最近在学习脱壳于是找个加壳程序eXPressor 1.71玩玩！！！！
    先找来eXPressor.v1.4.5我想以前作者写的程序可能间单一点吧。
    很快来到oep看其特征应该是vc 6.0写的吧

0042C9FE    55              push ebp                                 ; kernel32.7C817077
0042C9FF    8BEC            mov ebp,esp
0042CA01    6A FF           push -0x1
0042CA03    68 68594500     push eXPresso.00455968
0042CA08    68 F0164300     push eXPresso.004316F0
0042CA0D    64:A1 00000000  mov eax,dword ptr fs:[0]
0042CA13    50              push eax
0042CA14    64:8925 0000000>mov dword ptr fs:[0],esp
0042CA1B    83EC 58         sub esp,0x58
0042CA1E    53              push ebx
0042CA1F    56              push esi
0042CA20    57              push edi
0042CA21    8965 E8         mov dword ptr ss:[ebp-0x18],esp
0042CA24    FF15 5C134500   call dword ptr ds:[0x45135C]             ; kernel32.GetVersion

0049CB37    FF15 18534C00   call dword ptr ds:[0x4C5318]             ; kernel32.GetStartupInfoA
0049CB3D    C745 FC FEFFFFF>mov dword ptr ss:[ebp-0x4],-0x2
0049CB44    BF 94000000     mov edi,0x94

0049CB23    6A 60           push 0x60
0049CB25    68 68264F00     push eXPresso.004F2668
0049CB2A    E8 95120000     call eXPresso.0049DDC4
0049CB2F    8365 FC 00      and dword ptr ss:[ebp-0x4],0x0
0049CB33    8D45 90         lea eax,dword ptr ss:[ebp-0x70]
0049CB36    50              push eax
0049CB37    FF15 18534C00   call dword ptr ds:[0x4C5318]             ; kernel32.GetStartupInfoA
0049CB3D    C745 FC FEFFFFF>mov dword ptr ss:[ebp-0x4],-0x2
0049CB44    BF 94000000     mov edi,0x94
0049CB49    57              push edi
0049CB4A    6A 00           push 0x0
0049CB4C    8B1D EC514C00   mov ebx,dword ptr ds:[0x4C51EC]
0049CB52    FFD3            call ebx
0049CB54    50              push eax
0049CB55    FF15 B0514C00   call dword ptr ds:[0x4C51B0]             ; ntdll.RtlAllocateHeap

0040116B    FF15 A8534C00   call dword ptr ds:[0x4C53A8]             ; kernel32.SetHandleCount
00401171    8BF0            mov esi,eax
00401173    85F6            test esi,esi
00401175    74 2D           je XeXPresso.004011A4
00401177    57              push edi
00401178    53              push ebx
00401179    E8 94EE7400     call 00B50012

00C117B2   /EB 01           jmp X00C117B5
00C117B4   |8841 42         mov byte ptr ds:[ecx+0x42],al
00C117B7    837D 10 00      cmp dword ptr ss:[ebp+0x10],0x0
00C117BB  ^ 75 EE           jnz X00C117AB
00C117BD    8BC6            mov eax,esi
00C117BF    5E              pop esi
00C117C0    5D              pop ebp
00C117C1    C3              retn

00C617B2   /EB 01           jmp X00C617B5
00C617B4   |8841 42         mov byte ptr ds:[ecx+0x42],al
00C617B7    837D 10 00      cmp dword ptr ss:[ebp+0x10],0x0
00C617BB  ^ 75 EE           jnz X00C617AB
00C617BD    8BC6            mov eax,esi
00C617BF    5E              pop esi
00C617C0    5D              pop ebp
00C617C1    C3              retn

00C652B0    59              pop ecx                                  ; ADVAPI32.RegDeleteValueA
00C652B1    59              pop ecx
00C652B2    85C0            test eax,eax
00C652B4    75 17           jnz X00C652CD
00C652B6    6A 04           push 0x4
00C652B8    8D85 4CFDFFFF   lea eax,dword ptr ss:[ebp-0x2B4]
00C652BE    50              push eax
00C652BF    FFB5 CCFDFFFF   push dword ptr ss:[ebp-0x234]
00C652C5    E8 CFC4FFFF     call 00C61799

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课