C9 BE BB B5 C4 B2 D9 D7 F7 过恢复干净的操作
006D08B4 CF B5 CD B3 B5 C8 B4 EB CA A9 C0 B4 C7 E5 C0 ED 系统等措施来清理
006D08C4 CF B5 CD B3 BB B7 BE B3 00 00 00 00 BD A8 D2 E9 系统环境....建议
006D08D4 C1 A2 BC B4 D0 DE B8 C4 D5 CB BA C5 C3 DC C2 EB 立即修改账号密码
006D08E4 B2 A2 CA B9 D3 C3 CA D6 BB FA C1 EE C5 C6 BA CD 并使用手机令牌和
006D08F4 B6 FE BC B6 C3 DC C2 EB CC E1 B8 DF D5 CA BB A7 二级密码提高帐户
006D0904 B0 B2 C8 AB D0 D4 00 00 B0 B2 C8 AB CF B5 CD B3 安全性..安全系统
006D0914 BC EC B2 E2 B5 BD C4 FA B5 C4 CF B5 CD B3 BB B7 检测到您的系统环
006D0924 BE B3 B4 E6 D4 DA D3 CE CF B7 B5 C1 BA C5 B7 E7 境存在游戏盗号风
006D0934 CF D5 00 00 25 73 A3 AC 25 73 A3 AC 25 73 A3 AC 险..%s,%s,%s,
006D0944 25 73 A3 A1 25 73 00 00 53 58 20 CC E1 CA BE C2 %s!%s..SX 提示
006D0954 EB 20 28 25 64 2C 20 25 64 2C 20 25 64 29 00 00 ?(%d, %d, %d)..
006D0964 BB F2 D6 D8 D7 B0 D3 CE CF B7 BF CD BB A7 B6 CB 或重装游戏客户端
006D0974 00 00 00 00 C7 EB B5 C7 C2 BD CC DA D1 B6 D3 CE ....请登陆腾讯游
006D0984 CF B7 B0 B2 C8 AB B9 D9 CD F8 28 68 74 74 70 3A 戏安全官网(http:
006D0994 2F 2F 67 61 6D 65 73 61 66 65 2E 71 71 2E 63 6F //gamesafe.qq.co
006D09A4 6D 29 CF C2 D4 D8 A1 B0 CC DA D1 B6 D3 CE CF B7 m)下载“腾讯游戏
006D09B4 C4 BE C2 ED D7 A8 C9 B1 A1 B1 BD F8 D0 D0 D0 DE 木马专杀”进行修
006D09C4 B8 B4 00 00 B0 B2 C8 AB CF B5 CD B3 BC EC B2 E2 复..安全系统检测
006D09D4 B5 BD C4 FA B5 C4 D3 CE CF B7 C4 BF C2 BC CF C2 到您的游戏目录下
006D09E4 B4 E6 D4 DA D2 EC B3 A3 CE C4 BC FE 00 00 00 00 存在异常文件....
006D09F4 25 73 A3 AC 25 73 A3 AC 25 73 A3 A1 25 73 00 00 %s,%s,%s!%s..
006D0A04 BB F2 D6 D8 D7 B0 D3 CE CF B7 BF CD BB A7 B6 CB 或重装游戏客户端
006D0A14 00 00 00 00 C7 EB BB F1 C8 A1 D5 FD C8 B7 CE C4 ....请获取正确文
006D0A24 BC FE BD F8 D0 D0 CC E6 BB BB 00 00 B0 B2 C8 AB 件进行替换..安全
006D0A34 CF B5 CD B3 BC EC B2 E2 B5 BD C4 FA B5 C4 D3 CE 系统检测到您的游
006D0A44 CF B7 C4 BF C2 BC CF C2 54 65 6E 73 6C 78 2E 64 戏目录下Tenslx.d
006D0A54 61 74 CE C4 BC FE CA DC CB F0 00 00 25 73 A3 AC at文件受损..%s,
006D0A64 25 73 A3 AC 25 73 A3 A1 25 73 00 00 B2 A2 BD A8 %s,%s!%s..并建
006D0A74 D2 E9 CA B9 D3 C3 CC DA D1 B6 D3 CE CF B7 C4 BE 议使用腾讯游戏木
006D0A84 C2 ED D7 A8 C9 B1 CC E1 B8 DF B0 B2 C8 AB D0 D4 马专杀提高安全性
006D0A94 00 00 00 00 C7 EB D1 CF B8 F1 D7 F1 CA D8 D3 CE ....请严格遵守游
006D0AA4 CF B7 D3 C3 BB A7 D0 AD D2 E9 00 00 D0 E8 D2 AA 戏用户协议..需要
006D0AB4 D6 D8 C6 F4 BB FA C6 F7 BA F3 D4 D9 B5 C7 C2 BC 重启机器后再登录
006D0AC4 D3 CE CF B7 00 00 00 00 B0 B2 C8 AB CF B5 CD B3 游戏....安全系统
006D0AD4 BC EC B2 E2 B5 BD B7 C7 B7 A8 C4 A3 BF E9 00 00 检测到非法模块..
006D0AE4 25 73 A3 AC 25 73 A3 AC 25 73 A1 A3 25 73 A1 A3 %s,%s,%s。%s。
006D0AF4 25 73 00 00 53 58 20 BE AF B8 E6 C2 EB 00 00 00 %s..SX 警告码...
006D0B04 72 65 73 2E 64 6C 6C 00 73 74 61 72 74 5C 54 65 res.dll.start\Te
006D0B14 6E 50 72 6F 74 65 63 74 5C 54 65 6E 53 4C 58 2E nProtect\TenSLX.
006D0B24 64 6C 6C 00 54 65 6E 53 4C 58 2E 64 6C 6C 00 00 dll.TenSLX.dll..
006D0B34 47 65 74 54 53 4F 62 6A 65 63 74 00 47 6C 6F 62 GetTSObject.Glob
006D0B44 61 6C 5C 25 73 5F 25 58 5F 25 64 00 4B 61 72 74 al\%s_%X_%d.Kart
006D0B54 4D 61 70 5F 53 68 61 72 65 64 00 00 B4 ED CE F3 Map_Shared..错误
006D0B64 00 00 00 00 C4 FA B5 C4 B2 D9 D7 F7 CF B5 CD B3 ....您的操作系统
006D0B74 B0 E6 B1 BE B2 BB B7 FB BA CF D3 CE CF B7 D2 AA 版本不符合游戏要
006D0B84 C7 F3 A3 AC B6 D4 36 34 CE BB CF B5 CD B3 D2 AA 求,对64位系统要
006D0B94 C7 F3 D6 C1 C9 D9 56 69 73 74 61 20 53 50 31 BB 求至少Vista SP1
006D0BA4 F2 B8 FC B8 DF B0 E6 B1 BE A3 A1 00 B4 ED CE F3 蚋甙姹荆?错误
006D0BB4 00 00 00 00 C4 FA B5 C4 B2 D9 D7 F7 CF B5 CD B3 ....您的操作系统
006D0BC4 B0 E6 B1 BE B2 BB B7 FB BA CF D3 CE CF B7 D2 AA 版本不符合游戏要
006D0BD4 C7 F3 A3 AC B6 D4 33 32 CE BB CF B5 CD B3 D2 AA 求,对32位系统要
006D0BE4 C7 F3 D6 C1 C9 D9 57 69 6E 64 6F 77 73 20 32 30 求至少Windows 20
006D0BF4 30 30 BB F2 B8 FC B8 DF B0 E6 B1 BE A3 A1 00 00 00或更高版本!..
006D0C04 4D 65 73 73 61 67 65 42 6F 78 41 00 75 73 65 72 MessageBoxA.user
006D0C14 33 32 2E 64 6C 6C 00 00 4D 65 73 73 61 67 65 42 32.dll..MessageB
006D0C24 6F 78 57 00 75 73 65 72 33 32 2E 64 6C 6C 00 00 oxW.user32.dll..
006D0C34 4F 70 65 6E 54 68 72 65 61 64 00 00 6B 65 72 6E OpenThread..kern
006D0C44 65 6C 33 32 2E 64 6C 6C 00 00 00 00 54 65 72 6D el32.dll....Term
006D0C54 69 6E 61 74 65 54 68 72 65 61 64 00 6B 65 72 6E inateThread.kern
006D0C64 65 6C 33 32 2E 64 6C 6C 00 00 00 00 53 6C 65 65 el32.dll....Slee
006D0C74 70 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C p...kernel32.dll
006D0C84 00 00 00 00 43 72 65 61 74 65 50 72 6F 63 65 73 ....CreateProces
006D0C94 73 41 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C sA..kernel32.dll
006D0CA4 00 00 00 00 52 65 73 75 6D 65 54 68 72 65 61 64 ....ResumeThread
006D0CB4 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C ....kernel32.dll
006D0CC4 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 ....ExitProcess.
006D0CD4 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 kernel32.dll....
006D0CE4 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 LoadLibraryA....
006D0CF4 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 kernel32.dll....
006D0D04 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 LoadLibraryA....
006D0D14 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 kernel32.dll....
006D0D24 4C 6F 61 64 4C 69 62 72 61 72 79 57 00 00 00 00 LoadLibraryW....
006D0D34 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 kernel32.dll....
006D0D44 4C 6F 61 64 4C 69 62 72 61 72 79 45 78 41 00 00 LoadLibraryExA..
006D0D54 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 kernel32.dll....
006D0D64 4C 6F 61 64 4C 69 62 72 61 72 79 45 78 57 00 00 LoadLibraryExW..
006D0D74 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 kernel32.dll....
006D0D84 4C 64 72 4C 6F 61 64 44 6C 6C 00 00 6E 74 64 6C LdrLoadDll..ntdl
006D0D94 6C 2E 64 6C 6C 00 00 00 6B 65 72 6E 65 6C 33 32 l.dll...kernel32
006D0DA4 2E 64 6C 6C 00 00 00 00 69 6D 6D 33 32 2E 64 6C .dll....imm32.dl
006D0DB4 6C 00 00 00 54 45 4E 50 5F 48 49 44 45 5F 53 50 l...TENP_HIDE_SP
006D0DC4 4C 41 53 48 00 00 00 00 54 45 4E 50 5F 48 49 44 LASH....TENP_HID
006D0DD4 45 5F 53 50 4C 41 53 48 00 00 00 00 73 74 61 72 E_SPLASH....star
006D0DE4 74 5C 54 65 6E 50 72 6F 74 65 63 74 5C 54 50 56 t\TenProtect\TPV
006D0DF4 65 72 2E 64 61 74 00 00 54 50 56 65 72 2E 64 61 er.dat..TPVer.da
006D0E04 74 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C t...kernel32.dll
006D0E14 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C ....kernel32.dll
006D0E24 00 00 00 00 54 65 6E 50 72 6F 74 65 63 74 5C 54 ....TenProtect\T
006D0E34 65 6E 53 61 66 65 2E 65 78 65 00 00 47 6C 6F 62 enSafe.exe..Glob
006D0E44 61 6C 5C 54 65 6E 50 5F 54 53 5F 25 64 00 00 00 al\TenP_TS_%d...
006D0E54 54 45 4E 50 5F 4D 49 44 00 00 00 00 54 45 4E 50 TENP_MID....TENP
006D0E64 5F 4D 49 44 00 00 00 00 47 6C 6F 62 61 6C 5C 54 _MID....Global\T
006D0E74 65 6E 50 5F 4D 63 5F 4D 75 5F 30 00 43 4F 4E 49 enP_Mc_Mu_0.CONI
006D0E84 4E 24 00 00 43 4F 4E 4F 55 54 24 00 43 4F 4E 4F N$..CONOUT$.CONO
006D0E94 55 54 24 00 47 6C 6F 62 61 6C 5C 54 65 6E 50 5F UT$.Global\TenP_
006D0EA4 43 72 5F 53 65 5F 25 64 00 00 00 00 54 45 4E 50 Cr_Se_%d....TENP
006D0EB4 5F 48 49 44 45 5F 53 50 4C 41 53 48 00 00 00 00 _HIDE_SPLASH....
006D0EC4 54 45 4E 50 5F 4D 49 44 00 00 00 00 54 45 4E 50 TENP_MID....TENP
006D0ED4 5F 48 49 44 45 5F 53 50 4C 41 53 48 3D 31 00 00 _HIDE_SPLASH=1..
006D0EE4 54 45 4E 50 5F 4D 49 44 3D 25 64 00 47 6C 6F 62 TENP_MID=%d.Glob
006D0EF4 61 6C 5C 54 65 6E 50 5F 43 72 5F 53 65 5F 25 64 al\TenP_Cr_Se_%d
006D0F04 00 00 00 00 54 50 20 50 41 55 53 45 20 34 00 00 ....TP PAUSE 4..
006D0F14 54 50 20 50 41 55 53 45 20 34 00 00 43 72 65 61 TP PAUSE 4..Crea
006D0F24 74 65 54 68 72 65 61 64 00 00 00 00 6B 65 72 6E teThread....kern
006D0F34 65 6C 33 32 2E 64 6C 6C 00 00 00 00 43 72 65 61 el32.dll....Crea
006D0F44 74 65 4F 62 6A 00 00 00 0F 00 00 00 55 00 00 00 teObj......U...
006D0F54 CB CE CC E5 00 00 00 00 25 73 20 66 61 69 6C 65 宋体....%s faile
006D0F64 64 20 77 69 74 68 20 65 72 72 6F 72 20 25 64 3A d with error %d:
006D0F74 20 25 73 00 25 73 20 66 61 69 6C 65 64 20 77 69 %s.%s failed wi
006D0F84 74 68 20 65 72 72 6F 72 20 25 64 3A 20 25 73 00 th error %d: %s.
006D0F94 5B 50 50 5D 25 73 00 00 25 73 25 30 38 58 3A 00 [PP]%s..%s%08X:.
006D0FA4 25 73 20 25 30 32 58 00 20 00 00 00 25 73 25 2A %s %02X. ...%s%*
006D0FB4 73 00 00 00 25 73 20 00 25 73 25 73 0A 00 00 00 s...%s .%s%s....
006D0FC4 00 00 00 00 66 66 66 66 66 66 EE 3F 53 70 6C 61 ....ffffff?Spla
006D0FD4 73 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 sh..............
006D0FE4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
006421C2 68 08020000 push 208
006421C7 8D8D E8FBFFFF lea ecx, dword ptr [ebp-418]
006421CD 51 push ecx
006421CE 6A 00 push 0
006421D0 6A FF push -1
006421D2 E8 9F600700 call 006B8276 ; jmp 到 PSAPI.GetModuleFileNameExW
006421D7 85C0 test eax, eax
006421D9 75 07 jnz short 006421E2
006421DB 33C0 xor eax, eax
006421DD E9 9C010000 jmp 0064237E
006421E2 6A 5C push 5C
006421E4 8D95 E8FBFFFF lea edx, dword ptr [ebp-418]
006421EA 52 push edx
006421EB E8 703A0000 call 00645C60
006421F0 83C4 08 add esp, 8
006421F3 8945 FC mov dword ptr [ebp-4], eax
006421F6 837D FC 00 cmp dword ptr [ebp-4], 0
006421FA 74 08 je short 00642204
006421FC 8B45 FC mov eax, dword ptr [ebp-4]
006421FF 66:C700 0000 mov word ptr [eax], 0
00642204 6A 00 push 0
00642206 6A 02 push 2
00642208 E8 436C0000 call 00648E50 ; jmp 到 kernel32.CreateToolhelp32Snapshot
0064220D 8945 F8 mov dword ptr [ebp-8], eax
00642210 837D F8 FF cmp dword ptr [ebp-8], -1
00642214 75 07 jnz short 0064221D
00642216 33C0 xor eax, eax
00642218 E9 61010000 jmp 0064237E
0064221D C785 BCF9FFFF 2>mov dword ptr [ebp-644], 22C
00642227 8D8D BCF9FFFF lea ecx, dword ptr [ebp-644]
0064222D 51 push ecx
0064222E 8B55 F8 mov edx, dword ptr [ebp-8]
00642231 52 push edx
00642232 E8 436C0000 call 00648E7A ; jmp 到 kernel32.Process32FirstW
00642237 8985 B8F9FFFF mov dword ptr [ebp-648], eax
0064223D 83BD B8F9FFFF 0>cmp dword ptr [ebp-648], 0
00642244 0F84 24010000 je 0064236E
0064224A FF15 48606C00 call dword ptr [6C6048] ; kernel32.GetCurrentProcessId
00642250 3985 C4F9FFFF cmp dword ptr [ebp-63C], eax
00642256 0F84 F7000000 je 00642353
0064225C 68 44016D00 push 6D0144 ; UNICODE "QQSpeed_loader.exe"
00642261 8D85 E0F9FFFF lea eax, dword ptr [ebp-620]
00642267 50 push eax
00642268 FF15 78626C00 call dword ptr [6C6278] ; msvcrt._wcsicmp
0064226E 83C4 08 add esp, 8
00642271 85C0 test eax, eax
00642273 0F85 DA000000 jnz 00642353
00642279 66:8B0D E474700>mov cx, word ptr [7074E4]
00642280 66:898D A0F5FFF>mov word ptr [ebp-A60], cx
00642287 B9 03010000 mov ecx, 103
0064228C 33C0 xor eax, eax
0064228E 8DBD A2F5FFFF lea edi, dword ptr [ebp-A5E]
00642294 F3:AB rep stos dword ptr es:[edi]
00642296 66:AB stos word ptr es:[edi]
00642298 8B95 C4F9FFFF mov edx, dword ptr [ebp-63C]
0064229E 52 push edx
0064229F 6A 00 push 0
006422A1 68 11040000 push 411
006422A6 FF15 AC616C00 call dword ptr [6C61AC] ; kernel32.OpenProcess
006422AC 8985 B0F9FFFF mov dword ptr [ebp-650], eax
006422B2 83BD B0F9FFFF 0>cmp dword ptr [ebp-650], 0
006422B9 0F84 94000000 je 00642353
006422BF C785 9CF5FFFF 1>mov dword ptr [ebp-A64], 410
006422C9 68 08020000 push 208
006422CE 8D85 A0F5FFFF lea eax, dword ptr [ebp-A60]
006422D4 50 push eax
006422D5 6A 00 push 0
006422D7 8B8D B0F9FFFF mov ecx, dword ptr [ebp-650]
006422DD 51 push ecx
006422DE E8 935F0700 call 006B8276 ; jmp 到 PSAPI.GetModuleFileNameExW
006422E3 85C0 test eax, eax
006422E5 74 5F je short 00642346
006422E7 6A 5C push 5C
006422E9 8D95 A0F5FFFF lea edx, dword ptr [ebp-A60]
006422EF 52 push edx
006422F0 E8 6B390000 call 00645C60
006422F5 83C4 08 add esp, 8
006422F8 8945 FC mov dword ptr [ebp-4], eax
006422FB 837D FC 00 cmp dword ptr [ebp-4], 0
006422FF 74 08 je short 00642309
00642301 8B45 FC mov eax, dword ptr [ebp-4]
00642304 66:C700 0000 mov word ptr [eax], 0
00642309 68 08020000 push 208
0064230E 8D8D A0F5FFFF lea ecx, dword ptr [ebp-A60]
00642314 51 push ecx
00642315 8D95 E8FBFFFF lea edx, dword ptr [ebp-418]
0064231B 52 push edx
0064231C FF15 74626C00 call dword ptr [6C6274] ; msvcrt._wcsnicmp
00642322 83C4 0C add esp, 0C
00642325 85C0 test eax, eax
00642327 75 1D jnz short 00642346
00642329 6A 00 push 0
0064232B 8B85 B0F9FFFF mov eax, dword ptr [ebp-650]
00642331 50 push eax
00642332 FF15 44606C00 call dword ptr [6C6044] ; kernel32.TerminateProcess
00642338 85C0 test eax, eax
0064233A 74 0A je short 00642346
0064233C C785 B4F9FFFF 0>mov dword ptr [ebp-64C], 1
00642346 8B8D B0F9FFFF mov ecx, dword ptr [ebp-650]
0064234C 51 push ecx
0064234D FF15 BC616C00 call dword ptr [6C61BC] ; kernel32.CloseHandle
00642353 8D95 BCF9FFFF lea edx, dword ptr [ebp-644]
00642359 52 push edx
0064235A 8B45 F8 mov eax, dword ptr [ebp-8]
0064235D 50 push eax
0064235E E8 056B0000 call 00648E68 ; jmp 到 kernel32.Process32NextW
00642363 8985 B8F9FFFF mov dword ptr [ebp-648], eax
00642369 ^ E9 CFFEFFFF jmp 0064223D
0064236E 8B4D F8 mov ecx, dword ptr [ebp-8]
00642371 51 push ecx
00642372 FF15 BC616C00 call dword ptr [6C61BC] ; kernel32.CloseHandle
00642378 8B85 B4F9FFFF mov eax, dword ptr [ebp-64C]
0064237E 5F pop edi
0064237F 8BE5 mov esp, ebp
00642381 5D pop ebp
00642382 C3 retn
; ----------------------------------------------------------------------------
; Function 00642383  (32-bit x86, debugger listing: address, opcode bytes, text)
;
; Purpose (as shown by the calls below): take a Toolhelp process snapshot and,
; for every OTHER process whose image name is "QQLogin.exe" and whose main
; module path equals this process's own module path (case-insensitive, at most
; 0x208 characters compared), call TerminateProcess on it.
;
; In:    no stack arguments are read; the function ends with a plain retn.
; Out:   eax = 1 if at least one TerminateProcess call succeeded,
;        eax = 0 otherwise (including failure to get the own path or snapshot).
; Saves: edi (used as the rep stos destination).
;
; Locals (ebp-relative):
;   [ebp-4]    snapshot handle from CreateToolhelp32Snapshot
;   [ebp-414]  0x410-byte wide-char buffer: own module path
;   [ebp-640]  0x22C-byte process entry (size of PROCESSENTRY32W); the code
;              reads +8 ([ebp-638]) as the PID and +0x24 ([ebp-61C]) as the
;              wide image name
;   [ebp-644]  result of Process32FirstW / Process32NextW (loop condition)
;   [ebp-648]  return flag
;   [ebp-64C]  handle from OpenProcess
;   [ebp-A5C]  0x410-byte wide-char buffer: candidate's module path
;   [ebp-A60]  written with 0x410, never read in this function
;
; Review note: the only identity checks on the target are the image name and
; the module path; nothing else about the process is verified before it is
; terminated. The visible API sequence is snapshot -> OpenProcess(0x411) ->
; GetModuleFileNameExW -> TerminateProcess.
; ----------------------------------------------------------------------------
00642383 55 push ebp
00642384 8BEC mov ebp, esp
00642386 81EC 600A0000 sub esp, 0A60
0064238C 57 push edi
; Initialise the own-path buffer: first wide char copied from the word at
; 7074E8 (presumably a wide NUL; its value is not visible here), then
; 0x103 dwords + 1 word of zeros -> 2 + 0x40C + 2 = 0x410 bytes in total.
0064238D 66:A1 E8747000 mov ax, word ptr [7074E8]
00642393 66:8985 ECFBFFF>mov word ptr [ebp-414], ax
0064239A B9 03010000 mov ecx, 103
0064239F 33C0 xor eax, eax
006423A1 8DBD EEFBFFFF lea edi, dword ptr [ebp-412]
006423A7 F3:AB rep stos dword ptr es:[edi]
006423A9 66:AB stos word ptr es:[edi]
; Zero the snapshot handle and the whole process entry:
; 4 bytes at [ebp-640] + 0x8A dwords from [ebp-63C] = 0x22C bytes.
006423AB C745 FC 0000000>mov dword ptr [ebp-4], 0
006423B2 C785 C0F9FFFF 0>mov dword ptr [ebp-640], 0
006423BC B9 8A000000 mov ecx, 8A
006423C1 33C0 xor eax, eax
006423C3 8DBD C4F9FFFF lea edi, dword ptr [ebp-63C]
006423C9 F3:AB rep stos dword ptr es:[edi]
006423CB C785 BCF9FFFF 0>mov dword ptr [ebp-644], 0
006423D5 C785 B8F9FFFF 0>mov dword ptr [ebp-648], 0
; GetModuleFileNameExW(hProcess = -1 (current-process pseudo handle),
;                      hModule = 0, buffer = [ebp-414], nSize = 0x208)
006423DF 68 08020000 push 208
006423E4 8D8D ECFBFFFF lea ecx, dword ptr [ebp-414]
006423EA 51 push ecx
006423EB 6A 00 push 0
006423ED 6A FF push -1
006423EF E8 825E0700 call 006B8276 ; jmp to PSAPI.GetModuleFileNameExW
006423F4 85C0 test eax, eax
006423F6 75 07 jnz short 006423FF
; Own path unavailable: return 0 without scanning.
006423F8 33C0 xor eax, eax
006423FA E9 54010000 jmp 00642553
; CreateToolhelp32Snapshot(dwFlags = 2 (TH32CS_SNAPPROCESS), th32ProcessID = 0)
006423FF 6A 00 push 0
00642401 6A 02 push 2
00642403 E8 486A0000 call 00648E50 ; jmp to kernel32.CreateToolhelp32Snapshot
00642408 8945 FC mov dword ptr [ebp-4], eax
; -1 is INVALID_HANDLE_VALUE: return 0 if the snapshot could not be taken.
0064240B 837D FC FF cmp dword ptr [ebp-4], -1
0064240F 75 07 jnz short 00642418
00642411 33C0 xor eax, eax
00642413 E9 3B010000 jmp 00642553
; Set the entry's size field (0x22C) as the API requires, then fetch the
; first process: Process32FirstW(snapshot, &entry).
00642418 C785 C0F9FFFF 2>mov dword ptr [ebp-640], 22C
00642422 8D95 C0F9FFFF lea edx, dword ptr [ebp-640]
00642428 52 push edx
00642429 8B45 FC mov eax, dword ptr [ebp-4]
0064242C 50 push eax
0064242D E8 486A0000 call 00648E7A ; jmp to kernel32.Process32FirstW
00642432 8985 BCF9FFFF mov dword ptr [ebp-644], eax
; ---- loop head: leave when Process32FirstW/NextW returned 0 ----
00642438 83BD BCF9FFFF 0>cmp dword ptr [ebp-644], 0
0064243F 0F84 FE000000 je 00642543
; Skip the entry that describes this process itself.
00642445 FF15 48606C00 call dword ptr [6C6048] ; kernel32.GetCurrentProcessId
0064244B 3985 C8F9FFFF cmp dword ptr [ebp-638], eax
00642451 0F84 D1000000 je 00642528
; Case-insensitive compare of the entry's image name with L"QQLogin.exe";
; any other name goes straight to the next entry.
00642457 68 6C016D00 push 6D016C ; UNICODE "QQLogin.exe"
0064245C 8D8D E4F9FFFF lea ecx, dword ptr [ebp-61C]
00642462 51 push ecx
00642463 FF15 78626C00 call dword ptr [6C6278] ; msvcrt._wcsicmp
00642469 83C4 08 add esp, 8
0064246C 85C0 test eax, eax
0064246E 0F85 B4000000 jnz 00642528
; Re-initialise the candidate-path buffer (same 0x410-byte pattern as above,
; first word taken from 7074EC) so no stale path survives between iterations.
00642474 66:8B15 EC74700>mov dx, word ptr [7074EC]
0064247B 66:8995 A4F5FFF>mov word ptr [ebp-A5C], dx
00642482 B9 03010000 mov ecx, 103
00642487 33C0 xor eax, eax
00642489 8DBD A6F5FFFF lea edi, dword ptr [ebp-A5A]
0064248F F3:AB rep stos dword ptr es:[edi]
00642491 66:AB stos word ptr es:[edi]
; OpenProcess(dwDesiredAccess = 0x411, bInheritHandle = 0, pid)
; 0x411 = PROCESS_QUERY_INFORMATION (0x400) | PROCESS_VM_READ (0x10)
;       | PROCESS_TERMINATE (0x1)
00642493 8B85 C8F9FFFF mov eax, dword ptr [ebp-638]
00642499 50 push eax
0064249A 6A 00 push 0
0064249C 68 11040000 push 411
006424A1 FF15 AC616C00 call dword ptr [6C61AC] ; kernel32.OpenProcess
006424A7 8985 B4F9FFFF mov dword ptr [ebp-64C], eax
; NULL handle (open refused or process gone): skip to the next entry.
006424AD 83BD B4F9FFFF 0>cmp dword ptr [ebp-64C], 0
006424B4 74 72 je short 00642528
; 0x410 (the byte size of the path buffer) is stored but not read again here.
006424B6 C785 A0F5FFFF 1>mov dword ptr [ebp-A60], 410
; GetModuleFileNameExW(hProcess, hModule = 0, buffer = [ebp-A5C], nSize = 0x208)
006424C0 68 08020000 push 208
006424C5 8D8D A4F5FFFF lea ecx, dword ptr [ebp-A5C]
006424CB 51 push ecx
006424CC 6A 00 push 0
006424CE 8B95 B4F9FFFF mov edx, dword ptr [ebp-64C]
006424D4 52 push edx
006424D5 E8 9C5D0700 call 006B8276 ; jmp to PSAPI.GetModuleFileNameExW
006424DA 85C0 test eax, eax
006424DC 74 3D je short 0064251B
; _wcsnicmp(own path, candidate path, 0x208): only an equal path continues.
006424DE 68 08020000 push 208
006424E3 8D85 A4F5FFFF lea eax, dword ptr [ebp-A5C]
006424E9 50 push eax
006424EA 8D8D ECFBFFFF lea ecx, dword ptr [ebp-414]
006424F0 51 push ecx
006424F1 FF15 74626C00 call dword ptr [6C6274] ; msvcrt._wcsnicmp
006424F7 83C4 0C add esp, 0C
006424FA 85C0 test eax, eax
006424FC 75 1D jnz short 0064251B
; TerminateProcess(hProcess, uExitCode = 0); the return flag is set only when
; the call reports success.
006424FE 6A 00 push 0
00642500 8B95 B4F9FFFF mov edx, dword ptr [ebp-64C]
00642506 52 push edx
00642507 FF15 44606C00 call dword ptr [6C6044] ; kernel32.TerminateProcess
0064250D 85C0 test eax, eax
0064250F 74 0A je short 0064251B
00642511 C785 B8F9FFFF 0>mov dword ptr [ebp-648], 1
; Every path that opened the process comes through here to close its handle.
0064251B 8B85 B4F9FFFF mov eax, dword ptr [ebp-64C]
00642521 50 push eax
00642522 FF15 BC616C00 call dword ptr [6C61BC] ; kernel32.CloseHandle
; ---- next entry: Process32NextW(snapshot, &entry), then back to loop head ----
00642528 8D8D C0F9FFFF lea ecx, dword ptr [ebp-640]
0064252E 51 push ecx
0064252F 8B55 FC mov edx, dword ptr [ebp-4]
00642532 52 push edx
00642533 E8 30690000 call 00648E68 ; jmp to kernel32.Process32NextW
00642538 8985 BCF9FFFF mov dword ptr [ebp-644], eax
0064253E ^ E9 F5FEFFFF jmp 00642438
; ---- loop exit: close the snapshot and return the flag ----
00642543 8B45 FC mov eax, dword ptr [ebp-4]
00642546 50 push eax
00642547 FF15 BC616C00 call dword ptr [6C61BC] ; kernel32.CloseHandle
0064254D 8B85 B8F9FFFF mov eax, dword ptr [ebp-648]
; Common epilogue (also the target of the two early "return 0" jumps).
00642553 5F pop edi
00642554 8BE5 mov esp, ebp
00642556 5D pop ebp
00642557 C3 retn
; ----------------------------------------------------------------------------
; Function 00642558  (32-bit x86, debugger listing: address, opcode bytes, text)
;
; Purpose (as shown by the calls below): open the current process, enumerate
; its loaded modules with EnumProcessModules, and call GetModuleFileNameExA on
; each module handle. The retrieved names and the call results are not used
; anywhere in this function.
;
; In:    no stack arguments are read; the function ends with a plain retn.
; Out:   eax is not set explicitly before returning.
;
; Locals (ebp-relative):
;   [ebp-4]     byte count written by EnumProcessModules (lpcbNeeded)
;   [ebp-8]     handle from OpenProcess
;   [ebp-C]     loop index
;   [ebp-10]    current process id
;   [ebp-1010]  0x1000-byte array of module handles (1024 dword slots)
;   [ebp-1114]  0x104-byte ANSI buffer for one module path
;
; NOTE(review): the loop bound is ([ebp-4] >> 2) with no clamp to the 0x1000
; bytes actually passed to EnumProcessModules. That API reports the size needed
; for ALL modules, so with more than 1024 modules the index would run past the
; array at [ebp-1010] and read unrelated stack dwords as module handles.
; Confirm whether a caller or another layer bounds this.
; ----------------------------------------------------------------------------
00642558 55 push ebp
00642559 8BEC mov ebp, esp
; eax = 0x1114 followed by a helper call: presumably the compiler's stack-probe
; routine reserving 0x1114 bytes of locals (target 00699380 is not shown here;
; the deepest local used below is [ebp-1114], which is consistent with that).
0064255B B8 14110000 mov eax, 1114
00642560 E8 1B6E0500 call 00699380
00642565 FF15 48606C00 call dword ptr [6C6048] ; kernel32.GetCurrentProcessId
0064256B 8945 F0 mov dword ptr [ebp-10], eax
; OpenProcess(dwDesiredAccess = 0x410, bInheritHandle = 0, own pid)
; 0x410 = PROCESS_QUERY_INFORMATION (0x400) | PROCESS_VM_READ (0x10)
0064256E 8B45 F0 mov eax, dword ptr [ebp-10]
00642571 50 push eax
00642572 6A 00 push 0
00642574 68 10040000 push 410
00642579 FF15 AC616C00 call dword ptr [6C61AC] ; kernel32.OpenProcess
0064257F 8945 F8 mov dword ptr [ebp-8], eax
; NULL handle: nothing to close, go directly to the epilogue.
00642582 837D F8 00 cmp dword ptr [ebp-8], 0
00642586 75 02 jnz short 0064258A
00642588 EB 66 jmp short 006425F0
; EnumProcessModules(hProcess, lphModule = [ebp-1010], cb = 0x1000,
;                    lpcbNeeded = &[ebp-4])
0064258A 8D4D FC lea ecx, dword ptr [ebp-4]
0064258D 51 push ecx
0064258E 68 00100000 push 1000
00642593 8D95 F0EFFFFF lea edx, dword ptr [ebp-1010]
00642599 52 push edx
0064259A 8B45 F8 mov eax, dword ptr [ebp-8]
0064259D 50 push eax
0064259E E8 CD5C0700 call 006B8270 ; jmp to PSAPI.EnumProcessModules
006425A3 85C0 test eax, eax
006425A5 74 3F je short 006425E6
; for (i = 0; i < cbNeeded / 4; i++)   -- unsigned compare (jnb)
006425A7 C745 F4 0000000>mov dword ptr [ebp-C], 0
006425AE EB 09 jmp short 006425B9
006425B0 8B4D F4 mov ecx, dword ptr [ebp-C]
006425B3 83C1 01 add ecx, 1
006425B6 894D F4 mov dword ptr [ebp-C], ecx
; cbNeeded >> 2 converts the byte count into a count of 4-byte handles.
006425B9 8B55 FC mov edx, dword ptr [ebp-4]
006425BC C1EA 02 shr edx, 2
006425BF 3955 F4 cmp dword ptr [ebp-C], edx
006425C2 73 22 jnb short 006425E6
; GetModuleFileNameExA(hProcess, modules[i], buffer = [ebp-1114], nSize = 0x104)
; The return value is ignored and the buffer is overwritten on every pass.
006425C4 68 04010000 push 104
006425C9 8D85 ECEEFFFF lea eax, dword ptr [ebp-1114]
006425CF 50 push eax
006425D0 8B4D F4 mov ecx, dword ptr [ebp-C]
006425D3 8B948D F0EFFFFF mov edx, dword ptr [ebp+ecx*4-1010]
006425DA 52 push edx
006425DB 8B45 F8 mov eax, dword ptr [ebp-8]
006425DE 50 push eax
006425DF E8 985C0700 call 006B827C ; jmp to PSAPI.GetModuleFileNameExA
006425E4 ^ EB CA jmp short 006425B0
; Close the process handle (reached after the loop or if enumeration failed).
006425E6 8B4D F8 mov ecx, dword ptr [ebp-8]
006425E9 51 push ecx
006425EA FF15 BC616C00 call dword ptr [6C61BC] ; kernel32.CloseHandle
006425F0 8BE5 mov esp, ebp
006425F2 5D pop ebp
006425F3 C3 retn
006425F4 55 push ebp
006425F5 8BEC mov ebp, esp
006425F7 6A FF push -1
006425F9 68 13526C00 push 6C5213
006425FE 64:A1 00000000 mov eax, dword ptr fs:[0]
00642604 50 push eax
00642605 64:8925 0000000>mov dword ptr fs:[0], esp
0064260C 51 push ecx
0064260D 81EC B4040000 sub esp, 4B4
00642613 53 push ebx
00642614 56 push esi
00642615 57 push edi
00642616 8965 F0 mov dword ptr [ebp-10], esp
00642619 C745 B0 0000000>mov dword ptr [ebp-50], 0
00642620 C785 30FCFFFF 0>mov dword ptr [ebp-3D0], 0
0064262A C685 34FCFFFF 0>mov byte ptr [ebp-3CC], 0
00642631 B9 40000000 mov ecx, 40
00642636 33C0 xor eax, eax
00642638 8DBD 35FCFFFF lea edi, dword ptr [ebp-3CB]
0064263E F3:AB rep stos dword ptr es:[edi]
00642640 66:AB stos word ptr es:[edi]
00642642 AA stos byte ptr es:[edi]
00642643 8B45 08 mov eax, dword ptr [ebp+8]
00642646 83B8 20010000 0>cmp dword ptr [eax+120], 0
0064264D 75 0A jnz short 00642659
0064264F B8 01000000 mov eax, 1
00642654 E9 330A0000 jmp 0064308C
00642659 68 84016D00 push 6D0184 ; ASCII "ntdll.dll"
0064265E FF15 CC616C00 call dword ptr [6C61CC] ; kernel32.GetModuleHandleA
00642664 8945 A4 mov dword ptr [ebp-5C], eax
00642667 837D A4 00 cmp dword ptr [ebp-5C], 0
0064266B 75 07 jnz short 00642674
0064266D 33C0 xor eax, eax
0064266F E9 180A0000 jmp 0064308C
00642674 68 90016D00 push 6D0190 ; ASCII "NtCreateEvent"
00642679 8B4D A4 mov ecx, dword ptr [ebp-5C]
0064267C 51 push ecx
0064267D FF15 D8616C00 call dword ptr [6C61D8] ; kernel32.GetProcAddress
00642683 8945 94 mov dword ptr [ebp-6C], eax
00642686 68 A0016D00 push 6D01A0 ; ASCII "NtSetInformationObject"
0064268B 8B55 A4 mov edx, dword ptr [ebp-5C]
0064268E 52 push edx
0064268F FF15 D8616C00 call dword ptr [6C61D8] ; kernel32.GetProcAddress
00642695 8945 98 mov dword ptr [ebp-68], eax
00642698 68 B8016D00 push 6D01B8 ; ASCII "NtQueryEvent"
0064269D 8B45 A4 mov eax, dword ptr [ebp-5C]
006426A0 50 push eax
006426A1 FF15 D8616C00 call dword ptr [6C61D8] ; kernel32.GetProcAddress
006426A7 8945 A8 mov dword ptr [ebp-58], eax
006426AA 68 C8016D00 push 6D01C8 ; ASCII "NtQueryObject"
006426AF 8B4D A4 mov ecx, dword ptr [ebp-5C]
006426B2 51 push ecx
006426B3 FF15 D8616C00 call dword ptr [6C61D8] ; kernel32.GetProcAddress
006426B9 8945 90 mov dword ptr [ebp-70], eax
006426BC C745 B4 0000000>mov dword ptr [ebp-4C], 0
006426C3 8D55 B4 lea edx, dword ptr [ebp-4C]
006426C6 52 push edx
006426C7 68 D8016D00 push 6D01D8 ; ASCII "OpenJobObjectW"
006426CC 68 E8016D00 push 6D01E8 ; ASCII "kernel32.dll"
006426D1 E8 1CECFFFF call 006412F2
006426D6 C785 40FDFFFF 0>mov dword ptr [ebp-2C0], 0
006426E0 68 F8016D00 push 6D01F8 ; ASCII "RtlInitAnsiString"
006426E5 8B45 A4 mov eax, dword ptr [ebp-5C]
006426E8 50 push eax
006426E9 FF15 D8616C00 call dword ptr [6C61D8] ; kernel32.GetProcAddress
006426EF 8945 EC mov dword ptr [ebp-14], eax
006426F2 68 0C026D00 push 6D020C ; ASCII "RtlAnsiStringToUnicodeString"
006426F7 8B4D A4 mov ecx, dword ptr [ebp-5C]
006426FA 51 push ecx
006426FB FF15 D8616C00 call dword ptr [6C61D8] ; kernel32.GetProcAddress
00642701 8985 44FDFFFF mov dword ptr [ebp-2BC], eax
00642707 68 2C026D00 push 6D022C ; ASCII "RtlFreeUnicodeString"
0064270C 8B55 A4 mov edx, dword ptr [ebp-5C]
0064270F 52 push edx
00642710 FF15 D8616C00 call dword ptr [6C61D8] ; kernel32.GetProcAddress
00642716 8945 AC mov dword ptr [ebp-54], eax
00642719 68 44026D00 push 6D0244 ; ASCII "RtlInitUnicodeString"
0064271E 8B45 A4 mov eax, dword ptr [ebp-5C]
00642721 50 push eax
00642722 FF15 D8616C00 call dword ptr [6C61D8] ; kernel32.GetProcAddress
00642728 8945 9C mov dword ptr [ebp-64], eax
0064272B C745 D0 0000000>mov dword ptr [ebp-30], 0
00642732 C745 A0 0000000>mov dword ptr [ebp-60], 0
00642739 837D 94 00 cmp dword ptr [ebp-6C], 0
0064273D 74 06 je short 00642745
0064273F 837D B4 00 cmp dword ptr [ebp-4C], 0
00642743 75 05 jnz short 0064274A
00642745 E9 CA080000 jmp 00643014
0064274A 837D EC 00 cmp dword ptr [ebp-14], 0
0064274E 74 15 je short 00642765
00642750 83BD 44FDFFFF 0>cmp dword ptr [ebp-2BC], 0
00642757 74 0C je short 00642765
00642759 837D AC 00 cmp dword ptr [ebp-54], 0
0064275D 74 06 je short 00642765
0064275F 837D 9C 00 cmp dword ptr [ebp-64], 0
00642763 75 05 jnz short 0064276A
00642765 E9 AA080000 jmp 00643014
0064276A C745 B8 0000000>mov dword ptr [ebp-48], 0
00642771 C745 8C 0000000>mov dword ptr [ebp-74], 0
00642778 8B4D B4 mov ecx, dword ptr [ebp-4C]
0064277B 894D 84 mov dword ptr [ebp-7C], ecx
0064277E 8B55 B4 mov edx, dword ptr [ebp-4C]
00642781 0355 8C add edx, dword ptr [ebp-74]
00642784 52 push edx
00642785 8B45 84 mov eax, dword ptr [ebp-7C]
00642788 50 push eax
00642789 8D8D 48FDFFFF lea ecx, dword ptr [ebp-2B8]
0064278F 51 push ecx
00642790 E8 AB1D0200 call 00664540
00642795 83C4 0C add esp, 0C
00642798 8B55 89 mov edx, dword ptr [ebp-77]
0064279B 81E2 FF000000 and edx, 0FF
006427A1 8B45 88 mov eax, dword ptr [ebp-78]
006427A4 25 FF000000 and eax, 0FF
006427A9 0345 84 add eax, dword ptr [ebp-7C]
006427AC 03C2 add eax, edx
006427AE 8945 84 mov dword ptr [ebp-7C], eax
006427B1 8B4D 89 mov ecx, dword ptr [ebp-77]
006427B4 81E1 FF000000 and ecx, 0FF
006427BA 8B55 88 mov edx, dword ptr [ebp-78]
006427BD 81E2 FF000000 and edx, 0FF
006427C3 0355 8C add edx, dword ptr [ebp-74]
006427C6 03D1 add edx, ecx
006427C8 8955 8C mov dword ptr [ebp-74], edx
006427CB 8B45 89 mov eax, dword ptr [ebp-77]
006427CE 25 FF000000 and eax, 0FF
006427D3 85C0 test eax, eax
006427D5 0F85 9A000000 jnz 00642875
006427DB 8B8D 66FFFFFF mov ecx, dword ptr [ebp-9A]
006427E1 81E1 FF000000 and ecx, 0FF
006427E7 81F9 FF000000 cmp ecx, 0FF
006427ED 0F85 82000000 jnz 00642875
006427F3 8B95 67FFFFFF mov edx, dword ptr [ebp-99]
006427F9 81E2 FF000000 and edx, 0FF
006427FF 83FA 15 cmp edx, 15
00642802 75 71 jnz short 00642875
00642804 8B85 68FFFFFF mov eax, dword ptr [ebp-98]
0064280A 25 FF000000 and eax, 0FF
0064280F 8B8D 69FFFFFF mov ecx, dword ptr [ebp-97]
00642815 81E1 FF000000 and ecx, 0FF
0064281B C1E1 08 shl ecx, 8
0064281E 0BC1 or eax, ecx
00642820 8B95 6AFFFFFF mov edx, dword ptr [ebp-96]
00642826 81E2 FF000000 and edx, 0FF
0064282C C1E2 10 shl edx, 10
0064282F 0BC2 or eax, edx
00642831 8B8D 6BFFFFFF mov ecx, dword ptr [ebp-95]
00642837 81E1 FF000000 and ecx, 0FF
0064283D C1E1 18 shl ecx, 18
00642840 0BC1 or eax, ecx
00642842 8985 2CFCFFFF mov dword ptr [ebp-3D4], eax
00642848 C745 FC 0000000>mov dword ptr [ebp-4], 0
0064284F 8B95 2CFCFFFF mov edx, dword ptr [ebp-3D4]
00642855 8B02 mov eax, dword ptr [edx]
00642857 8985 2CFCFFFF mov dword ptr [ebp-3D4], eax
0064285D EB 06 jmp short 00642865
0064285F B8 65286400 mov eax, 642865
00642864 C3 retn
00642865 C745 FC FFFFFFF>mov dword ptr [ebp-4], -1
0064286C C745 B8 0100000>mov dword ptr [ebp-48], 1
00642873 EB 7C jmp short 006428F1
00642875 837D B8 00 cmp dword ptr [ebp-48], 0
00642879 74 76 je short 006428F1
0064287B 8B4D 89 mov ecx, dword ptr [ebp-77]
0064287E 81E1 FF000000 and ecx, 0FF
00642884 85C9 test ecx, ecx
00642886 75 69 jnz short 006428F1
00642888 8B95 66FFFFFF mov edx, dword ptr [ebp-9A]
0064288E 81E2 FF000000 and edx, 0FF
00642894 81FA E8000000 cmp edx, 0E8
0064289A 75 55 jnz short 006428F1
0064289C 8B85 67FFFFFF mov eax, dword ptr [ebp-99]
006428A2 25 FF000000 and eax, 0FF
006428A7 8B8D 68FFFFFF mov ecx, dword ptr [ebp-98]
006428AD 81E1 FF000000 and ecx, 0FF
006428B3 C1E1 08 shl ecx, 8
006428B6 0BC1 or eax, ecx
006428B8 8B95 69FFFFFF mov edx, dword ptr [ebp-97]
006428BE 81E2 FF000000 and edx, 0FF
006428C4 C1E2 10 shl edx, 10
006428C7 0BC2 or eax, edx
006428C9 8B8D 6AFFFFFF mov ecx, dword ptr [ebp-96]
006428CF 81E1 FF000000 and ecx, 0FF
006428D5 C1E1 18 shl ecx, 18
006428D8 0BC1 or eax, ecx
006428DA 8985 28FCFFFF mov dword ptr [ebp-3D8], eax
006428E0 8B55 84 mov edx, dword ptr [ebp-7C]
006428E3 0395 28FCFFFF add edx, dword ptr [ebp-3D8]
006428E9 8995 40FDFFFF mov dword ptr [ebp-2C0], edx
006428EF EB 0D jmp short 006428FE
006428F1 817D 8C 8813000>cmp dword ptr [ebp-74], 1388
006428F8 ^ 0F82 80FEFFFF jb 0064277E
006428FE 83BD 40FDFFFF 0>cmp dword ptr [ebp-2C0], 0
00642905 75 05 jnz short 0064290C
00642907 E9 08070000 jmp 00643014
0064290C C745 8C 0000000>mov dword ptr [ebp-74], 0
00642913 8B45 94 mov eax, dword ptr [ebp-6C]
00642916 8945 84 mov dword ptr [ebp-7C], eax
00642919 8B4D 94 mov ecx, dword ptr [ebp-6C]
0064291C 034D 8C add ecx, dword ptr [ebp-74]
0064291F 51 push ecx
00642920 8B55 84 mov edx, dword ptr [ebp-7C]
00642923 52 push edx
00642924 8D85 48FDFFFF lea eax, dword ptr [ebp-2B8]
0064292A 50 push eax
0064292B E8 101C0200 call 00664540
00642930 83C4 0C add esp, 0C
00642933 8B4D 89 mov ecx, dword ptr [ebp-77]
00642936 81E1 FF000000 and ecx, 0FF
0064293C 8B55 88 mov edx, dword ptr [ebp-78]
0064293F 81E2 FF000000 and edx, 0FF
00642945 0355 84 add edx, dword ptr [ebp-7C]
00642948 03D1 add edx, ecx
0064294A 8955 84 mov dword ptr [ebp-7C], edx
0064294D 8B45 89 mov eax, dword ptr [ebp-77]
00642950 25 FF000000 and eax, 0FF
00642955 8B4D 88 mov ecx, dword ptr [ebp-78]
00642958 81E1 FF000000 and ecx, 0FF
0064295E 034D 8C add ecx, dword ptr [ebp-74]
00642961 03C8 add ecx, eax
00642963 894D 8C mov dword ptr [ebp-74], ecx
00642966 8B55 89 mov edx, dword ptr [ebp-77]
00642969 81E2 FF000000 and edx, 0FF
0064296F 85D2 test edx, edx
00642971 75 35 jnz short 006429A8
00642973 8B85 66FFFFFF mov eax, dword ptr [ebp-9A]
00642979 25 FF000000 and eax, 0FF
0064297E 3D C2000000 cmp eax, 0C2
00642983 75 23 jnz short 006429A8
00642985 8B8D 67FFFFFF mov ecx, dword ptr [ebp-99]
0064298B 81E1 FF000000 and ecx, 0FF
00642991 83F9 14 cmp ecx, 14
00642994 75 12 jnz short 006429A8
00642996 8B95 68FFFFFF mov edx, dword ptr [ebp-98]
0064299C 81E2 FF000000 and edx, 0FF
006429A2 85D2 test edx, edx
006429A4 75 02 jnz short 006429A8
006429A6 EB 0A jmp short 006429B2
006429A8 837D 8C 32 cmp dword ptr [ebp-74], 32
006429AC ^ 0F82 67FFFFFF jb 00642919
006429B2 6A 40 push 40
006429B4 68 00300000 push 3000
006429B9 8B45 8C mov eax, dword ptr [ebp-74]
006429BC 50 push eax
006429BD 6A 00 push 0
006429BF FF15 58606C00 call dword ptr [6C6058] ; kernel32.VirtualAlloc
006429C5 8945 D0 mov dword ptr [ebp-30], eax
006429C8 837D D0 00 cmp dword ptr [ebp-30], 0
006429CC 75 05 jnz short 006429D3
006429CE E9 41060000 jmp 00643014
006429D3 8B4D 8C mov ecx, dword ptr [ebp-74]
006429D6 51 push ecx
006429D7 8B55 94 mov edx, dword ptr [ebp-6C]
006429DA 52 push edx
006429DB 8B45 D0 mov eax, dword ptr [ebp-30]
006429DE 50 push eax
006429DF E8 4C690500 call 00699330 ; jmp 到 msvcrt.memcpy
006429E4 83C4 0C add esp, 0C
006429E7 C745 8C 0000000>mov dword ptr [ebp-74], 0
006429EE 8B4D 98 mov ecx, dword ptr [ebp-68]
006429F1 894D 84 mov dword ptr [ebp-7C], ecx
006429F4 8B55 98 mov edx, dword ptr [ebp-68]
006429F7 0355 8C add edx, dword ptr [ebp-74]
006429FA 52 push edx
006429FB 8B45 84 mov eax, dword ptr [ebp-7C]
006429FE 50 push eax
006429FF 8D8D 48FDFFFF lea ecx, dword ptr [ebp-2B8]
00642A05 51 push ecx
00642A06 E8 351B0200 call 00664540
00642A0B 83C4 0C add esp, 0C
00642A0E 8B55 89 mov edx, dword ptr [ebp-77]
00642A11 81E2 FF000000 and edx, 0FF
00642A17 8B45 88 mov eax, dword ptr [ebp-78]
00642A1A 25 FF000000 and eax, 0FF
00642A1F 0345 84 add eax, dword ptr [ebp-7C]
00642A22 03C2 add eax, edx
00642A24 8945 84 mov dword ptr [ebp-7C], eax
00642A27 8B4D 89 mov ecx, dword ptr [ebp-77]
00642A2A 81E1 FF000000 and ecx, 0FF
00642A30 8B55 88 mov edx, dword ptr [ebp-78]
00642A33 81E2 FF000000 and edx, 0FF
00642A39 0355 8C add edx, dword ptr [ebp-74]
00642A3C 03D1 add edx, ecx
00642A3E 8955 8C mov dword ptr [ebp-74], edx
00642A41 8B45 89 mov eax, dword ptr [ebp-77]
00642A44 25 FF000000 and eax, 0FF
00642A49 85C0 test eax, eax
00642A4B 75 36 jnz short 00642A83
00642A4D 8B8D 66FFFFFF mov ecx, dword ptr [ebp-9A]
00642A53 81E1 FF000000 and ecx, 0FF
00642A59 81F9 C2000000 cmp ecx, 0C2
00642A5F 75 22 jnz short 00642A83
00642A61 8B95 67FFFFFF mov edx, dword ptr [ebp-99]
00642A67 81E2 FF000000 and edx, 0FF
00642A6D 83FA 14 cmp edx, 14
00642A70 75 11 jnz short 00642A83
00642A72 8B85 68FFFFFF mov eax, dword ptr [ebp-98]
00642A78 25 FF000000 and eax, 0FF
00642A7D 85C0 test eax, eax
00642A7F 75 02 jnz short 00642A83
00642A81 EB 0A jmp short 00642A8D
00642A83 837D 8C 32 cmp dword ptr [ebp-74], 32
00642A87 ^ 0F82 67FFFFFF jb 006429F4
00642A8D 6A 40 push 40
00642A8F 68 00300000 push 3000
00642A94 8B4D 8C mov ecx, dword ptr [ebp-74]
00642A97 51 push ecx
00642A98 6A 00 push 0
00642A9A FF15 58606C00 call dword ptr [6C6058] ; kernel32.VirtualAlloc
00642AA0 8945 A0 mov dword ptr [ebp-60], eax
00642AA3 837D A0 00 cmp dword ptr [ebp-60], 0
00642AA7 75 05 jnz short 00642AAE
00642AA9 E9 66050000 jmp 00643014
00642AAE 8B55 8C mov edx, dword ptr [ebp-74]
00642AB1 52 push edx
00642AB2 8B45 98 mov eax, dword ptr [ebp-68]
00642AB5 50 push eax
00642AB6 8B4D A0 mov ecx, dword ptr [ebp-60]
00642AB9 51 push ecx
00642ABA E8 71680500 call 00699330 ; jmp 到 msvcrt.memcpy
00642ABF 83C4 0C add esp, 0C
00642AC2 C745 8C 0000000>mov dword ptr [ebp-74], 0
00642AC9 8B55 A8 mov edx, dword ptr [ebp-58]
00642ACC 8955 84 mov dword ptr [ebp-7C], edx
00642ACF 8B45 A8 mov eax, dword ptr [ebp-58]
00642AD2 0345 8C add eax, dword ptr [ebp-74]
00642AD5 50 push eax
00642AD6 8B4D 84 mov ecx, dword ptr [ebp-7C]
00642AD9 51 push ecx
00642ADA 8D95 48FDFFFF lea edx, dword ptr [ebp-2B8]
00642AE0 52 push edx
00642AE1 E8 5A1A0200 call 00664540
00642AE6 83C4 0C add esp, 0C
00642AE9 8B45 89 mov eax, dword ptr [ebp-77]
00642AEC 25 FF000000 and eax, 0FF
00642AF1 8B4D 88 mov ecx, dword ptr [ebp-78]
00642AF4 81E1 FF000000 and ecx, 0FF
00642AFA 034D 84 add ecx, dword ptr [ebp-7C]
00642AFD 03C8 add ecx, eax
00642AFF 894D 84 mov dword ptr [ebp-7C], ecx
00642B02 8B55 89 mov edx, dword ptr [ebp-77]
00642B05 81E2 FF000000 and edx, 0FF
00642B0B 8B45 88 mov eax, dword ptr [ebp-78]
00642B0E 25 FF000000 and eax, 0FF
00642B13 0345 8C add eax, dword ptr [ebp-74]
00642B16 03C2 add eax, edx
00642B18 8945 8C mov dword ptr [ebp-74], eax
00642B1B 8B4D 89 mov ecx, dword ptr [ebp-77]
00642B1E 81E1 FF000000 and ecx, 0FF
00642B24 85C9 test ecx, ecx
00642B26 75 36 jnz short 00642B5E
00642B28 8B95 66FFFFFF mov edx, dword ptr [ebp-9A]
00642B2E 81E2 FF000000 and edx, 0FF
00642B34 81FA C2000000 cmp edx, 0C2
00642B3A 75 22 jnz short 00642B5E
00642B3C 8B85 67FFFFFF mov eax, dword ptr [ebp-99]
00642B42 25 FF000000 and eax, 0FF
00642B47 83F8 14 cmp eax, 14
00642B4A 75 12 jnz short 00642B5E
00642B4C 8B8D 68FFFFFF mov ecx, dword ptr [ebp-98]
00642B52 81E1 FF000000 and ecx, 0FF
00642B58 85C9 test ecx, ecx
00642B5A 75 02 jnz short 00642B5E
00642B5C EB 0A jmp short 00642B68
00642B5E 837D 8C 32 cmp dword ptr [ebp-74], 32
00642B62 ^ 0F82 67FFFFFF jb 00642ACF
00642B68 6A 40 push 40
00642B6A 68 00300000 push 3000
00642B6F 8B55 8C mov edx, dword ptr [ebp-74]
00642B72 52 push edx
00642B73 6A 00 push 0
00642B75 FF15 58606C00 call dword ptr [6C6058] ; kernel32.VirtualAlloc
00642B7B A3 AC6C7000 mov dword ptr [706CAC], eax
00642B80 833D AC6C7000 0>cmp dword ptr [706CAC], 0
00642B87 75 05 jnz short 00642B8E
00642B89 E9 86040000 jmp 00643014
00642B8E 8B45 8C mov eax, dword ptr [ebp-74]
00642B91 50 push eax
00642B92 8B4D A8 mov ecx, dword ptr [ebp-58]
00642B95 51 push ecx
00642B96 8B15 AC6C7000 mov edx, dword ptr [706CAC]
00642B9C 52 push edx
00642B9D E8 8E670500 call 00699330 ; jmp 到 msvcrt.memcpy
00642BA2 83C4 0C add esp, 0C
00642BA5 C745 8C 0000000>mov dword ptr [ebp-74], 0
00642BAC 8B45 90 mov eax, dword ptr [ebp-70]
00642BAF 8945 84 mov dword ptr [ebp-7C], eax
00642BB2 8B4D 90 mov ecx, dword ptr [ebp-70]
00642BB5 034D 8C add ecx, dword ptr [ebp-74]
00642BB8 51 push ecx
00642BB9 8B55 84 mov edx, dword ptr [ebp-7C]
00642BBC 52 push edx
00642BBD 8D85 48FDFFFF lea eax, dword ptr [ebp-2B8]
00642BC3 50 push eax
00642BC4 E8 77190200 call 00664540
00642BC9 83C4 0C add esp, 0C
00642BCC 8B4D 89 mov ecx, dword ptr [ebp-77]
00642BCF 81E1 FF000000 and ecx, 0FF
00642BD5 8B55 88 mov edx, dword ptr [ebp-78]
00642BD8 81E2 FF000000 and edx, 0FF
00642BDE 0355 84 add edx, dword ptr [ebp-7C]
00642BE1 03D1 add edx, ecx
00642BE3 8955 84 mov dword ptr [ebp-7C], edx
00642BE6 8B45 89 mov eax, dword ptr [ebp-77]
00642BE9 25 FF000000 and eax, 0FF
00642BEE 8B4D 88 mov ecx, dword ptr [ebp-78]
00642BF1 81E1 FF000000 and ecx, 0FF
00642BF7 034D 8C add ecx, dword ptr [ebp-74]
00642BFA 03C8 add ecx, eax
00642BFC 894D 8C mov dword ptr [ebp-74], ecx
00642BFF 8B55 89 mov edx, dword ptr [ebp-77]
00642C02 81E2 FF000000 and edx, 0FF
00642C08 85D2 test edx, edx
00642C0A 75 35 jnz short 00642C41
00642C0C 8B85 66FFFFFF mov eax, dword ptr [ebp-9A]
00642C12 25 FF000000 and eax, 0FF
00642C17 3D C2000000 cmp eax, 0C2
00642C1C 75 23 jnz short 00642C41
00642C1E 8B8D 67FFFFFF mov ecx, dword ptr [ebp-99]
00642C24 81E1 FF000000 and ecx, 0FF
00642C2A 83F9 14 cmp ecx, 14
00642C2D 75 12 jnz short 00642C41
00642C2F 8B95 68FFFFFF mov edx, dword ptr [ebp-98]
00642C35 81E2 FF000000 and edx, 0FF
00642C3B 85D2 test edx, edx
00642C3D 75 02 jnz short 00642C41
00642C3F EB 0A jmp short 00642C4B
00642C41 837D 8C 32 cmp dword ptr [ebp-74], 32
00642C45 ^ 0F82 67FFFFFF jb 00642BB2
00642C4B 6A 40 push 40
00642C4D 68 00300000 push 3000
00642C52 8B45 8C mov eax, dword ptr [ebp-74]
00642C55 50 push eax
00642C56 6A 00 push 0
00642C58 FF15 58606C00 call dword ptr [6C6058] ; kernel32.VirtualAlloc
00642C5E A3 B06C7000 mov dword ptr [706CB0], eax
00642C63 833D B06C7000 0>cmp dword ptr [706CB0], 0
00642C6A 75 05 jnz short 00642C71
00642C6C E9 A3030000 jmp 00643014
00642C71 8B4D 8C mov ecx, dword ptr [ebp-74]
00642C74 51 push ecx
00642C75 8B55 90 mov edx, dword ptr [ebp-70]
00642C78 52 push edx
00642C79 A1 B06C7000 mov eax, dword ptr [706CB0]
00642C7E 50 push eax
00642C7F E8 AC660500 call 00699330 ; jmp 到 msvcrt.memcpy
00642C84 83C4 0C add esp, 0C
00642C87 C745 CC 0000000>mov dword ptr [ebp-34], 0
00642C8E C785 38FDFFFF 0>mov dword ptr [ebp-2C8], 0
00642C98 8B4D 08 mov ecx, dword ptr [ebp+8]
00642C9B 8B91 1C010000 mov edx, dword ptr [ecx+11C]
00642CA1 81F2 28140000 xor edx, 1428
00642CA7 81F2 42860000 xor edx, 8642
00642CAD 81F2 57280000 xor edx, 2857
00642CB3 81E2 FFFFFF00 and edx, 0FFFFFF
00642CB9 81E2 FFFF0000 and edx, 0FFFF
00642CBF 8B85 38FDFFFF mov eax, dword ptr [ebp-2C8]
00642CC5 25 FF000000 and eax, 0FF
00642CCA 25 FFFF0000 and eax, 0FFFF
00642CCF C1E0 18 shl eax, 18
00642CD2 0BD0 or edx, eax
00642CD4 8995 30FCFFFF mov dword ptr [ebp-3D0], edx
00642CDA 8D8D 08FCFFFF lea ecx, dword ptr [ebp-3F8]
00642CE0 51 push ecx
00642CE1 6A 04 push 4
00642CE3 8D95 30FCFFFF lea edx, dword ptr [ebp-3D0]
00642CE9 52 push edx
00642CEA E8 41740500 call 0069A130
00642CEF 83C4 0C add esp, 0C
00642CF2 8B85 08FCFFFF mov eax, dword ptr [ebp-3F8]
00642CF8 8985 44FBFFFF mov dword ptr [ebp-4BC], eax
00642CFE 8B8D 0CFCFFFF mov ecx, dword ptr [ebp-3F4]
00642D04 898D 4CFBFFFF mov dword ptr [ebp-4B4], ecx
00642D0A 8B95 10FCFFFF mov edx, dword ptr [ebp-3F0]
00642D10 8995 50FBFFFF mov dword ptr [ebp-4B0], edx
00642D16 8B85 14FCFFFF mov eax, dword ptr [ebp-3EC]
00642D1C 8985 64FBFFFF mov dword ptr [ebp-49C], eax
00642D22 8B8D 44FBFFFF mov ecx, dword ptr [ebp-4BC]
00642D28 81F1 42860000 xor ecx, 8642
00642D2E 890D 106E7000 mov dword ptr [706E10], ecx
00642D34 8B95 4CFBFFFF mov edx, dword ptr [ebp-4B4]
00642D3A 81F2 42860000 xor edx, 8642
00642D40 8915 146E7000 mov dword ptr [706E14], edx
00642D46 8B85 50FBFFFF mov eax, dword ptr [ebp-4B0]
00642D4C 35 42860000 xor eax, 8642
00642D51 A3 186E7000 mov dword ptr [706E18], eax
00642D56 8B8D 64FBFFFF mov ecx, dword ptr [ebp-49C]
00642D5C 81F1 42860000 xor ecx, 8642
00642D62 890D 1C6E7000 mov dword ptr [706E1C], ecx
00642D68 8B95 64FBFFFF mov edx, dword ptr [ebp-49C]
00642D6E 52 push edx
00642D6F 8B85 50FBFFFF mov eax, dword ptr [ebp-4B0]
00642D75 50 push eax
00642D76 8B8D 4CFBFFFF mov ecx, dword ptr [ebp-4B4]
00642D7C 51 push ecx
00642D7D 8B95 44FBFFFF mov edx, dword ptr [ebp-4BC]
00642D83 52 push edx
00642D84 68 5C026D00 push 6D025C ; ASCII "Global\%08X%08X%08X%08X"
00642D89 68 03010000 push 103
00642D8E 8D85 34FCFFFF lea eax, dword ptr [ebp-3CC]
00642D94 50 push eax
00642D95 FF15 F0636C00 call dword ptr [6C63F0] ; msvcrt._snprintf
00642D9B 83C4 1C add esp, 1C
00642D9E 8D8D 34FCFFFF lea ecx, dword ptr [ebp-3CC]
00642DA4 51 push ecx
00642DA5 8D55 BC lea edx, dword ptr [ebp-44]
00642DA8 52 push edx
00642DA9 FF55 EC call dword ptr [ebp-14]
00642DAC 6A 01 push 1
00642DAE 8D45 BC lea eax, dword ptr [ebp-44]
00642DB1 50 push eax
00642DB2 8D4D C4 lea ecx, dword ptr [ebp-3C]
00642DB5 51 push ecx
00642DB6 FF95 44FDFFFF call dword ptr [ebp-2BC]
00642DBC 8985 3CFDFFFF mov dword ptr [ebp-2C4], eax
00642DC2 C785 48FBFFFF 8>mov dword ptr [ebp-4B8], 80
00642DCC C785 54FBFFFF 0>mov dword ptr [ebp-4AC], 0
00642DD6 8D95 68FBFFFF lea edx, dword ptr [ebp-498]
00642DDC 52 push edx
00642DDD E8 AE730000 call 0064A190
00642DE2 83C4 04 add esp, 4
00642DE5 85C0 test eax, eax
00642DE7 75 36 jnz short 00642E1F
00642DE9 68 9C000000 push 9C
00642DEE 6A 00 push 0
00642DF0 8D85 68FBFFFF lea eax, dword ptr [ebp-498]
00642DF6 50 push eax
00642DF7 E8 3A650500 call 00699336 ; jmp 到 msvcrt.memset
00642DFC 83C4 0C add esp, 0C
00642DFF C785 68FBFFFF 9>mov dword ptr [ebp-498], 9C
00642E09 8D8D 68FBFFFF lea ecx, dword ptr [ebp-498]
00642E0F 51 push ecx
00642E10 FF15 54606C00 call dword ptr [6C6054] ; kernel32.GetVersionExA
00642E16 85C0 test eax, eax
00642E18 75 05 jnz short 00642E1F
00642E1A E9 F5010000 jmp 00643014
00642E1F 83BD 78FBFFFF 0>cmp dword ptr [ebp-488], 2
00642E26 74 05 je short 00642E2D
00642E28 E9 E7010000 jmp 00643014
00642E2D 83BD 6CFBFFFF 0>cmp dword ptr [ebp-494], 6
00642E34 72 1B jb short 00642E51
00642E36 8B95 40FDFFFF mov edx, dword ptr [ebp-2C0]
00642E3C 8995 40FBFFFF mov dword ptr [ebp-4C0], edx
00642E42 8D85 54FBFFFF lea eax, dword ptr [ebp-4AC]
00642E48 50 push eax
00642E49 FF95 40FBFFFF call dword ptr [ebp-4C0]
00642E4F EB 18 jmp short 00642E69
00642E51 8B8D 40FDFFFF mov ecx, dword ptr [ebp-2C0]
00642E57 898D 3CFBFFFF mov dword ptr [ebp-4C4], ecx
00642E5D FF95 3CFBFFFF call dword ptr [ebp-4C4]
00642E63 8985 54FBFFFF mov dword ptr [ebp-4AC], eax
00642E69 C745 D4 1800000>mov dword ptr [ebp-2C], 18
00642E70 8B95 54FBFFFF mov edx, dword ptr [ebp-4AC]
00642E76 8955 D8 mov dword ptr [ebp-28], edx
00642E79 8B85 48FBFFFF mov eax, dword ptr [ebp-4B8]
00642E7F 8945 E0 mov dword ptr [ebp-20], eax
00642E82 8D4D C4 lea ecx, dword ptr [ebp-3C]
00642E85 894D DC mov dword ptr [ebp-24], ecx
00642E88 C745 E4 0000000>mov dword ptr [ebp-1C], 0
00642E8F C745 E8 0000000>mov dword ptr [ebp-18], 0
00642E96 8B55 D0 mov edx, dword ptr [ebp-30]
00642E99 8995 04FCFFFF mov dword ptr [ebp-3FC], edx
00642E9F 8B45 A0 mov eax, dword ptr [ebp-60]
00642EA2 8985 58FBFFFF mov dword ptr [ebp-4A8], eax
00642EA8 C785 60FBFFFF 0>mov dword ptr [ebp-4A0], 0
00642EB2 6A 00 push 0
00642EB4 6A 00 push 0
00642EB6 8D4D D4 lea ecx, dword ptr [ebp-2C]
00642EB9 51 push ecx
00642EBA 68 03001F00 push 1F0003
00642EBF 8D95 60FBFFFF lea edx, dword ptr [ebp-4A0]
00642EC5 52 push edx
00642EC6 FF95 04FCFFFF call dword ptr [ebp-3FC]
00642ECC 8985 3CFDFFFF mov dword ptr [ebp-2C4], eax
00642ED2 81BD 3CFDFFFF 0>cmp dword ptr [ebp-2C4], C0000005
00642EDC 75 6B jnz short 00642F49
00642EDE 68 00800000 push 8000
00642EE3 6A 00 push 0
00642EE5 A1 AC6C7000 mov eax, dword ptr [706CAC]
00642EEA 50 push eax
00642EEB FF15 50606C00 call dword ptr [6C6050] ; kernel32.VirtualFree
00642EF1 68 00800000 push 8000
00642EF6 6A 00 push 0
00642EF8 8B0D B06C7000 mov ecx, dword ptr [706CB0]
00642EFE 51 push ecx
00642EFF FF15 50606C00 call dword ptr [6C6050] ; kernel32.VirtualFree
00642F05 8B55 94 mov edx, dword ptr [ebp-6C]
00642F08 8995 04FCFFFF mov dword ptr [ebp-3FC], edx
00642F0E 8B45 98 mov eax, dword ptr [ebp-68]
00642F11 8985 58FBFFFF mov dword ptr [ebp-4A8], eax
00642F17 8B4D A8 mov ecx, dword ptr [ebp-58]
00642F1A 890D AC6C7000 mov dword ptr [706CAC], ecx
00642F20 8B55 90 mov edx, dword ptr [ebp-70]
00642F23 8915 B06C7000 mov dword ptr [706CB0], edx
00642F29 6A 00 push 0
00642F2B 6A 00 push 0
00642F2D 8D45 D4 lea eax, dword ptr [ebp-2C]
00642F30 50 push eax
00642F31 68 03001F00 push 1F0003
00642F36 8D8D 60FBFFFF lea ecx, dword ptr [ebp-4A0]
00642F3C 51 push ecx
00642F3D FF95 04FCFFFF call dword ptr [ebp-3FC]
00642F43 8985 3CFDFFFF mov dword ptr [ebp-2C4], eax
00642F49 8D55 C4 lea edx, dword ptr [ebp-3C]
00642F4C 52 push edx
00642F4D FF55 AC call dword ptr [ebp-54]
00642F50 8B85 60FBFFFF mov eax, dword ptr [ebp-4A0]
00642F56 A3 0C6E7000 mov dword ptr [706E0C], eax
00642F5B C685 5CFBFFFF 0>mov byte ptr [ebp-4A4], 0
00642F62 C685 5DFBFFFF 0>mov byte ptr [ebp-4A3], 1
00642F69 6A 02 push 2
00642F6B 8D8D 5CFBFFFF lea ecx, dword ptr [ebp-4A4]
00642F71 51 push ecx
00642F72 6A 04 push 4
00642F74 8B95 60FBFFFF mov edx, dword ptr [ebp-4A0]
00642F7A 52 push edx
00642F7B FF95 58FBFFFF call dword ptr [ebp-4A8]
00642F81 81BD 3CFDFFFF 0>cmp dword ptr [ebp-2C4], 40000000
00642F8B 74 0C je short 00642F99
00642F8D 81BD 3CFDFFFF 3>cmp dword ptr [ebp-2C4], C0000035
00642F97 75 09 jnz short 00642FA2
00642F99 C745 B0 0000000>mov dword ptr [ebp-50], 0
00642FA0 EB 30 jmp short 00642FD2
00642FA2 83BD 3CFDFFFF 0>cmp dword ptr [ebp-2C4], 0
00642FA9 7C 09 jl short 00642FB4
00642FAB C745 B0 0100000>mov dword ptr [ebp-50], 1
00642FB2 EB 51 jmp short 00643005
00642FB4 81BD 3CFDFFFF 2>cmp dword ptr [ebp-2C4], C0000022
00642FBE 75 09 jnz short 00642FC9
00642FC0 C745 B0 0100000>mov dword ptr [ebp-50], 1
00642FC7 EB 3C jmp short 00643005
00642FC9 C745 B0 0100000>mov dword ptr [ebp-50], 1
00642FD0 EB 33 jmp short 00643005
00642FD2 8B85 38FDFFFF mov eax, dword ptr [ebp-2C8]
00642FD8 83C0 01 add eax, 1
00642FDB 8985 38FDFFFF mov dword ptr [ebp-2C8], eax
00642FE1 8B4D 08 mov ecx, dword ptr [ebp+8]
00642FE4 8B91 A8000000 mov edx, dword ptr [ecx+A8]
00642FEA 83C2 01 add edx, 1
00642FED 8B45 08 mov eax, dword ptr [ebp+8]
00642FF0 8B88 20010000 mov ecx, dword ptr [eax+120]
00642FF6 0FAFCA imul ecx, edx
00642FF9 398D 38FDFFFF cmp dword ptr [ebp-2C8], ecx
00642FFF ^ 0F82 93FCFFFF jb 00642C98
00643005 8B95 38FDFFFF mov edx, dword ptr [ebp-2C8]
0064300B 83EA 01 sub edx, 1
0064300E 8915 E86C7000 mov dword ptr [706CE8], edx
00643014 68 00800000 push 8000
00643019 6A 00 push 0
0064301B 8B45 D0 mov eax, dword ptr [ebp-30]
0064301E 50 push eax
0064301F FF15 50606C00 call dword ptr [6C6050] ; kernel32.VirtualFree
00643025 68 00800000 push 8000
0064302A 6A 00 push 0
0064302C 8B4D A0 mov ecx, dword ptr [ebp-60]
0064302F 51 push ecx
00643030 FF15 50606C00 call dword ptr [6C6050] ; kernel32.VirtualFree
00643036 837D B0 00 cmp dword ptr [ebp-50], 0
0064303A 75 4D jnz short 00643089
0064303C 833D AC6C7000 0>cmp dword ptr [706CAC], 0
00643043 74 1E je short 00643063
00643045 68 00800000 push 8000
0064304A 6A 00 push 0
0064304C 8B15 AC6C7000 mov edx, dword ptr [706CAC]
00643052 52 push edx
00643053 FF15 50606C00 call dword ptr [6C6050] ; kernel32.VirtualFree
00643059 C705 AC6C7000 0>mov dword ptr [706CAC], 0
00643063 833D B06C7000 0>cmp dword ptr [706CB0], 0
0064306A 74 1D je short 00643089
0064306C 68 00800000 push 8000
00643071 6A 00 push 0
00643073 A1 B06C7000 mov eax, dword ptr [706CB0]
00643078 50 push eax
00643079 FF15 50606C00 call dword ptr [6C6050] ; kernel32.VirtualFree
0064307F C705 B06C7000 0>mov dword ptr [706CB0], 0
00643089 8B45 B0 mov eax, dword ptr [ebp-50]
0064308C 8B4D F4 mov ecx, dword ptr [ebp-C]
0064308F 64:890D 0000000>mov dword ptr fs:[0], ecx
00643096 5F pop edi