快速脱EXEStealth + ACProtect篇[原创]-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

快速脱EXEStealth + ACProtect篇[原创]

发表于: 2005-11-6 05:01 5741

快速脱EXEStealth + ACProtect篇[原创]

pendan2001 活跃值

2005-11-6 05:01

5741

软件名称：应急日语 1.0
软件语言：简体中文
界面预览：
软件类型：国产软件 / 外语学习
运行环境： Win9x/NT/2000/XP
授权方式：共享版
软件大小： 15.23 MB

http://www.pc286.com/SoftView/SoftView_15715.html

应急日语是一款集日语口语、日语背单词综合日语学习软件。精选了交际用语、日常用语、心情表达、
日语语法句式等四大类共900多句常用日语对话内容以及600多个常用单词的全部内容并以全部真人发音，
运用先进的语音朗读技术，富于娱乐性；使您在使用电脑进行工作、学习或娱乐的同时，就能不知不觉、
轻轻松松地掌握各类日常日语会话及常用日语单词。该方式既摆脱了枯燥的传统学习方法，又充分利用了
在电脑前的各种冗余和等待时间，有效地提高了学习效率，在不知不觉中轻轻松松、迅速提高日语的听力、
口语水平。

加壳方式：EXEStealth 2.72 - 2.73 + ACProtect

忽略所有异常，OD载入
00A29060 > /EB 00          jmp short CJapanes.00A29062//进入OD后停在这！
00A29062 \EB 2F          jmp short CJapanes.00A29093

bp Process32First

009A384C 52             push edx
009A384D 50             push eax
009A384E FF95 C3664000 call dword ptr ss:[ebp+4066C3>
009A3854 0BC0          or eax,eax
009A3856 /0F84 FE000000 je CJapanes.009A395A             //改为JMP 009A395A
009A385C |8DB5 23644000 lea esi,dword ptr ss:[ebp+406>
009A3862 |8BFE          mov edi,esi
009A3864 |8A07          mov al,byte ptr ds:[edi]
009A3866 |0AC0          or al,al
009A3868 |74 12          je short CJapanes.009A387C
009A386A |90             nop
009A386B |90             nop
009A386C |90             nop
009A386D |90             nop
009A386E |3C 5C          cmp al,5C
009A3870 |75 07          jnz short CJapanes.009A3879
009A3872 |90             nop
009A3873 |90             nop
009A3874 |90             nop
009A3875 |90             nop
009A3876 |8BF7          mov esi,edi
009A3878 |46             inc esi
009A3879 |47             inc edi
009A387A  ^|EB E8          jmp short CJapanes.009A3864
009A387C |8BC6          mov eax,esi
009A387E |BF 167A4000    mov edi,CJapanes.00407A16
009A3883 |03FD          add edi,ebp
009A3885 |8B17          mov edx,dword ptr ds:[edi]
009A3887 |66:0BD2       or dx,dx
009A388A |74 22          je short CJapanes.009A38AE
009A388C |90             nop
009A388D |90             nop
009A388E |90             nop
009A388F |90             nop
009A3890 |0AD2          or dl,dl
009A3892 |74 07          je short CJapanes.009A389B
009A3894 |90             nop
009A3895 |90             nop
009A3896 |90             nop
009A3897 |90             nop
009A3898 |47             inc edi
009A3899  ^|EB EA          jmp short CJapanes.009A3885
009A389B |47             inc edi
009A389C |8BF0          mov esi,eax
009A389E |E8 29F1FFFF    call CJapanes.009A29CC
009A38A3 |80FE 01       cmp dh,1
009A38A6 |74 1C          je short CJapanes.009A38C4
009A38A8 |90             nop
009A38A9 |90             nop
009A38AA |90             nop
009A38AB |90             nop
009A38AC  ^|EB D7          jmp short CJapanes.009A3885
009A38AE |B8 FF634000    mov eax,CJapanes.004063FF
009A38B3 |03C5          add eax,ebp
009A38B5 |50             push eax
009A38B6 |FFB5 FB634000 push dword ptr ss:[ebp+4063FB>
009A38BC |FF95 C7664000 call dword ptr ss:[ebp+4066C7>
009A38C2  ^|EB 90          jmp short CJapanes.009A3854
009A38C4 |60             pushad
009A38C5 |E8 D6EAFFFF    call CJapanes.009A23A0
009A38CA |8DBD 58CD4000 lea edi,dword ptr ss:[ebp+40C>
009A38D0 |B8 05000000    mov eax,5
009A38D5 |E8 50E8FFFF    call CJapanes.009A212A
009A38DA |0BC0          or eax,eax
009A38DC |74 28          je short CJapanes.009A3906
009A38DE |90             nop
009A38DF |90             nop
009A38E0 |90             nop
009A38E1 |90             nop
009A38E2 |48             dec eax
009A38E3 |0BC0          or eax,eax
009A38E5 |74 2A          je short CJapanes.009A3911
009A38E7 |90             nop
009A38E8 |90             nop
009A38E9 |90             nop
009A38EA |90             nop
009A38EB |48             dec eax
009A38EC |0BC0          or eax,eax
009A38EE |74 2C          je short CJapanes.009A391C
009A38F0 |90             nop
009A38F1 |90             nop
009A38F2 |90             nop
009A38F3 |90             nop
009A38F4 |48             dec eax
009A38F5 |0BC0          or eax,eax
009A38F7 |74 2E          je short CJapanes.009A3927
009A38F9 |90             nop
009A38FA |90             nop
009A38FB |90             nop
009A38FC |90             nop
009A38FD |48             dec eax
009A38FE |0BC0          or eax,eax
009A3900 |74 30          je short CJapanes.009A3932
009A3902 |90             nop
009A3903 |90             nop
009A3904 |90             nop
009A3905 |90             nop
009A3906 |8DBD 0C914100 lea edi,dword ptr ss:[ebp+419>
009A390C |EB 2A          jmp short CJapanes.009A3938
009A390E |90             nop
009A390F |90             nop
009A3910 |90             nop
009A3911 |8DBD A2A94000 lea edi,dword ptr ss:[ebp+40A>
009A3917 |EB 1F          jmp short CJapanes.009A3938
009A3919 |90             nop
009A391A |90             nop
009A391B |90             nop
009A391C |8DBD 8D674000 lea edi,dword ptr ss:[ebp+406>
009A3922 |EB 14          jmp short CJapanes.009A3938
009A3924 |90             nop
009A3925 |90             nop
009A3926 |90             nop
009A3927 |8DBD 63A24000 lea edi,dword ptr ss:[ebp+40A>
009A392D |EB 09          jmp short CJapanes.009A3938
009A392F |90             nop
009A3930 |90             nop
009A3931 |90             nop
009A3932 |8DBD 3AC84000 lea edi,dword ptr ss:[ebp+40C>
009A3938 |B8 00010000    mov eax,100
009A393D |E8 E8E7FFFF    call CJapanes.009A212A
009A3942 |8BC8          mov ecx,eax
009A3944 |41             inc ecx
009A3945 |B8 00010000    mov eax,100
009A394A |E8 DBE7FFFF    call CJapanes.009A212A
009A394F |03F8          add edi,eax
009A3951 |E8 E8E7FFFF    call CJapanes.009A213E
009A3956 |AB             stos dword ptr es:[edi]  //这里让你死翘翘！
009A3957  ^|E2 F8          loopd short CJapanes.009A3951
009A3959 |61             popad
009A395A \FFB5 FB634000 push dword ptr ss:[ebp+4063FB>
009A3960 FF95 CB664000 call dword ptr ss:[ebp+4066CB>
009A3966 60             pushad
009A3967 E8 00000000    call CJapanes.009A396C
009A396C 5E             pop esi
009A396D 83EE 06       sub esi,6
009A3970 B9 40010000    mov ecx,140
009A3975 29CE          sub esi,ecx
009A3977 BA 45C57664    mov edx,6476C545
009A397C C1E9 02       shr ecx,2
009A397F 83E9 02       sub ecx,2
009A3982 83F9 00       cmp ecx,0
009A3985 7C 1A          jl short CJapanes.009A39A1

bp GetProcAddress

0083F055 8985 4D050000 mov dword ptr ss:[ebp+54D],ea>; kernel32.VirtualAlloc
0083F05B 8D5D 6B       lea ebx,dword ptr ss:[ebp+6B]
0083F05E 53             push ebx
0083F05F 57             push edi
0083F060 FF95 490F0000 call dword ptr ss:[ebp+F49]
0083F066 8985 51050000 mov dword ptr ss:[ebp+551],ea>
0083F06C 8D45 77       lea eax,dword ptr ss:[ebp+77]
0083F06F /FFE0          jmp eax                      ; CJapanes.0083F08A

0083F08A 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531>
0083F090 0BDB          or ebx,ebx
0083F092 74 0A          je short CJapanes.0083F09E
0083F09E 8DB5 69050000 lea esi,dword ptr ss:[ebp+569>
0083F0A4 833E 00       cmp dword ptr ds:[esi],0
0083F0A7 0F84 21010000 je CJapanes.0083F1CE
0083F0AD 6A 04          push 4
0083F0AF 68 00100000    push 1000
0083F0B4 68 00180000    push 1800
0083F0B9 6A 00          push 0
0083F0BB FF95 4D050000 call dword ptr ss:[ebp+54D]
0083F0C1 8985 56010000 mov dword ptr ss:[ebp+156],ea>
0083F0C7 8B46 04       mov eax,dword ptr ds:[esi+4]
0083F0CA 05 0E010000    add eax,10E
0083F0CF 6A 04          push 4
0083F0D1 68 00100000    push 1000
0083F0D6 50             push eax
0083F0D7 6A 00          push 0
0083F0D9 FF95 4D050000 call dword ptr ss:[ebp+54D]
0083F0DF 8985 52010000 mov dword ptr ss:[ebp+152],ea>
0083F0E5 56             push esi
0083F0E6 8B1E          mov ebx,dword ptr ds:[esi]
0083F0E8 039D 22040000 add ebx,dword ptr ss:[ebp+422>
0083F0EE FFB5 56010000 push dword ptr ss:[ebp+156]
0083F0F4 FF76 04       push dword ptr ds:[esi+4]
0083F0F7 50             push eax
0083F0F8 53             push ebx
0083F0F9 E8 6E050000    call CJapanes.0083F66C
0083F0FE B3 01          mov bl,1
0083F100 80FB 00       cmp bl,0
0083F103 75 5E          jnz short CJapanes.0083F163
0083F105 FE85 EC000000 inc byte ptr ss:[ebp+EC]
0083F10B 8B3E          mov edi,dword ptr ds:[esi]
0083F10D 03BD 22040000 add edi,dword ptr ss:[ebp+422>
0083F113 FF37          push dword ptr ds:[edi]
0083F115 C607 C3       mov byte ptr ds:[edi],0C3
0083F118 FFD7          call edi
0083F11A 8F07          pop dword ptr ds:[edi]
0083F11C 50             push eax
0083F11D 51             push ecx
0083F11E 56             push esi
0083F11F 53             push ebx
0083F120 8BC8          mov ecx,eax
0083F122 83E9 06       sub ecx,6
0083F125 8BB5 52010000 mov esi,dword ptr ss:[ebp+152>
0083F12B 33DB          xor ebx,ebx
0083F12D 0BC9          or ecx,ecx
0083F12F 74 2E          je short CJapanes.0083F15F
0083F131 78 2C          js short CJapanes.0083F15F
0083F133 AC             lods byte ptr ds:[esi]
0083F134 3C E8          cmp al,0E8
0083F136 74 0A          je short CJapanes.0083F142
0083F138 EB 00          jmp short CJapanes.0083F13A
0083F13A 3C E9          cmp al,0E9
0083F13C 74 04          je short CJapanes.0083F142
0083F13E 43             inc ebx
0083F13F 49             dec ecx
0083F140  ^ EB EB          jmp short CJapanes.0083F12D
0083F142 8B06          mov eax,dword ptr ds:[esi]
0083F144 EB 0A          jmp short CJapanes.0083F150
0083F146 803E 00       cmp byte ptr ds:[esi],0
0083F149  ^ 75 F3          jnz short CJapanes.0083F13E
0083F14B 24 00          and al,0
0083F14D C1C0 18       rol eax,18
0083F150 2BC3          sub eax,ebx
0083F152 8906          mov dword ptr ds:[esi],eax
0083F154 83C3 05       add ebx,5
0083F157 83C6 04       add esi,4
0083F15A 83E9 05       sub ecx,5
0083F15D  ^ EB CE          jmp short CJapanes.0083F12D
0083F15F 5B             pop ebx
0083F160 5E             pop esi
0083F161 59             pop ecx
0083F162 58             pop eax
0083F163 EB 08          jmp short CJapanes.0083F16D
0083F165 0000          add byte ptr ds:[eax],al
0083F167 8201 00       add byte ptr ds:[ecx],0
0083F16A 0081 018BC88B add byte ptr ds:[ecx+8BC88B01>
0083F170 3E:03BD 2204000>add edi,dword ptr ds:[ebp+422>
0083F177 8BB5 52010000 mov esi,dword ptr ss:[ebp+152>
0083F17D C1F9 02       sar ecx,2
0083F180 F3:A5          rep movs dword ptr es:[edi],d>
0083F182 8BC8          mov ecx,eax
0083F184 83E1 03       and ecx,3
0083F187 F3:A4          rep movs byte ptr es:[edi],by>
0083F189 5E             pop esi
0083F18A 68 00800000    push 8000
0083F18F 6A 00          push 0
0083F191 FFB5 52010000 push dword ptr ss:[ebp+152]
0083F197 FF95 51050000 call dword ptr ss:[ebp+551]
0083F19D 83C6 08       add esi,8
0083F1A0 833E 00       cmp dword ptr ds:[esi],0
0083F1A3  ^ 0F85 1EFFFFFF jnz CJapanes.0083F0C7
0083F1A9 68 00800000    push 8000
0083F1AE 6A 00          push 0
0083F1B0 FFB5 56010000 push dword ptr ss:[ebp+156]
0083F1B6 FF95 51050000 call dword ptr ss:[ebp+551]
0083F1BC 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531>
0083F1C2 0BDB          or ebx,ebx
0083F1C4 74 08          je short CJapanes.0083F1CE
0083F1C6 8B03          mov eax,dword ptr ds:[ebx]
0083F1C8 8785 35050000 xchg dword ptr ss:[ebp+535],e>
0083F1CE 8B95 22040000 mov edx,dword ptr ss:[ebp+422>
0083F1D4 8B85 2D050000 mov eax,dword ptr ss:[ebp+52D>
0083F1DA 2BD0          sub edx,eax
0083F1DC 74 79          je short CJapanes.0083F257
0083F1DE 8BC2          mov eax,edx
0083F1E0 C1E8 10       shr eax,10
0083F1E3 33DB          xor ebx,ebx
0083F1E5 8BB5 39050000 mov esi,dword ptr ss:[ebp+539>
0083F1EB 03B5 22040000 add esi,dword ptr ss:[ebp+422>
0083F1F1 833E 00       cmp dword ptr ds:[esi],0
0083F1F4 74 61          je short CJapanes.0083F257
0083F1F6 8B4E 04       mov ecx,dword ptr ds:[esi+4]
0083F1F9 83E9 08       sub ecx,8
0083F1FC D1E9          shr ecx,1
0083F1FE 8B3E          mov edi,dword ptr ds:[esi]
0083F200 03BD 22040000 add edi,dword ptr ss:[ebp+422>
0083F206 83C6 08       add esi,8
0083F209 66:8B1E       mov bx,word ptr ds:[esi]
0083F20C C1EB 0C       shr ebx,0C
0083F20F 83FB 01       cmp ebx,1
0083F212 74 0C          je short CJapanes.0083F220
0083F214 83FB 02       cmp ebx,2
0083F217 74 16          je short CJapanes.0083F22F
0083F219 83FB 03       cmp ebx,3
0083F21C 74 20          je short CJapanes.0083F23E
0083F21E EB 2C          jmp short CJapanes.0083F24C
0083F220 66:8B1E       mov bx,word ptr ds:[esi]
0083F223 81E3 FF0F0000 and ebx,0FFF
0083F229 66:01041F    add word ptr ds:[edi+ebx],ax
0083F22D EB 1D          jmp short CJapanes.0083F24C
0083F22F 66:8B1E       mov bx,word ptr ds:[esi]
0083F232 81E3 FF0F0000 and ebx,0FFF
0083F238 66:01141F    add word ptr ds:[edi+ebx],dx
0083F23C EB 0E          jmp short CJapanes.0083F24C
0083F23E 66:8B1E       mov bx,word ptr ds:[esi]
0083F241 81E3 FF0F0000 and ebx,0FFF
0083F247 01141F       add dword ptr ds:[edi+ebx],ed>
0083F24A EB 00          jmp short CJapanes.0083F24C
0083F24C 66:830E FF    or word ptr ds:[esi],0FFFF
0083F250 83C6 02       add esi,2
0083F253  ^ E2 B4          loopd short CJapanes.0083F209
0083F255  ^ EB 9A          jmp short CJapanes.0083F1F1
0083F257 8B95 22040000 mov edx,dword ptr ss:[ebp+422>
0083F25D 8BB5 41050000 mov esi,dword ptr ss:[ebp+541>
0083F263 0BF6          or esi,esi
0083F265 74 11          je short CJapanes.0083F278
0083F267 03F2          add esi,edx
0083F269 AD             lods dword ptr ds:[esi]
0083F26A 0BC0          or eax,eax
0083F26C 74 0A          je short CJapanes.0083F278
0083F26E 03C2          add eax,edx
0083F270 8BF8          mov edi,eax
0083F272 66:AD          lods word ptr ds:[esi]
0083F274 66:AB          stos word ptr es:[edi]
0083F276  ^ EB F1          jmp short CJapanes.0083F269
0083F278 BE 60AD3C00    mov esi,3CAD60
0083F27D 8B95 22040000 mov edx,dword ptr ss:[ebp+422>
0083F283 03F2          add esi,edx
0083F285 8B46 0C       mov eax,dword ptr ds:[esi+C]
0083F288 85C0          test eax,eax
0083F28A 0F84 0A010000 je CJapanes.0083F39A
0083F290 03C2          add eax,edx
0083F292 8BD8          mov ebx,eax
0083F294 50             push eax
0083F295 FF95 4D0F0000 call dword ptr ss:[ebp+F4D]
0083F29B 85C0          test eax,eax
0083F29D 75 07          jnz short CJapanes.0083F2A6
0083F29F 53             push ebx
0083F2A0 FF95 510F0000 call dword ptr ss:[ebp+F51]
0083F2A6 8985 45050000 mov dword ptr ss:[ebp+545],ea>
0083F2AC C785 49050000 0>mov dword ptr ss:[ebp+549],0
0083F2B6 8B95 22040000 mov edx,dword ptr ss:[ebp+422>
0083F2BC 8B06          mov eax,dword ptr ds:[esi]
0083F2BE 85C0          test eax,eax
0083F2C0 75 03          jnz short CJapanes.0083F2C5
0083F2C2 8B46 10       mov eax,dword ptr ds:[esi+10]
0083F2C5 03C2          add eax,edx
0083F2C7 0385 49050000 add eax,dword ptr ss:[ebp+549>
0083F2CD 8B18          mov ebx,dword ptr ds:[eax]
0083F2CF 8B7E 10       mov edi,dword ptr ds:[esi+10]
0083F2D2 03FA          add edi,edx
0083F2D4 03BD 49050000 add edi,dword ptr ss:[ebp+549>
0083F2DA 85DB          test ebx,ebx
0083F2DC 0F84 A2000000 je CJapanes.0083F384
0083F2E2 F7C3 00000080 test ebx,80000000
0083F2E8 75 04          jnz short CJapanes.0083F2EE
0083F2EA 03DA          add ebx,edx
0083F2EC 43             inc ebx
0083F2ED 43             inc ebx
0083F2EE 53             push ebx
0083F2EF 81E3 FFFFFF7F and ebx,7FFFFFFF
0083F2F5 53             push ebx
0083F2F6 FFB5 45050000 push dword ptr ss:[ebp+545]
0083F2FC FF95 490F0000 call dword ptr ss:[ebp+F49]
0083F302 85C0          test eax,eax
0083F304 5B             pop ebx
0083F305 75 6F          jnz short CJapanes.0083F376
0083F307 F7C3 00000080 test ebx,80000000
0083F30D 75 19          jnz short CJapanes.0083F328
0083F30F 57             push edi
0083F310 8B46 0C       mov eax,dword ptr ds:[esi+C]
0083F313 0385 22040000 add eax,dword ptr ss:[ebp+422>
0083F319 50             push eax
0083F31A 53             push ebx
0083F31B 8D85 75040000 lea eax,dword ptr ss:[ebp+475>
0083F321 50             push eax
0083F322 57             push edi
0083F323 E9 98000000    jmp CJapanes.0083F3C0
0083F328 81E3 FFFFFF7F and ebx,7FFFFFFF
0083F32E 8B85 26040000 mov eax,dword ptr ss:[ebp+426>
0083F334 3985 45050000 cmp dword ptr ss:[ebp+545],ea>
0083F33A 75 24          jnz short CJapanes.0083F360
0083F33C 57             push edi
0083F33D 8BD3          mov edx,ebx
0083F33F 4A             dec edx
0083F340 C1E2 02       shl edx,2
0083F343 8B9D 45050000 mov ebx,dword ptr ss:[ebp+545>
0083F349 8B7B 3C       mov edi,dword ptr ds:[ebx+3C]
0083F34C 8B7C3B 78    mov edi,dword ptr ds:[ebx+edi>
0083F350 035C3B 1C    add ebx,dword ptr ds:[ebx+edi>
0083F354 8B0413       mov eax,dword ptr ds:[ebx+edx>
0083F357 0385 45050000 add eax,dword ptr ss:[ebp+545>
0083F35D 5F             pop edi
0083F35E EB 16          jmp short CJapanes.0083F376
0083F360 57             push edi
0083F361 8B46 0C       mov eax,dword ptr ds:[esi+C]
0083F364 0385 22040000 add eax,dword ptr ss:[ebp+422>
0083F36A 50             push eax
0083F36B 53             push ebx
0083F36C 8D85 C6040000 lea eax,dword ptr ss:[ebp+4C6>
0083F372 50             push eax
0083F373 57             push edi
0083F374 EB 4A          jmp short CJapanes.0083F3C0
0083F376 8907          mov dword ptr ds:[edi],eax
0083F378 8385 49050000 0>add dword ptr ss:[ebp+549],4
0083F37F  ^ E9 32FFFFFF    jmp CJapanes.0083F2B6
0083F384 8906          mov dword ptr ds:[esi],eax
0083F386 8946 0C       mov dword ptr ds:[esi+C],eax
0083F389 8946 10       mov dword ptr ds:[esi+10],eax
0083F38C 83C6 14       add esi,14
0083F38F 8B95 22040000 mov edx,dword ptr ss:[ebp+422>
0083F395  ^ E9 EBFEFFFF    jmp CJapanes.0083F285
0083F39A B8 F07D3C00    mov eax,3C7DF0
0083F39F 50             push eax
0083F3A0 0385 22040000 add eax,dword ptr ss:[ebp+422>
0083F3A6 59             pop ecx
0083F3A7 0BC9          or ecx,ecx
0083F3A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],ea>
0083F3AF 61             popad
0083F3B0 75 08          jnz short CJapanes.0083F3BA
0083F3B2 B8 01000000    mov eax,1
0083F3B7 C2 0C00       retn 0C
0083F3BA 68 F07D7C00    push CJapanes.007C7DF0  //F4直接来这里
0083F3BF C3             retn
返回到 007C7DF0 (CJapanes.007C7DF0)

进入第2层壳 UPX

007C7DF0 60             pushad
007C7DF1 BE 00206000    mov esi,CJapanes.00602000
007C7DF6 8DBE 00F0DFFF lea edi,dword ptr ds:[esi+FFD>
007C7DFC 57             push edi
007C7DFD 83CD FF       or ebp,FFFFFFFF
007C7E00 EB 10          jmp short CJapanes.007C7E12
007C7E02 90             nop
007C7E03 90             nop
007C7E04 90             nop
007C7E05 90             nop
007C7E06 90             nop
007C7E07 90             nop
007C7E08 8A06          mov al,byte ptr ds:[esi]
007C7E0A 46             inc esi
007C7E0B 8807          mov byte ptr ds:[edi],al
007C7E0D 47             inc edi
007C7E0E 01DB          add ebx,ebx
007C7E10 75 07          jnz short CJapanes.007C7E19
007C7E12 8B1E          mov ebx,dword ptr ds:[esi]
007C7E14 83EE FC       sub esi,-4
007C7E17 11DB          adc ebx,ebx
007C7E19  ^ 72 ED          jb short CJapanes.007C7E08
007C7E1B B8 01000000    mov eax,1
007C7E20 01DB          add ebx,ebx
007C7E22 75 07          jnz short CJapanes.007C7E2B
007C7E24 8B1E          mov ebx,dword ptr ds:[esi]
007C7E26 83EE FC       sub esi,-4
007C7E29 11DB          adc ebx,ebx
007C7E2B 11C0          adc eax,eax
007C7E2D 01DB          add ebx,ebx
007C7E2F 73 0B          jnb short CJapanes.007C7E3C
007C7E31 75 19          jnz short CJapanes.007C7E4C
007C7E33 8B1E          mov ebx,dword ptr ds:[esi]
007C7E35 83EE FC       sub esi,-4
007C7E38 11DB          adc ebx,ebx
007C7E3A 72 10          jb short CJapanes.007C7E4C
007C7E3C 48             dec eax
007C7E3D 01DB          add ebx,ebx
007C7E3F 75 07          jnz short CJapanes.007C7E48
007C7E41 8B1E          mov ebx,dword ptr ds:[esi]
007C7E43 83EE FC       sub esi,-4
007C7E46 11DB          adc ebx,ebx
007C7E48 11C0          adc eax,eax
007C7E4A  ^ EB D4          jmp short CJapanes.007C7E20
007C7E4C 31C9          xor ecx,ecx
007C7E4E 83E8 03       sub eax,3
007C7E51 72 11          jb short CJapanes.007C7E64
007C7E53 C1E0 08       shl eax,8
007C7E56 8A06          mov al,byte ptr ds:[esi]
007C7E58 46             inc esi
007C7E59 83F0 FF       xor eax,FFFFFFFF
007C7E5C 74 78          je short CJapanes.007C7ED6
007C7E5E D1F8          sar eax,1
007C7E60 89C5          mov ebp,eax
007C7E62 EB 0B          jmp short CJapanes.007C7E6F
007C7E64 01DB          add ebx,ebx
007C7E66 75 07          jnz short CJapanes.007C7E6F
007C7E68 8B1E          mov ebx,dword ptr ds:[esi]
007C7E6A 83EE FC       sub esi,-4
007C7E6D 11DB          adc ebx,ebx
007C7E6F 11C9          adc ecx,ecx
007C7E71 01DB          add ebx,ebx
007C7E73 75 07          jnz short CJapanes.007C7E7C
007C7E75 8B1E          mov ebx,dword ptr ds:[esi]
007C7E77 83EE FC       sub esi,-4
007C7E7A 11DB          adc ebx,ebx
007C7E7C 11C9          adc ecx,ecx
007C7E7E 75 20          jnz short CJapanes.007C7EA0
007C7E80 41             inc ecx
007C7E81 01DB          add ebx,ebx
007C7E83 75 07          jnz short CJapanes.007C7E8C
007C7E85 8B1E          mov ebx,dword ptr ds:[esi]
007C7E87 83EE FC       sub esi,-4
007C7E8A 11DB          adc ebx,ebx
007C7E8C 11C9          adc ecx,ecx
007C7E8E 01DB          add ebx,ebx
007C7E90  ^ 73 EF          jnb short CJapanes.007C7E81
007C7E92 75 09          jnz short CJapanes.007C7E9D
007C7E94 8B1E          mov ebx,dword ptr ds:[esi]
007C7E96 83EE FC       sub esi,-4
007C7E99 11DB          adc ebx,ebx
007C7E9B  ^ 73 E4          jnb short CJapanes.007C7E81
007C7E9D 83C1 02       add ecx,2
007C7EA0 81FD 00FBFFFF cmp ebp,-500
007C7EA6 83D1 01       adc ecx,1
007C7EA9 8D142F       lea edx,dword ptr ds:[edi+ebp>
007C7EAC 83FD FC       cmp ebp,-4
007C7EAF 76 0F          jbe short CJapanes.007C7EC0
007C7EB1 8A02          mov al,byte ptr ds:[edx]
007C7EB3 42             inc edx
007C7EB4 8807          mov byte ptr ds:[edi],al
007C7EB6 47             inc edi
007C7EB7 49             dec ecx
007C7EB8  ^ 75 F7          jnz short CJapanes.007C7EB1
007C7EBA  ^ E9 4FFFFFFF    jmp CJapanes.007C7E0E
007C7EBF 90             nop
007C7EC0 8B02          mov eax,dword ptr ds:[edx]
007C7EC2 83C2 04       add edx,4
007C7EC5 8907          mov dword ptr ds:[edi],eax
007C7EC7 83C7 04       add edi,4
007C7ECA 83E9 04       sub ecx,4
007C7ECD  ^ 77 F1          ja short CJapanes.007C7EC0
007C7ECF 01CF          add edi,ecx
007C7ED1  ^ E9 38FFFFFF    jmp CJapanes.007C7E0E
007C7ED6 5E             pop esi
007C7ED7 8DBE 00503C00 lea edi,dword ptr ds:[esi+3C5>
007C7EDD 8B07          mov eax,dword ptr ds:[edi]
007C7EDF 09C0          or eax,eax
007C7EE1 74 3C          je short CJapanes.007C7F1F
007C7EE3 8B5F 04       mov ebx,dword ptr ds:[edi+4]
007C7EE6 8D8430 609D3C00 lea eax,dword ptr ds:[eax+esi>
007C7EED 01F3          add ebx,esi
007C7EEF 50             push eax
007C7EF0 83C7 08       add edi,8
007C7EF3 FF96 649E3C00 call dword ptr ds:[esi+3C9E64>
007C7EF9 95             xchg eax,ebp
007C7EFA 8A07          mov al,byte ptr ds:[edi]
007C7EFC 47             inc edi
007C7EFD 08C0          or al,al
007C7EFF  ^ 74 DC          je short CJapanes.007C7EDD
007C7F01 89F9          mov ecx,edi
007C7F03 57             push edi
007C7F04 48             dec eax
007C7F05 F2:AE          repne scas byte ptr es:[edi]
007C7F07 55             push ebp
007C7F08 FF96 689E3C00 call dword ptr ds:[esi+3C9E68>
007C7F0E 09C0          or eax,eax
007C7F10 74 07          je short CJapanes.007C7F19
007C7F12 8903          mov dword ptr ds:[ebx],eax
007C7F14 83C3 04       add ebx,4
007C7F17  ^ EB E1          jmp short CJapanes.007C7EFA
007C7F19 FF96 6C9E3C00 call dword ptr ds:[esi+3C9E6C>
007C7F1F 61             popad
007C7F20  ^ E9 DC40F1FF    jmp CJapanes.006DC001          // //F4直接来这里

006DC001 60             pushad
006DC002 E8 03000000    call CJapanes.006DC00A
006DC007  - E9 EB045D45    jmp 45CAC4F7
006DC00C 55             push ebp
006DC00D C3             retn

006DC00A 5D             pop ebp                      ; CJapanes.006DC007
006DC00B 45             inc ebp
006DC00C 55             push ebp
006DC00D C3             retn
006DC008 /EB 04          jmp short CJapanes.006DC00E
006DC00E E8 01000000    call CJapanes.006DC014

进入第3层壳
006DC014 5D             pop ebp                      ; CJapanes.006DC013
006DC015 BB EDFFFFFF    mov ebx,-13
006DC01A 03DD          add ebx,ebp
006DC01C 81EB 00C02D00 sub ebx,2DC000
006DC022 83BD 22040000 0>cmp dword ptr ss:[ebp+422],0
006DC029 899D 22040000 mov dword ptr ss:[ebp+422],eb>
006DC02F 0F85 65030000 jnz CJapanes.006DC39A
006DC035 8D85 2E040000 lea eax,dword ptr ss:[ebp+42E>
006DC03B 50             push eax
006DC03C FF95 4D0F0000 call dword ptr ss:[ebp+F4D]
006DC042 8985 26040000 mov dword ptr ss:[ebp+426],ea>
006DC048 8BF8          mov edi,eax
006DC04A 8D5D 5E       lea ebx,dword ptr ss:[ebp+5E]
006DC04D 53             push ebx
006DC04E 50             push eax
006DC04F FF95 490F0000 call dword ptr ss:[ebp+F49]
006DC055 8985 4D050000 mov dword ptr ss:[ebp+54D],ea>
006DC05B 8D5D 6B       lea ebx,dword ptr ss:[ebp+6B]
006DC05E 53             push ebx
006DC05F 57             push edi
006DC060 FF95 490F0000 call dword ptr ss:[ebp+F49]
006DC066 8985 51050000 mov dword ptr ss:[ebp+551],ea>
006DC06C 8D45 77       lea eax,dword ptr ss:[ebp+77]
006DC06F FFE0          jmp eax
006DC071 56             push esi
006DC072 6972 74 75616C4>imul esi,dword ptr ds:[edx+74>
006DC079 6C             ins byte ptr es:[edi],dx
006DC07A 6C             ins byte ptr es:[edi],dx
006DC07B 6F             outs dx,dword ptr es:[edi]
006DC07C 6300          arpl word ptr ds:[eax],ax
006DC07E 56             push esi
006DC07F 6972 74 75616C4>imul esi,dword ptr ds:[edx+74>
006DC086 72 65          jb short CJapanes.006DC0ED
006DC088 65:008B 9D31050>add byte ptr gs:[ebx+5319D],c>
006DC08F 000B          add byte ptr ds:[ebx],cl
006DC091 DB             ???                         ; 未知命令
006DC092 74 0A          je short CJapanes.006DC09E
006DC094 8B03          mov eax,dword ptr ds:[ebx]
006DC096 8785 35050000 xchg dword ptr ss:[ebp+535],e>
006DC09C 8903          mov dword ptr ds:[ebx],eax
006DC09E 8DB5 69050000 lea esi,dword ptr ss:[ebp+569>
006DC0A4 833E 00       cmp dword ptr ds:[esi],0
006DC0A7 0F84 21010000 je CJapanes.006DC1CE
006DC0AD 6A 04          push 4
006DC0AF 68 00100000    push 1000
006DC0B4 68 00180000    push 1800
006DC0B9 6A 00          push 0
006DC0BB FF95 4D050000 call dword ptr ss:[ebp+54D]
006DC0C1 8985 56010000 mov dword ptr ss:[ebp+156],ea>
006DC0C7 8B46 04       mov eax,dword ptr ds:[esi+4]
006DC0CA 05 0E010000    add eax,10E
006DC0CF 6A 04          push 4
006DC0D1 68 00100000    push 1000
006DC0D6 50             push eax
006DC0D7 6A 00          push 0
006DC0D9 FF95 4D050000 call dword ptr ss:[ebp+54D]
006DC0DF 8985 52010000 mov dword ptr ss:[ebp+152],ea>
006DC0E5 56             push esi
006DC0E6 8B1E          mov ebx,dword ptr ds:[esi]
006DC0E8 039D 22040000 add ebx,dword ptr ss:[ebp+422>
006DC0EE FFB5 56010000 push dword ptr ss:[ebp+156]
006DC0F4 FF76 04       push dword ptr ds:[esi+4]
006DC0F7 50             push eax
006DC0F8 53             push ebx
006DC0F9 E8 6E050000    call CJapanes.006DC66C
006DC0FE B3 00          mov bl,0
006DC100 80FB 00       cmp bl,0
006DC103 75 5E          jnz short CJapanes.006DC163
006DC105 FE85 EC000000 inc byte ptr ss:[ebp+EC]
006DC10B 8B3E          mov edi,dword ptr ds:[esi]
006DC10D 03BD 22040000 add edi,dword ptr ss:[ebp+422>
006DC113 FF37          push dword ptr ds:[edi]
006DC115 C607 C3       mov byte ptr ds:[edi],0C3
006DC118 FFD7          call edi
006DC11A 8F07          pop dword ptr ds:[edi]
006DC11C 50             push eax
006DC11D 51             push ecx
006DC11E 56             push esi
006DC11F 53             push ebx
006DC120 8BC8          mov ecx,eax
006DC122 83E9 06       sub ecx,6
006DC125 8BB5 52010000 mov esi,dword ptr ss:[ebp+152>
006DC12B 33DB          xor ebx,ebx
006DC12D 0BC9          or ecx,ecx
006DC12F 74 2E          je short CJapanes.006DC15F
006DC131 78 2C          js short CJapanes.006DC15F
006DC133 AC             lods byte ptr ds:[esi]
006DC134 3C E8          cmp al,0E8
006DC136 74 0A          je short CJapanes.006DC142
006DC138 EB 00          jmp short CJapanes.006DC13A
006DC13A 3C E9          cmp al,0E9
006DC13C 74 04          je short CJapanes.006DC142
006DC13E 43             inc ebx
006DC13F 49             dec ecx
006DC140  ^ EB EB          jmp short CJapanes.006DC12D
006DC142 8B06          mov eax,dword ptr ds:[esi]
006DC144 EB 0A          jmp short CJapanes.006DC150
006DC146 803E 00       cmp byte ptr ds:[esi],0
006DC149  ^ 75 F3          jnz short CJapanes.006DC13E
006DC14B 24 00          and al,0
006DC14D C1C0 18       rol eax,18
006DC150 2BC3          sub eax,ebx
006DC152 8906          mov dword ptr ds:[esi],eax
006DC154 83C3 05       add ebx,5
006DC157 83C6 04       add esi,4
006DC15A 83E9 05       sub ecx,5
006DC15D  ^ EB CE          jmp short CJapanes.006DC12D
006DC15F 5B             pop ebx
006DC160 5E             pop esi
006DC161 59             pop ecx
006DC162 58             pop eax
006DC163 EB 08          jmp short CJapanes.006DC16D
006DC165 0000          add byte ptr ds:[eax],al
006DC167 0000          add byte ptr ds:[eax],al
006DC169 0000          add byte ptr ds:[eax],al
006DC16B 0000          add byte ptr ds:[eax],al
006DC16D 8BC8          mov ecx,eax
006DC16F 8B3E          mov edi,dword ptr ds:[esi]
006DC171 03BD 22040000 add edi,dword ptr ss:[ebp+422>
006DC177 8BB5 52010000 mov esi,dword ptr ss:[ebp+152>
006DC17D C1F9 02       sar ecx,2
006DC180 F3:A5          rep movs dword ptr es:[edi],d>
006DC182 8BC8          mov ecx,eax
006DC184 83E1 03       and ecx,3
006DC187 F3:A4          rep movs byte ptr es:[edi],by>
006DC189 5E             pop esi
006DC18A 68 00800000    push 8000
006DC18F 6A 00          push 0
006DC191 FFB5 52010000 push dword ptr ss:[ebp+152]
006DC197 FF95 51050000 call dword ptr ss:[ebp+551]
006DC19D 83C6 08       add esi,8
006DC1A0 833E 00       cmp dword ptr ds:[esi],0
006DC1A3  ^ 0F85 1EFFFFFF jnz CJapanes.006DC0C7
006DC1A9 68 00800000    push 8000
006DC1AE 6A 00          push 0
006DC1B0 FFB5 56010000 push dword ptr ss:[ebp+156]
006DC1B6 FF95 51050000 call dword ptr ss:[ebp+551]
006DC1BC 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531>
006DC1C2 0BDB          or ebx,ebx
006DC1C4 74 08          je short CJapanes.006DC1CE
006DC1C6 8B03          mov eax,dword ptr ds:[ebx]
006DC1C8 8785 35050000 xchg dword ptr ss:[ebp+535],e>
006DC1CE 8B95 22040000 mov edx,dword ptr ss:[ebp+422>
006DC1D4 8B85 2D050000 mov eax,dword ptr ss:[ebp+52D>
006DC1DA 2BD0          sub edx,eax
006DC1DC 74 79          je short CJapanes.006DC257
006DC1DE 8BC2          mov eax,edx
006DC1E0 C1E8 10       shr eax,10
006DC1E3 33DB          xor ebx,ebx
006DC1E5 8BB5 39050000 mov esi,dword ptr ss:[ebp+539>
006DC1EB 03B5 22040000 add esi,dword ptr ss:[ebp+422>
006DC1F1 833E 00       cmp dword ptr ds:[esi],0
006DC1F4 74 61          je short CJapanes.006DC257
006DC1F6 8B4E 04       mov ecx,dword ptr ds:[esi+4]
006DC1F9 83E9 08       sub ecx,8
006DC1FC D1E9          shr ecx,1
006DC1FE 8B3E          mov edi,dword ptr ds:[esi]
006DC200 03BD 22040000 add edi,dword ptr ss:[ebp+422>
006DC206 83C6 08       add esi,8
006DC209 66:8B1E       mov bx,word ptr ds:[esi]
006DC20C C1EB 0C       shr ebx,0C
006DC20F 83FB 01       cmp ebx,1
006DC212 74 0C          je short CJapanes.006DC220
006DC214 83FB 02       cmp ebx,2
006DC217 74 16          je short CJapanes.006DC22F
006DC219 83FB 03       cmp ebx,3
006DC21C 74 20          je short CJapanes.006DC23E
006DC21E EB 2C          jmp short CJapanes.006DC24C
006DC220 66:8B1E       mov bx,word ptr ds:[esi]
006DC223 81E3 FF0F0000 and ebx,0FFF
006DC229 66:01041F    add word ptr ds:[edi+ebx],ax
006DC22D EB 1D          jmp short CJapanes.006DC24C
006DC22F 66:8B1E       mov bx,word ptr ds:[esi]
006DC232 81E3 FF0F0000 and ebx,0FFF
006DC238 66:01141F    add word ptr ds:[edi+ebx],dx
006DC23C EB 0E          jmp short CJapanes.006DC24C
006DC23E 66:8B1E       mov bx,word ptr ds:[esi]
006DC241 81E3 FF0F0000 and ebx,0FFF
006DC247 01141F       add dword ptr ds:[edi+ebx],ed>
006DC24A EB 00          jmp short CJapanes.006DC24C
006DC24C 66:830E FF    or word ptr ds:[esi],0FFFF
006DC250 83C6 02       add esi,2
006DC253  ^ E2 B4          loopd short CJapanes.006DC209
006DC255  ^ EB 9A          jmp short CJapanes.006DC1F1
006DC257 8B95 22040000 mov edx,dword ptr ss:[ebp+422>
006DC25D 8BB5 41050000 mov esi,dword ptr ss:[ebp+541>
006DC263 0BF6          or esi,esi
006DC265 74 11          je short CJapanes.006DC278
006DC267 03F2          add esi,edx
006DC269 AD             lods dword ptr ds:[esi]
006DC26A 0BC0          or eax,eax
006DC26C 74 0A          je short CJapanes.006DC278
006DC26E 03C2          add eax,edx
006DC270 8BF8          mov edi,eax
006DC272 66:AD          lods word ptr ds:[esi]
006DC274 66:AB          stos word ptr es:[edi]
006DC276  ^ EB F1          jmp short CJapanes.006DC269
006DC278 BE 607D2600    mov esi,267D60
006DC27D 8B95 22040000 mov edx,dword ptr ss:[ebp+422>
006DC283 03F2          add esi,edx
006DC285 8B46 0C       mov eax,dword ptr ds:[esi+C]
006DC288 85C0          test eax,eax
006DC28A 0F84 0A010000 je CJapanes.006DC39A
006DC290 03C2          add eax,edx
006DC292 8BD8          mov ebx,eax
006DC294 50             push eax
006DC295 FF95 4D0F0000 call dword ptr ss:[ebp+F4D]
006DC29B 85C0          test eax,eax
006DC29D 75 07          jnz short CJapanes.006DC2A6
006DC29F 53             push ebx
006DC2A0 FF95 510F0000 call dword ptr ss:[ebp+F51]
006DC2A6 8985 45050000 mov dword ptr ss:[ebp+545],ea>
006DC2AC C785 49050000 0>mov dword ptr ss:[ebp+549],0
006DC2B6 8B95 22040000 mov edx,dword ptr ss:[ebp+422>
006DC2BC 8B06          mov eax,dword ptr ds:[esi]
006DC2BE 85C0          test eax,eax
006DC2C0 75 03          jnz short CJapanes.006DC2C5
006DC2C2 8B46 10       mov eax,dword ptr ds:[esi+10]
006DC2C5 03C2          add eax,edx
006DC2C7 0385 49050000 add eax,dword ptr ss:[ebp+549>
006DC2CD 8B18          mov ebx,dword ptr ds:[eax]
006DC2CF 8B7E 10       mov edi,dword ptr ds:[esi+10]
006DC2D2 03FA          add edi,edx
006DC2D4 03BD 49050000 add edi,dword ptr ss:[ebp+549>
006DC2DA 85DB          test ebx,ebx
006DC2DC 0F84 A2000000 je CJapanes.006DC384
006DC2E2 F7C3 00000080 test ebx,80000000
006DC2E8 75 04          jnz short CJapanes.006DC2EE
006DC2EA 03DA          add ebx,edx
006DC2EC 43             inc ebx
006DC2ED 43             inc ebx
006DC2EE 53             push ebx
006DC2EF 81E3 FFFFFF7F and ebx,7FFFFFFF
006DC2F5 53             push ebx
006DC2F6 FFB5 45050000 push dword ptr ss:[ebp+545]
006DC2FC FF95 490F0000 call dword ptr ss:[ebp+F49]
006DC302 85C0          test eax,eax
006DC304 5B             pop ebx
006DC305 75 6F          jnz short CJapanes.006DC376
006DC307 F7C3 00000080 test ebx,80000000
006DC30D 75 19          jnz short CJapanes.006DC328
006DC30F 57             push edi
006DC310 8B46 0C       mov eax,dword ptr ds:[esi+C]
006DC313 0385 22040000 add eax,dword ptr ss:[ebp+422>
006DC319 50             push eax
006DC31A 53             push ebx
006DC31B 8D85 75040000 lea eax,dword ptr ss:[ebp+475>
006DC321 50             push eax
006DC322 57             push edi
006DC323 E9 98000000    jmp CJapanes.006DC3C0
006DC328 81E3 FFFFFF7F and ebx,7FFFFFFF
006DC32E 8B85 26040000 mov eax,dword ptr ss:[ebp+426>
006DC334 3985 45050000 cmp dword ptr ss:[ebp+545],ea>
006DC33A 75 24          jnz short CJapanes.006DC360
006DC33C 57             push edi
006DC33D 8BD3          mov edx,ebx
006DC33F 4A             dec edx
006DC340 C1E2 02       shl edx,2
006DC343 8B9D 45050000 mov ebx,dword ptr ss:[ebp+545>
006DC349 8B7B 3C       mov edi,dword ptr ds:[ebx+3C]
006DC34C 8B7C3B 78    mov edi,dword ptr ds:[ebx+edi>
006DC350 035C3B 1C    add ebx,dword ptr ds:[ebx+edi>
006DC354 8B0413       mov eax,dword ptr ds:[ebx+edx>
006DC357 0385 45050000 add eax,dword ptr ss:[ebp+545>
006DC35D 5F             pop edi
006DC35E EB 16          jmp short CJapanes.006DC376
006DC360 57             push edi
006DC361 8B46 0C       mov eax,dword ptr ds:[esi+C]
006DC364 0385 22040000 add eax,dword ptr ss:[ebp+422>
006DC36A 50             push eax
006DC36B 53             push ebx
006DC36C 8D85 C6040000 lea eax,dword ptr ss:[ebp+4C6>
006DC372 50             push eax
006DC373 57             push edi
006DC374 EB 4A          jmp short CJapanes.006DC3C0
006DC376 8907          mov dword ptr ds:[edi],eax
006DC378 8385 49050000 0>add dword ptr ss:[ebp+549],4
006DC37F  ^ E9 32FFFFFF    jmp CJapanes.006DC2B6
006DC384 8906          mov dword ptr ds:[esi],eax
006DC386 8946 0C       mov dword ptr ds:[esi+C],eax
006DC389 8946 10       mov dword ptr ds:[esi+10],eax
006DC38C 83C6 14       add esi,14
006DC38F 8B95 22040000 mov edx,dword ptr ss:[ebp+422>
006DC395  ^ E9 EBFEFFFF    jmp CJapanes.006DC285
006DC39A B8 604A2600    mov eax,264A60
006DC39F 50             push eax
006DC3A0 0385 22040000 add eax,dword ptr ss:[ebp+422>
006DC3A6 59             pop ecx
006DC3A7 0BC9          or ecx,ecx
006DC3A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],ea>
006DC3AF 61             popad
006DC3B0 75 08          jnz short CJapanes.006DC3BA
006DC3B2 B8 01000000    mov eax,1
006DC3B7 C2 0C00       retn 0C
006DC3BA 68 604A6600    push CJapanes.00664A60    // //F4直接来这里
006DC3BF C3             retn
返回到 00664A60 (CJapanes.00664A60)

进入第4层壳还是UPX

00664A60 60             pushad
00664A61 BE 00205700    mov esi,CJapanes.00572000
00664A66 8DBE 00F0E8FF lea edi,dword ptr ds:[esi+FFE>
00664A6C C787 CC601B00 1>mov dword ptr ds:[edi+1B60CC]>
00664A76 57             push edi
00664A77 83CD FF       or ebp,FFFFFFFF
00664A7A EB 0E          jmp short CJapanes.00664A8A
00664A7C 90             nop
00664A7D 90             nop
00664A7E 90             nop
00664A7F 90             nop
00664A80 8A06          mov al,byte ptr ds:[esi]
00664A82 46             inc esi
00664A83 8807          mov byte ptr ds:[edi],al
00664A85 47             inc edi
00664A86 01DB          add ebx,ebx
00664A88 75 07          jnz short CJapanes.00664A91
00664A8A 8B1E          mov ebx,dword ptr ds:[esi]
00664A8C 83EE FC       sub esi,-4
00664A8F 11DB          adc ebx,ebx
00664A91  ^ 72 ED          jb short CJapanes.00664A80
00664A93 B8 01000000    mov eax,1
00664A98 01DB          add ebx,ebx
00664A9A 75 07          jnz short CJapanes.00664AA3
00664A9C 8B1E          mov ebx,dword ptr ds:[esi]
00664A9E 83EE FC       sub esi,-4
00664AA1 11DB          adc ebx,ebx
00664AA3 11C0          adc eax,eax
00664AA5 01DB          add ebx,ebx
00664AA7 73 0B          jnb short CJapanes.00664AB4
00664AA9 75 19          jnz short CJapanes.00664AC4
00664AAB 8B1E          mov ebx,dword ptr ds:[esi]
00664AAD 83EE FC       sub esi,-4
00664AB0 11DB          adc ebx,ebx
00664AB2 72 10          jb short CJapanes.00664AC4
00664AB4 48             dec eax
00664AB5 01DB          add ebx,ebx
00664AB7 75 07          jnz short CJapanes.00664AC0
00664AB9 8B1E          mov ebx,dword ptr ds:[esi]
00664ABB 83EE FC       sub esi,-4
00664ABE 11DB          adc ebx,ebx
00664AC0 11C0          adc eax,eax
00664AC2  ^ EB D4          jmp short CJapanes.00664A98
00664AC4 31C9          xor ecx,ecx
00664AC6 83E8 03       sub eax,3
00664AC9 72 11          jb short CJapanes.00664ADC
00664ACB C1E0 08       shl eax,8
00664ACE 8A06          mov al,byte ptr ds:[esi]
00664AD0 46             inc esi
00664AD1 83F0 FF       xor eax,FFFFFFFF
00664AD4 74 78          je short CJapanes.00664B4E
00664AD6 D1F8          sar eax,1
00664AD8 89C5          mov ebp,eax
00664ADA EB 0B          jmp short CJapanes.00664AE7
00664ADC 01DB          add ebx,ebx
00664ADE 75 07          jnz short CJapanes.00664AE7
00664AE0 8B1E          mov ebx,dword ptr ds:[esi]
00664AE2 83EE FC       sub esi,-4
00664AE5 11DB          adc ebx,ebx
00664AE7 11C9          adc ecx,ecx
00664AE9 01DB          add ebx,ebx
00664AEB 75 07          jnz short CJapanes.00664AF4
00664AED 8B1E          mov ebx,dword ptr ds:[esi]
00664AEF 83EE FC       sub esi,-4
00664AF2 11DB          adc ebx,ebx
00664AF4 11C9          adc ecx,ecx
00664AF6 75 20          jnz short CJapanes.00664B18
00664AF8 41             inc ecx
00664AF9 01DB          add ebx,ebx
00664AFB 75 07          jnz short CJapanes.00664B04
00664AFD 8B1E          mov ebx,dword ptr ds:[esi]
00664AFF 83EE FC       sub esi,-4
00664B02 11DB          adc ebx,ebx
00664B04 11C9          adc ecx,ecx
00664B06 01DB          add ebx,ebx
00664B08  ^ 73 EF          jnb short CJapanes.00664AF9
00664B0A 75 09          jnz short CJapanes.00664B15
00664B0C 8B1E          mov ebx,dword ptr ds:[esi]
00664B0E 83EE FC       sub esi,-4
00664B11 11DB          adc ebx,ebx
00664B13  ^ 73 E4          jnb short CJapanes.00664AF9
00664B15 83C1 02       add ecx,2
00664B18 81FD 00FBFFFF cmp ebp,-500
00664B1E 83D1 01       adc ecx,1
00664B21 8D142F       lea edx,dword ptr ds:[edi+ebp>
00664B24 83FD FC       cmp ebp,-4
00664B27 76 0F          jbe short CJapanes.00664B38
00664B29 8A02          mov al,byte ptr ds:[edx]
00664B2B 42             inc edx
00664B2C 8807          mov byte ptr ds:[edi],al
00664B2E 47             inc edi
00664B2F 49             dec ecx
00664B30  ^ 75 F7          jnz short CJapanes.00664B29
00664B32  ^ E9 4FFFFFFF    jmp CJapanes.00664A86
00664B37 90             nop
00664B38 8B02          mov eax,dword ptr ds:[edx]
00664B3A 83C2 04       add edx,4
00664B3D 8907          mov dword ptr ds:[edi],eax
00664B3F 83C7 04       add edi,4
00664B42 83E9 04       sub ecx,4
00664B45  ^ 77 F1          ja short CJapanes.00664B38
00664B47 01CF          add edi,ecx
00664B49  ^ E9 38FFFFFF    jmp CJapanes.00664A86
00664B4E 5E             pop esi
00664B4F 89F7          mov edi,esi
00664B51 B9 25E00000    mov ecx,0E025
00664B56 8A07          mov al,byte ptr ds:[edi]
00664B58 47             inc edi
00664B59 2C E8          sub al,0E8
00664B5B 3C 01          cmp al,1
00664B5D  ^ 77 F7          ja short CJapanes.00664B56
00664B5F 803F 25       cmp byte ptr ds:[edi],25
00664B62  ^ 75 F2          jnz short CJapanes.00664B56
00664B64 8B07          mov eax,dword ptr ds:[edi]
00664B66 8A5F 04       mov bl,byte ptr ds:[edi+4]
00664B69 66:C1E8 08    shr ax,8
00664B6D C1C0 10       rol eax,10
00664B70 86C4          xchg ah,al
00664B72 29F8          sub eax,edi
00664B74 80EB E8       sub bl,0E8
00664B77 01F0          add eax,esi
00664B79 8907          mov dword ptr ds:[edi],eax
00664B7B 83C7 05       add edi,5
00664B7E 89D8          mov eax,ebx
00664B80  ^ E2 D9          loopd short CJapanes.00664B5B
00664B82 8DBE 00302500 lea edi,dword ptr ds:[esi+253>
00664B88 8B07          mov eax,dword ptr ds:[edi]
00664B8A 09C0          or eax,eax
00664B8C 74 3C          je short CJapanes.00664BCA
00664B8E 8B5F 04       mov ebx,dword ptr ds:[edi+4]
00664B91 8D8430 606D2600 lea eax,dword ptr ds:[eax+esi>
00664B98 01F3          add ebx,esi
00664B9A 50             push eax
00664B9B 83C7 08       add edi,8
00664B9E FF96 646E2600 call dword ptr ds:[esi+266E64>
00664BA4 95             xchg eax,ebp
00664BA5 8A07          mov al,byte ptr ds:[edi]
00664BA7 47             inc edi
00664BA8 08C0          or al,al
00664BAA  ^ 74 DC          je short CJapanes.00664B88
00664BAC 89F9          mov ecx,edi
00664BAE 57             push edi
00664BAF 48             dec eax
00664BB0 F2:AE          repne scas byte ptr es:[edi]
00664BB2 55             push ebp
00664BB3 FF96 686E2600 call dword ptr ds:[esi+266E68>
00664BB9 09C0          or eax,eax
00664BBB 74 07          je short CJapanes.00664BC4
00664BBD 8903          mov dword ptr ds:[ebx],eax
00664BBF 83C3 04       add ebx,4
00664BC2  ^ EB E1          jmp short CJapanes.00664BA5
00664BC4 FF96 6C6E2600 call dword ptr ds:[esi+266E6C>
00664BCA 83C7 04       add edi,4
00664BCD 8D5E FC       lea ebx,dword ptr ds:[esi-4]
00664BD0 31C0          xor eax,eax
00664BD2 8A07          mov al,byte ptr ds:[edi]
00664BD4 47             inc edi
00664BD5 09C0          or eax,eax
00664BD7 74 22          je short CJapanes.00664BFB
00664BD9 3C EF          cmp al,0EF
00664BDB 77 11          ja short CJapanes.00664BEE
00664BDD 01C3          add ebx,eax
00664BDF 8B03          mov eax,dword ptr ds:[ebx]
00664BE1 86C4          xchg ah,al
00664BE3 C1C0 10       rol eax,10
00664BE6 86C4          xchg ah,al
00664BE8 01F0          add eax,esi
00664BEA 8903          mov dword ptr ds:[ebx],eax
00664BEC  ^ EB E2          jmp short CJapanes.00664BD0
00664BEE 24 0F          and al,0F
00664BF0 C1E0 10       shl eax,10
00664BF3 66:8B07       mov ax,word ptr ds:[edi]
00664BF6 83C7 02       add edi,2
00664BF9  ^ EB E2          jmp short CJapanes.00664BDD
00664BFB 61             popad
00664BFC  - E9 6F17F5FF    jmp CJapanes.005B6370       // //F4直接来这里

OEP

005B6370 55             push ebp //DUMP
005B6371 8BEC          mov ebp,esp
005B6373 83C4 F0       add esp,-10
005B6376 B8 A05F5B00    mov eax,CJapanes.005B5FA0
005B637B E8 000AE5FF    call CJapanes.00406D80
005B6380 8B0D 3CE75B00 mov ecx,dword ptr ds:[5BE73C] ; CJapanes.005BFBEC
005B6386 8B09          mov ecx,dword ptr ds:[ecx]
005B6388 B2 01          mov dl,1
005B638A A1 504F5900    mov eax,dword ptr ds:[594F50]
005B638F E8 A457EBFF    call CJapanes.0046BB38
005B6394 8B15 ECE45B00 mov edx,dword ptr ds:[5BE4EC] ; CJapanes.005C0034

ImportREC修复一下就可以运行了。

用PEID检测为Borland Delphi 6.0 - 7.0

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

支持

最新回复 (4)
lnn1123 雪币： 234 活跃值： (370) 能力值： ( LV9，RANK：530 ) 在线值：发帖 39 回帖 765 粉丝 0 关注私信	lnn1123 13 2 楼有ACProtect? 2005-11-6 06:17 0
hbqjxhw 雪币： 313 活跃值： (250) 能力值： ( LV9，RANK：650 ) 在线值：发帖 44 回帖 311 粉丝 0 关注私信	hbqjxhw 16 3 楼学习多层壳 2005-11-6 07:43 0
水豆腐雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 103 粉丝 0 关注私信	水豆腐 4 楼 ACProtect? 2005-11-6 09:02 0
闪电狼雪币： 108 活跃值： (42) 能力值： ( LV2，RANK：10 ) 在线值：发帖 16 回帖 709 粉丝 0 关注私信	闪电狼 5 楼好像都是简单壳 2005-11-6 10:19 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

pendan2001

发帖

1180

回帖

170

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (4)
lnn1123 雪币： 234 活跃值： (370) 能力值： ( LV9，RANK：530 ) 在线值：发帖 39 回帖 765 粉丝 0 关注私信	lnn1123 13 2 楼有ACProtect? 2005-11-6 06:17 0
hbqjxhw 雪币： 313 活跃值： (250) 能力值： ( LV9，RANK：650 ) 在线值：发帖 44 回帖 311 粉丝 0 关注私信	hbqjxhw 16 3 楼学习多层壳 2005-11-6 07:43 0
水豆腐雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 103 粉丝 0 关注私信	水豆腐 4 楼 ACProtect? 2005-11-6 09:02 0
闪电狼雪币： 108 活跃值： (42) 能力值： ( LV2，RANK：10 ) 在线值：发帖 16 回帖 709 粉丝 0 关注私信	闪电狼 5 楼好像都是简单壳 2005-11-6 10:19 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复