题目中有多个线程，如图：



其中不必要的检测线程处理掉：



在退出进程处，将其停止。

在此线程的上方有一些函数表的初始化操作，以下摘自IDA：

  fun_arr_412250[0] = (int)call_dec_20_401150;
  fun_arr_412250[1] = (int)call_eq0_401180;
  fun_arr_412250[2] = (int)call_eq_b3_4011B0;
  fun_arr_412250[3] = (int)call_dec_2_401090;
  fun_arr_412250[4] = (int)Failed_4010C0;
  fun_arr_412250[5] = (int)call_dec_3_4010F0;
  fun_arr_412250[6] = (int)call_eq_b3_4011B0;
  fun_arr_412250[7] = (int)call_eq_b1_401120;
  fun_arr_412250[8] = (int)sub_4011E0;
  fun_arr_412250[9] = (int)check_401500;
  fun_arr_412250[10] = (int)sub_401820;
  fun_arr_412250[11] = (int)sub_401B40;

v0 = 0;
  v47 = 0;
  memset(arr_in, 1, 0x1E4u);
  do
  {
    v41 = 2 * v0 + 12;
    v1 = 2 * v0 + 3;
    v42 = 0;
    v38 = 2 * v0 + 3;
    v44 = dword_412158;
    v2 = &arr_in[11 * v0];
    do
    {
      *v2 = arr_4110E0[(11 * (v1 % 11) + v41 % 11 + 127) % 128];
      if ( v0 == v42 )
      {
[COLOR="Red"]        if ( v0 == 10 )
          *v44 = 1;
        else
          *v2 = arr_410EE0[sn[v0]];[/COLOR]
      }
      ++v42;
      --v41;
      v1 = v38 + 1;
      ++v2;
      ++v44;
      ++v38;
    }
    while ( (signed int)v44 < (signed int)&unk_412184 );
    ++v0;
  }
  while ( v0 < 11 );

0x00, 0x2D, 0x42, 0x4C, 0x56, 0x60, 0x6A, 0x74, 0x05, 0x0F, 0x19
0x3B, 0x00, 0x4F, 0x59, 0x6E, 0x78, 0x09, 0x13, 0x1D, 0x27, 0x31
0x53, 0x5D, 0x00, 0x71, 0x02, 0x0C, 0x21, 0x2B, 0x35, 0x3F, 0x49
0x6B, 0x75, 0x06, 0x00, 0x1A, 0x24, 0x2E, 0x38, 0x4D, 0x57, 0x61
0x0A, 0x14, 0x1E, 0x28, 0x00, 0x3C, 0x46, 0x50, 0x5A, 0x64, 0x79
0x17, 0x2C, 0x36, 0x40, 0x4A, 0x00, 0x5E, 0x68, 0x72, 0x03, 0x0D
0x2F, 0x39, 0x43, 0x58, 0x62, 0x6C, 0x00, 0x07, 0x11, 0x1B, 0x25
0x47, 0x51, 0x5B, 0x65, 0x6F, 0x0B, 0x15, 0x00, 0x29, 0x33, 0x3D
0x5F, 0x69, 0x73, 0x04, 0x0E, 0x18, 0x22, 0x37,	0x00, 0x4B, 0x55
0x77, 0x08, 0x12, 0x1C, 0x26, 0x30, 0x3A, 0x44, 0x4E, 0x00, 0x6D
0x16, 0x20, 0x2A, 0x34, 0x3E, 0x48, 0x52, 0x5C, 0x66, 0x70, 0x01

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课