; Format-letter dispatcher. It runs on the caller's EBP frame (no prologue is set up here).
; NOTE(review): the original annotation on the first line guessed that this is the
; encryption algorithm. Nothing visible below performs a cipher or hash step: the code
; upper-cases one character, fetches an 8-byte argument record, and dispatches on a type
; tag to handlers that emit decimal/hex digits, strings and floating-point text.
; That is the shape of a printf-style format conversion helper, presumably compiler
; runtime code (the tag numbering 0..16 is consistent with Delphi's TVarRec/Format;
; confirm with library signatures) rather than application-specific logic.
; As far as the visible handlers show, each returns with ESI -> text and ECX = length.
00408FFB /$ 24 DF AND AL,0DF ; clear bit 5 of AL: upper-case the ASCII format letter (original note: "this should be the encryption algorithm")
00408FFD |. 88C1 MOV CL,AL ; CL = upper-cased letter, tested by every handler below
00408FFF |. B8 01000000 MOV EAX,1 ; EAX = 1 on arrival at 00409068 from the index check (0 when arriving via 00409066)
00409004 |. 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8] ; EBX = current argument index
00409007 |. 3B5D 08 CMP EBX,DWORD PTR SS:[EBP+8] ; compare with the limit passed by the caller (presumably highest valid index; confirm)
0040900A |. 77 5C JA SHORT rtsedit.00409068 ; unsigned: index above the limit -> error path
0040900C |. FF45 F8 INC DWORD PTR SS:[EBP-8] ; consume one argument
0040900F |. 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C] ; ESI = base of the argument array
00409012 |. 8D34DE LEA ESI,DWORD PTR DS:[ESI+EBX*8] ; each argument record is 8 bytes
00409015 |. 8B06 MOV EAX,DWORD PTR DS:[ESI] ; EAX = first dword of the record (value or pointer, depending on the tag)
00409017 |. 0FB65E 04 MOVZX EBX,BYTE PTR DS:[ESI+4] ; EBX = type tag byte of the record
; NOTE(review): no range check on the tag is visible before the indirect jump. The table
; holds 17 entries (tags 0..16), so this code relies on every record carrying a valid tag.
0040901B |. FF249D 229040>JMP DWORD PTR DS:[EBX*4+409022]
00409022 |. 16914000 DD rtsedit.00409116 ; jump table used by 0040901B; tag 0: 32-bit integer (D/U/X)
00409026 |. 66904000 DD rtsedit.00409066 ; tag 1: not supported -> error
0040902A |. 7D914000 DD rtsedit.0040917D ; tag 2: single character ('S')
0040902E |. 3B924000 DD rtsedit.0040923B ; tag 3: floating-point text, BH = 0
00409032 |. AD914000 DD rtsedit.004091AD ; tag 4: string with a leading length byte ('S')
00409036 |. 1D924000 DD rtsedit.0040921D ; tag 5: pointer as 8 hex digits ('P')
0040903A |. FD914000 DD rtsedit.004091FD ; tag 6: NUL-terminated string ('S')
0040903E |. 66904000 DD rtsedit.00409066 ; tag 7: not supported -> error
00409042 |. 66904000 DD rtsedit.00409066 ; tag 8: not supported -> error
00409046 |. 66904000 DD rtsedit.00409066 ; tag 9: not supported -> error
0040904A |. BE914000 DD rtsedit.004091BE ; tag 10: string converted through 00403E3C ('S')
0040904E |. E1914000 DD rtsedit.004091E1 ; tag 11: string with a 32-bit length at [ptr-4] ('S')
00409052 |. 37924000 DD rtsedit.00409237 ; tag 12: floating-point text, BH = 1
00409056 |. 8C914000 DD rtsedit.0040918C ; tag 13: value converted through 00408EB0 ('S')
0040905A |. 66904000 DD rtsedit.00409066 ; tag 14: not supported -> error
0040905E |. C5914000 DD rtsedit.004091C5 ; tag 15: string converted through 00403E9C ('S')
00409062 |. 7A904000 DD rtsedit.0040907A ; tag 16: 64-bit integer (D/U/X)
; Error path: EAX = 0 for a letter/tag mismatch, EAX = 1 for an argument index out of range.
00409066 |> 31C0 XOR EAX,EAX
00409068 |> E8 40020000 CALL rtsedit.004092AD ; helper outside this excerpt (likely cleanup before the error is reported; confirm)
0040906D |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
00409070 |. 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
00409073 |. 29D1 SUB ECX,EDX ; ECX = [EBP-24] - [EBP-14] (presumably the offset reached in the format string; confirm)
00409075 |. E8 DEFDFFFF CALL rtsedit.00408E58 ; presumably raises the format error and does not return; otherwise execution would fall into 0040907A
; Tag 16: 64-bit integer. On entry EAX points at the 8-byte value and CL holds the
; upper-cased format letter. The value is copied to the local at [EBP-30] and converted
; to digits written backwards from [EBP-51]. Returns ESI -> first character, ECX = length.
0040907A |> 8D5D D0 LEA EBX,DWORD PTR SS:[EBP-30] ; EBX -> local 64-bit working copy
0040907D |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
0040907F |. 8913 MOV DWORD PTR DS:[EBX],EDX ; copy low dword
00409081 |. 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4]
00409084 |. 8953 04 MOV DWORD PTR DS:[EBX+4],EDX ; copy high dword
00409087 |. 80F9 44 CMP CL,44 ; 'D': signed decimal
0040908A |. 74 11 JE SHORT rtsedit.0040909D
0040908C |. 80F9 55 CMP CL,55 ; 'U': unsigned decimal
0040908F |. 74 2A JE SHORT rtsedit.004090BB
00409091 |. 80F9 58 CMP CL,58 ; 'X': hexadecimal
00409094 |.^ 75 D0 JNZ SHORT rtsedit.00409066 ; any other letter -> error path
00409096 |. B9 10000000 MOV ECX,10 ; base 16
0040909B |. EB 23 JMP SHORT rtsedit.004090C0
0040909D |> F743 04 00000>TEST DWORD PTR DS:[EBX+4],80000000 ; sign bit of the high dword
004090A4 |. 74 15 JE SHORT rtsedit.004090BB ; non-negative: plain decimal conversion
; Negative: negate the 64-bit copy in place, convert the magnitude, then prepend '-'.
004090A6 |. F71B NEG DWORD PTR DS:[EBX]
004090A8 |. 8353 04 00 ADC DWORD PTR DS:[EBX+4],0
004090AC |. F75B 04 NEG DWORD PTR DS:[EBX+4]
004090AF |. E8 07000000 CALL rtsedit.004090BB ; local call: returns ESI -> digits, ECX = digit count
004090B4 |. B0 2D MOV AL,2D ; '-'
004090B6 |. 41 INC ECX ; length now includes the sign
004090B7 |. 4E DEC ESI
004090B8 |. 8806 MOV BYTE PTR DS:[ESI],AL ; store the sign in front of the digits
004090BA |. C3 RETN
004090BB |$ B9 0A000000 MOV ECX,0A ; base 10
004090C0 |> 8D75 AF LEA ESI,DWORD PTR SS:[EBP-51] ; ESI = end of the digit buffer; digits are stored downwards
; Digit loop: one remainder call and one quotient call per digit, with the base pushed as a
; 64-bit divisor (high dword 0). Only one POP follows each call, so the helpers evidently
; remove the two pushed dwords themselves and the POP restores the saved base.
004090C3 |> 51 /PUSH ECX ; save base
004090C4 |. 6A 00 |PUSH 0 ; divisor high dword
004090C6 |. 51 |PUSH ECX ; divisor low dword = base
004090C7 |. 8B03 |MOV EAX,DWORD PTR DS:[EBX]
004090C9 |. 8B53 04 |MOV EDX,DWORD PTR DS:[EBX+4] ; EDX:EAX = remaining value
004090CC |. E8 D0D0FFFF |CALL rtsedit.004061A1 ; presumably the 64-bit unsigned remainder helper (confirm)
004090D1 |. 59 |POP ECX ; restore base
004090D2 |. 92 |XCHG EAX,EDX ; DL = low byte of the helper's EAX result (the digit value)
004090D3 |. 80C2 30 |ADD DL,30 ; to ASCII '0'..
004090D6 |. 80FA 3A |CMP DL,3A
004090D9 |. 72 03 |JB SHORT rtsedit.004090DE ; '0'..'9' need no adjustment
004090DB |. 80C2 07 |ADD DL,7 ; skip ahead to 'A'.. for hex digits above 9
004090DE |> 4E |DEC ESI
004090DF |. 8816 |MOV BYTE PTR DS:[ESI],DL ; store the digit
004090E1 |. 51 |PUSH ECX ; save base
004090E2 |. 6A 00 |PUSH 0
004090E4 |. 51 |PUSH ECX
004090E5 |. 8B03 |MOV EAX,DWORD PTR DS:[EBX]
004090E7 |. 8B53 04 |MOV EDX,DWORD PTR DS:[EBX+4]
004090EA |. E8 BDCFFFFF |CALL rtsedit.004060AC ; presumably the 64-bit unsigned divide helper (confirm)
004090EF |. 59 |POP ECX ; restore base
004090F0 |. 8903 |MOV DWORD PTR DS:[EBX],EAX
004090F2 |. 8953 04 |MOV DWORD PTR DS:[EBX+4],EDX ; working copy = quotient
004090F5 |. 09D0 |OR EAX,EDX
004090F7 |.^ 75 CA \JNZ SHORT rtsedit.004090C3 ; repeat until the quotient is zero
004090F9 |. 8D4D AF LEA ECX,DWORD PTR SS:[EBP-51]
004090FC |. 29F1 SUB ECX,ESI ; ECX = number of digits produced
004090FE |. 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20] ; [EBP-20] acts as the minimum digit count here
00409101 |. 83FA 10 CMP EDX,10
00409104 |. 72 01 JB SHORT rtsedit.00409107 ; pad only when the minimum is below 16
00409106 |. C3 RETN
00409107 |> 29CA SUB EDX,ECX ; EDX = zeros still needed
00409109 |. 76 0A JBE SHORT rtsedit.00409115 ; already long enough
0040910B |. 01D1 ADD ECX,EDX ; returned length = minimum digit count
0040910D |. B0 30 MOV AL,30 ; '0'
; Zero-padding loop: at most 15 bytes are written here, because of the CMP EDX,10 guard above.
0040910F |> 4E /DEC ESI
00409110 |. 8806 |MOV BYTE PTR DS:[ESI],AL
00409112 |. 4A |DEC EDX
00409113 |.^ 75 FA \JNZ SHORT rtsedit.0040910F
00409115 |> C3 RETN
; Tag 0: 32-bit integer. On entry EAX holds the value and CL the upper-cased format letter.
; Digits are written backwards from [EBP-61]. Returns ESI -> first character, ECX = length.
00409116 |> 80F9 44 CMP CL,44 ; 'D': signed decimal
00409119 |. 74 15 JE SHORT rtsedit.00409130
0040911B |. 80F9 55 CMP CL,55 ; 'U': unsigned decimal
0040911E |. 74 22 JE SHORT rtsedit.00409142
00409120 |. 80F9 58 CMP CL,58 ; 'X': hexadecimal
00409123 |.^ 0F85 3DFFFFFF JNZ rtsedit.00409066 ; any other letter -> error path
00409129 |. B9 10000000 MOV ECX,10 ; base 16
0040912E |. EB 17 JMP SHORT rtsedit.00409147
00409130 |> 09C0 OR EAX,EAX ; test the sign
00409132 |. 79 0E JNS SHORT rtsedit.00409142 ; non-negative: plain decimal conversion
00409134 |. F7D8 NEG EAX ; magnitude of a negative value
00409136 |. E8 07000000 CALL rtsedit.00409142 ; local call: returns ESI -> digits, ECX = digit count
0040913B |. B0 2D MOV AL,2D ; '-'
0040913D |. 41 INC ECX ; length now includes the sign
0040913E |. 4E DEC ESI
0040913F |. 8806 MOV BYTE PTR DS:[ESI],AL ; store the sign in front of the digits
00409141 |. C3 RETN
00409142 |$ B9 0A000000 MOV ECX,0A ; base 10
00409147 |> 8D75 9F LEA ESI,DWORD PTR SS:[EBP-61] ; ESI = end of the digit buffer; digits are stored downwards
0040914A |> 31D2 /XOR EDX,EDX ; clear the high half of the dividend before DIV
0040914C |. F7F1 |DIV ECX ; EAX = quotient, EDX = remainder (the digit value)
0040914E |. 80C2 30 |ADD DL,30 ; to ASCII '0'..
00409151 |. 80FA 3A |CMP DL,3A
00409154 |. 72 03 |JB SHORT rtsedit.00409159 ; '0'..'9' need no adjustment
00409156 |. 80C2 07 |ADD DL,7 ; skip ahead to 'A'.. for hex digits above 9
00409159 |> 4E |DEC ESI
0040915A |. 8816 |MOV BYTE PTR DS:[ESI],DL ; store the digit
0040915C |. 09C0 |OR EAX,EAX
0040915E |.^ 75 EA \JNZ SHORT rtsedit.0040914A ; repeat until the quotient is zero
00409160 |. 8D4D 9F LEA ECX,DWORD PTR SS:[EBP-61]
00409163 |. 29F1 SUB ECX,ESI ; ECX = number of digits produced
00409165 |. 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20] ; [EBP-20] acts as the minimum digit count here
00409168 |. 83FA 10 CMP EDX,10
0040916B |. 72 01 JB SHORT rtsedit.0040916E ; pad only when the minimum is below 16
0040916D |. C3 RETN
0040916E |> 29CA SUB EDX,ECX ; EDX = zeros still needed
00409170 |. 76 0A JBE SHORT rtsedit.0040917C ; already long enough
00409172 |. 01D1 ADD ECX,EDX ; returned length = minimum digit count
00409174 |. B0 30 MOV AL,30 ; '0'
; Zero-padding loop: at most 15 bytes are written here, because of the CMP EDX,10 guard above.
00409176 |> 4E /DEC ESI
00409177 |. 8806 |MOV BYTE PTR DS:[ESI],AL
00409179 |. 4A |DEC EDX
0040917A |.^ 75 FA \JNZ SHORT rtsedit.00409176
0040917C |> C3 RETN
; String-like cases (tags 2, 13, 4, 10, 15, 11). All require the letter 'S' (0x53) and
; return ESI -> characters, ECX = length. Lengths that pass through 004091F3 are clamped
; to the limit held in [EBP-20].
; Tag 2: single character. ESI is not modified on this path, so it keeps the argument
; record address set by the dispatcher; the length is 1.
0040917D |> 80F9 53 CMP CL,53
00409180 |.^ 0F85 E0FEFFFF JNZ rtsedit.00409066 ; wrong letter -> error path
00409186 |. B9 01000000 MOV ECX,1
0040918B |. C3 RETN
; Tag 13: EAX points at a record whose first word is a kind code (presumably a Variant; confirm).
0040918C |> 80F9 53 CMP CL,53
0040918F |.^ 0F85 D1FEFFFF JNZ rtsedit.00409066
00409195 |. 66:8338 01 CMP WORD PTR DS:[EAX],1
00409199 |. 76 0F JBE SHORT rtsedit.004091AA ; kind code 0 or 1 -> empty result
0040919B |. 89C2 MOV EDX,EAX ; EDX = source record
0040919D |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] ; EAX -> local slot passed to the helper
004091A0 |. E8 0BFDFFFF CALL rtsedit.00408EB0 ; presumably converts the value to a string and stores its pointer in [EBP-C] (confirm)
004091A5 |. 8B75 F4 MOV ESI,DWORD PTR SS:[EBP-C] ; ESI = string pointer read back from the slot
004091A8 |. EB 42 JMP SHORT rtsedit.004091EC
; Shared exit for an empty result: length 0.
004091AA |> 31C9 XOR ECX,ECX
004091AC |. C3 RETN
; Tag 4: string whose first byte is its length.
004091AD |> 80F9 53 CMP CL,53
004091B0 |.^ 0F85 B0FEFFFF JNZ rtsedit.00409066
004091B6 |. 89C6 MOV ESI,EAX
004091B8 |. AC LODS BYTE PTR DS:[ESI] ; AL = length byte; ESI now points at the first character
004091B9 |. 0FB6C8 MOVZX ECX,AL ; ECX = length (0..255)
004091BC |. EB 35 JMP SHORT rtsedit.004091F3 ; clamp to the limit
; Tags 10 and 15: same flow, differing only in the conversion routine called through ESI.
004091BE |> BE 3C3E4000 MOV ESI,rtsedit.00403E3C ; tag 10 conversion routine
004091C3 |. EB 05 JMP SHORT rtsedit.004091CA
004091C5 |> BE 9C3E4000 MOV ESI,rtsedit.00403E9C ; entry address (of the tag 15 conversion routine)
004091CA |> 80F9 53 CMP CL,53
004091CD |.^ 0F85 93FEFFFF JNZ rtsedit.00409066
004091D3 |. 89C2 MOV EDX,EAX ; EDX = source pointer
004091D5 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] ; EAX -> local slot passed to the routine
004091D8 |. FFD6 CALL ESI ; presumably converts to a byte string and stores its pointer in [EBP-10] (confirm)
004091DA |. 8B75 F0 MOV ESI,DWORD PTR SS:[EBP-10] ; ESI = string pointer read back from the slot
004091DD |. 89F0 MOV EAX,ESI
004091DF |. EB 0B JMP SHORT rtsedit.004091EC
; Tag 11: EAX is already the string pointer.
004091E1 |> 80F9 53 CMP CL,53
004091E4 |.^ 0F85 7CFEFFFF JNZ rtsedit.00409066
004091EA |. 89C6 MOV ESI,EAX
004091EC |> 09F6 OR ESI,ESI
004091EE |.^ 74 BA JE SHORT rtsedit.004091AA ; null pointer is treated as an empty string
004091F0 |. 8B4E FC MOV ECX,DWORD PTR DS:[ESI-4] ; length is the dword stored just before the characters
004091F3 |> 3B4D E0 CMP ECX,DWORD PTR SS:[EBP-20]
004091F6 |. 77 01 JA SHORT rtsedit.004091F9 ; unsigned: longer than the limit
004091F8 |. C3 RETN
004091F9 |> 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20] ; clamp the length to the limit
004091FC |. C3 RETN
; Tag 6: NUL-terminated string, letter 'S'. Returns ESI -> string and ECX = number of bytes
; before the first NUL, capped at the limit in [EBP-20].
; NOTE(review): no null check on the pointer is visible on this path (the 004091EC path
; does test for zero), and the scan is bounded only by the value held in [EBP-20].
004091FD |> 80F9 53 CMP CL,53
00409200 |.^ 0F85 60FEFFFF JNZ rtsedit.00409066 ; wrong letter -> error path
00409206 |. 89C6 MOV ESI,EAX ; ESI = start of the string
00409208 |. 57 PUSH EDI ; EDI is used by SCAS; saved and restored around the scan
00409209 |. 89C7 MOV EDI,EAX
0040920B |. 30C0 XOR AL,AL ; search byte = 0
0040920D |. 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20] ; ECX = maximum bytes to scan
00409210 |. E3 05 JECXZ SHORT rtsedit.00409217 ; zero limit: skip the scan, length 0
00409212 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00409214 |. 75 01 JNZ SHORT rtsedit.00409217 ; no NUL within the limit: EDI = start + limit
00409216 |. 4F DEC EDI ; NUL found: step back so it is not counted
00409217 |> 89F9 MOV ECX,EDI
00409219 |. 29F1 SUB ECX,ESI ; ECX = length
0040921B |. 5F POP EDI
0040921C |. C3 RETN
; Tag 5: pointer, letter 'P' (0x50). Forces a minimum of 8 digits and base 16, then joins
; the 32-bit integer conversion at 00409147 with the pointer value still in EAX.
0040921D |> 80F9 50 CMP CL,50
00409220 |.^ 0F85 40FEFFFF JNZ rtsedit.00409066
00409226 |. C745 E0 08000>MOV DWORD PTR SS:[EBP-20],8 ; minimum digit count = 8
0040922D |. B9 10000000 MOV ECX,10 ; base 16
00409232 |.^ E9 10FFFFFF JMP rtsedit.00409147
; Tags 12 and 3: floating-point style text. EAX points at the value; BH records which tag
; was taken (1 for tag 12, 0 for tag 3) and BL becomes a format selector chosen from the
; letter: 'G'=0, 'E'=1, 'F'=2, 'N'=3, 'M'=4. The text is produced by 0040CCF6 into the
; buffer at [EBP-71]. Returns ESI -> buffer, ECX = length reported by the callee.
; NOTE(review): the capacity of the buffer at [EBP-71] is not visible in this excerpt.
; Values taken from [EBP-20] are replaced by defaults when they exceed 0x12.
00409237 |> B7 01 MOV BH,1 ; entered for tag 12
00409239 |. EB 02 JMP SHORT rtsedit.0040923D
0040923B |> B7 00 MOV BH,0 ; entered for tag 3
0040923D |> 89C6 MOV ESI,EAX ; ESI = pointer to the value
0040923F |. B3 00 MOV BL,0
00409241 |. 80F9 47 CMP CL,47 ; 'G'
00409244 |. 74 3F JE SHORT rtsedit.00409285
00409246 |. B3 01 MOV BL,1
00409248 |. 80F9 45 CMP CL,45 ; 'E'
0040924B |. 74 38 JE SHORT rtsedit.00409285
0040924D |. B3 02 MOV BL,2
0040924F |. 80F9 46 CMP CL,46 ; 'F'
00409252 |. 74 12 JE SHORT rtsedit.00409266
00409254 |. B3 03 MOV BL,3
00409256 |. 80F9 4E CMP CL,4E ; 'N'
00409259 |. 74 0B JE SHORT rtsedit.00409266
0040925B |. 80F9 4D CMP CL,4D ; 'M'
0040925E |.^ 0F85 02FEFFFF JNZ rtsedit.00409066 ; any other letter -> error path
00409264 |. B3 04 MOV BL,4
; 'F' / 'N' / 'M': Arg2 is fixed at 0x12, Arg1 comes from [EBP-20].
00409266 |> B8 12000000 MOV EAX,12
0040926B |. 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
0040926E |. 39C2 CMP EDX,EAX
00409270 |. 76 25 JBE SHORT rtsedit.00409297 ; value within 0..0x12: use it as is
00409272 |. BA 02000000 MOV EDX,2 ; otherwise default to 2
00409277 |. 80F9 4D CMP CL,4D
0040927A |. 75 1B JNZ SHORT rtsedit.00409297
0040927C |. 0FB615 F4E44A>MOVZX EDX,BYTE PTR DS:[4AE4F4] ; for 'M' the default is a global byte (presumably a locale setting for decimals; confirm)
00409283 |. EB 12 JMP SHORT rtsedit.00409297
; 'G' / 'E': Arg2 comes from [EBP-20], Arg1 is fixed at 3.
00409285 |> 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00409288 |. BA 03000000 MOV EDX,3
0040928D |. 83F8 12 CMP EAX,12
00409290 |. 76 05 JBE SHORT rtsedit.00409297 ; value within 0..0x12: use it as is
00409292 |. B8 0F000000 MOV EAX,0F ; otherwise default to 0x0F
00409297 |> 53 PUSH EBX ; /Arg3 = EBX (BL = format selector, BH = tag flag)
00409298 |. 50 PUSH EAX ; |Arg2
00409299 |. 52 PUSH EDX ; |Arg1
0040929A |. 8D45 8F LEA EAX,DWORD PTR SS:[EBP-71] ; | EAX -> output buffer
0040929D |. 89F2 MOV EDX,ESI ; | EDX = pointer to the value
0040929F |. 0FB6CF MOVZX ECX,BH ; | ECX = tag flag (0 or 1)
004092A2 |. E8 4F3A0000 CALL rtsedit.0040CCF6 ; \rtsedit.0040CCF6 (presumably the float-to-text routine; confirm)
004092A7 |. 89C1 MOV ECX,EAX ; ECX = length returned by the callee
004092A9 |. 8D75 8F LEA ESI,DWORD PTR SS:[EBP-71] ; ESI -> start of the produced text
004092AC \. C3 RETN