小弟没有上传能力,我自己的下载地址:http://219.132.142.14:1234/file/jiaocheng9.rar
里面有三个主程序,一个是双壳原版的,一个是一层壳的,一个是无壳的,因为我的汇编才粗学,找到一处可能是算法过程的代码但是无法理解,请高手帮个忙,谢谢了.
00438850 55 push ebp
00438851 8BEC mov ebp,esp
00438853 83EC 18 sub esp,18
00438856 68 56184000 push <jmp.&MSVBVM60.__vbaExceptHandler>
0043885B 64:A1 00000000 mov eax,dword ptr fs:[0]
00438861 50 push eax
00438862 64:8925 00000000 mov dword ptr fs:[0],esp
00438869 B8 CC000000 mov eax,0CC
0043886E E8 DD8FFCFF call <jmp.&MSVBVM60.__vbaChkstk>
00438873 53 push ebx
00438874 56 push esi
00438875 57 push edi
00438876 8965 E8 mov dword ptr ss:[ebp-18],esp
00438879 C745 EC D8114000 mov dword ptr ss:[ebp-14],无壳.004011D8
00438880 8B45 08 mov eax,dword ptr ss:[ebp+8]
00438883 83E0 01 and eax,1
00438886 8945 F0 mov dword ptr ss:[ebp-10],eax
00438889 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
0043888C 83E1 FE and ecx,FFFFFFFE
0043888F 894D 08 mov dword ptr ss:[ebp+8],ecx
00438892 C745 F4 00000000 mov dword ptr ss:[ebp-C],0
00438899 8B55 08 mov edx,dword ptr ss:[ebp+8]
0043889C 8B02 mov eax,dword ptr ds:[edx]
0043889E 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
004388A1 51 push ecx
004388A2 FF50 04 call dword ptr ds:[eax+4]
004388A5 C745 FC 01000000 mov dword ptr ss:[ebp-4],1
004388AC 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
004388AF 52 push edx
004388B0 68 FF000000 push 0FF
004388B5 FF15 CC104000 call dword ptr ds:[<&MSVBVM60.__vbaFixs>; MSVBVM60.__vbaFixstrConstruct
004388BB C745 FC 02000000 mov dword ptr ss:[ebp-4],2
004388C2 C745 FC 03000000 mov dword ptr ss:[ebp-4],3
004388C9 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
004388CC 50 push eax
004388CD FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaLenB>; MSVBVM60.__vbaLenBstr
004388D3 50 push eax
004388D4 8B4D D4 mov ecx,dword ptr ss:[ebp-2C]
004388D7 51 push ecx
004388D8 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
004388DB 52 push edx
004388DC FF15 7C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrT>; MSVBVM60.__vbaStrToAnsi
004388E2 50 push eax
004388E3 E8 90E9FCFF call 无壳.00407278
004388E8 FF15 54104000 call dword ptr ds:[<&MSVBVM60.__vbaSetS>; MSVBVM60.__vbaSetSystemError
004388EE 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
004388F1 50 push eax
004388F2 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
004388F5 51 push ecx
004388F6 FF15 04114000 call dword ptr ds:[<&MSVBVM60.__vbaStrT>; MSVBVM60.__vbaStrToUnicode
004388FC 50 push eax
004388FD 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
00438900 52 push edx
00438901 6A 00 push 0
00438903 FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaLset>; MSVBVM60.__vbaLsetFixstr
00438909 8D45 C0 lea eax,dword ptr ss:[ebp-40]
0043890C 50 push eax
0043890D 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00438910 51 push ecx
00438911 6A 02 push 2
00438913 FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeStrList
00438919 83C4 0C add esp,0C
0043891C C745 FC 04000000 mov dword ptr ss:[ebp-4],4
00438923 66:C745 DC 0100 mov word ptr ss:[ebp-24],1
00438929 C745 FC 05000000 mov dword ptr ss:[ebp-4],5
00438930 C745 B4 01000000 mov dword ptr ss:[ebp-4C],1
00438937 C745 AC 02000000 mov dword ptr ss:[ebp-54],2
0043893E 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
00438941 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00438944 FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaStrC>; MSVBVM60.__vbaStrCopy
0043894A 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0043894D 8955 84 mov dword ptr ss:[ebp-7C],edx
00438950 C785 7CFFFFFF 08>mov dword ptr ss:[ebp-84],4008
0043895A 8D45 AC lea eax,dword ptr ss:[ebp-54]
0043895D 50 push eax
0043895E 0FBF4D DC movsx ecx,word ptr ss:[ebp-24]
00438962 51 push ecx
00438963 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
00438969 52 push edx
0043896A 8D45 9C lea eax,dword ptr ss:[ebp-64]
0043896D 50 push eax
0043896E FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
00438974 8B4D C4 mov ecx,dword ptr ss:[ebp-3C]
00438977 51 push ecx
00438978 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
0043897B 52 push edx
0043897C 6A 00 push 0
0043897E FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaLset>; MSVBVM60.__vbaLsetFixstr
00438984 8D45 9C lea eax,dword ptr ss:[ebp-64]
00438987 50 push eax
00438988 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
0043898B 51 push ecx
0043898C FF15 28114000 call dword ptr ds:[<&MSVBVM60.__vbaStrV>; MSVBVM60.__vbaStrVarVal
00438992 50 push eax
00438993 FF15 38104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00438999 33D2 xor edx,edx
0043899B 66:3D 2800 cmp ax,28
0043899F 0F9FC2 setg dl
004389A2 F7DA neg edx
004389A4 66:8995 50FFFFFF mov word ptr ss:[ebp-B0],dx
004389AB 8D45 C0 lea eax,dword ptr ss:[ebp-40]
004389AE 50 push eax
004389AF 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
004389B2 51 push ecx
004389B3 6A 02 push 2
004389B5 FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeStrList
004389BB 83C4 0C add esp,0C
004389BE 8D55 9C lea edx,dword ptr ss:[ebp-64]
004389C1 52 push edx
004389C2 8D45 AC lea eax,dword ptr ss:[ebp-54]
004389C5 50 push eax
004389C6 6A 02 push 2
004389C8 FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeVarList
004389CE 83C4 0C add esp,0C
004389D1 0FBF8D 50FFFFFF movsx ecx,word ptr ss:[ebp-B0]
004389D8 85C9 test ecx,ecx
004389DA 74 1E je short 无壳.004389FA
004389DC C745 FC 06000000 mov dword ptr ss:[ebp-4],6
004389E3 66:8B55 DC mov dx,word ptr ss:[ebp-24]
004389E7 66:83C2 01 add dx,1
004389EB 0F80 21050000 jo 无壳.00438F12
004389F1 66:8955 DC mov word ptr ss:[ebp-24],dx
004389F5 ^E9 2FFFFFFF jmp 无壳.00438929
004389FA C745 FC 08000000 mov dword ptr ss:[ebp-4],8
00438A01 66:8B45 DC mov ax,word ptr ss:[ebp-24]
00438A05 66:2D 0100 sub ax,1
00438A09 0F80 03050000 jo 无壳.00438F12
00438A0F 66:8945 B4 mov word ptr ss:[ebp-4C],ax
00438A13 C745 AC 02000000 mov dword ptr ss:[ebp-54],2
00438A1A 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
00438A1D 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00438A20 FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaStrC>; MSVBVM60.__vbaStrCopy
00438A26 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00438A29 894D 84 mov dword ptr ss:[ebp-7C],ecx
00438A2C C785 7CFFFFFF 08>mov dword ptr ss:[ebp-84],4008
00438A36 8D55 AC lea edx,dword ptr ss:[ebp-54]
00438A39 52 push edx
00438A3A 6A 01 push 1
00438A3C 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
00438A42 50 push eax
00438A43 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
00438A46 51 push ecx
00438A47 FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
00438A4D 8B55 C4 mov edx,dword ptr ss:[ebp-3C]
00438A50 52 push edx
00438A51 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
00438A54 50 push eax
00438A55 6A 00 push 0
00438A57 FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaLset>; MSVBVM60.__vbaLsetFixstr
00438A5D C785 64FFFFFF A8>mov dword ptr ss:[ebp-9C],无壳.004072A8 ; UNICODE "\system32\dao350.dll"
00438A67 C785 5CFFFFFF 08>mov dword ptr ss:[ebp-A4],8
00438A71 6A 00 push 0
00438A73 6A FF push -1
00438A75 6A 01 push 1
00438A77 68 E4724000 push 无壳.004072E4
00438A7C 68 D8724000 push 无壳.004072D8 ; UNICODE "\\"
00438A81 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
00438A84 51 push ecx
00438A85 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-A4]
00438A8B 52 push edx
00438A8C 8D45 8C lea eax,dword ptr ss:[ebp-74]
00438A8F 50 push eax
00438A90 FF15 2C114000 call dword ptr ds:[<&MSVBVM60.__vbaVarC>; MSVBVM60.__vbaVarCat
00438A96 50 push eax
00438A97 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00438A9A 51 push ecx
00438A9B FF15 28114000 call dword ptr ds:[<&MSVBVM60.__vbaStrV>; MSVBVM60.__vbaStrVarVal
00438AA1 50 push eax
00438AA2 FF15 08114000 call dword ptr ds:[<&MSVBVM60.#712>] ; MSVBVM60.rtcReplace
00438AA8 8BD0 mov edx,eax
00438AAA 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00438AAD FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrM>; MSVBVM60.__vbaStrMove
00438AB3 8D55 C0 lea edx,dword ptr ss:[ebp-40]
00438AB6 52 push edx
00438AB7 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
00438ABA 50 push eax
00438ABB 6A 02 push 2
00438ABD FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeStrList
00438AC3 83C4 0C add esp,0C
00438AC6 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
00438AC9 51 push ecx
00438ACA 8D55 9C lea edx,dword ptr ss:[ebp-64]
00438ACD 52 push edx
00438ACE 8D45 AC lea eax,dword ptr ss:[ebp-54]
00438AD1 50 push eax
00438AD2 6A 03 push 3
00438AD4 FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeVarList
00438ADA 83C4 10 add esp,10
00438ADD C745 FC 09000000 mov dword ptr ss:[ebp-4],9
00438AE4 833D F4164400 00 cmp dword ptr ds:[4416F4],0
00438AEB 75 1C jnz short 无壳.00438B09
00438AED 68 F4164400 push 无壳.004416F4
00438AF2 68 08734000 push 无壳.00407308
00438AF7 FF15 40114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>; MSVBVM60.__vbaNew2
00438AFD C785 2CFFFFFF F4>mov dword ptr ss:[ebp-D4],无壳.004416F4
00438B07 EB 0A jmp short 无壳.00438B13
00438B09 C785 2CFFFFFF F4>mov dword ptr ss:[ebp-D4],无壳.004416F4
00438B13 8B8D 2CFFFFFF mov ecx,dword ptr ss:[ebp-D4]
00438B19 8B11 mov edx,dword ptr ds:[ecx]
00438B1B 8995 50FFFFFF mov dword ptr ss:[ebp-B0],edx
00438B21 8D45 BC lea eax,dword ptr ss:[ebp-44]
00438B24 50 push eax
00438B25 8B8D 50FFFFFF mov ecx,dword ptr ss:[ebp-B0]
00438B2B 8B11 mov edx,dword ptr ds:[ecx]
00438B2D 8B85 50FFFFFF mov eax,dword ptr ss:[ebp-B0]
00438B33 50 push eax
00438B34 FF52 14 call dword ptr ds:[edx+14]
00438B37 DBE2 fclex
00438B39 8985 4CFFFFFF mov dword ptr ss:[ebp-B4],eax
00438B3F 83BD 4CFFFFFF 00 cmp dword ptr ss:[ebp-B4],0
00438B46 7D 23 jge short 无壳.00438B6B
00438B48 6A 14 push 14
00438B4A 68 F8724000 push 无壳.004072F8
00438B4F 8B8D 50FFFFFF mov ecx,dword ptr ss:[ebp-B0]
00438B55 51 push ecx
00438B56 8B95 4CFFFFFF mov edx,dword ptr ss:[ebp-B4]
00438B5C 52 push edx
00438B5D FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaHres>; MSVBVM60.__vbaHresultCheckObj
00438B63 8985 28FFFFFF mov dword ptr ss:[ebp-D8],eax
00438B69 EB 0A jmp short 无壳.00438B75
00438B6B C785 28FFFFFF 00>mov dword ptr ss:[ebp-D8],0
00438B75 8B45 BC mov eax,dword ptr ss:[ebp-44]
00438B78 8985 48FFFFFF mov dword ptr ss:[ebp-B8],eax
00438B7E 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00438B81 51 push ecx
00438B82 8B95 48FFFFFF mov edx,dword ptr ss:[ebp-B8]
00438B88 8B02 mov eax,dword ptr ds:[edx]
00438B8A 8B8D 48FFFFFF mov ecx,dword ptr ss:[ebp-B8]
00438B90 51 push ecx
00438B91 FF50 50 call dword ptr ds:[eax+50]
00438B94 DBE2 fclex
00438B96 8985 44FFFFFF mov dword ptr ss:[ebp-BC],eax
00438B9C 83BD 44FFFFFF 00 cmp dword ptr ss:[ebp-BC],0
00438BA3 7D 23 jge short 无壳.00438BC8
00438BA5 6A 50 push 50
00438BA7 68 18734000 push 无壳.00407318
00438BAC 8B95 48FFFFFF mov edx,dword ptr ss:[ebp-B8]
00438BB2 52 push edx
00438BB3 8B85 44FFFFFF mov eax,dword ptr ss:[ebp-BC]
00438BB9 50 push eax
00438BBA FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaHres>; MSVBVM60.__vbaHresultCheckObj
00438BC0 8985 24FFFFFF mov dword ptr ss:[ebp-DC],eax
00438BC6 EB 0A jmp short 无壳.00438BD2
00438BC8 C785 24FFFFFF 00>mov dword ptr ss:[ebp-DC],0
00438BD2 6A 00 push 0
00438BD4 6A FF push -1
00438BD6 6A 01 push 1
00438BD8 68 E4724000 push 无壳.004072E4
00438BDD 68 D8724000 push 无壳.004072D8 ; UNICODE "\\"
00438BE2 8B4D C4 mov ecx,dword ptr ss:[ebp-3C]
00438BE5 51 push ecx
00438BE6 68 2C734000 push 无壳.0040732C ; UNICODE "\dao350.dll"
00438BEB FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaStrC>; MSVBVM60.__vbaStrCat
00438BF1 8BD0 mov edx,eax
00438BF3 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00438BF6 FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrM>; MSVBVM60.__vbaStrMove
00438BFC 50 push eax
00438BFD FF15 08114000 call dword ptr ds:[<&MSVBVM60.#712>] ; MSVBVM60.rtcReplace
00438C03 8BD0 mov edx,eax
00438C05 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00438C08 FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrM>; MSVBVM60.__vbaStrMove
00438C0E 8D55 C0 lea edx,dword ptr ss:[ebp-40]
00438C11 52 push edx
00438C12 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
00438C15 50 push eax
00438C16 6A 02 push 2
00438C18 FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeStrList
00438C1E 83C4 0C add esp,0C
00438C21 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00438C24 FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeObj
00438C2A C745 FC 0A000000 mov dword ptr ss:[ebp-4],0A
00438C31 6A FF push -1
00438C33 FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaOnEr>; MSVBVM60.__vbaOnError
00438C39 C745 FC 0B000000 mov dword ptr ss:[ebp-4],0B
00438C40 8B4D CC mov ecx,dword ptr ss:[ebp-34]
00438C43 51 push ecx
00438C44 8B55 D8 mov edx,dword ptr ss:[ebp-28]
00438C47 52 push edx
00438C48 FF15 5C114000 call dword ptr ds:[<&MSVBVM60.#576>] ; MSVBVM60.rtcFileCopy
00438C4E C745 FC 0C000000 mov dword ptr ss:[ebp-4],0C
00438C55 68 48734000 push 无壳.00407348 ; UNICODE "regsvr32 /s "
00438C5A 8B45 CC mov eax,dword ptr ss:[ebp-34]
00438C5D 50 push eax
00438C5E FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaStrC>; MSVBVM60.__vbaStrCat
00438C64 8BD0 mov edx,eax
00438C66 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
00438C69 FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrM>; MSVBVM60.__vbaStrMove
00438C6F C745 FC 0D000000 mov dword ptr ss:[ebp-4],0D
00438C76 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
00438C79 894D 84 mov dword ptr ss:[ebp-7C],ecx
00438C7C C785 7CFFFFFF 08>mov dword ptr ss:[ebp-84],4008
00438C86 6A 00 push 0
00438C88 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
00438C8E 52 push edx
00438C8F FF15 E8104000 call dword ptr ds:[<&MSVBVM60.#600>] ; MSVBVM60.rtcShell
00438C95 DD9D 54FFFFFF fstp qword ptr ss:[ebp-AC]
00438C9B C745 FC 0E000000 mov dword ptr ss:[ebp-4],0E
00438CA2 BA 68734000 mov edx,无壳.00407368
00438CA7 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00438CAA FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaStrC>; MSVBVM60.__vbaStrCopy
00438CB0 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
00438CB3 50 push eax
00438CB4 6A 4F push 4F
00438CB6 E8 65100000 call 无壳.00439D20
00438CBB 66:8945 D0 mov word ptr ss:[ebp-30],ax
00438CBF 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00438CC2 FF15 C8114000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeStr
00438CC8 C745 FC 0F000000 mov dword ptr ss:[ebp-4],0F
00438CCF 833D F4164400 00 cmp dword ptr ds:[4416F4],0
00438CD6 75 1C jnz short 无壳.00438CF4
00438CD8 68 F4164400 push 无壳.004416F4
00438CDD 68 08734000 push 无壳.00407308
00438CE2 FF15 40114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>; MSVBVM60.__vbaNew2
00438CE8 C785 20FFFFFF F4>mov dword ptr ss:[ebp-E0],无壳.004416F4
00438CF2 EB 0A jmp short 无壳.00438CFE
00438CF4 C785 20FFFFFF F4>mov dword ptr ss:[ebp-E0],无壳.004416F4
00438CFE 8B8D 20FFFFFF mov ecx,dword ptr ss:[ebp-E0]
00438D04 8B11 mov edx,dword ptr ds:[ecx]
00438D06 8995 50FFFFFF mov dword ptr ss:[ebp-B0],edx
00438D0C 8B45 08 mov eax,dword ptr ss:[ebp+8]
00438D0F 50 push eax
00438D10 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00438D13 51 push ecx
00438D14 FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaObjS>; MSVBVM60.__vbaObjSetAddref
00438D1A 50 push eax
00438D1B 8B95 50FFFFFF mov edx,dword ptr ss:[ebp-B0]
00438D21 8B02 mov eax,dword ptr ds:[edx]
00438D23 8B8D 50FFFFFF mov ecx,dword ptr ss:[ebp-B0]
00438D29 51 push ecx
00438D2A FF50 10 call dword ptr ds:[eax+10]
00438D2D DBE2 fclex
00438D2F 8985 4CFFFFFF mov dword ptr ss:[ebp-B4],eax
00438D35 83BD 4CFFFFFF 00 cmp dword ptr ss:[ebp-B4],0
00438D3C 7D 23 jge short 无壳.00438D61
00438D3E 6A 10 push 10
00438D40 68 F8724000 push 无壳.004072F8
00438D45 8B95 50FFFFFF mov edx,dword ptr ss:[ebp-B0]
00438D4B 52 push edx
00438D4C 8B85 4CFFFFFF mov eax,dword ptr ss:[ebp-B4]
00438D52 50 push eax
00438D53 FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaHres>; MSVBVM60.__vbaHresultCheckObj
00438D59 8985 1CFFFFFF mov dword ptr ss:[ebp-E4],eax
00438D5F EB 0A jmp short 无壳.00438D6B
00438D61 C785 1CFFFFFF 00>mov dword ptr ss:[ebp-E4],0
00438D6B 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00438D6E FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeObj
00438D74 C745 FC 10000000 mov dword ptr ss:[ebp-4],10
00438D7B 833D 48104400 00 cmp dword ptr ds:[441048],0
00438D82 75 1C jnz short 无壳.00438DA0
00438D84 68 48104400 push 无壳.00441048
00438D89 68 1C564000 push 无壳.0040561C
00438D8E FF15 40114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>; MSVBVM60.__vbaNew2
00438D94 C785 18FFFFFF 48>mov dword ptr ss:[ebp-E8],无壳.00441048
00438D9E EB 0A jmp short 无壳.00438DAA
00438DA0 C785 18FFFFFF 48>mov dword ptr ss:[ebp-E8],无壳.00441048
00438DAA 8B8D 18FFFFFF mov ecx,dword ptr ss:[ebp-E8]
00438DB0 8B11 mov edx,dword ptr ds:[ecx]
00438DB2 8995 50FFFFFF mov dword ptr ss:[ebp-B0],edx
00438DB8 C785 74FFFFFF 04>mov dword ptr ss:[ebp-8C],80020004
00438DC2 C785 6CFFFFFF 0A>mov dword ptr ss:[ebp-94],0A
00438DCC C745 84 04000280 mov dword ptr ss:[ebp-7C],80020004
00438DD3 C785 7CFFFFFF 0A>mov dword ptr ss:[ebp-84],0A
00438DDD B8 10000000 mov eax,10
00438DE2 E8 698AFCFF call <jmp.&MSVBVM60.__vbaChkstk>
00438DE7 8BC4 mov eax,esp
00438DE9 8B8D 6CFFFFFF mov ecx,dword ptr ss:[ebp-94]
00438DEF 8908 mov dword ptr ds:[eax],ecx
00438DF1 8B95 70FFFFFF mov edx,dword ptr ss:[ebp-90]
00438DF7 8950 04 mov dword ptr ds:[eax+4],edx
00438DFA 8B8D 74FFFFFF mov ecx,dword ptr ss:[ebp-8C]
00438E00 8948 08 mov dword ptr ds:[eax+8],ecx
00438E03 8B95 78FFFFFF mov edx,dword ptr ss:[ebp-88]
00438E09 8950 0C mov dword ptr ds:[eax+C],edx
00438E0C B8 10000000 mov eax,10
00438E11 E8 3A8AFCFF call <jmp.&MSVBVM60.__vbaChkstk>
00438E16 8BC4 mov eax,esp
00438E18 8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-84]
00438E1E 8908 mov dword ptr ds:[eax],ecx
00438E20 8B55 80 mov edx,dword ptr ss:[ebp-80]
00438E23 8950 04 mov dword ptr ds:[eax+4],edx
00438E26 8B4D 84 mov ecx,dword ptr ss:[ebp-7C]
00438E29 8948 08 mov dword ptr ds:[eax+8],ecx
00438E2C 8B55 88 mov edx,dword ptr ss:[ebp-78]
00438E2F 8950 0C mov dword ptr ds:[eax+C],edx
00438E32 8B85 50FFFFFF mov eax,dword ptr ss:[ebp-B0]
00438E38 8B08 mov ecx,dword ptr ds:[eax]
00438E3A 8B95 50FFFFFF mov edx,dword ptr ss:[ebp-B0]
00438E40 52 push edx
00438E41 FF91 B0020000 call dword ptr ds:[ecx+2B0]
00438E47 DBE2 fclex
00438E49 8985 4CFFFFFF mov dword ptr ss:[ebp-B4],eax
00438E4F 83BD 4CFFFFFF 00 cmp dword ptr ss:[ebp-B4],0
00438E56 7D 26 jge short 无壳.00438E7E
00438E58 68 B0020000 push 2B0
00438E5D 68 30774000 push 无壳.00407730
00438E62 8B85 50FFFFFF mov eax,dword ptr ss:[ebp-B0]
00438E68 50 push eax
00438E69 8B8D 4CFFFFFF mov ecx,dword ptr ss:[ebp-B4]
00438E6F 51 push ecx
00438E70 FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaHres>; MSVBVM60.__vbaHresultCheckObj
00438E76 8985 14FFFFFF mov dword ptr ss:[ebp-EC],eax
00438E7C EB 0A jmp short 无壳.00438E88
00438E7E C785 14FFFFFF 00>mov dword ptr ss:[ebp-EC],0
00438E88 C745 F0 00000000 mov dword ptr ss:[ebp-10],0
00438E8F 9B wait
00438E90 68 F08E4300 push 无壳.00438EF0
00438E95 EB 34 jmp short 无壳.00438ECB
00438E97 8D55 C0 lea edx,dword ptr ss:[ebp-40]
00438E9A 52 push edx
00438E9B 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
00438E9E 50 push eax
00438E9F 6A 02 push 2
00438EA1 FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeStrList
00438EA7 83C4 0C add esp,0C
00438EAA 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00438EAD FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeObj
00438EB3 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
00438EB6 51 push ecx
00438EB7 8D55 9C lea edx,dword ptr ss:[ebp-64]
00438EBA 52 push edx
00438EBB 8D45 AC lea eax,dword ptr ss:[ebp-54]
00438EBE 50 push eax
00438EBF 6A 03 push 3
00438EC1 FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeVarList
00438EC7 83C4 10 add esp,10
00438ECA C3 retn
00438ECB 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00438ECE FF15 C8114000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeStr
00438ED4 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00438ED7 FF15 C8114000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeStr
00438EDD 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00438EE0 FF15 C8114000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeStr
00438EE6 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
00438EE9 FF15 C8114000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeStr
00438EEF C3 retn
00438EF0 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00438EF3 8B11 mov edx,dword ptr ds:[ecx]
00438EF5 8B45 08 mov eax,dword ptr ss:[ebp+8]
00438EF8 50 push eax
00438EF9 FF52 08 call dword ptr ds:[edx+8]
00438EFC 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00438EFF 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00438F02 64:890D 00000000 mov dword ptr fs:[0],ecx
00438F09 5F pop edi
00438F0A 5E pop esi
00438F0B 5B pop ebx
00438F0C 8BE5 mov esp,ebp
00438F0E 5D pop ebp
00438F0F C2 0400 retn 4
00438F12 FF15 34114000 call dword ptr ds:[<&MSVBVM60.__vbaErro>; MSVBVM60.__vbaErrorOverflow
00438F18 CC int3
00438F19 CC int3
00438F1A CC int3
00438F1B CC int3
00438F1C CC int3
00438F1D CC int3
00438F1E CC int3
00438F1F CC int3
00438F20 55 push ebp
00438F21 8BEC mov ebp,esp
00438F23 83EC 18 sub esp,18
00438F26 68 56184000 push <jmp.&MSVBVM60.__vbaExceptHandler>
00438F2B 64:A1 00000000 mov eax,dword ptr fs:[0]
00438F31 50 push eax
00438F32 64:8925 00000000 mov dword ptr fs:[0],esp
00438F39 B8 D0000000 mov eax,0D0
00438F3E E8 0D89FCFF call <jmp.&MSVBVM60.__vbaChkstk>
00438F43 53 push ebx
00438F44 56 push esi
00438F45 57 push edi
00438F46 8965 E8 mov dword ptr ss:[ebp-18],esp
00438F49 C745 EC 40124000 mov dword ptr ss:[ebp-14],无壳.00401240
00438F50 C745 F0 00000000 mov dword ptr ss:[ebp-10],0
00438F57 C745 F4 00000000 mov dword ptr ss:[ebp-C],0
00438F5E C745 FC 01000000 mov dword ptr ss:[ebp-4],1
00438F65 C745 FC 02000000 mov dword ptr ss:[ebp-4],2
00438F6C 6A FF push -1
00438F6E FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaOnEr>; MSVBVM60.__vbaOnError
00438F74 C745 FC 03000000 mov dword ptr ss:[ebp-4],3
00438F7B 8D45 B8 lea eax,dword ptr ss:[ebp-48]
00438F7E 50 push eax
00438F7F E8 40E5FCFF call 无壳.004074C4
00438F84 FF15 54104000 call dword ptr ds:[<&MSVBVM60.__vbaSetS>; MSVBVM60.__vbaSetSystemError
00438F8A C745 FC 04000000 mov dword ptr ss:[ebp-4],4
00438F91 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00438F94 898D 60FFFFFF mov dword ptr ss:[ebp-A0],ecx
00438F9A C785 58FFFFFF 03>mov dword ptr ss:[ebp-A8],4003
00438FA4 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
00438FAA 52 push edx
00438FAB 8D45 98 lea eax,dword ptr ss:[ebp-68]
00438FAE 50 push eax
00438FAF FF15 84114000 call dword ptr ds:[<&MSVBVM60.#613>] ; MSVBVM60.rtcVarStrFromVar
00438FB5 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00438FB8 898D 50FFFFFF mov dword ptr ss:[ebp-B0],ecx
00438FBE C785 48FFFFFF 03>mov dword ptr ss:[ebp-B8],4003
00438FC8 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
00438FCE 52 push edx
00438FCF 8D45 88 lea eax,dword ptr ss:[ebp-78]
00438FD2 50 push eax
00438FD3 FF15 84114000 call dword ptr ds:[<&MSVBVM60.#613>] ; MSVBVM60.rtcVarStrFromVar
00438FD9 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
00438FDC 51 push ecx
00438FDD 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
00438FE0 52 push edx
00438FE1 FF15 28114000 call dword ptr ds:[<&MSVBVM60.__vbaStrV>; MSVBVM60.__vbaStrVarVal
00438FE7 50 push eax
00438FE8 FF15 44104000 call dword ptr ds:[<&MSVBVM60.#519>] ; MSVBVM60.rtcTrimBstr
00438FEE 8BD0 mov edx,eax
00438FF0 8D4D AC lea ecx,dword ptr ss:[ebp-54]
00438FF3 FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrM>; MSVBVM60.__vbaStrMove
00438FF9 50 push eax
00438FFA 8D45 88 lea eax,dword ptr ss:[ebp-78]
00438FFD 50 push eax
00438FFE 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00439001 51 push ecx
00439002 FF15 28114000 call dword ptr ds:[<&MSVBVM60.__vbaStrV>; MSVBVM60.__vbaStrVarVal
00439008 50 push eax
00439009 FF15 44104000 call dword ptr ds:[<&MSVBVM60.#519>] ; MSVBVM60.rtcTrimBstr
0043900F 8BD0 mov edx,eax
00439011 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00439014 FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrM>; MSVBVM60.__vbaStrMove
0043901A 50 push eax
0043901B FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaStrC>; MSVBVM60.__vbaStrCat
00439021 8BD0 mov edx,eax
00439023 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00439026 FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrM>; MSVBVM60.__vbaStrMove
0043902C 8D55 A8 lea edx,dword ptr ss:[ebp-58]
0043902F 52 push edx
00439030 8D45 AC lea eax,dword ptr ss:[ebp-54]
00439033 50 push eax
00439034 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00439037 51 push ecx
00439038 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
0043903B 52 push edx
0043903C 6A 04 push 4
0043903E FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeStrList
00439044 83C4 14 add esp,14
00439047 8D45 88 lea eax,dword ptr ss:[ebp-78]
0043904A 50 push eax
0043904B 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
0043904E 51 push ecx
0043904F 6A 02 push 2
00439051 FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeVarList
00439057 83C4 0C add esp,0C
0043905A C745 FC 05000000 mov dword ptr ss:[ebp-4],5
00439061 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
00439064 8995 60FFFFFF mov dword ptr ss:[ebp-A0],edx
0043906A C785 58FFFFFF 03>mov dword ptr ss:[ebp-A8],4003
00439074 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
0043907A 50 push eax
0043907B 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
0043907E 51 push ecx
0043907F FF15 84114000 call dword ptr ds:[<&MSVBVM60.#613>] ; MSVBVM60.rtcVarStrFromVar
00439085 8D55 98 lea edx,dword ptr ss:[ebp-68]
00439088 52 push edx
00439089 FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrV>; MSVBVM60.__vbaStrVarMove
0043908F 8BD0 mov edx,eax
00439091 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00439094 FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrM>; MSVBVM60.__vbaStrMove
0043909A 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
0043909D FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeVar
004390A3 C745 FC 06000000 mov dword ptr ss:[ebp-4],6
004390AA FF15 68114000 call dword ptr ds:[<&MSVBVM60.#685>] ; MSVBVM60.rtcErrObj
004390B0 8945 A0 mov dword ptr ss:[ebp-60],eax
004390B3 C745 98 09000000 mov dword ptr ss:[ebp-68],9
004390BA 8D45 98 lea eax,dword ptr ss:[ebp-68]
004390BD 50 push eax
004390BE FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaBool>; MSVBVM60.__vbaBoolVarNull
004390C4 66:8985 24FFFFFF mov word ptr ss:[ebp-DC],ax
004390CB 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004390CE FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeVar
004390D4 0FBF8D 24FFFFFF movsx ecx,word ptr ss:[ebp-DC]
004390DB 85C9 test ecx,ecx
004390DD 0F84 B1000000 je 无壳.00439194
004390E3 C745 FC 07000000 mov dword ptr ss:[ebp-4],7
004390EA C785 70FFFFFF 04>mov dword ptr ss:[ebp-90],80020004
004390F4 C785 68FFFFFF 0A>mov dword ptr ss:[ebp-98],0A
004390FE C745 80 04000280 mov dword ptr ss:[ebp-80],80020004
00439105 C785 78FFFFFF 0A>mov dword ptr ss:[ebp-88],0A
0043910F C785 50FFFFFF 84>mov dword ptr ss:[ebp-B0],无壳.00407A84
00439119 C785 48FFFFFF 08>mov dword ptr ss:[ebp-B8],8
00439123 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
00439129 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0043912C FF15 78114000 call dword ptr ds:[<&MSVBVM60.__vbaVarD>; MSVBVM60.__vbaVarDup
00439132 C785 60FFFFFF 10>mov dword ptr ss:[ebp-A0],无壳.00407A10
0043913C C785 58FFFFFF 08>mov dword ptr ss:[ebp-A8],8
00439146 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
0043914C 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
0043914F FF15 78114000 call dword ptr ds:[<&MSVBVM60.__vbaVarD>; MSVBVM60.__vbaVarDup
00439155 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
0043915B 52 push edx
0043915C 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]
00439162 50 push eax
00439163 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
00439166 51 push ecx
00439167 6A 10 push 10
00439169 8D55 98 lea edx,dword ptr ss:[ebp-68]
0043916C 52 push edx
0043916D FF15 70104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
00439173 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
00439179 50 push eax
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课