C++ 5.0 [Overlay] 如何脱壳?程序pb8.0的。-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

最新回复 (8)
caiweb 雪币： 199 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 41 粉丝 0 关注私信	caiweb 2 楼还有，我分析过，不是e语言的。 2006-9-5 22:27 0
Kisco 雪币： 203 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 43 粉丝 0 关注私信	Kisco 3 楼 C++ 5.0 本身就是一种编程语言啊, 汗~~~~~~~~~~~~~~~ 2006-9-5 22:43 0
caiweb 雪币： 199 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 41 粉丝 0 关注私信	caiweb 4 楼肯定加密了的，字符串全都找不到。 2006-9-6 17:32 0
linex 雪币： 279 活跃值： (145) 能力值： ( LV9，RANK：290 ) 在线值：发帖 11 回帖 267 粉丝 0 关注私信	linex 7 5 楼有些加密壳会伪装成C++的. 2006-9-6 17:35 0
caiweb 雪币： 199 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 41 粉丝 0 关注私信	caiweb 6 楼肯定是pb写的,能用什么加密壳啊？？用OD转来转去转不出来啊。谁帮看看。 2006-9-8 19:38 0
caiweb 雪币： 199 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 41 粉丝 0 关注私信	caiweb 7 楼 10001000 /$ 56 push esi 10001001 \|. 57 push edi 10001002 \|. FF15 08500010 call dword ptr ds:[<&KERNEL32.GetCom>; [GetCommandLineA 10001008 \|. 8BF0 mov esi,eax 1000100A \|. 8A06 mov al,byte ptr ds:[esi] 1000100C \|. 46 inc esi 1000100D \|. 3C 22 cmp al,22 1000100F \|. 75 3E jnz short car_exam.1000104F 10001011 \|. E8 DA000000 call car_exam.100010F0 10001016 \|. 85C0 test eax,eax 10001018 \|. 6A 22 push 22 1000101A \|. 56 push esi 1000101B \|. 74 07 je short car_exam.10001024 1000101D \|. E8 7E070000 call car_exam.100017A0 10001022 \|. EB 05 jmp short car_exam.10001029 10001024 \|> E8 B7060000 call car_exam.100016E0 10001029 \|> 8BD0 mov edx,eax 1000102B \|. 83C4 08 add esp,8 1000102E \|. 85D2 test edx,edx 10001030 \|. 74 44 je short car_exam.10001076 10001032 \|. 8BFA mov edi,edx 10001034 \|. 83C9 FF or ecx,FFFFFFFF 10001037 \|. 33C0 xor eax,eax 10001039 \|. F2:AE repne scas byte ptr es:[edi] 1000103B \|. F7D1 not ecx 1000103D \|. 49 dec ecx 1000103E \|. 83F9 02 cmp ecx,2 10001041 \|. 77 07 ja short car_exam.1000104A 10001043 \|. BE B0840010 mov esi,car_exam.100084B0 10001048 \|. EB 2C jmp short car_exam.10001076 1000104A \|> 8D72 02 lea esi,dword ptr ds:[edx+2] 1000104D \|. EB 27 jmp short car_exam.10001076 1000104F \|> E8 9C000000 call car_exam.100010F0 10001054 \|. 85C0 test eax,eax 10001056 \|. 6A 20 push 20 10001058 \|. 56 push esi 10001059 \|. 74 07 je short car_exam.10001062 1000105B \|. E8 40070000 call car_exam.100017A0 10001060 \|. EB 05 jmp short car_exam.10001067 10001062 \|> E8 79060000 call car_exam.100016E0 10001067 \|> 83C4 08 add esp,8 1000106A \|. BE B4840010 mov esi,car_exam.100084B4 1000106F \|. 85C0 test eax,eax 10001071 \|. 74 03 je short car_exam.10001076 10001073 \|. 8D70 01 lea esi,dword ptr ds:[eax+1] 10001076 \|> 8B4C24 18 mov ecx,dword ptr ss:[esp+18] 1000107A \|. 8B5424 10 mov edx,dword ptr ss:[esp+10] 1000107E \|. 8B4424 0C mov eax,dword ptr ss:[esp+C] 10001082 \|. 6A 00 push 0 10001084 \|. 68 E8030000 push 3E8 10001089 \|. 51 push ecx 1000108A \|. 56 push esi 1000108B \|. 52 push edx 1000108C \|. 50 push eax 1000108D \|. E8 2E060000 call <jmp.&PBVM80.#137> 10001092 \|. 5F pop edi 10001093 \|. 5E pop esi 10001094 \. C2 1000 retn 10 10001097 90 nop 10001098 90 nop 10001099 90 nop 1000109A 90 nop 1000109B 90 nop 1000109C 90 nop 1000109D 90 nop 1000109E 90 nop 1000109F 90 nop 100010A0 . E9 0B000000 jmp car_exam.100010B0 100010A5 90 nop 100010A6 90 nop 100010A7 90 nop 100010A8 90 nop 100010A9 90 nop 100010AA 90 nop 100010AB 90 nop 100010AC 90 nop 100010AD 90 nop 100010AE 90 nop 100010AF 90 nop 100010B0 > E8 0B000000 call car_exam.100010C0 100010B5 . A3 B8840010 mov dword ptr ds:[100084B8],eax 100010BA . C3 retn 100010BB 90 nop 100010BC 90 nop 100010BD 90 nop 100010BE 90 nop 100010BF 90 nop 100010C0 /$ 83EC 14 sub esp,14 100010C3 \|. 8D4424 00 lea eax,dword ptr ss:[esp] 100010C7 \|. 50 push eax ; /pCPInfo 100010C8 \|. 6A 00 push 0 ; \|CodePage = CP_ACP 100010CA \|. FF15 0C500010 call dword ptr ds:[<&KERNEL32.GetCPI>; \GetCPInfo 100010D0 \|. 8B5424 00 mov edx,dword ptr ss:[esp] 100010D4 \|. B9 01000000 mov ecx,1 100010D9 \|. 3BCA cmp ecx,edx 100010DB \|. 1BC0 sbb eax,eax 100010DD \|. F7D8 neg eax 100010DF \|. 83C4 14 add esp,14 100010E2 \. C3 retn 100010E3 90 nop 100010E4 90 nop 100010E5 90 nop 100010E6 90 nop 100010E7 90 nop 100010E8 90 nop 100010E9 90 nop 100010EA 90 nop 100010EB 90 nop 100010EC 90 nop 100010ED 90 nop 100010EE 90 nop 100010EF 90 nop 100010F0 /$ A1 B8840010 mov eax,dword ptr ds:[100084B8] 100010F5 \. C3 retn 100010F6 90 nop 100010F7 90 nop 100010F8 90 nop 100010F9 90 nop 100010FA 90 nop 100010FB 90 nop 100010FC 90 nop 100010FD 90 nop 100010FE 90 nop 100010FF 90 nop 10001100 . 51 push ecx 10001101 . 8B4424 0C mov eax,dword ptr ss:[esp+C] 10001105 . 33D2 xor edx,edx 10001107 . 53 push ebx 10001108 . 55 push ebp 10001109 . 8AD4 mov dl,ah 1000110B . 56 push esi 1000110C . 8BC8 mov ecx,eax 1000110E . 57 push edi 1000110F . 8BEA mov ebp,edx 10001111 . 33FF xor edi,edi 10001113 . 81E1 FF000000 and ecx,0FF 10001119 . 85ED test ebp,ebp 1000111B . 894C24 10 mov dword ptr ss:[esp+10],ecx 1000111F . 75 20 jnz short car_exam.10001141 10001121 . 85C9 test ecx,ecx 10001123 . 75 1C jnz short car_exam.10001141 10001125 . 8B5424 18 mov edx,dword ptr ss:[esp+18] 10001129 . 83C9 FF or ecx,FFFFFFFF 1000112C . 8BFA mov edi,edx 1000112E . 33C0 xor eax,eax 10001130 . F2:AE repne scas byte ptr es:[edi] 10001132 . F7D1 not ecx 10001134 . 49 dec ecx 10001135 . 8BC1 mov eax,ecx 10001137 . 03C2 add eax,edx 10001139 . 5F pop edi 1000113A . 5E pop esi 1000113B . 5D pop ebp 1000113C . 5B pop ebx 1000113D . 59 pop ecx 1000113E . C2 0800 retn 8 10001141 > 8B7424 18 mov esi,dword ptr ss:[esp+18] 10001145 . 33DB xor ebx,ebx 10001147 . 803E 00 cmp byte ptr ds:[esi],0 1000114A . 74 51 je short car_exam.1000119D 1000114C . EB 04 jmp short car_exam.10001152 1000114E > 8B4C24 10 mov ecx,dword ptr ss:[esp+10] 10001152 > 85FF test edi,edi 10001154 . 74 1D je short car_exam.10001173 10001156 . 33FF xor edi,edi 10001158 . 85ED test ebp,ebp 1000115A . 74 39 je short car_exam.10001195 1000115C . 8D46 FF lea eax,dword ptr ds:[esi-1] 1000115F . 33D2 xor edx,edx 10001161 . 8A10 mov dl,byte ptr ds:[eax] 10001163 . 3BD5 cmp edx,ebp 10001165 . 75 2E jnz short car_exam.10001195 10001167 . 33D2 xor edx,edx 10001169 . 8A16 mov dl,byte ptr ds:[esi] 1000116B . 3BD1 cmp edx,ecx 1000116D . 75 26 jnz short car_exam.10001195 1000116F . 8BD8 mov ebx,eax 10001171 . EB 22 jmp short car_exam.10001195 10001173 > 8A06 mov al,byte ptr ds:[esi] 10001175 . 50 push eax ; /TestChar 10001176 . FF15 10500010 call dword ptr ds:[<&KERNEL32.IsDBCS>; \IsDBCSLeadByte 1000117C . 85C0 test eax,eax 1000117E . 74 07 je short car_exam.10001187 10001180 . BF 01000000 mov edi,1 10001185 . EB 0E jmp short car_exam.10001195 10001187 > 8B4424 1C mov eax,dword ptr ss:[esp+1C] 1000118B . 33C9 xor ecx,ecx 1000118D . 8A0E mov cl,byte ptr ds:[esi] 1000118F . 3BC8 cmp ecx,eax 10001191 . 75 02 jnz short car_exam.10001195 10001193 . 8BDE mov ebx,esi 10001195 > 8A46 01 mov al,byte ptr ds:[esi+1] 10001198 . 46 inc esi 10001199 . 84C0 test al,al 1000119B .^ 75 B1 jnz short car_exam.1000114E 1000119D > 5F pop edi 1000119E . 5E pop esi 1000119F . 8BC3 mov eax,ebx 100011A1 . 5D pop ebp 100011A2 . 5B pop ebx 100011A3 . 59 pop ecx 100011A4 . C2 0800 retn 8 100011A7 90 nop 100011A8 90 nop 100011A9 90 nop 100011AA 90 nop 100011AB 90 nop 100011AC 90 nop 100011AD 90 nop 100011AE 90 nop 100011AF 90 nop 100011B0 /$ 51 push ecx 100011B1 \|. 8B4424 0C mov eax,dword ptr ss:[esp+C] 100011B5 \|. 53 push ebx 100011B6 \|. 33C9 xor ecx,ecx 100011B8 \|. 55 push ebp 100011B9 \|. 56 push esi 100011BA \|. 8ACC mov cl,ah 100011BC \|. 57 push edi 100011BD \|. 8BD8 mov ebx,eax 100011BF \|. 33FF xor edi,edi 100011C1 \|. 8BE9 mov ebp,ecx 100011C3 \|. 81E3 FF000000 and ebx,0FF 100011C9 \|. 3BEF cmp ebp,edi 100011CB \|. 75 20 jnz short car_exam.100011ED 100011CD \|. 3BDF cmp ebx,edi 100011CF \|. 75 1C jnz short car_exam.100011ED 100011D1 \|. 8B5424 18 mov edx,dword ptr ss:[esp+18] 100011D5 \|. 83C9 FF or ecx,FFFFFFFF 100011D8 \|. 8BFA mov edi,edx 100011DA \|. 33C0 xor eax,eax 100011DC \|. F2:AE repne scas byte ptr es:[edi] 100011DE \|. F7D1 not ecx 100011E0 \|. 49 dec ecx 100011E1 \|. 8BC1 mov eax,ecx 100011E3 \|. 03C2 add eax,edx 100011E5 \|. 5F pop edi 100011E6 \|. 5E pop esi 100011E7 \|. 5D pop ebp 100011E8 \|. 5B pop ebx 100011E9 \|. 59 pop ecx 100011EA \|. C2 0800 retn 8 100011ED \|> 8B7424 18 mov esi,dword ptr ss:[esp+18] 100011F1 \|. 897C24 10 mov dword ptr ss:[esp+10],edi 100011F5 \|. 803E 00 cmp byte ptr ds:[esi],0 100011F8 \|. 74 56 je short car_exam.10001250 100011FA \|> 85FF /test edi,edi 100011FC \|. 74 19 \|je short car_exam.10001217 100011FE \|. 33FF \|xor edi,edi 10001200 \|. 85ED \|test ebp,ebp 10001202 \|. 74 33 \|je short car_exam.10001237 10001204 \|. 33D2 \|xor edx,edx 10001206 \|. 8A56 FF \|mov dl,byte ptr ds:[esi-1] 10001209 \|. 3BD5 \|cmp edx,ebp 1000120B \|. 75 2A \|jnz short car_exam.10001237 1000120D \|. 33C0 \|xor eax,eax 1000120F \|. 8A06 \|mov al,byte ptr ds:[esi] 10001211 \|. 3BC3 \|cmp eax,ebx 10001213 \|. 74 36 \|je short car_exam.1000124B 10001215 \|. EB 20 \|jmp short car_exam.10001237 10001217 \|> 8A0E \|mov cl,byte ptr ds:[esi] 10001219 \|. 51 \|push ecx ; /TestChar 1000121A \|. FF15 10500010 \|call dword ptr ds:[<&KERNEL32.IsDBC>; \IsDBCSLeadByte 10001220 \|. 85C0 \|test eax,eax 10001222 \|. 74 07 \|je short car_exam.1000122B 10001224 \|. BF 01000000 \|mov edi,1 10001229 \|. EB 0C \|jmp short car_exam.10001237 1000122B \|> 8B4424 1C \|mov eax,dword ptr ss:[esp+1C] 1000122F \|. 33D2 \|xor edx,edx 10001231 \|. 8A16 \|mov dl,byte ptr ds:[esi] 10001233 \|. 3BD0 \|cmp edx,eax 10001235 \|. 74 15 \|je short car_exam.1000124C 10001237 \|> 8A46 01 \|mov al,byte ptr ds:[esi+1] 1000123A \|. 46 \|inc esi 1000123B \|. 84C0 \|test al,al 1000123D \|.^ 75 BB \jnz short car_exam.100011FA 1000123F \|. 8B4424 10 mov eax,dword ptr ss:[esp+10] 10001243 \|. 5F pop edi 10001244 \|. 5E pop esi 10001245 \|. 5D pop ebp 10001246 \|. 5B pop ebx 10001247 \|. 59 pop ecx 10001248 \|. C2 0800 retn 8 1000124B \|> 4E dec esi 1000124C \|> 897424 10 mov dword ptr ss:[esp+10],esi 10001250 \|> 8B4424 10 mov eax,dword ptr ss:[esp+10] 10001254 \|. 5F pop edi 10001255 \|. 5E pop esi 10001256 \|. 5D pop ebp 10001257 \|. 5B pop ebx 10001258 \|. 59 pop ecx 10001259 \. C2 0800 retn 8 1000125C 90 nop 1000125D 90 nop 1000125E 90 nop 1000125F 90 nop 10001260 . 53 push ebx 10001261 . 55 push ebp 10001262 . 56 push esi 10001263 . 8B7424 10 mov esi,dword ptr ss:[esp+10] 10001267 . 33DB xor ebx,ebx 10001269 . 33ED xor ebp,ebp 1000126B . 8A06 mov al,byte ptr ds:[esi] 1000126D . 57 push edi 1000126E . 84C0 test al,al 10001270 . 74 5F je short car_exam.100012D1 10001272 . 8B7C24 14 mov edi,dword ptr ss:[esp+14] 10001276 > 85DB test ebx,ebx 10001278 . 74 0A je short car_exam.10001284 1000127A . 33C0 xor eax,eax 1000127C . 33DB xor ebx,ebx 1000127E . 8A06 mov al,byte ptr ds:[esi] 10001280 . 0BF8 or edi,eax 10001282 . EB 24 jmp short car_exam.100012A8 10001284 > 8A0E mov cl,byte ptr ds:[esi] 10001286 . 51 push ecx ; /TestChar 10001287 . FF15 10500010 call dword ptr ds:[<&KERNEL32.IsDBCS>; \IsDBCSLeadByte 1000128D . 85C0 test eax,eax 1000128F . 74 0F je short car_exam.100012A0 10001291 . 33D2 xor edx,edx 10001293 . BB 01000000 mov ebx,1 10001298 . 8A36 mov dh,byte ptr ds:[esi] 1000129A . 8BEE mov ebp,esi 1000129C . 8BFA mov edi,edx 1000129E . EB 17 jmp short car_exam.100012B7 100012A0 > 33C0 xor eax,eax 100012A2 . 8BEE mov ebp,esi 100012A4 . 8A06 mov al,byte ptr ds:[esi] 100012A6 . 8BF8 mov edi,eax 100012A8 > 8B4C24 18 mov ecx,dword ptr ss:[esp+18] 100012AC . 57 push edi 100012AD . 51 push ecx 100012AE . E8 FDFEFFFF call car_exam.100011B0 100012B3 . 85C0 test eax,eax 100012B5 . 75 11 jnz short car_exam.100012C8 100012B7 > 8A46 01 mov al,byte ptr ds:[esi+1] 100012BA . 46 inc esi 100012BB . 84C0 test al,al 100012BD .^ 75 B7 jnz short car_exam.10001276 100012BF . 33C0 xor eax,eax 100012C1 . 5F pop edi 100012C2 . 5E pop esi 100012C3 . 5D pop ebp 100012C4 . 5B pop ebx 100012C5 . C2 0800 retn 8 100012C8 > 8BC5 mov eax,ebp 100012CA . 5F pop edi 100012CB . 5E pop esi 100012CC . 5D pop ebp 100012CD . 5B pop ebx 100012CE . C2 0800 retn 8 100012D1 > 5F pop edi 100012D2 . 5E pop esi 100012D3 . 5D pop ebp 100012D4 . 33C0 xor eax,eax 100012D6 . 5B pop ebx 100012D7 . C2 0800 retn 8 100012DA 90 nop 100012DB 90 nop 100012DC 90 nop 100012DD 90 nop 100012DE 90 nop 100012DF 90 nop 100012E0 . 83EC 08 sub esp,8 100012E3 . 53 push ebx 100012E4 . 55 push ebp 100012E5 . 8B6C24 14 mov ebp,dword ptr ss:[esp+14] 100012E9 . 56 push esi 100012EA . 57 push edi 100012EB . C74424 10 000>mov dword ptr ss:[esp+10],0 100012F3 . 8A45 00 mov al,byte ptr ss:[ebp] 100012F6 . 896C24 1C mov dword ptr ss:[esp+1C],ebp 100012FA . 84C0 test al,al 100012FC . 0F84 C3000000 je car_exam.100013C5 10001302 > 8B7424 20 mov esi,dword ptr ss:[esp+20] 10001306 . 83C9 FF or ecx,FFFFFFFF 10001309 . 8BFE mov edi,esi 1000130B . 33C0 xor eax,eax 1000130D . F2:AE repne scas byte ptr es:[edi] 1000130F . F7D1 not ecx 10001311 . 49 dec ecx 10001312 . 8BFD mov edi,ebp 10001314 . 8BD1 mov edx,ecx 10001316 . 83C9 FF or ecx,FFFFFFFF 10001319 . F2:AE repne scas byte ptr es:[edi] 1000131B . F7D1 not ecx 1000131D . 49 dec ecx 1000131E . 3BD1 cmp edx,ecx 10001320 . 0F87 9F000000 ja car_exam.100013C5 10001326 . 8B4424 10 mov eax,dword ptr ss:[esp+10] 1000132A . 85C0 test eax,eax 1000132C . 74 0A je short car_exam.10001338 1000132E . C74424 10 000>mov dword ptr ss:[esp+10],0 10001336 . EB 65 jmp short car_exam.1000139D 10001338 > 8A45 00 mov al,byte ptr ss:[ebp] 1000133B . 50 push eax ; /TestChar 1000133C . FF15 10500010 call dword ptr ds:[<&KERNEL32.IsDBCS>; \IsDBCSLeadByte 10001342 . 85C0 test eax,eax 10001344 . 74 08 je short car_exam.1000134E 10001346 . C74424 10 010>mov dword ptr ss:[esp+10],1 1000134E > 8A06 mov al,byte ptr ds:[esi] 10001350 . 8BD6 mov edx,esi 10001352 . 84C0 test al,al 10001354 . 74 42 je short car_exam.10001398 10001356 . 2BEE sub ebp,esi 10001358 > 8A1C2A mov bl,byte ptr ds:[edx+ebp] 1000135B . 8D342A lea esi,dword ptr ds:[edx+ebp] 1000135E . 84DB test bl,bl 10001360 . 74 32 je short car_exam.10001394 10001362 . 8BFA mov edi,edx 10001364 . 83C9 FF or ecx,FFFFFFFF 10001367 . 33C0 xor eax,eax 10001369 . F2:AE repne scas byte ptr es:[edi] 1000136B . F7D1 not ecx 1000136D . 49 dec ecx 1000136E . 8BFE mov edi,esi 10001370 . 8BC1 mov eax,ecx 10001372 . 83C9 FF or ecx,FFFFFFFF 10001375 . 894424 14 mov dword ptr ss:[esp+14],eax 10001379 . 33C0 xor eax,eax 1000137B . F2:AE repne scas byte ptr es:[edi] 1000137D . 8B4424 14 mov eax,dword ptr ss:[esp+14] 10001381 . F7D1 not ecx 10001383 . 49 dec ecx 10001384 . 3BC8 cmp ecx,eax 10001386 . 72 0C jb short car_exam.10001394 10001388 . 3A1A cmp bl,byte ptr ds:[edx] 1000138A . 75 08 jnz short car_exam.10001394 1000138C . 8A42 01 mov al,byte ptr ds:[edx+1] 1000138F . 42 inc edx 10001390 . 84C0 test al,al 10001392 .^ 75 C4 jnz short car_exam.10001358 10001394 > 8B6C24 1C mov ebp,dword ptr ss:[esp+1C] 10001398 > 803A 00 cmp byte ptr ds:[edx],0 1000139B . 74 1C je short car_exam.100013B9 1000139D > 8A45 01 mov al,byte ptr ss:[ebp+1] 100013A0 . 45 inc ebp 100013A1 . 84C0 test al,al 100013A3 . 896C24 1C mov dword ptr ss:[esp+1C],ebp 100013A7 .^ 0F85 55FFFFFF jnz car_exam.10001302 100013AD . 33C0 xor eax,eax 100013AF . 5F pop edi 100013B0 . 5E pop esi 100013B1 . 5D pop ebp 100013B2 . 5B pop ebx 100013B3 . 83C4 08 add esp,8 100013B6 . C2 0800 retn 8 100013B9 > 8BC5 mov eax,ebp 100013BB . 5F pop edi 100013BC . 5E pop esi 100013BD . 5D pop ebp 100013BE . 5B pop ebx 100013BF . 83C4 08 add esp,8 100013C2 . C2 0800 retn 8 100013C5 > 5F pop edi 100013C6 . 5E pop esi 100013C7 . 5D pop ebp 100013C8 . 33C0 xor eax,eax 100013CA . 5B pop ebx 100013CB . 83C4 08 add esp,8 100013CE . C2 0800 retn 8 100013D1 90 nop 100013D2 90 nop 100013D3 90 nop 100013D4 90 nop 100013D5 90 nop 100013D6 90 nop 100013D7 90 nop 100013D8 90 nop 100013D9 90 nop 100013DA 90 nop 100013DB 90 nop 100013DC 90 nop 100013DD 90 nop 100013DE 90 nop 100013DF 90 nop 100013E0 /$ 53 push ebx 100013E1 \|. 55 push ebp 100013E2 \|. 56 push esi 100013E3 \|. 8B7424 10 mov esi,dword ptr ss:[esp+10] 100013E7 \|. 57 push edi 100013E8 \|. 33ED xor ebp,ebp 100013EA \|. 8A06 mov al,byte ptr ds:[esi] 100013EC \|. 33FF xor edi,edi 100013EE \|. 84C0 test al,al 100013F0 \|. 74 76 je short car_exam.10001468 100013F2 \|. 8A5C24 1C mov bl,byte ptr ss:[esp+1C] 100013F6 \|> 3B6C24 18 /cmp ebp,dword ptr ss:[esp+18] 100013FA \|. 7D 6C \|jge short car_exam.10001468 100013FC \|. 85FF \|test edi,edi 100013FE \|. 74 04 \|je short car_exam.10001404 10001400 \|. 33FF \|xor edi,edi 10001402 \|. EB 5B \|jmp short car_exam.1000145F 10001404 \|> 8A06 \|mov al,byte ptr ds:[esi] 10001406 \|. 50 \|push eax ; /TestChar 10001407 \|. FF15 10500010 \|call dword ptr ds:[<&KERNEL32.IsDBC>; \IsDBCSLeadByte 1000140D \|. 85C0 \|test eax,eax 1000140F \|. 74 07 \|je short car_exam.10001418 10001411 \|. BF 01000000 \|mov edi,1 10001416 \|. EB 47 \|jmp short car_exam.1000145F 10001418 \|> F6C3 01 \|test bl,1 1000141B \|. 74 1D \|je short car_exam.1000143A 1000141D \|. 33C9 \|xor ecx,ecx 1000141F \|. 8A0E \|mov cl,byte ptr ds:[esi] 10001421 \|. 51 \|push ecx 10001422 \|. E8 59050000 \|call car_exam.10001980 10001427 \|. 83C4 04 \|add esp,4 1000142A \|. 85C0 \|test eax,eax 1000142C \|. 74 0C \|je short car_exam.1000143A 1000142E \|. 33D2 \|xor edx,edx 10001430 \|. 8A16 \|mov dl,byte ptr ds:[esi] 10001432 \|. 52 \|push edx 10001433 \|. E8 78050000 \|call car_exam.100019B0 10001438 \|. EB 20 \|jmp short car_exam.1000145A 1000143A \|> F6C3 02 \|test bl,2 1000143D \|. 74 20 \|je short car_exam.1000145F 1000143F \|. 33C0 \|xor eax,eax 10001441 \|. 8A06 \|mov al,byte ptr ds:[esi] 10001443 \|. 50 \|push eax 10001444 \|. E8 07050000 \|call car_exam.10001950 10001449 \|. 83C4 04 \|add esp,4 1000144C \|. 85C0 \|test eax,eax 1000144E \|. 74 0F \|je short car_exam.1000145F 10001450 \|. 33C9 \|xor ecx,ecx 10001452 \|. 8A0E \|mov cl,byte ptr ds:[esi] 10001454 \|. 51 \|push ecx 10001455 \|. E8 F6030000 \|call car_exam.10001850 1000145A \|> 83C4 04 \|add esp,4 1000145D \|. 8806 \|mov byte ptr ds:[esi],al 1000145F \|> 8A46 01 \|mov al,byte ptr ds:[esi+1] 10001462 \|. 46 \|inc esi 10001463 \|. 45 \|inc ebp 10001464 \|. 84C0 \|test al,al 10001466 \|.^ 75 8E \jnz short car_exam.100013F6 10001468 \|> 5F pop edi 10001469 \|. 8BC5 mov eax,ebp 1000146B \|. 5E pop esi 1000146C \|. 5D pop ebp 1000146D \|. 5B pop ebx 1000146E \. C2 0C00 retn 0C 10001471 90 nop 10001472 90 nop 10001473 90 nop 10001474 90 nop 10001475 90 nop 10001476 90 nop 10001477 90 nop 10001478 90 nop 10001479 90 nop 1000147A 90 nop 1000147B 90 nop 1000147C 90 nop 1000147D 90 nop 1000147E 90 nop 1000147F 90 nop 10001480 . 8B4424 08 mov eax,dword ptr ss:[esp+8] 10001484 . 8B4C24 04 mov ecx,dword ptr ss:[esp+4] 10001488 . 6A 02 push 2 1000148A . 50 push eax 1000148B . 51 push ecx 1000148C . E8 4FFFFFFF call car_exam.100013E0 10001491 . C2 0800 retn 8 10001494 90 nop 10001495 90 nop 10001496 90 nop 10001497 90 nop 10001498 90 nop 10001499 90 nop 1000149A 90 nop 1000149B 90 nop 1000149C 90 nop 1000149D 90 nop 1000149E 90 nop 1000149F 90 nop 100014A0 . 8B4424 08 mov eax,dword ptr ss:[esp+8] 100014A4 . 8B4C24 04 mov ecx,dword ptr ss:[esp+4] 100014A8 . 6A 01 push 1 100014AA . 50 push eax 100014AB . 51 push ecx 100014AC . E8 2FFFFFFF call car_exam.100013E0 100014B1 . C2 0800 retn 8 100014B4 90 nop 100014B5 90 nop 100014B6 90 nop 100014B7 90 nop 100014B8 90 nop 100014B9 90 nop 100014BA 90 nop 100014BB 90 nop 100014BC 90 nop 100014BD 90 nop 100014BE 90 nop 100014BF 90 nop 100014C0 . 56 push esi 100014C1 . 8B7424 08 mov esi,dword ptr ss:[esp+8] 100014C5 . 57 push edi 100014C6 . 8BFE mov edi,esi 100014C8 . 83C9 FF or ecx,FFFFFFFF 100014CB . 33C0 xor eax,eax 100014CD . F2:AE repne scas byte ptr es:[edi] 100014CF . F7D1 not ecx 100014D1 . 49 dec ecx 100014D2 . 6A 02 push 2 100014D4 . 51 push ecx 100014D5 . 56 push esi 100014D6 . E8 05FFFFFF call car_exam.100013E0 100014DB . 8BC6 mov eax,esi 100014DD . 5F pop edi 100014DE . 5E pop esi 100014DF . C2 0400 retn 4 100014E2 90 nop 100014E3 90 nop 100014E4 90 nop 100014E5 90 nop 100014E6 90 nop 100014E7 90 nop 100014E8 90 nop 100014E9 90 nop 100014EA 90 nop 100014EB 90 nop 100014EC 90 nop 100014ED 90 nop 100014EE 90 nop 100014EF 90 nop 100014F0 . 56 push esi 100014F1 . 8B7424 08 mov esi,dword ptr ss:[esp+8] 100014F5 . 57 push edi 100014F6 . 8BFE mov edi,esi 100014F8 . 83C9 FF or ecx,FFFFFFFF 100014FB . 33C0 xor eax,eax 100014FD . F2:AE repne scas byte ptr es:[edi] 100014FF . F7D1 not ecx 10001501 . 49 dec ecx 10001502 . 6A 01 push 1 10001504 . 51 push ecx 10001505 . 56 push esi 10001506 . E8 D5FEFFFF call car_exam.100013E0 1000150B . 8BC6 mov eax,esi 1000150D . 5F pop edi 1000150E . 5E pop esi 1000150F . C2 0400 retn 4 10001512 90 nop 10001513 90 nop 10001514 90 nop 10001515 90 nop 10001516 90 nop 10001517 90 nop 10001518 90 nop 10001519 90 nop 1000151A 90 nop 1000151B 90 nop 1000151C 90 nop 1000151D 90 nop 1000151E 90 nop 1000151F 90 nop 10001520 . 53 push ebx 10001521 . 55 push ebp 10001522 . 56 push esi 10001523 . 8B7424 10 mov esi,dword ptr ss:[esp+10] 10001527 . 57 push edi 10001528 . 83C8 FF or eax,FFFFFFFF 1000152B . 8A0E mov cl,byte ptr ds:[esi] 1000152D . 33FF xor edi,edi 1000152F . 84C9 test cl,cl 10001531 . 74 4B je short car_exam.1000157E 10001533 . 8B5C24 18 mov ebx,dword ptr ss:[esp+18] 10001537 . 8B2D 10500010 mov ebp,dword ptr ds:[<&KERNEL32.IsD>; kernel32.IsDBCSLeadByte 1000153D > 3BFB cmp edi,ebx 1000153F . 7F 3D jg short car_exam.1000157E 10001541 . 83F8 01 cmp eax,1 10001544 . 75 16 jnz short car_exam.1000155C 10001546 . 33C0 xor eax,eax 10001548 . 8A06 mov al,byte ptr ds:[esi] 1000154A . 50 push eax 1000154B . E8 80050000 call car_exam.10001AD0 10001550 . 83C4 04 add esp,4 10001553 . F7D8 neg eax 10001555 . 1BC0 sbb eax,eax 10001557 . 83E0 03 and eax,3 1000155A . EB 18 jmp short car_exam.10001574 1000155C > 8A0E mov cl,byte ptr ds:[esi] 1000155E . 51 push ecx 1000155F . FFD5 call ebp 10001561 . 85C0 test eax,eax 10001563 . 74 07 je short car_exam.1000156C 10001565 . B8 01000000 mov eax,1 1000156A . EB 09 jmp short car_exam.10001575 1000156C > 8A06 mov al,byte ptr ds:[esi] 1000156E . F6D8 neg al 10001570 . 1BC0 sbb eax,eax 10001572 . F7D8 neg eax 10001574 > 48 dec eax 10001575 > 8A4E 01 mov cl,byte ptr ds:[esi+1] 10001578 . 46 inc esi 10001579 . 47 inc edi 1000157A . 84C9 test cl,cl 1000157C .^ 75 BF jnz short car_exam.1000153D 1000157E > 5F pop edi 1000157F . 5E pop esi 10001580 . 5D pop ebp 10001581 . 5B pop ebx 10001582 . C2 0800 retn 8 10001585 90 nop 10001586 90 nop 10001587 90 nop 10001588 90 nop 10001589 90 nop 1000158A 90 nop 1000158B 90 nop 1000158C 90 nop 1000158D 90 nop 1000158E 90 nop 1000158F 90 nop 10001590 . 53 push ebx 10001591 . 55 push ebp 10001592 . 56 push esi 10001593 . 57 push edi 10001594 . 8B7C24 14 mov edi,dword ptr ss:[esp+14] 10001598 . 33F6 xor esi,esi 1000159A . 85FF test edi,edi 1000159C . 74 26 je short car_exam.100015C4 1000159E . 8A07 mov al,byte ptr ds:[edi] 100015A0 . 84C0 test al,al 100015A2 . 74 20 je short car_exam.100015C4 100015A4 . 8B2D 10500010 mov ebp,dword ptr ds:[<&KERNEL32.IsD>; kernel32.IsDBCSLeadByte 100015AA . 33DB xor ebx,ebx 100015AC > 85F6 test esi,esi 100015AE . 74 1D je short car_exam.100015CD 100015B0 . 33F6 xor esi,esi 100015B2 > 43 inc ebx 100015B3 > 8A47 01 mov al,byte ptr ds:[edi+1] 100015B6 . 47 inc edi 100015B7 . 84C0 test al,al 100015B9 .^ 75 F1 jnz short car_exam.100015AC 100015BB . 8BC3 mov eax,ebx 100015BD . 5F pop edi 100015BE . 5E pop esi 100015BF . 5D pop ebp 100015C0 . 5B pop ebx 100015C1 . C2 0400 retn 4 100015C4 > 5F pop edi 100015C5 . 5E pop esi 100015C6 . 5D pop ebp 100015C7 . 33C0 xor eax,eax 100015C9 . 5B pop ebx 100015CA . C2 0400 retn 4 100015CD > 50 push eax 100015CE . FFD5 call ebp 100015D0 . 85C0 test eax,eax 100015D2 .^ 74 DE je short car_exam.100015B2 100015D4 . BE 01000000 mov esi,1 100015D9 .^ EB D8 jmp short car_exam.100015B3 100015DB 90 nop 100015DC 90 nop 100015DD 90 nop 100015DE 90 nop 100015DF 90 nop 100015E0 . 53 push ebx 100015E1 . 55 push ebp 100015E2 . 56 push esi 100015E3 . 8B7424 10 mov esi,dword ptr ss:[esp+10] 100015E7 . 57 push edi 100015E8 . 33FF xor edi,edi 100015EA . 85F6 test esi,esi 100015EC . 74 29 je short car_exam.10001617 100015EE . 8A06 mov al,byte ptr ds:[esi] 100015F0 . 84C0 test al,al 100015F2 . 74 23 je short car_exam.10001617 100015F4 . 33ED xor ebp,ebp 100015F6 . 33DB xor ebx,ebx 100015F8 > 3B5C24 18 cmp ebx,dword ptr ss:[esp+18] 100015FC . 73 10 jnb short car_exam.1000160E 100015FE . 85FF test edi,edi 10001600 . 74 1E je short car_exam.10001620 10001602 . 33FF xor edi,edi 10001604 > 43 inc ebx 10001605 > 8A46 01 mov al,byte ptr ds:[esi+1] 10001608 . 46 inc esi 10001609 . 45 inc ebp 1000160A . 84C0 test al,al 1000160C .^ 75 EA jnz short car_exam.100015F8 1000160E > 8BC5 mov eax,ebp 10001610 . 5F pop edi 10001611 . 5E pop esi 10001612 . 5D pop ebp 10001613 . 5B pop ebx 10001614 . C2 0800 retn 8 10001617 > 5F pop edi 10001618 . 5E pop esi 10001619 . 5D pop ebp 1000161A . 33C0 xor eax,eax 1000161C . 5B pop ebx 1000161D . C2 0800 retn 8 10001620 > 50 push eax ; /TestChar 10001621 . FF15 10500010 call dword ptr ds:[<&KERNEL32.IsDBCS>; \IsDBCSLeadByte 10001627 . 85C0 test eax,eax 10001629 .^ 74 D9 je short car_exam.10001604 1000162B . BF 01000000 mov edi,1 10001630 .^ EB D3 jmp short car_exam.10001605 10001632 90 nop 10001633 90 nop 10001634 90 nop 10001635 90 nop 10001636 90 nop 10001637 90 nop 10001638 90 nop 10001639 90 nop 1000163A 90 nop 1000163B 90 nop 1000163C 90 nop 1000163D 90 nop 1000163E 90 nop 1000163F 90 nop 10001640 . 53 push ebx 10001641 . 55 push ebp 10001642 . 56 push esi 10001643 . 8B7424 10 mov esi,dword ptr ss:[esp+10] 10001647 . 57 push edi 10001648 . 33FF xor edi,edi 1000164A . 85F6 test esi,esi 1000164C . 74 29 je short car_exam.10001677 1000164E . 8A06 mov al,byte ptr ds:[esi] 10001650 . 84C0 test al,al 10001652 . 74 23 je short car_exam.10001677 10001654 . 33ED xor ebp,ebp 10001656 . 33DB xor ebx,ebx 10001658 > 3B5C24 18 cmp ebx,dword ptr ss:[esp+18] 1000165C . 73 10 jnb short car_exam.1000166E 1000165E . 85FF test edi,edi 10001660 . 74 1E je short car_exam.10001680 10001662 . 33FF xor edi,edi 10001664 > 45 inc ebp 10001665 > 8A46 01 mov al,byte ptr ds:[esi+1] 10001668 . 46 inc esi 10001669 . 43 inc ebx 1000166A . 84C0 test al,al 1000166C .^ 75 EA jnz short car_exam.10001658 1000166E > 8BC5 mov eax,ebp 10001670 . 5F pop edi 10001671 . 5E pop esi 10001672 . 5D pop ebp 10001673 . 5B pop ebx 10001674 . C2 0800 retn 8 10001677 > 5F pop edi 10001678 . 5E pop esi 10001679 . 5D pop ebp 1000167A . 33C0 xor eax,eax 1000167C . 5B pop ebx 1000167D . C2 0800 retn 8 10001680 > 50 push eax ; /TestChar 10001681 . FF15 10500010 call dword ptr ds:[<&KERNEL32.IsDBCS>; \IsDBCSLeadByte 10001687 . 85C0 test eax,eax 10001689 .^ 74 D9 je short car_exam.10001664 1000168B . BF 01000000 mov edi,1 10001690 .^ EB D3 jmp short car_exam.10001665 10001692 90 nop 10001693 90 nop 10001694 90 nop 10001695 90 nop 10001696 90 nop 10001697 90 nop 10001698 90 nop 10001699 90 nop 1000169A 90 nop 1000169B 90 nop 1000169C 90 nop 1000169D 90 nop 1000169E 90 nop 1000169F 90 nop 100016A0 . 8B4424 04 mov eax,dword ptr ss:[esp+4] 100016A4 . A8 80 test al,80 100016A6 . 75 12 jnz short car_exam.100016BA 100016A8 . 83F8 30 cmp eax,30 100016AB . 7C 0D jl short car_exam.100016BA 100016AD . 83F8 39 cmp eax,39 100016B0 . 7F 08 jg short car_exam.100016BA 100016B2 . B8 01000000 mov eax,1 100016B7 . C2 0400 retn 4 100016BA > 33C0 xor eax,eax 100016BC . C2 0400 retn 4 100016BF 90 nop 100016C0 $- FF25 94500010 jmp dword ptr ds:[<&PBVM80.#137>] ; PBVM80.FN_RunExecutable 100016C6 CC int3 100016C7 CC int3 100016C8 CC int3 100016C9 CC int3 100016CA CC int3 100016CB CC int3 100016CC CC int3 100016CD CC int3 100016CE CC int3 100016CF CC int3 100016D0 /> 8D42 FF lea eax,dword ptr ds:[edx-1] 100016D3 \|. 5B pop ebx 100016D4 \|. C3 retn 100016D5 \| 2E db 2E ; CHAR '.' 100016D6 \| 8BC0 mov eax,eax 100016D8 \| 2E db 2E ; CHAR '.' 100016D9 \| 8BC0 mov eax,eax 100016DB \| 2E db 2E ; CHAR '.' 100016DC \| 8BC0 mov eax,eax 100016DE \| 8BC0 mov eax,eax 100016E0 \|$ 33C0 xor eax,eax 100016E2 \|. 8A4424 08 mov al,byte ptr ss:[esp+8] 100016E6 \|. 53 push ebx 100016E7 \|. 8BD8 mov ebx,eax 100016E9 \|. C1E0 08 shl eax,8 100016EC \|. 8B5424 08 mov edx,dword ptr ss:[esp+8] 100016F0 \|. F7C2 03000000 test edx,3 100016F6 \|. 74 13 je short car_exam.1000170B 100016F8 \|> 8A0A /mov cl,byte ptr ds:[edx] 100016FA \|. 42 \|inc edx 100016FB \|. 38D9 \|cmp cl,bl 100016FD \|.^ 74 D1 \|je short car_exam.100016D0 100016FF \|. 84C9 \|test cl,cl 10001701 \|. 74 51 \|je short car_exam.10001754 10001703 \|. F7C2 03000000 \|test edx,3 10001709 \|.^ 75 ED \jnz short car_exam.100016F8 1000170B \|> 0BD8 or ebx,eax 1000170D \|. 57 push edi 1000170E \|. 8BC3 mov eax,ebx 10001710 \|. C1E3 10 shl ebx,10 10001713 \|. 56 push esi 10001714 \|. 0BD8 or ebx,eax 10001716 \|> 8B0A /mov ecx,dword ptr ds:[edx] 10001718 \|. BF FFFEFE7E \|mov edi,7EFEFEFF 1000171D \|. 8BC1 \|mov eax,ecx 1000171F \|. 8BF7 \|mov esi,edi 10001721 \|. 33CB \|xor ecx,ebx 10001723 \|. 03F0 \|add esi,eax 10001725 \|. 03F9 \|add edi,ecx 10001727 \|. 83F1 FF \|xor ecx,FFFFFFFF 1000172A \|. 83F0 FF \|xor eax,FFFFFFFF 1000172D \|. 33CF \|xor ecx,edi 1000172F \|. 33C6 \|xor eax,esi 10001731 \|. 83C2 04 \|add edx,4 10001734 \|. 81E1 00010181 \|and ecx,81010100 1000173A \|. 75 1C \|jnz short car_exam.10001758 1000173C \|. 25 00010181 \|and eax,81010100 10001741 \|.^ 74 D3 \|je short car_exam.10001716 10001743 \|. 25 00010101 \|and eax,1010100 10001748 \|. 75 08 \|jnz short car_exam.10001752 1000174A \|. 81E6 00000080 \|and esi,80000000 10001750 \|.^ 75 C4 \jnz short car_exam.10001716 10001752 \|> 5E pop esi 10001753 \|. 5F pop edi 10001754 \|> 5B pop ebx 10001755 \|. 33C0 xor eax,eax 10001757 \|. C3 retn 10001758 \|> 8B42 FC mov eax,dword ptr ds:[edx-4] 1000175B \|. 38D8 cmp al,bl 1000175D \|. 74 36 je short car_exam.10001795 1000175F \|. 84C0 test al,al 10001761 \|.^ 74 EF je short car_exam.10001752 10001763 \|. 38DC cmp ah,bl 10001765 \|. 74 27 je short car_exam.1000178E 10001767 \|. 84E4 test ah,ah 10001769 \|.^ 74 E7 je short car_exam.10001752 1000176B \|. C1E8 10 shr eax,10 1000176E \|. 38D8 cmp al,bl 10001770 \|. 74 15 je short car_exam.10001787 10001772 \|. 84C0 test al,al 10001774 \|.^ 74 DC je short car_exam.10001752 10001776 \|. 38DC cmp ah,bl 10001778 \|. 74 06 je short car_exam.10001780 1000177A \|. 84E4 test ah,ah 1000177C \|.^ 74 D4 je short car_exam.10001752 1000177E \|.^ EB 96 jmp short car_exam.10001716 10001780 \|> 5E pop esi 10001781 \|. 5F pop edi 10001782 \|. 8D42 FF lea eax,dword ptr ds:[edx-1] 10001785 \|. 5B pop ebx 10001786 \|. C3 retn 10001787 \|> 8D42 FE lea eax,dword ptr ds:[edx-2] 1000178A \|. 5E pop esi 1000178B \|. 5F pop edi 1000178C \|. 5B pop ebx 1000178D \|. C3 retn 1000178E \|> 8D42 FD lea eax,dword ptr ds:[edx-3] 10001791 \|. 5E pop esi 10001792 \|. 5F pop edi 10001793 \|. 5B pop ebx 10001794 \|. C3 retn 10001795 \|> 8D42 FC lea eax,dword ptr ds:[edx-4] 10001798 \|. 5E pop esi 10001799 \|. 5F pop edi 1000179A \|. 5B pop ebx 1000179B \. C3 retn 1000179C CC int3 1000179D CC int3 1000179E CC int3 1000179F CC int3 100017A0 /$ A1 D0860010 mov eax,dword ptr ds:[100086D0] 100017A5 \|. 53 push ebx 100017A6 \|. 85C0 test eax,eax 100017A8 \|. 56 push esi 100017A9 \|. 75 15 jnz short car_exam.100017C0 100017AB \|. 8B4424 10 mov eax,dword ptr ss:[esp+10] 100017AF \|. 8B4C24 0C mov ecx,dword ptr ss:[esp+C] 100017B3 \|. 50 push eax 100017B4 \|. 51 push ecx 100017B5 \|. E8 26FFFFFF call car_exam.100016E0 100017BA \|. 83C4 08 add esp,8 100017BD \|. 5E pop esi 100017BE \|. 5B pop ebx 100017BF \|. C3 retn 100017C0 \|> 8B5424 0C mov edx,dword ptr ss:[esp+C] 100017C4 \|. 8B7424 10 mov esi,dword ptr ss:[esp+10] 100017C8 \|. 66:0FB602 movzx ax,byte ptr ds:[edx] 100017CC \|. 66:85C0 test ax,ax 100017CF \|. 74 66 je short car_exam.10001837 100017D1 \|. B3 04 mov bl,4 100017D3 \|> 8BC8 /mov ecx,eax 100017D5 \|. 81E1 FF000000 \|and ecx,0FF 100017DB \|. 8499 C9840010 \|test byte ptr ds:[ecx+100084C9],bl 100017E1 \|. 74 1E \|je short car_exam.10001801 100017E3 \|. 8A4A 01 \|mov cl,byte ptr ds:[edx+1] 100017E6 \|. 42 \|inc edx 100017E7 \|. 84C9 \|test cl,cl 100017E9 \|. 74 41 \|je short car_exam.1000182C 100017EB \|. 25 FFFF0000 \|and eax,0FFFF 100017F0 \|. 81E1 FF000000 \|and ecx,0FF 100017F6 \|. C1E0 08 \|shl eax,8 100017F9 \|. 0BC1 \|or eax,ecx 100017FB \|. 3BF0 \|cmp esi,eax 100017FD \|. 74 32 \|je short car_exam.10001831 100017FF \|. EB 0C \|jmp short car_exam.1000180D 10001801 \|> 8BC8 \|mov ecx,eax 10001803 \|. 81E1 FFFF0000 \|and ecx,0FFFF 10001809 \|. 3BF1 \|cmp esi,ecx 1000180B \|. 74 2A \|je short car_exam.10001837 1000180D \|> 66:0FB642 01 \|movzx ax,byte ptr ds:[edx+1] 10001812 \|. 42 \|inc edx 10001813 \|. 66:85C0 \|test ax,ax 10001816 \|.^ 75 BB \jnz short car_exam.100017D3 10001818 \|. 25 FFFF0000 and eax,0FFFF 1000181D \|. 33C9 xor ecx,ecx 1000181F \|. 3BF0 cmp esi,eax 10001821 \|. 0F95C1 setne cl 10001824 \|. 49 dec ecx 10001825 \|. 23CA and ecx,edx 10001827 \|. 8BC1 mov eax,ecx 10001829 \|. 5E pop esi 1000182A \|. 5B pop ebx 1000182B \|. C3 retn 1000182C \|> 33C0 xor eax,eax 1000182E \|. 5E pop esi 1000182F \|. 5B pop ebx 10001830 \|. C3 retn 10001831 \|> 8D42 FF lea eax,dword ptr ds:[edx-1] 10001834 \|. 5E pop esi 10001835 \|. 5B pop ebx 10001836 \|. C3 retn 10001837 \|> 25 FFFF0000 and eax,0FFFF 1000183C \|. 33C9 xor ecx,ecx 1000183E \|. 3BF0 cmp esi,eax 10001840 \|. 5E pop esi 10001841 \|. 0F95C1 setne cl 10001844 \|. 49 dec ecx 10001845 \|. 5B pop ebx 10001846 \|. 23CA and ecx,edx 10001848 \|. 8BC1 mov eax,ecx 1000184A \. C3 retn 1000184B 90 nop 1000184C 90 nop 1000184D 90 nop 1000184E 90 nop 1000184F 90 nop 10001850 /$ A1 F8860010 mov eax,dword ptr ds:[100086F8] 10001855 \|. 83EC 08 sub esp,8 10001858 \|. 85C0 test eax,eax 1000185A \|. 53 push ebx 1000185B \|. 75 1E jnz short car_exam.1000187B 1000185D \|. 8B4424 10 mov eax,dword ptr ss:[esp+10] 10001861 \|. 83F8 41 cmp eax,41 10001864 \|. 0F8C DF000000 jl car_exam.10001949 1000186A \|. 83F8 5A cmp eax,5A 1000186D \|. 0F8F D6000000 jg car_exam.10001949 10001873 \|. 83C0 20 add eax,20 10001876 \|. 5B pop ebx 10001877 \|. 83C4 08 add esp,8 1000187A \|. C3 retn 1000187B \|> 8B5C24 10 mov ebx,dword ptr ss:[esp+10] 1000187F \|. 81FB 00010000 cmp ebx,100 10001885 \|. 7D 2C jge short car_exam.100018B3 10001887 \|. 833D 3C630010>cmp dword ptr ds:[1000633C],1 1000188E \|. 7E 0D jle short car_exam.1000189D 10001890 \|. 6A 01 push 1 10001892 \|. 53 push ebx 10001893 \|. E8 E80B0000 call car_exam.10002480 10001898 \|. 83C4 08 add esp,8 1000189B \|. EB 0B jmp short car_exam.100018A8 1000189D \|> A1 30610010 mov eax,dword ptr ds:[10006130] 100018A2 \|. 8A0458 mov al,byte ptr ds:[eax+ebx2] 100018A5 \|. 83E0 01 and eax,1 100018A8 \|> 85C0 test eax,eax 100018AA \|. 75 07 jnz short car_exam.100018B3 100018AC \|. 8BC3 mov eax,ebx 100018AE \|. 5B pop ebx 100018AF \|. 83C4 08 add esp,8 100018B2 \|. C3 retn 100018B3 \|> 8B15 30610010 mov edx,dword ptr ds:[10006130] ; car_exam.1000613A 100018B9 \|. 8BC3 mov eax,ebx 100018BB \|. C1F8 08 sar eax,8 100018BE \|. 8BC8 mov ecx,eax 100018C0 \|. 81E1 FF000000 and ecx,0FF 100018C6 \|. F6444A 01 80 test byte ptr ds:[edx+ecx2+1],80 100018CB \|. 74 14 je short car_exam.100018E1 100018CD \|. 884424 10 mov byte ptr ss:[esp+10],al 100018D1 \|. 885C24 11 mov byte ptr ss:[esp+11],bl 100018D5 \|. C64424 12 00 mov byte ptr ss:[esp+12],0 100018DA \|. B8 02000000 mov eax,2 100018DF \|. EB 0E jmp short car_exam.100018EF 100018E1 \|> 885C24 10 mov byte ptr ss:[esp+10],bl 100018E5 \|. C64424 11 00 mov byte ptr ss:[esp+11],0 100018EA \|. B8 01000000 mov eax,1 100018EF \|> 6A 01 push 1 100018F1 \|. 6A 00 push 0 100018F3 \|. 8D4C24 0C lea ecx,dword ptr ss:[esp+C] 100018F7 \|. 6A 03 push 3 100018F9 \|. 51 push ecx 100018FA \|. 8D5424 20 lea edx,dword ptr ss:[esp+20] 100018FE \|. 50 push eax 100018FF \|. A1 F8860010 mov eax,dword ptr ds:[100086F8] 10001904 \|. 52 push edx 10001905 \|. 68 00010000 push 100 1000190A \|. 50 push eax 1000190B \|. E8 10090000 call car_exam.10002220 10001910 \|. 83C4 20 add esp,20 10001913 \|. 85C0 test eax,eax 10001915 \|. 75 07 jnz short car_exam.1000191E 10001917 \|. 8BC3 mov eax,ebx 10001919 \|. 5B pop ebx 1000191A \|. 83C4 08 add esp,8 1000191D \|. C3 retn 1000191E \|> 83F8 01 cmp eax,1 10001921 \|. 75 0E jnz short car_exam.10001931 10001923 \|. 8B4424 04 mov eax,dword ptr ss:[esp+4] 10001927 \|. 25 FF000000 and eax,0FF 1000192C \|. 5B pop ebx 1000192D \|. 83C4 08 add esp,8 10001930 \|. C3 retn 10001931 \|> 8B4424 05 mov eax,dword ptr ss:[esp+5] 10001935 \|. 8B4C24 04 mov ecx,dword ptr ss:[esp+4] 10001939 \|. 25 FF000000 and eax,0FF 1000193E \|. 81E1 FF000000 and ecx,0FF 10001944 \|. C1E0 08 shl eax,8 10001947 \|. 0BC1 or eax,ecx 10001949 \|> 5B pop ebx 1000194A \|. 83C4 08 add esp,8 1000194D \. C3 retn 1000194E 90 nop 1000194F 90 nop 10001950 /$ 833D 3C630010>cmp dword ptr ds:[1000633C],1 10001957 \|. 7E 10 jle short car_exam.10001969 10001959 \|. 8B4424 04 mov eax,dword ptr ss:[esp+4] 1000195D \|. 6A 01 push 1 1000195F \|. 50 push eax 10001960 \|. E8 1B0B0000 call car_exam.10002480 10001965 \|. 83C4 08 add esp,8 10001968 \|. C3 retn 10001969 \|> 8B4C24 04 mov ecx,dword ptr ss:[esp+4] 1000196D \|. 8B15 30610010 mov edx,dword ptr ds:[10006130] ; car_exam.1000613A 10001973 \|. 8A044A mov al,byte ptr ds:[edx+ecx2] 10001976 \|. 83E0 01 and eax,1 10001979 \. C3 retn 1000197A 90 nop 1000197B 90 nop 1000197C 90 nop 1000197D 90 nop 1000197E 90 nop 1000197F 90 nop 10001980 /$ 833D 3C630010>cmp dword ptr ds:[1000633C],1 10001987 \|. 7E 10 jle short car_exam.10001999 10001989 \|. 8B4424 04 mov eax,dword ptr ss:[esp+4] 1000198D \|. 6A 02 push 2 1000198F \|. 50 push eax 10001990 \|. E8 EB0A0000 call car_exam.10002480 10001995 \|. 83C4 08 add esp,8 10001998 \|. C3 retn 10001999 \|> 8B4C24 04 mov ecx,dword ptr ss:[esp+4] 1000199D \|. 8B15 30610010 mov edx,dword ptr ds:[10006130] ; car_exam.1000613A 100019A3 \|. 8A044A mov al,byte ptr ds:[edx+ecx2] 100019A6 \|. 83E0 02 and eax,2 100019A9 \. C3 retn 100019AA 90 nop 100019AB 90 nop 100019AC 90 nop 100019AD 90 nop 100019AE 90 nop 100019AF 90 nop 100019B0 /$ A1 F8860010 mov eax,dword ptr ds:[100086F8] 100019B5 \|. 83EC 08 sub esp,8 100019B8 \|. 85C0 test eax,eax 100019BA \|. 53 push ebx 100019BB \|. 75 1E jnz short car_exam.100019DB 100019BD \|. 8B4424 10 mov eax,dword ptr ss:[esp+10] 100019C1 \|. 83F8 61 cmp eax,61 100019C4 \|. 0F8C DF000000 jl car_exam.10001AA9 100019CA \|. 83F8 7A cmp eax,7A 100019CD \|. 0F8F D6000000 jg car_exam.10001AA9 100019D3 \|. 83E8 20 sub eax,20 100019D6 \|. 5B pop ebx 100019D7 \|. 83C4 08 add esp,8 100019DA \|. C3 retn 100019DB \|> 8B5C24 10 mov ebx,dword ptr ss:[esp+10] 100019DF \|. 81FB 00010000 cmp ebx,100 100019E5 \|. 7D 2C jge short car_exam.10001A13 100019E7 \|. 833D 3C630010>cmp dword ptr ds:[1000633C],1 100019EE \|. 7E 0D jle short car_exam.100019FD 100019F0 \|. 6A 02 push 2 100019F2 \|. 53 push ebx 100019F3 \|. E8 880A0000 call car_exam.10002480 100019F8 \|. 83C4 08 add esp,8 100019FB \|. EB 0B jmp short car_exam.10001A08 100019FD \|> A1 30610010 mov eax,dword ptr ds:[10006130] 10001A02 \|. 8A0458 mov al,byte ptr ds:[eax+ebx2] 10001A05 \|. 83E0 02 and eax,2 10001A08 \|> 85C0 test eax,eax 10001A0A \|. 75 07 jnz short car_exam.10001A13 10001A0C \|. 8BC3 mov eax,ebx 10001A0E \|. 5B pop ebx 10001A0F \|. 83C4 08 add esp,8 10001A12 \|. C3 retn 10001A13 \|> 8B15 30610010 mov edx,dword ptr ds:[10006130] ; car_exam.1000613A 10001A19 \|. 8BC3 mov eax,ebx 10001A1B \|. C1F8 08 sar eax,8 10001A1E \|. 8BC8 mov ecx,eax 10001A20 \|. 81E1 FF000000 and ecx,0FF 10001A26 \|. F6444A 01 80 test byte ptr ds:[edx+ecx2+1],80 10001A2B \|. 74 14 je short car_exam.10001A41 10001A2D \|. 884424 10 mov byte ptr ss:[esp+10],al 10001A31 \|. 885C24 11 mov byte ptr ss:[esp+11],bl 10001A35 \|. C64424 12 00 mov byte ptr ss:[esp+12],0 10001A3A \|. B8 02000000 mov eax,2 10001A3F \|. EB 0E jmp short car_exam.10001A4F 10001A41 \|> 885C24 10 mov byte ptr ss:[esp+10],bl 10001A45 \|. C64424 11 00 mov byte ptr ss:[esp+11],0 10001A4A \|. B8 01000000 mov eax,1 10001A4F \|> 6A 01 push 1 10001A51 \|. 6A 00 push 0 10001A53 \|. 8D4C24 0C lea ecx,dword ptr ss:[esp+C] 10001A57 \|. 6A 03 push 3 10001A59 \|. 51 push ecx 10001A5A \|. 8D5424 20 lea edx,dword ptr ss:[esp+20] 10001A5E \|. 50 push eax 10001A5F \|. A1 F8860010 mov eax,dword ptr ds:[100086F8] 10001A64 \|. 52 push edx 10001A65 \|. 68 00020000 push 200 10001A6A \|. 50 push eax 10001A6B \|. E8 B0070000 call car_exam.10002220 10001A70 \|. 83C4 20 add esp,20 10001A73 \|. 85C0 test eax,eax 10001A75 \|. 75 07 jnz short car_exam.10001A7E 10001A77 \|. 8BC3 mov eax,ebx 10001A79 \|. 5B pop ebx 10001A7A \|. 83C4 08 add esp,8 10001A7D \|. C3 retn 10001A7E \|> 83F8 01 cmp eax,1 10001A81 \|. 75 0E jnz short car_exam.10001A91 10001A83 \|. 8B4424 04 mov eax,dword ptr ss:[esp+4] 10001A87 \|. 25 FF000000 and eax,0FF 10001A8C \|. 5B pop ebx 10001A8D \|. 83C4 08 add esp,8 10001A90 \|. C3 retn 10001A91 \|> 8B4424 05 mov eax,dword ptr ss:[esp+5] 10001A95 \|. 8B4C24 04 mov ecx,dword ptr ss:[esp+4] 10001A99 \|. 25 FF000000 and eax,0FF 10001A9E \|. 81E1 FF000000 and ecx,0FF 10001AA4 \|. C1E0 08 shl eax,8 10001AA7 \|. 0BC1 or eax,ecx 10001AA9 \|> 5B pop ebx 10001AAA \|. 83C4 08 add esp,8 10001AAD \. C3 retn 10001AAE 90 nop 10001AAF 90 nop 10001AB0 /$ 8B4424 04 mov eax,dword ptr ss:[esp+4] 10001AB4 \|. 6A 04 push 4 10001AB6 \|. 6A 00 push 0 10001AB8 \|. 50 push eax 10001AB9 \|. E8 32000000 call car_exam.10001AF0 10001ABE \|. 83C4 0C add esp,0C 10001AC1 \. C3 retn 10001AC2 90 nop 10001AC3 90 nop 10001AC4 90 nop 10001AC5 90 nop 10001AC6 90 nop 10001AC7 90 nop 10001AC8 90 nop 10001AC9 90 nop 10001ACA 90 nop 10001ACB 90 nop 10001ACC 90 nop 10001ACD 90 nop 10001ACE 90 nop 10001ACF 90 nop 10001AD0 /$ 8B4424 04 mov eax,dword ptr ss:[esp+4] 10001AD4 \|. 6A 08 push 8 10001AD6 \|. 6A 00 push 0 10001AD8 \|. 50 push eax 10001AD9 \|. E8 12000000 call car_exam.10001AF0 10001ADE \|. 83C4 0C add esp,0C 10001AE1 \. C3 retn 10001AE2 90 nop 10001AE3 90 nop 10001AE4 90 nop 10001AE5 90 nop 10001AE6 90 nop 10001AE7 90 nop 10001AE8 90 nop 10001AE9 90 nop 10001AEA 90 nop 10001AEB 90 nop 10001AEC 90 nop 10001AED 90 nop 10001AEE 90 nop 10001AEF 90 nop 10001AF0 /$ 8B4424 04 mov eax,dword ptr ss:[esp+4] 10001AF4 \|. 8A4C24 0C mov cl,byte ptr ss:[esp+C] 10001AF8 \|. 25 FF000000 and eax,0FF 10001AFD \|. 8488 C9840010 test byte ptr ds:[eax+100084C9],cl 10001B03 \|. 75 1F jnz short car_exam.10001B24 10001B05 \|. 8B4C24 08 mov ecx,dword ptr ss:[esp+8] 10001B09 \|. 85C9 test ecx,ecx 10001B0B \|. 74 10 je short car_exam.10001B1D 10001B0D \|. 33D2 xor edx,edx 10001B0F \|. 66:8B1445 3A6>mov dx,word ptr ds:[eax2+1000613A] 10001B17 \|. 8BC2 mov eax,edx 10001B19 \|. 23C1 and eax,ecx 10001B1B \|. EB 02 jmp short car_exam.10001B1F 10001B1D \|> 33C0 xor eax,eax 10001B1F \|> 85C0 test eax,eax 10001B21 \|. 75 01 jnz short car_exam.10001B24 10001B23 \|. C3 retn 10001B24 \|> B8 01000000 mov eax,1 10001B29 \. C3 retn 10001B2A 90 nop 10001B2B 90 nop 10001B2C 90 nop 10001B2D 90 nop 10001B2E 90 nop 10001B2F 90 nop 10001B30 > $ 55 push ebp ; (初始化 cpu 选择状态) 10001B31 . 8BEC mov ebp,esp 10001B33 . 6A FF push -1 10001B35 . 68 A0500010 push car_exam.100050A0 10001B3A . 68 28300010 push car_exam.10003028 ; SE 句柄安装 10001B3F . 64:A1 0000000>mov eax,dword ptr fs:[0] 10001B45 . 50 push eax 10001B46 . 64:8925 00000>mov dword ptr fs:[0],esp 10001B4D . 83C4 A8 add esp,-58 10001B50 . 53 push ebx 10001B51 . 56 push esi 10001B52 . 57 push edi 10001B53 . 8965 E8 mov dword ptr ss:[ebp-18],esp 10001B56 . FF15 1C500010 call dword ptr ds:[<&KERNEL32.GetVer>; kernel32.GetVersion 10001B5C . 33D2 xor edx,edx 10001B5E . 8AD4 mov dl,ah 10001B60 . 8915 24870010 mov dword ptr ds:[10008724],edx 10001B66 . 8BC8 mov ecx,eax 10001B68 . 81E1 FF000000 and ecx,0FF 10001B6E . 890D 20870010 mov dword ptr ds:[10008720],ecx 10001B74 . C1E1 08 shl ecx,8 10001B77 . 03CA add ecx,edx 10001B79 . 890D 1C870010 mov dword ptr ds:[1000871C],ecx 10001B7F . C1E8 10 shr eax,10 10001B82 . A3 18870010 mov dword ptr ds:[10008718],eax 10001B87 . E8 64130000 call car_exam.10002EF0 10001B8C . 85C0 test eax,eax 10001B8E . 75 0A jnz short car_exam.10001B9A 10001B90 . 6A 1C push 1C 10001B92 . E8 69010000 call car_exam.10001D00 10001B97 . 83C4 04 add esp,4 10001B9A > C745 FC 00000>mov dword ptr ss:[ebp-4],0 10001BA1 . E8 4A110000 call car_exam.10002CF0 10001BA6 . E8 65060000 call car_exam.10002210 10001BAB . FF15 08500010 call dword ptr ds:[<&KERNEL32.GetCom>; [GetCommandLineA 10001BB1 . A3 B4890010 mov dword ptr ds:[100089B4],eax 10001BB6 . E8 D50F0000 call car_exam.10002B90 10001BBB . A3 BC840010 mov dword ptr ds:[100084BC],eax 10001BC0 . 85C0 test eax,eax 10001BC2 . 74 09 je short car_exam.10001BCD 10001BC4 . A1 B4890010 mov eax,dword ptr ds:[100089B4] 10001BC9 . 85C0 test eax,eax 10001BCB . 75 0A jnz short car_exam.10001BD7 10001BCD > 6A FF push -1 10001BCF . E8 7C090000 call car_exam.10002550 10001BD4 . 83C4 04 add esp,4 10001BD7 > E8 040D0000 call car_exam.100028E0 10001BDC . E8 0F0C0000 call car_exam.100027F0 10001BE1 . E8 3A090000 call car_exam.10002520 10001BE6 . 8B35 B4890010 mov esi,dword ptr ds:[100089B4] 10001BEC . 8975 9C mov dword ptr ss:[ebp-64],esi 10001BEF . 803E 22 cmp byte ptr ds:[esi],22 10001BF2 . 0F85 BE000000 jnz car_exam.10001CB6 10001BF8 > 46 inc esi 10001BF9 . 8975 9C mov dword ptr ss:[ebp-64],esi 10001BFC . 8A06 mov al,byte ptr ds:[esi] 10001BFE . 3C 22 cmp al,22 10001C00 . 74 1C je short car_exam.10001C1E 10001C02 . 84C0 test al,al 10001C04 . 74 18 je short car_exam.10001C1E 10001C06 . 25 FF000000 and eax,0FF 10001C0B . 50 push eax 10001C0C . E8 9FFEFFFF call car_exam.10001AB0 10001C11 . 83C4 04 add esp,4 10001C14 . 85C0 test eax,eax 10001C16 .^ 74 E0 je short car_exam.10001BF8 10001C18 . 46 inc esi 10001C19 . 8975 9C mov dword ptr ss:[ebp-64],esi 10001C1C .^ EB DA jmp short car_exam.10001BF8 10001C1E > 803E 22 cmp byte ptr ds:[esi],22 10001C21 . 75 04 jnz short car_exam.10001C27 10001C23 . 46 inc esi 10001C24 . 8975 9C mov dword ptr ss:[ebp-64],esi 10001C27 > 8A06 mov al,byte ptr ds:[esi] 10001C29 . 84C0 test al,al 10001C2B . 74 0A je short car_exam.10001C37 10001C2D . 3C 20 cmp al,20 10001C2F . 77 06 ja short car_exam.10001C37 10001C31 . 46 inc esi 10001C32 . 8975 9C mov dword ptr ss:[ebp-64],esi 10001C35 .^ EB F0 jmp short car_exam.10001C27 10001C37 > C745 D0 00000>mov dword ptr ss:[ebp-30],0 10001C3E . 8D45 A4 lea eax,dword ptr ss:[ebp-5C] 10001C41 . 50 push eax ; /pStartupinfo 10001C42 . FF15 18500010 call dword ptr ds:[<&KERNEL32.GetSta>; \GetStartupInfoA 10001C48 . F645 D0 01 test byte ptr ss:[ebp-30],1 10001C4C . 74 0A je short car_exam.10001C58 10001C4E . 8B45 D4 mov eax,dword ptr ss:[ebp-2C] 10001C51 . 25 FFFF0000 and eax,0FFFF 10001C56 . EB 05 jmp short car_exam.10001C5D 10001C58 > B8 0A000000 mov eax,0A 10001C5D > 50 push eax 10001C5E . 56 push esi 10001C5F . 6A 00 push 0 10001C61 . 6A 00 push 0 ; /pModule = NULL 10001C63 . FF15 14500010 call dword ptr ds:[<&KERNEL32.GetMod>; \GetModuleHandleA 10001C69 . 50 push eax 10001C6A . E8 91F3FFFF call car_exam.10001000 10001C6F . 8945 A0 mov dword ptr ss:[ebp-60],eax 10001C72 . 50 push eax 10001C73 . E8 D8080000 call car_exam.10002550 10001C78 . EB 21 jmp short car_exam.10001C9B 10001C7A . 8B45 EC mov eax,dword ptr ss:[ebp-14] 10001C7D . 8B08 mov ecx,dword ptr ds:[eax] 10001C7F . 8B09 mov ecx,dword ptr ds:[ecx] 10001C81 . 894D 98 mov dword ptr ss:[ebp-68],ecx 10001C84 . 50 push eax 10001C85 . 51 push ecx 10001C86 . E8 D5090000 call car_exam.10002660 10001C8B . 83C4 08 add esp,8 10001C8E . C3 retn 10001C8F . 8B65 E8 mov esp,dword ptr ss:[ebp-18] 10001C92 . 8B55 98 mov edx,dword ptr ss:[ebp-68] 10001C95 . 52 push edx 10001C96 . E8 D5080000 call car_exam.10002570 10001C9B > 83C4 04 add esp,4 10001C9E . C745 FC FFFFF>mov dword ptr ss:[ebp-4],-1 10001CA5 . 8B4D F0 mov ecx,dword ptr ss:[ebp-10] 10001CA8 . 64:890D 00000>mov dword ptr fs:[0],ecx 10001CAF . 5F pop edi 10001CB0 . 5E pop esi 10001CB1 . 5B pop ebx 10001CB2 . 8BE5 mov esp,ebp 10001CB4 . 5D pop ebp 10001CB5 . C3 retn 10001CB6 > 803E 20 cmp byte ptr ds:[esi],20 10001CB9 .^ 0F86 68FFFFFF jbe car_exam.10001C27 10001CBF . 46 inc esi 10001CC0 . 8975 9C mov dword ptr ss:[ebp-64],esi 10001CC3 .^ EB F1 jmp short car_exam.10001CB6 10001CC5 90 nop 10001CC6 90 nop 10001CC7 90 nop 10001CC8 90 nop 10001CC9 90 nop 10001CCA 90 nop 10001CCB 90 nop 10001CCC 90 nop 10001CCD 90 nop 10001CCE 90 nop 10001CCF 90 nop 10001CD0 /$ 833D C4840010>cmp dword ptr ds:[100084C4],1 10001CD7 \|. 75 05 jnz short car_exam.10001CDE 10001CD9 \|. E8 22140000 call car_exam.10003100 10001CDE \|> 8B4424 04 mov eax,dword ptr ss:[esp+4] 10001CE2 \|. 50 push eax 10001CE3 \|. E8 58140000 call car_exam.10003140 10001CE8 \|. 83C4 04 add esp,4 10001CEB \|. 68 FF000000 push 0FF 10001CF0 \|. FF15 30600010 call dword ptr ds:[10006030] ; car_exam.10002570 10001CF6 \|. 83C4 04 add esp,4 10001CF9 \. C3 retn 10001CFA 90 nop 10001CFB 90 nop 10001CFC 90 nop 10001CFD 90 nop 10001CFE 90 nop 10001CFF 90 nop 10001D00 /$ 833D C4840010>cmp dword ptr ds:[100084C4],1 10001D07 \|. 75 05 jnz short car_exam.10001D0E 10001D09 \|. E8 F2130000 call car_exam.10003100 10001D0E \|> 8B4424 04 mov eax,dword ptr ss:[esp+4] 10001D12 \|. 50 push eax 10001D13 \|. E8 28140000 call car_exam.10003140 10001D18 \|. 83C4 04 add esp,4 10001D1B \|. 68 FF000000 push 0FF ; /ExitCode = FF 10001D20 \. FF15 20500010 call dword ptr ds:[<&KERNEL32.ExitPr>; \ExitProcess 10001D26 . C3 retn 10001D27 90 nop 10001D28 90 nop 10001D29 90 nop 10001D2A 90 nop 10001D2B 90 nop 10001D2C 90 nop 10001D2D 90 nop 10001D2E 90 nop 10001D2F 90 nop 10001D30 /$ 8B4424 04 mov eax,dword ptr ss:[esp+4] 10001D34 \|. 83EC 14 sub esp,14 10001D37 \|. 53 push ebx 10001D38 \|. 55 push ebp 10001D39 \|. 56 push esi 10001D3A \|. 57 push edi 10001D3B \|. 50 push eax 10001D3C \|. E8 FF010000 call car_exam.10001F40 10001D41 \|. 8BC8 mov ecx,eax 10001D43 \|. A1 D0860010 mov eax,dword ptr ds:[100086D0] 10001D48 \|. 83C4 04 add esp,4 10001D4B \|. 3BC8 cmp ecx,eax 10001D4D \|. 894C24 28 mov dword ptr ss:[esp+28],ecx 10001D51 \|. 75 0A jnz short car_exam.10001D5D 10001D53 \|. 33C0 xor eax,eax 10001D55 \|. 5F pop edi 10001D56 \|. 5E pop esi 10001D57 \|. 5D pop ebp 10001D58 \|. 5B pop ebx 10001D59 \|. 83C4 14 add esp,14 10001D5C \|. C3 retn 10001D5D \|> 85C9 test ecx,ecx 10001D5F \|. 75 14 jnz short car_exam.10001D75 10001D61 \|. E8 8A020000 call car_exam.10001FF0 10001D66 \|. E8 C5020000 call car_exam.10002030 10001D6B \|. 33C0 xor eax,eax 10001D6D \|. 5F pop edi 10001D6E \|. 5E pop esi 10001D6F \|. 5D pop ebp 10001D70 \|. 5B pop ebx 10001D71 \|. 83C4 14 add esp,14 10001D74 \|. C3 retn 10001D75 \|> 33D2 xor edx,edx 10001D77 \|. B8 40600010 mov eax,car_exam.10006040 10001D7C \|> 3908 /cmp dword ptr ds:[eax],ecx 10001D7E \|. 0F84 07010000 \|je car_exam.10001E8B 10001D84 \|. 83C0 30 \|add eax,30 10001D87 \|. 42 \|inc edx 10001D88 \|. 3D 30610010 \|cmp eax,car_exam.10006130 10001D8D \|.^ 72 ED \jb short car_exam.10001D7C 10001D8F \|. 8D5424 10 lea edx,dword ptr ss:[esp+10] 10001D93 \|. 52 push edx ; /pCPInfo 10001D94 \|. 51 push ecx ; \|CodePage 10001D95 \|. FF15 0C500010 call dword ptr ds:[<&KERNEL32.GetCPI>; \GetCPInfo 10001D9B \|. BE 01000000 mov esi,1 10001DA0 \|. 3BC6 cmp eax,esi 10001DA2 \|. 0F85 BB000000 jnz car_exam.10001E63 10001DA8 \|. B9 40000000 mov ecx,40 10001DAD \|. 33C0 xor eax,eax 10001DAF \|. BF C8840010 mov edi,car_exam.100084C8 10001DB4 \|. F3:AB rep stos dword ptr es:[edi] 10001DB6 \|. 8B4C24 10 mov ecx,dword ptr ss:[esp+10] 10001DBA \|. AA stos byte ptr es:[edi] 10001DBB \|. 8B7C24 28 mov edi,dword ptr ss:[esp+28] 10001DBF \|. 33C0 xor eax,eax 10001DC1 \|. 3BCE cmp ecx,esi 10001DC3 \|. 893D D0860010 mov dword ptr ds:[100086D0],edi 10001DC9 \|. A3 D4860010 mov dword ptr ds:[100086D4],eax 10001DCE \|. 76 6E jbe short car_exam.10001E3E 10001DD0 \|. 8A4424 16 mov al,byte ptr ss:[esp+16] 10001DD4 \|. 84C0 test al,al 10001DD6 \|. 74 37 je short car_exam.10001E0F 10001DD8 \|. 8D5424 17 lea edx,dword ptr ss:[esp+17] 10001DDC \|> 8A0A /mov cl,byte ptr ds:[edx] 10001DDE \|. 84C9 \|test cl,cl 10001DE0 \|. 74 2D \|je short car_exam.10001E0F 10001DE2 \|. 33C0 \|xor eax,eax 10001DE4 \|. 81E1 FF000000 \|and ecx,0FF 10001DEA \|. 8A42 FF \|mov al,byte ptr ds:[edx-1] 10001DED \|. 3BC1 \|cmp eax,ecx 10001DEF \|. 77 14 \|ja short car_exam.10001E05 10001DF1 \|> 8A98 C9840010 \|/mov bl,byte ptr ds:[eax+100084C9] 10001DF7 \|. 80CB 04 \|\|or bl,4 10001DFA \|. 8898 C9840010 \|\|mov byte ptr ds:[eax+100084C9],bl 10001E00 \|. 40 \|\|inc eax 10001E01 \|. 3BC1 \|\|cmp eax,ecx 10001E03 \|.^ 76 EC \|\jbe short car_exam.10001DF1 10001E05 \|> 8A42 01 \|mov al,byte ptr ds:[edx+1] 10001E08 \|. 83C2 02 \|add edx,2 10001E0B \|. 84C0 \|test al,al 10001E0D \|.^ 75 CD \jnz short car_exam.10001DDC 10001E0F \|> 8BC6 mov eax,esi 10001E11 \|> 8A98 C9840010 /mov bl,byte ptr ds:[eax+100084C9] 10001E17 \|. 80CB 08 \|or bl,8 10001E1A \|. 8898 C9840010 \|mov byte ptr ds:[eax+100084C9],bl 10001E20 \|. 40 \|inc eax 10001E21 \|. 3D FF000000 \|cmp eax,0FF 10001E26 \|.^ 72 E9 \jb short car_exam.10001E11 10001E28 \|. 57 push edi 10001E29 \|. E8 62010000 call car_exam.10001F90 10001E2E \|. 83C4 04 add esp,4 10001E31 \|. A3 D4860010 mov dword ptr ds:[100086D4],eax 10001E36 \|. 8935 B0890010 mov dword ptr ds:[100089B0],esi 10001E3C \|. EB 05 jmp short car_exam.10001E43 10001E3E \|> A3 B0890010 mov dword ptr ds:[100089B0],eax 10001E43 \|> 33C0 xor eax,eax 10001E45 \|. A3 D8860010 mov dword ptr ds:[100086D8],eax 10001E4A \|. A3 DC860010 mov dword ptr ds:[100086DC],eax 10001E4F \|. A3 E0860010 mov dword ptr ds:[100086E0],eax 10001E54 \|. E8 D7010000 call car_exam.10002030 10001E59 \|. 33C0 xor eax,eax 10001E5B \|. 5F pop edi 10001E5C \|. 5E pop esi 10001E5D \|. 5D pop ebp 10001E5E \|. 5B pop ebx 10001E5F \|. 83C4 14 add esp,14 10001E62 \|. C3 retn 10001E63 \|> A1 E4860010 mov eax,dword ptr ds:[100086E4] 10001E68 \|. 85C0 test eax,eax 10001E6A \|. 74 14 je short car_exam.10001E80 10001E6C \|. E8 7F010000 call car_exam.10001FF0 10001E71 \|. E8 BA010000 call car_exam.10002030 10001E76 \|. 33C0 xor eax,eax 10001E78 \|. 5F pop edi 10001E79 \|. 5E pop esi 10001E7A \|. 5D pop ebp 10001E7B \|. 5B pop ebx 10001E7C \|. 83C4 14 add esp,14 10001E7F \|. C3 retn 10001E80 \|> 83C8 FF or eax,FFFFFFFF 10001E83 \|. 5F pop edi 10001E84 \|. 5E pop esi 10001E85 \|. 5D pop ebp 10001E86 \|. 5B pop ebx 10001E87 \|. 83C4 14 add esp,14 10001E8A \|. C3 retn 10001E8B \|> B9 40000000 mov ecx,40 10001E90 \|. 33C0 xor eax,eax 10001E92 \|. BF C8840010 mov edi,car_exam.100084C8 10001E97 \|. 8D1C52 lea ebx,dword ptr ds:[edx+edx2] 10001E9A \|. F3:AB rep stos dword ptr es:[edi] 10001E9C \|. AA stos byte ptr es:[edi] 10001E9D \|. 33FF xor edi,edi 10001E9F \|. C1E3 04 shl ebx,4 10001EA2 \|. 8DAB 50600010 lea ebp,dword ptr ds:[ebx+10006050] 10001EA8 \|> 8A45 00 /mov al,byte ptr ss:[ebp] 10001EAB \|. 8BF5 \|mov esi,ebp 10001EAD \|. 84C0 \|test al,al 10001EAF \|. 74 30 \|je short car_exam.10001EE1 10001EB1 \|> 8A4E 01 \|/mov cl,byte ptr ds:[esi+1] 10001EB4 \|. 84C9 \|\|test cl,cl 10001EB6 \|. 74 29 \|\|je short car_exam.10001EE1 10001EB8 \|. 33C0 \|\|xor eax,eax 10001EBA \|. 81E1 FF000000 \|\|and ecx,0FF 10001EC0 \|. 8A06 \|\|mov al,byte ptr ds:[esi] 10001EC2 \|. 3BC1 \|\|cmp eax,ecx 10001EC4 \|. 77 11 \|\|ja short car_exam.10001ED7 10001EC6 \|. 8A97 38600010 \|\|mov dl,byte ptr ds:[edi+10006038] 10001ECC \|> 0890 C9840010 \|\|/or byte ptr ds:[eax+100084C9],dl 2006-9-8 19:44 0
海风月影雪币： 7309 活跃值： (3788) 能力值： (RANK：1130 ) 在线值：发帖 93 回帖 2308 粉丝 119 关注私信	海风月影 22 8 楼 PB是解释语言，不是机器码，就像VB的P-CODE一样，所以当然是转来转去的 2006-9-8 21:41 0
caiweb 雪币： 199 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 41 粉丝 0 关注私信	caiweb 9 楼怎么办啊???? 如何脱壳????? 2006-9-8 22:07 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

caiweb

雪币： 199

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

11

回帖

41

粉丝

0

关注

私信

caiweb: 2 楼

还有，我分析过，不是e语言的。

2006-9-5 22:27

0

Kisco

雪币： 203

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

7

回帖

43

粉丝

0

关注

私信

Kisco: 3 楼

C++ 5.0 本身就是一种编程语言啊, 汗~~~~~~~~~~~~~~~

2006-9-5 22:43

0

caiweb

雪币： 199

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

11

回帖

41

粉丝

0

关注

私信

caiweb: 4 楼

肯定加密了的，字符串全都找不到。

2006-9-6 17:32

0

linex

雪币： 279

活跃值： (145)

能力值：

( LV9，RANK：290 )

在线值：

发帖

11

回帖

267

粉丝

0

关注

私信

linex 7: 5 楼

有些加密壳会伪装成C++的.

2006-9-6 17:35

0

caiweb

雪币： 199

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

11

回帖

41

粉丝

0

关注

私信

caiweb: 6 楼

肯定是pb写的,能用什么加密壳啊？？
用OD转来转去转不出来啊。谁帮看看。

2006-9-8 19:38

0

caiweb

雪币： 199

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

11

回帖

41

粉丝

0

关注

私信

caiweb: 7 楼

10001000  /$  56          push esi
10001001  |.  57          push edi
10001002  |.  FF15 08500010 call dword ptr ds:[<&KERNEL32.GetCom>; [GetCommandLineA
10001008  |.  8BF0       mov esi,eax
1000100A  |.  8A06       mov al,byte ptr ds:[esi]
1000100C  |.  46          inc esi
1000100D  |.  3C 22       cmp al,22
1000100F  |.  75 3E       jnz short car_exam.1000104F
10001011  |.  E8 DA000000 call car_exam.100010F0
10001016  |.  85C0       test eax,eax
10001018  |.  6A 22       push 22
1000101A  |.  56          push esi
1000101B  |.  74 07       je short car_exam.10001024
1000101D  |.  E8 7E070000 call car_exam.100017A0
10001022  |.  EB 05       jmp short car_exam.10001029
10001024  |>  E8 B7060000 call car_exam.100016E0
10001029  |>  8BD0       mov edx,eax
1000102B  |.  83C4 08    add esp,8
1000102E  |.  85D2       test edx,edx
10001030  |.  74 44       je short car_exam.10001076
10001032  |.  8BFA       mov edi,edx
10001034  |.  83C9 FF    or ecx,FFFFFFFF
10001037  |.  33C0       xor eax,eax
10001039  |.  F2:AE       repne scas byte ptr es:[edi]
1000103B  |.  F7D1       not ecx
1000103D  |.  49          dec ecx
1000103E  |.  83F9 02    cmp ecx,2
10001041  |.  77 07       ja short car_exam.1000104A
10001043  |.  BE B0840010 mov esi,car_exam.100084B0
10001048  |.  EB 2C       jmp short car_exam.10001076
1000104A  |>  8D72 02    lea esi,dword ptr ds:[edx+2]
1000104D  |.  EB 27       jmp short car_exam.10001076
1000104F  |>  E8 9C000000 call car_exam.100010F0
10001054  |.  85C0       test eax,eax
10001056  |.  6A 20       push 20
10001058  |.  56          push esi
10001059  |.  74 07       je short car_exam.10001062
1000105B  |.  E8 40070000 call car_exam.100017A0
10001060  |.  EB 05       jmp short car_exam.10001067
10001062  |>  E8 79060000 call car_exam.100016E0
10001067  |>  83C4 08    add esp,8
1000106A  |.  BE B4840010 mov esi,car_exam.100084B4
1000106F  |.  85C0       test eax,eax
10001071  |.  74 03       je short car_exam.10001076
10001073  |.  8D70 01    lea esi,dword ptr ds:[eax+1]
10001076  |>  8B4C24 18    mov ecx,dword ptr ss:[esp+18]
1000107A  |.  8B5424 10    mov edx,dword ptr ss:[esp+10]
1000107E  |.  8B4424 0C    mov eax,dword ptr ss:[esp+C]
10001082  |.  6A 00       push 0
10001084  |.  68 E8030000 push 3E8
10001089  |.  51          push ecx
1000108A  |.  56          push esi
1000108B  |.  52          push edx
1000108C  |.  50          push eax
1000108D  |.  E8 2E060000 call <jmp.&PBVM80.#137>
10001092  |.  5F          pop edi
10001093  |.  5E          pop esi
10001094  \.  C2 1000    retn 10
10001097    90          nop
10001098    90          nop
10001099    90          nop
1000109A    90          nop
1000109B    90          nop
1000109C    90          nop
1000109D    90          nop
1000109E    90          nop
1000109F    90          nop
100010A0 .  E9 0B000000 jmp car_exam.100010B0
100010A5    90          nop
100010A6    90          nop
100010A7    90          nop
100010A8    90          nop
100010A9    90          nop
100010AA    90          nop
100010AB    90          nop
100010AC    90          nop
100010AD    90          nop
100010AE    90          nop
100010AF    90          nop
100010B0 >  E8 0B000000 call car_exam.100010C0
100010B5 .  A3 B8840010 mov dword ptr ds:[100084B8],eax
100010BA .  C3          retn
100010BB    90          nop
100010BC    90          nop
100010BD    90          nop
100010BE    90          nop
100010BF    90          nop
100010C0  /$  83EC 14    sub esp,14
100010C3  |.  8D4424 00    lea eax,dword ptr ss:[esp]
100010C7  |.  50          push eax                            ; /pCPInfo
100010C8  |.  6A 00       push 0                            ; |CodePage = CP_ACP
100010CA  |.  FF15 0C500010 call dword ptr ds:[<&KERNEL32.GetCPI>; \GetCPInfo
100010D0  |.  8B5424 00    mov edx,dword ptr ss:[esp]
100010D4  |.  B9 01000000 mov ecx,1
100010D9  |.  3BCA       cmp ecx,edx
100010DB  |.  1BC0       sbb eax,eax
100010DD  |.  F7D8       neg eax
100010DF  |.  83C4 14    add esp,14
100010E2  \.  C3          retn
100010E3    90          nop
100010E4    90          nop
100010E5    90          nop
100010E6    90          nop
100010E7    90          nop
100010E8    90          nop
100010E9    90          nop
100010EA    90          nop
100010EB    90          nop
100010EC    90          nop
100010ED    90          nop
100010EE    90          nop
100010EF    90          nop
100010F0  /$  A1 B8840010 mov eax,dword ptr ds:[100084B8]
100010F5  \.  C3          retn
100010F6    90          nop
100010F7    90          nop
100010F8    90          nop
100010F9    90          nop
100010FA    90          nop
100010FB    90          nop
100010FC    90          nop
100010FD    90          nop
100010FE    90          nop
100010FF    90          nop
10001100 .  51          push ecx
10001101 .  8B4424 0C    mov eax,dword ptr ss:[esp+C]
10001105 .  33D2       xor edx,edx
10001107 .  53          push ebx
10001108 .  55          push ebp
10001109 .  8AD4       mov dl,ah
1000110B .  56          push esi
1000110C .  8BC8       mov ecx,eax
1000110E .  57          push edi
1000110F .  8BEA       mov ebp,edx
10001111 .  33FF       xor edi,edi
10001113 .  81E1 FF000000 and ecx,0FF
10001119 .  85ED       test ebp,ebp
1000111B .  894C24 10    mov dword ptr ss:[esp+10],ecx
1000111F .  75 20       jnz short car_exam.10001141
10001121 .  85C9       test ecx,ecx
10001123 .  75 1C       jnz short car_exam.10001141
10001125 .  8B5424 18    mov edx,dword ptr ss:[esp+18]
10001129 .  83C9 FF    or ecx,FFFFFFFF
1000112C .  8BFA       mov edi,edx
1000112E .  33C0       xor eax,eax
10001130 .  F2:AE       repne scas byte ptr es:[edi]
10001132 .  F7D1       not ecx
10001134 .  49          dec ecx
10001135 .  8BC1       mov eax,ecx
10001137 .  03C2       add eax,edx
10001139 .  5F          pop edi
1000113A .  5E          pop esi
1000113B .  5D          pop ebp
1000113C .  5B          pop ebx
1000113D .  59          pop ecx
1000113E .  C2 0800    retn 8
10001141 >  8B7424 18    mov esi,dword ptr ss:[esp+18]
10001145 .  33DB       xor ebx,ebx
10001147 .  803E 00    cmp byte ptr ds:[esi],0
1000114A .  74 51       je short car_exam.1000119D
1000114C .  EB 04       jmp short car_exam.10001152
1000114E >  8B4C24 10    mov ecx,dword ptr ss:[esp+10]
10001152 >  85FF       test edi,edi
10001154 .  74 1D       je short car_exam.10001173
10001156 .  33FF       xor edi,edi
10001158 .  85ED       test ebp,ebp
1000115A .  74 39       je short car_exam.10001195
1000115C .  8D46 FF    lea eax,dword ptr ds:[esi-1]
1000115F .  33D2       xor edx,edx
10001161 .  8A10       mov dl,byte ptr ds:[eax]
10001163 .  3BD5       cmp edx,ebp
10001165 .  75 2E       jnz short car_exam.10001195
10001167 .  33D2       xor edx,edx
10001169 .  8A16       mov dl,byte ptr ds:[esi]
1000116B .  3BD1       cmp edx,ecx
1000116D .  75 26       jnz short car_exam.10001195
1000116F .  8BD8       mov ebx,eax
10001171 .  EB 22       jmp short car_exam.10001195
10001173 >  8A06       mov al,byte ptr ds:[esi]
10001175 .  50          push eax                            ; /TestChar
10001176 .  FF15 10500010 call dword ptr ds:[<&KERNEL32.IsDBCS>; \IsDBCSLeadByte
1000117C .  85C0       test eax,eax
1000117E .  74 07       je short car_exam.10001187
10001180 .  BF 01000000 mov edi,1
10001185 .  EB 0E       jmp short car_exam.10001195
10001187 >  8B4424 1C    mov eax,dword ptr ss:[esp+1C]
1000118B .  33C9       xor ecx,ecx
1000118D .  8A0E       mov cl,byte ptr ds:[esi]
1000118F .  3BC8       cmp ecx,eax
10001191 .  75 02       jnz short car_exam.10001195
10001193 .  8BDE       mov ebx,esi
10001195 >  8A46 01    mov al,byte ptr ds:[esi+1]
10001198 .  46          inc esi
10001199 .  84C0       test al,al
1000119B .^ 75 B1       jnz short car_exam.1000114E
1000119D >  5F          pop edi
1000119E .  5E          pop esi
1000119F .  8BC3       mov eax,ebx
100011A1 .  5D          pop ebp
100011A2 .  5B          pop ebx
100011A3 .  59          pop ecx
100011A4 .  C2 0800    retn 8
100011A7    90          nop
100011A8    90          nop
100011A9    90          nop
100011AA    90          nop
100011AB    90          nop
100011AC    90          nop
100011AD    90          nop
100011AE    90          nop
100011AF    90          nop
100011B0  /$  51          push ecx
100011B1  |.  8B4424 0C    mov eax,dword ptr ss:[esp+C]
100011B5  |.  53          push ebx
100011B6  |.  33C9       xor ecx,ecx
100011B8  |.  55          push ebp
100011B9  |.  56          push esi
100011BA  |.  8ACC       mov cl,ah
100011BC  |.  57          push edi
100011BD  |.  8BD8       mov ebx,eax
100011BF  |.  33FF       xor edi,edi
100011C1  |.  8BE9       mov ebp,ecx
100011C3  |.  81E3 FF000000 and ebx,0FF
100011C9  |.  3BEF       cmp ebp,edi
100011CB  |.  75 20       jnz short car_exam.100011ED
100011CD  |.  3BDF       cmp ebx,edi
100011CF  |.  75 1C       jnz short car_exam.100011ED
100011D1  |.  8B5424 18    mov edx,dword ptr ss:[esp+18]
100011D5  |.  83C9 FF    or ecx,FFFFFFFF
100011D8  |.  8BFA       mov edi,edx
100011DA  |.  33C0       xor eax,eax
100011DC  |.  F2:AE       repne scas byte ptr es:[edi]
100011DE  |.  F7D1       not ecx
100011E0  |.  49          dec ecx
100011E1  |.  8BC1       mov eax,ecx
100011E3  |.  03C2       add eax,edx
100011E5  |.  5F          pop edi
100011E6  |.  5E          pop esi
100011E7  |.  5D          pop ebp
100011E8  |.  5B          pop ebx
100011E9  |.  59          pop ecx
100011EA  |.  C2 0800    retn 8
100011ED  |>  8B7424 18    mov esi,dword ptr ss:[esp+18]
100011F1  |.  897C24 10    mov dword ptr ss:[esp+10],edi
100011F5  |.  803E 00    cmp byte ptr ds:[esi],0
100011F8  |.  74 56       je short car_exam.10001250
100011FA  |>  85FF       /test edi,edi
100011FC  |.  74 19       |je short car_exam.10001217
100011FE  |.  33FF       |xor edi,edi
10001200  |.  85ED       |test ebp,ebp
10001202  |.  74 33       |je short car_exam.10001237
10001204  |.  33D2       |xor edx,edx
10001206  |.  8A56 FF    |mov dl,byte ptr ds:[esi-1]
10001209  |.  3BD5       |cmp edx,ebp
1000120B  |.  75 2A       |jnz short car_exam.10001237
1000120D  |.  33C0       |xor eax,eax
1000120F  |.  8A06       |mov al,byte ptr ds:[esi]
10001211  |.  3BC3       |cmp eax,ebx
10001213  |.  74 36       |je short car_exam.1000124B
10001215  |.  EB 20       |jmp short car_exam.10001237
10001217  |>  8A0E       |mov cl,byte ptr ds:[esi]
10001219  |.  51          |push ecx                         ; /TestChar
1000121A  |.  FF15 10500010 |call dword ptr ds:[<&KERNEL32.IsDBC>; \IsDBCSLeadByte
10001220  |.  85C0       |test eax,eax
10001222  |.  74 07       |je short car_exam.1000122B
10001224  |.  BF 01000000 |mov edi,1
10001229  |.  EB 0C       |jmp short car_exam.10001237
1000122B  |>  8B4424 1C    |mov eax,dword ptr ss:[esp+1C]
1000122F  |.  33D2       |xor edx,edx
10001231  |.  8A16       |mov dl,byte ptr ds:[esi]
10001233  |.  3BD0       |cmp edx,eax
10001235  |.  74 15       |je short car_exam.1000124C
10001237  |>  8A46 01    |mov al,byte ptr ds:[esi+1]
1000123A  |.  46          |inc esi
1000123B  |.  84C0       |test al,al
1000123D  |.^ 75 BB       \jnz short car_exam.100011FA
1000123F  |.  8B4424 10    mov eax,dword ptr ss:[esp+10]
10001243  |.  5F          pop edi
10001244  |.  5E          pop esi
10001245  |.  5D          pop ebp
10001246  |.  5B          pop ebx
10001247  |.  59          pop ecx
10001248  |.  C2 0800    retn 8
1000124B  |>  4E          dec esi
1000124C  |>  897424 10    mov dword ptr ss:[esp+10],esi
10001250  |>  8B4424 10    mov eax,dword ptr ss:[esp+10]
10001254  |.  5F          pop edi
10001255  |.  5E          pop esi
10001256  |.  5D          pop ebp
10001257  |.  5B          pop ebx
10001258  |.  59          pop ecx
10001259  \.  C2 0800    retn 8
1000125C    90          nop
1000125D    90          nop
1000125E    90          nop
1000125F    90          nop
10001260 .  53          push ebx
10001261 .  55          push ebp
10001262 .  56          push esi
10001263 .  8B7424 10    mov esi,dword ptr ss:[esp+10]
10001267 .  33DB       xor ebx,ebx
10001269 .  33ED       xor ebp,ebp
1000126B .  8A06       mov al,byte ptr ds:[esi]
1000126D .  57          push edi
1000126E .  84C0       test al,al
10001270 .  74 5F       je short car_exam.100012D1
10001272 .  8B7C24 14    mov edi,dword ptr ss:[esp+14]
10001276 >  85DB       test ebx,ebx
10001278 .  74 0A       je short car_exam.10001284
1000127A .  33C0       xor eax,eax
1000127C .  33DB       xor ebx,ebx
1000127E .  8A06       mov al,byte ptr ds:[esi]
10001280 .  0BF8       or edi,eax
10001282 .  EB 24       jmp short car_exam.100012A8
10001284 >  8A0E       mov cl,byte ptr ds:[esi]
10001286 .  51          push ecx                            ; /TestChar
10001287 .  FF15 10500010 call dword ptr ds:[<&KERNEL32.IsDBCS>; \IsDBCSLeadByte
1000128D .  85C0       test eax,eax
1000128F .  74 0F       je short car_exam.100012A0
10001291 .  33D2       xor edx,edx
10001293 .  BB 01000000 mov ebx,1
10001298 .  8A36       mov dh,byte ptr ds:[esi]
1000129A .  8BEE       mov ebp,esi
1000129C .  8BFA       mov edi,edx
1000129E .  EB 17       jmp short car_exam.100012B7
100012A0 >  33C0       xor eax,eax
100012A2 .  8BEE       mov ebp,esi
100012A4 .  8A06       mov al,byte ptr ds:[esi]
100012A6 .  8BF8       mov edi,eax
100012A8 >  8B4C24 18    mov ecx,dword ptr ss:[esp+18]
100012AC .  57          push edi
100012AD .  51          push ecx
100012AE .  E8 FDFEFFFF call car_exam.100011B0
100012B3 .  85C0       test eax,eax
100012B5 .  75 11       jnz short car_exam.100012C8
100012B7 >  8A46 01    mov al,byte ptr ds:[esi+1]
100012BA .  46          inc esi
100012BB .  84C0       test al,al
100012BD .^ 75 B7       jnz short car_exam.10001276
100012BF .  33C0       xor eax,eax
100012C1 .  5F          pop edi
100012C2 .  5E          pop esi
100012C3 .  5D          pop ebp
100012C4 .  5B          pop ebx
100012C5 .  C2 0800    retn 8
100012C8 >  8BC5       mov eax,ebp
100012CA .  5F          pop edi
100012CB .  5E          pop esi
100012CC .  5D          pop ebp
100012CD .  5B          pop ebx
100012CE .  C2 0800    retn 8
100012D1 >  5F          pop edi
100012D2 .  5E          pop esi
100012D3 .  5D          pop ebp
100012D4 .  33C0       xor eax,eax
100012D6 .  5B          pop ebx
100012D7 .  C2 0800    retn 8
100012DA    90          nop
100012DB    90          nop
100012DC    90          nop
100012DD    90          nop
100012DE    90          nop
100012DF    90          nop
100012E0 .  83EC 08    sub esp,8
100012E3 .  53          push ebx
100012E4 .  55          push ebp
100012E5 .  8B6C24 14    mov ebp,dword ptr ss:[esp+14]
100012E9 .  56          push esi
100012EA .  57          push edi
100012EB .  C74424 10 000>mov dword ptr ss:[esp+10],0
100012F3 .  8A45 00    mov al,byte ptr ss:[ebp]
100012F6 .  896C24 1C    mov dword ptr ss:[esp+1C],ebp
100012FA .  84C0       test al,al
100012FC .  0F84 C3000000 je car_exam.100013C5
10001302 >  8B7424 20    mov esi,dword ptr ss:[esp+20]
10001306 .  83C9 FF    or ecx,FFFFFFFF
10001309 .  8BFE       mov edi,esi
1000130B .  33C0       xor eax,eax
1000130D .  F2:AE       repne scas byte ptr es:[edi]
1000130F .  F7D1       not ecx
10001311 .  49          dec ecx
10001312 .  8BFD       mov edi,ebp
10001314 .  8BD1       mov edx,ecx
10001316 .  83C9 FF    or ecx,FFFFFFFF
10001319 .  F2:AE       repne scas byte ptr es:[edi]
1000131B .  F7D1       not ecx
1000131D .  49          dec ecx
1000131E .  3BD1       cmp edx,ecx
10001320 .  0F87 9F000000 ja car_exam.100013C5
10001326 .  8B4424 10    mov eax,dword ptr ss:[esp+10]
1000132A .  85C0       test eax,eax
1000132C .  74 0A       je short car_exam.10001338
1000132E .  C74424 10 000>mov dword ptr ss:[esp+10],0
10001336 .  EB 65       jmp short car_exam.1000139D
10001338 >  8A45 00    mov al,byte ptr ss:[ebp]
1000133B .  50          push eax                            ; /TestChar
1000133C .  FF15 10500010 call dword ptr ds:[<&KERNEL32.IsDBCS>; \IsDBCSLeadByte
10001342 .  85C0       test eax,eax
10001344 .  74 08       je short car_exam.1000134E
10001346 .  C74424 10 010>mov dword ptr ss:[esp+10],1
1000134E >  8A06       mov al,byte ptr ds:[esi]
10001350 .  8BD6       mov edx,esi
10001352 .  84C0       test al,al
10001354 .  74 42       je short car_exam.10001398
10001356 .  2BEE       sub ebp,esi
10001358 >  8A1C2A       mov bl,byte ptr ds:[edx+ebp]
1000135B .  8D342A       lea esi,dword ptr ds:[edx+ebp]
1000135E .  84DB       test bl,bl
10001360 .  74 32       je short car_exam.10001394
10001362 .  8BFA       mov edi,edx
10001364 .  83C9 FF    or ecx,FFFFFFFF
10001367 .  33C0       xor eax,eax
10001369 .  F2:AE       repne scas byte ptr es:[edi]
1000136B .  F7D1       not ecx
1000136D .  49          dec ecx
1000136E .  8BFE       mov edi,esi
10001370 .  8BC1       mov eax,ecx
10001372 .  83C9 FF    or ecx,FFFFFFFF
10001375 .  894424 14    mov dword ptr ss:[esp+14],eax
10001379 .  33C0       xor eax,eax
1000137B .  F2:AE       repne scas byte ptr es:[edi]
1000137D .  8B4424 14    mov eax,dword ptr ss:[esp+14]
10001381 .  F7D1       not ecx
10001383 .  49          dec ecx
10001384 .  3BC8       cmp ecx,eax
10001386 .  72 0C       jb short car_exam.10001394
10001388 .  3A1A       cmp bl,byte ptr ds:[edx]
1000138A .  75 08       jnz short car_exam.10001394
1000138C .  8A42 01    mov al,byte ptr ds:[edx+1]
1000138F .  42          inc edx
10001390 .  84C0       test al,al
10001392 .^ 75 C4       jnz short car_exam.10001358
10001394 >  8B6C24 1C    mov ebp,dword ptr ss:[esp+1C]
10001398 >  803A 00    cmp byte ptr ds:[edx],0
1000139B .  74 1C       je short car_exam.100013B9
1000139D >  8A45 01    mov al,byte ptr ss:[ebp+1]
100013A0 .  45          inc ebp
100013A1 .  84C0       test al,al
100013A3 .  896C24 1C    mov dword ptr ss:[esp+1C],ebp
100013A7 .^ 0F85 55FFFFFF jnz car_exam.10001302
100013AD .  33C0       xor eax,eax
100013AF .  5F          pop edi
100013B0 .  5E          pop esi
100013B1 .  5D          pop ebp
100013B2 .  5B          pop ebx
100013B3 .  83C4 08    add esp,8
100013B6 .  C2 0800    retn 8
100013B9 >  8BC5       mov eax,ebp
100013BB .  5F          pop edi
100013BC .  5E          pop esi
100013BD .  5D          pop ebp
100013BE .  5B          pop ebx
100013BF .  83C4 08    add esp,8
100013C2 .  C2 0800    retn 8
100013C5 >  5F          pop edi
100013C6 .  5E          pop esi
100013C7 .  5D          pop ebp
100013C8 .  33C0       xor eax,eax
100013CA .  5B          pop ebx
100013CB .  83C4 08    add esp,8
100013CE .  C2 0800    retn 8
100013D1    90          nop
100013D2    90          nop
100013D3    90          nop
100013D4    90          nop
100013D5    90          nop
100013D6    90          nop
100013D7    90          nop
100013D8    90          nop
100013D9    90          nop
100013DA    90          nop
100013DB    90          nop
100013DC    90          nop
100013DD    90          nop
100013DE    90          nop
100013DF    90          nop
100013E0  /$  53          push ebx
100013E1  |.  55          push ebp
100013E2  |.  56          push esi
100013E3  |.  8B7424 10    mov esi,dword ptr ss:[esp+10]
100013E7  |.  57          push edi
100013E8  |.  33ED       xor ebp,ebp
100013EA  |.  8A06       mov al,byte ptr ds:[esi]
100013EC  |.  33FF       xor edi,edi
100013EE  |.  84C0       test al,al
100013F0  |.  74 76       je short car_exam.10001468
100013F2  |.  8A5C24 1C    mov bl,byte ptr ss:[esp+1C]
100013F6  |>  3B6C24 18    /cmp ebp,dword ptr ss:[esp+18]
100013FA  |.  7D 6C       |jge short car_exam.10001468
100013FC  |.  85FF       |test edi,edi
100013FE  |.  74 04       |je short car_exam.10001404
10001400  |.  33FF       |xor edi,edi
10001402  |.  EB 5B       |jmp short car_exam.1000145F
10001404  |>  8A06       |mov al,byte ptr ds:[esi]
10001406  |.  50          |push eax                         ; /TestChar
10001407  |.  FF15 10500010 |call dword ptr ds:[<&KERNEL32.IsDBC>; \IsDBCSLeadByte
1000140D  |.  85C0       |test eax,eax
1000140F  |.  74 07       |je short car_exam.10001418
10001411  |.  BF 01000000 |mov edi,1
10001416  |.  EB 47       |jmp short car_exam.1000145F
10001418  |>  F6C3 01    |test bl,1
1000141B  |.  74 1D       |je short car_exam.1000143A
1000141D  |.  33C9       |xor ecx,ecx
1000141F  |.  8A0E       |mov cl,byte ptr ds:[esi]
10001421  |.  51          |push ecx
10001422  |.  E8 59050000 |call car_exam.10001980
10001427  |.  83C4 04    |add esp,4
1000142A  |.  85C0       |test eax,eax
1000142C  |.  74 0C       |je short car_exam.1000143A
1000142E  |.  33D2       |xor edx,edx
10001430  |.  8A16       |mov dl,byte ptr ds:[esi]
10001432  |.  52          |push edx
10001433  |.  E8 78050000 |call car_exam.100019B0
10001438  |.  EB 20       |jmp short car_exam.1000145A
1000143A  |>  F6C3 02    |test bl,2
1000143D  |.  74 20       |je short car_exam.1000145F
1000143F  |.  33C0       |xor eax,eax
10001441  |.  8A06       |mov al,byte ptr ds:[esi]
10001443  |.  50          |push eax
10001444  |.  E8 07050000 |call car_exam.10001950
10001449  |.  83C4 04    |add esp,4
1000144C  |.  85C0       |test eax,eax
1000144E  |.  74 0F       |je short car_exam.1000145F
10001450  |.  33C9       |xor ecx,ecx
10001452  |.  8A0E       |mov cl,byte ptr ds:[esi]
10001454  |.  51          |push ecx
10001455  |.  E8 F6030000 |call car_exam.10001850
1000145A  |>  83C4 04    |add esp,4
1000145D  |.  8806       |mov byte ptr ds:[esi],al
1000145F  |>  8A46 01    |mov al,byte ptr ds:[esi+1]
10001462  |.  46          |inc esi
10001463  |.  45          |inc ebp
10001464  |.  84C0       |test al,al
10001466  |.^ 75 8E       \jnz short car_exam.100013F6
10001468  |>  5F          pop edi
10001469  |.  8BC5       mov eax,ebp
1000146B  |.  5E          pop esi
1000146C  |.  5D          pop ebp
1000146D  |.  5B          pop ebx
1000146E  \.  C2 0C00    retn 0C
10001471    90          nop
10001472    90          nop
10001473    90          nop
10001474    90          nop
10001475    90          nop
10001476    90          nop
10001477    90          nop
10001478    90          nop
10001479    90          nop
1000147A    90          nop
1000147B    90          nop
1000147C    90          nop
1000147D    90          nop
1000147E    90          nop
1000147F    90          nop
10001480 .  8B4424 08    mov eax,dword ptr ss:[esp+8]
10001484 .  8B4C24 04    mov ecx,dword ptr ss:[esp+4]
10001488 .  6A 02       push 2
1000148A .  50          push eax
1000148B .  51          push ecx
1000148C .  E8 4FFFFFFF call car_exam.100013E0
10001491 .  C2 0800    retn 8
10001494    90          nop
10001495    90          nop
10001496    90          nop
10001497    90          nop
10001498    90          nop
10001499    90          nop
1000149A    90          nop
1000149B    90          nop
1000149C    90          nop
1000149D    90          nop
1000149E    90          nop
1000149F    90          nop
100014A0 .  8B4424 08    mov eax,dword ptr ss:[esp+8]
100014A4 .  8B4C24 04    mov ecx,dword ptr ss:[esp+4]
100014A8 .  6A 01       push 1
100014AA .  50          push eax
100014AB .  51          push ecx
100014AC .  E8 2FFFFFFF call car_exam.100013E0
100014B1 .  C2 0800    retn 8
100014B4    90          nop
100014B5    90          nop
100014B6    90          nop
100014B7    90          nop
100014B8    90          nop
100014B9    90          nop
100014BA    90          nop
100014BB    90          nop
100014BC    90          nop
100014BD    90          nop
100014BE    90          nop
100014BF    90          nop
100014C0 .  56          push esi
100014C1 .  8B7424 08    mov esi,dword ptr ss:[esp+8]
100014C5 .  57          push edi
100014C6 .  8BFE       mov edi,esi
100014C8 .  83C9 FF    or ecx,FFFFFFFF
100014CB .  33C0       xor eax,eax
100014CD .  F2:AE       repne scas byte ptr es:[edi]
100014CF .  F7D1       not ecx
100014D1 .  49          dec ecx
100014D2 .  6A 02       push 2
100014D4 .  51          push ecx
100014D5 .  56          push esi
100014D6 .  E8 05FFFFFF call car_exam.100013E0
100014DB .  8BC6       mov eax,esi
100014DD .  5F          pop edi
100014DE .  5E          pop esi
100014DF .  C2 0400    retn 4
100014E2    90          nop
100014E3    90          nop
100014E4    90          nop
100014E5    90          nop
100014E6    90          nop
100014E7    90          nop
100014E8    90          nop
100014E9    90          nop
100014EA    90          nop
100014EB    90          nop
100014EC    90          nop
100014ED    90          nop
100014EE    90          nop
100014EF    90          nop
100014F0 .  56          push esi
100014F1 .  8B7424 08    mov esi,dword ptr ss:[esp+8]
100014F5 .  57          push edi
100014F6 .  8BFE       mov edi,esi
100014F8 .  83C9 FF    or ecx,FFFFFFFF
100014FB .  33C0       xor eax,eax
100014FD .  F2:AE       repne scas byte ptr es:[edi]
100014FF .  F7D1       not ecx
10001501 .  49          dec ecx
10001502 .  6A 01       push 1
10001504 .  51          push ecx
10001505 .  56          push esi
10001506 .  E8 D5FEFFFF call car_exam.100013E0
1000150B .  8BC6       mov eax,esi
1000150D .  5F          pop edi
1000150E .  5E          pop esi
1000150F .  C2 0400    retn 4
10001512    90          nop
10001513    90          nop
10001514    90          nop
10001515    90          nop
10001516    90          nop
10001517    90          nop
10001518    90          nop
10001519    90          nop
1000151A    90          nop
1000151B    90          nop
1000151C    90          nop
1000151D    90          nop
1000151E    90          nop
1000151F    90          nop
10001520 .  53          push ebx
10001521 .  55          push ebp
10001522 .  56          push esi
10001523 .  8B7424 10    mov esi,dword ptr ss:[esp+10]
10001527 .  57          push edi
10001528 .  83C8 FF    or eax,FFFFFFFF
1000152B .  8A0E       mov cl,byte ptr ds:[esi]
1000152D .  33FF       xor edi,edi
1000152F .  84C9       test cl,cl
10001531 .  74 4B       je short car_exam.1000157E
10001533 .  8B5C24 18    mov ebx,dword ptr ss:[esp+18]
10001537 .  8B2D 10500010 mov ebp,dword ptr ds:[<&KERNEL32.IsD>;  kernel32.IsDBCSLeadByte
1000153D >  3BFB       cmp edi,ebx
1000153F .  7F 3D       jg short car_exam.1000157E
10001541 .  83F8 01    cmp eax,1
10001544 .  75 16       jnz short car_exam.1000155C
10001546 .  33C0       xor eax,eax
10001548 .  8A06       mov al,byte ptr ds:[esi]
1000154A .  50          push eax
1000154B .  E8 80050000 call car_exam.10001AD0
10001550 .  83C4 04    add esp,4
10001553 .  F7D8       neg eax
10001555 .  1BC0       sbb eax,eax
10001557 .  83E0 03    and eax,3
1000155A .  EB 18       jmp short car_exam.10001574
1000155C >  8A0E       mov cl,byte ptr ds:[esi]
1000155E .  51          push ecx
1000155F .  FFD5       call ebp
10001561 .  85C0       test eax,eax
10001563 .  74 07       je short car_exam.1000156C
10001565 .  B8 01000000 mov eax,1
1000156A .  EB 09       jmp short car_exam.10001575
1000156C >  8A06       mov al,byte ptr ds:[esi]
1000156E .  F6D8       neg al
10001570 .  1BC0       sbb eax,eax
10001572 .  F7D8       neg eax
10001574 >  48          dec eax
10001575 >  8A4E 01    mov cl,byte ptr ds:[esi+1]
10001578 .  46          inc esi
10001579 .  47          inc edi
1000157A .  84C9       test cl,cl
1000157C .^ 75 BF       jnz short car_exam.1000153D
1000157E >  5F          pop edi
1000157F .  5E          pop esi
10001580 .  5D          pop ebp
10001581 .  5B          pop ebx
10001582 .  C2 0800    retn 8
10001585    90          nop
10001586    90          nop
10001587    90          nop
10001588    90          nop
10001589    90          nop
1000158A    90          nop
1000158B    90          nop
1000158C    90          nop
1000158D    90          nop
1000158E    90          nop
1000158F    90          nop
10001590 .  53          push ebx
10001591 .  55          push ebp
10001592 .  56          push esi
10001593 .  57          push edi
10001594 .  8B7C24 14    mov edi,dword ptr ss:[esp+14]
10001598 .  33F6       xor esi,esi
1000159A .  85FF       test edi,edi
1000159C .  74 26       je short car_exam.100015C4
1000159E .  8A07       mov al,byte ptr ds:[edi]
100015A0 .  84C0       test al,al
100015A2 .  74 20       je short car_exam.100015C4
100015A4 .  8B2D 10500010 mov ebp,dword ptr ds:[<&KERNEL32.IsD>;  kernel32.IsDBCSLeadByte
100015AA .  33DB       xor ebx,ebx
100015AC >  85F6       test esi,esi
100015AE .  74 1D       je short car_exam.100015CD
100015B0 .  33F6       xor esi,esi
100015B2 >  43          inc ebx
100015B3 >  8A47 01    mov al,byte ptr ds:[edi+1]
100015B6 .  47          inc edi
100015B7 .  84C0       test al,al
100015B9 .^ 75 F1       jnz short car_exam.100015AC
100015BB .  8BC3       mov eax,ebx
100015BD .  5F          pop edi
100015BE .  5E          pop esi
100015BF .  5D          pop ebp
100015C0 .  5B          pop ebx
100015C1 .  C2 0400    retn 4
100015C4 >  5F          pop edi
100015C5 .  5E          pop esi
100015C6 .  5D          pop ebp
100015C7 .  33C0       xor eax,eax
100015C9 .  5B          pop ebx
100015CA .  C2 0400    retn 4
100015CD >  50          push eax
100015CE .  FFD5       call ebp
100015D0 .  85C0       test eax,eax
100015D2 .^ 74 DE       je short car_exam.100015B2
100015D4 .  BE 01000000 mov esi,1
100015D9 .^ EB D8       jmp short car_exam.100015B3
100015DB    90          nop
100015DC    90          nop
100015DD    90          nop
100015DE    90          nop
100015DF    90          nop
100015E0 .  53          push ebx
100015E1 .  55          push ebp
100015E2 .  56          push esi
100015E3 .  8B7424 10    mov esi,dword ptr ss:[esp+10]
100015E7 .  57          push edi
100015E8 .  33FF       xor edi,edi
100015EA .  85F6       test esi,esi
100015EC .  74 29       je short car_exam.10001617
100015EE .  8A06       mov al,byte ptr ds:[esi]
100015F0 .  84C0       test al,al
100015F2 .  74 23       je short car_exam.10001617
100015F4 .  33ED       xor ebp,ebp
100015F6 .  33DB       xor ebx,ebx
100015F8 >  3B5C24 18    cmp ebx,dword ptr ss:[esp+18]
100015FC .  73 10       jnb short car_exam.1000160E
100015FE .  85FF       test edi,edi
10001600 .  74 1E       je short car_exam.10001620
10001602 .  33FF       xor edi,edi
10001604 >  43          inc ebx
10001605 >  8A46 01    mov al,byte ptr ds:[esi+1]
10001608 .  46          inc esi
10001609 .  45          inc ebp
1000160A .  84C0       test al,al
1000160C .^ 75 EA       jnz short car_exam.100015F8
1000160E >  8BC5       mov eax,ebp
10001610 .  5F          pop edi
10001611 .  5E          pop esi
10001612 .  5D          pop ebp
10001613 .  5B          pop ebx
10001614 .  C2 0800    retn 8
10001617 >  5F          pop edi
10001618 .  5E          pop esi
10001619 .  5D          pop ebp
1000161A .  33C0       xor eax,eax
1000161C .  5B          pop ebx
1000161D .  C2 0800    retn 8
10001620 >  50          push eax                            ; /TestChar
10001621 .  FF15 10500010 call dword ptr ds:[<&KERNEL32.IsDBCS>; \IsDBCSLeadByte
10001627 .  85C0       test eax,eax
10001629 .^ 74 D9       je short car_exam.10001604
1000162B .  BF 01000000 mov edi,1
10001630 .^ EB D3       jmp short car_exam.10001605
10001632    90          nop
10001633    90          nop
10001634    90          nop
10001635    90          nop
10001636    90          nop
10001637    90          nop
10001638    90          nop
10001639    90          nop
1000163A    90          nop
1000163B    90          nop
1000163C    90          nop
1000163D    90          nop
1000163E    90          nop
1000163F    90          nop
10001640 .  53          push ebx
10001641 .  55          push ebp
10001642 .  56          push esi
10001643 .  8B7424 10    mov esi,dword ptr ss:[esp+10]
10001647 .  57          push edi
10001648 .  33FF       xor edi,edi
1000164A .  85F6       test esi,esi
1000164C .  74 29       je short car_exam.10001677
1000164E .  8A06       mov al,byte ptr ds:[esi]
10001650 .  84C0       test al,al
10001652 .  74 23       je short car_exam.10001677
10001654 .  33ED       xor ebp,ebp
10001656 .  33DB       xor ebx,ebx
10001658 >  3B5C24 18    cmp ebx,dword ptr ss:[esp+18]
1000165C .  73 10       jnb short car_exam.1000166E
1000165E .  85FF       test edi,edi
10001660 .  74 1E       je short car_exam.10001680
10001662 .  33FF       xor edi,edi
10001664 >  45          inc ebp
10001665 >  8A46 01    mov al,byte ptr ds:[esi+1]
10001668 .  46          inc esi
10001669 .  43          inc ebx
1000166A .  84C0       test al,al
1000166C .^ 75 EA       jnz short car_exam.10001658
1000166E >  8BC5       mov eax,ebp
10001670 .  5F          pop edi
10001671 .  5E          pop esi
10001672 .  5D          pop ebp
10001673 .  5B          pop ebx
10001674 .  C2 0800    retn 8
10001677 >  5F          pop edi
10001678 .  5E          pop esi
10001679 .  5D          pop ebp
1000167A .  33C0       xor eax,eax
1000167C .  5B          pop ebx
1000167D .  C2 0800    retn 8
10001680 >  50          push eax                            ; /TestChar
10001681 .  FF15 10500010 call dword ptr ds:[<&KERNEL32.IsDBCS>; \IsDBCSLeadByte
10001687 .  85C0       test eax,eax
10001689 .^ 74 D9       je short car_exam.10001664
1000168B .  BF 01000000 mov edi,1
10001690 .^ EB D3       jmp short car_exam.10001665
10001692    90          nop
10001693    90          nop
10001694    90          nop
10001695    90          nop
10001696    90          nop
10001697    90          nop
10001698    90          nop
10001699    90          nop
1000169A    90          nop
1000169B    90          nop
1000169C    90          nop
1000169D    90          nop
1000169E    90          nop
1000169F    90          nop
100016A0 .  8B4424 04    mov eax,dword ptr ss:[esp+4]
100016A4 .  A8 80       test al,80
100016A6 .  75 12       jnz short car_exam.100016BA
100016A8 .  83F8 30    cmp eax,30
100016AB .  7C 0D       jl short car_exam.100016BA
100016AD .  83F8 39    cmp eax,39
100016B0 .  7F 08       jg short car_exam.100016BA
100016B2 .  B8 01000000 mov eax,1
100016B7 .  C2 0400    retn 4
100016BA >  33C0       xor eax,eax
100016BC .  C2 0400    retn 4
100016BF    90          nop
100016C0 $- FF25 94500010 jmp dword ptr ds:[<&PBVM80.#137>] ;  PBVM80.FN_RunExecutable
100016C6    CC          int3
100016C7    CC          int3
100016C8    CC          int3
100016C9    CC          int3
100016CA    CC          int3
100016CB    CC          int3
100016CC    CC          int3
100016CD    CC          int3
100016CE    CC          int3
100016CF    CC          int3
100016D0  />  8D42 FF    lea eax,dword ptr ds:[edx-1]
100016D3  |.  5B          pop ebx
100016D4  |.  C3          retn
100016D5  | 2E          db 2E                               ;  CHAR '.'
100016D6  | 8BC0       mov eax,eax
100016D8  | 2E          db 2E                               ;  CHAR '.'
100016D9  | 8BC0       mov eax,eax
100016DB  | 2E          db 2E                               ;  CHAR '.'
100016DC  | 8BC0       mov eax,eax
100016DE  | 8BC0       mov eax,eax
100016E0  |$  33C0       xor eax,eax
100016E2  |.  8A4424 08    mov al,byte ptr ss:[esp+8]
100016E6  |.  53          push ebx
100016E7  |.  8BD8       mov ebx,eax
100016E9  |.  C1E0 08    shl eax,8
100016EC  |.  8B5424 08    mov edx,dword ptr ss:[esp+8]
100016F0  |.  F7C2 03000000 test edx,3
100016F6  |.  74 13       je short car_exam.1000170B
100016F8  |>  8A0A       /mov cl,byte ptr ds:[edx]
100016FA  |.  42          |inc edx
100016FB  |.  38D9       |cmp cl,bl
100016FD  |.^ 74 D1       |je short car_exam.100016D0
100016FF  |.  84C9       |test cl,cl
10001701  |.  74 51       |je short car_exam.10001754
10001703  |.  F7C2 03000000 |test edx,3
10001709  |.^ 75 ED       \jnz short car_exam.100016F8
1000170B  |>  0BD8       or ebx,eax
1000170D  |.  57          push edi
1000170E  |.  8BC3       mov eax,ebx
10001710  |.  C1E3 10    shl ebx,10
10001713  |.  56          push esi
10001714  |.  0BD8       or ebx,eax
10001716  |>  8B0A       /mov ecx,dword ptr ds:[edx]
10001718  |.  BF FFFEFE7E |mov edi,7EFEFEFF
1000171D  |.  8BC1       |mov eax,ecx
1000171F  |.  8BF7       |mov esi,edi
10001721  |.  33CB       |xor ecx,ebx
10001723  |.  03F0       |add esi,eax
10001725  |.  03F9       |add edi,ecx
10001727  |.  83F1 FF    |xor ecx,FFFFFFFF
1000172A  |.  83F0 FF    |xor eax,FFFFFFFF
1000172D  |.  33CF       |xor ecx,edi
1000172F  |.  33C6       |xor eax,esi
10001731  |.  83C2 04    |add edx,4
10001734  |.  81E1 00010181 |and ecx,81010100
1000173A  |.  75 1C       |jnz short car_exam.10001758
1000173C  |.  25 00010181 |and eax,81010100
10001741  |.^ 74 D3       |je short car_exam.10001716
10001743  |.  25 00010101 |and eax,1010100
10001748  |.  75 08       |jnz short car_exam.10001752
1000174A  |.  81E6 00000080 |and esi,80000000
10001750  |.^ 75 C4       \jnz short car_exam.10001716
10001752  |>  5E          pop esi
10001753  |.  5F          pop edi
10001754  |>  5B          pop ebx
10001755  |.  33C0       xor eax,eax
10001757  |.  C3          retn
10001758  |>  8B42 FC    mov eax,dword ptr ds:[edx-4]
1000175B  |.  38D8       cmp al,bl
1000175D  |.  74 36       je short car_exam.10001795
1000175F  |.  84C0       test al,al
10001761  |.^ 74 EF       je short car_exam.10001752
10001763  |.  38DC       cmp ah,bl
10001765  |.  74 27       je short car_exam.1000178E
10001767  |.  84E4       test ah,ah
10001769  |.^ 74 E7       je short car_exam.10001752
1000176B  |.  C1E8 10    shr eax,10
1000176E  |.  38D8       cmp al,bl
10001770  |.  74 15       je short car_exam.10001787
10001772  |.  84C0       test al,al
10001774  |.^ 74 DC       je short car_exam.10001752
10001776  |.  38DC       cmp ah,bl
10001778  |.  74 06       je short car_exam.10001780
1000177A  |.  84E4       test ah,ah
1000177C  |.^ 74 D4       je short car_exam.10001752
1000177E  |.^ EB 96       jmp short car_exam.10001716
10001780  |>  5E          pop esi
10001781  |.  5F          pop edi
10001782  |.  8D42 FF    lea eax,dword ptr ds:[edx-1]
10001785  |.  5B          pop ebx
10001786  |.  C3          retn
10001787  |>  8D42 FE    lea eax,dword ptr ds:[edx-2]
1000178A  |.  5E          pop esi
1000178B  |.  5F          pop edi
1000178C  |.  5B          pop ebx
1000178D  |.  C3          retn
1000178E  |>  8D42 FD    lea eax,dword ptr ds:[edx-3]
10001791  |.  5E          pop esi
10001792  |.  5F          pop edi
10001793  |.  5B          pop ebx
10001794  |.  C3          retn
10001795  |>  8D42 FC    lea eax,dword ptr ds:[edx-4]
10001798  |.  5E          pop esi
10001799  |.  5F          pop edi
1000179A  |.  5B          pop ebx
1000179B  \.  C3          retn
1000179C    CC          int3
1000179D    CC          int3
1000179E    CC          int3
1000179F    CC          int3
100017A0  /$  A1 D0860010 mov eax,dword ptr ds:[100086D0]
100017A5  |.  53          push ebx
100017A6  |.  85C0       test eax,eax
100017A8  |.  56          push esi
100017A9  |.  75 15       jnz short car_exam.100017C0
100017AB  |.  8B4424 10    mov eax,dword ptr ss:[esp+10]
100017AF  |.  8B4C24 0C    mov ecx,dword ptr ss:[esp+C]
100017B3  |.  50          push eax
100017B4  |.  51          push ecx
100017B5  |.  E8 26FFFFFF call car_exam.100016E0
100017BA  |.  83C4 08    add esp,8
100017BD  |.  5E          pop esi
100017BE  |.  5B          pop ebx
100017BF  |.  C3          retn
100017C0  |>  8B5424 0C    mov edx,dword ptr ss:[esp+C]
100017C4  |.  8B7424 10    mov esi,dword ptr ss:[esp+10]
100017C8  |.  66:0FB602    movzx ax,byte ptr ds:[edx]
100017CC  |.  66:85C0    test ax,ax
100017CF  |.  74 66       je short car_exam.10001837
100017D1  |.  B3 04       mov bl,4
100017D3  |>  8BC8       /mov ecx,eax
100017D5  |.  81E1 FF000000 |and ecx,0FF
100017DB  |.  8499 C9840010 |test byte ptr ds:[ecx+100084C9],bl
100017E1  |.  74 1E       |je short car_exam.10001801
100017E3  |.  8A4A 01    |mov cl,byte ptr ds:[edx+1]
100017E6  |.  42          |inc edx
100017E7  |.  84C9       |test cl,cl
100017E9  |.  74 41       |je short car_exam.1000182C
100017EB  |.  25 FFFF0000 |and eax,0FFFF
100017F0  |.  81E1 FF000000 |and ecx,0FF
100017F6  |.  C1E0 08    |shl eax,8
100017F9  |.  0BC1       |or eax,ecx
100017FB  |.  3BF0       |cmp esi,eax
100017FD  |.  74 32       |je short car_exam.10001831
100017FF  |.  EB 0C       |jmp short car_exam.1000180D
10001801  |>  8BC8       |mov ecx,eax
10001803  |.  81E1 FFFF0000 |and ecx,0FFFF
10001809  |.  3BF1       |cmp esi,ecx
1000180B  |.  74 2A       |je short car_exam.10001837
1000180D  |>  66:0FB642 01  |movzx ax,byte ptr ds:[edx+1]
10001812  |.  42          |inc edx
10001813  |.  66:85C0    |test ax,ax
10001816  |.^ 75 BB       \jnz short car_exam.100017D3
10001818  |.  25 FFFF0000 and eax,0FFFF
1000181D  |.  33C9       xor ecx,ecx
1000181F  |.  3BF0       cmp esi,eax
10001821  |.  0F95C1       setne cl
10001824  |.  49          dec ecx
10001825  |.  23CA       and ecx,edx
10001827  |.  8BC1       mov eax,ecx
10001829  |.  5E          pop esi
1000182A  |.  5B          pop ebx
1000182B  |.  C3          retn
1000182C  |>  33C0       xor eax,eax
1000182E  |.  5E          pop esi
1000182F  |.  5B          pop ebx
10001830  |.  C3          retn
10001831  |>  8D42 FF    lea eax,dword ptr ds:[edx-1]
10001834  |.  5E          pop esi
10001835  |.  5B          pop ebx
10001836  |.  C3          retn
10001837  |>  25 FFFF0000 and eax,0FFFF
1000183C  |.  33C9       xor ecx,ecx
1000183E  |.  3BF0       cmp esi,eax
10001840  |.  5E          pop esi
10001841  |.  0F95C1       setne cl
10001844  |.  49          dec ecx
10001845  |.  5B          pop ebx
10001846  |.  23CA       and ecx,edx
10001848  |.  8BC1       mov eax,ecx
1000184A  \.  C3          retn
1000184B    90          nop
1000184C    90          nop
1000184D    90          nop
1000184E    90          nop
1000184F    90          nop
10001850  /$  A1 F8860010 mov eax,dword ptr ds:[100086F8]
10001855  |.  83EC 08    sub esp,8
10001858  |.  85C0       test eax,eax
1000185A  |.  53          push ebx
1000185B  |.  75 1E       jnz short car_exam.1000187B
1000185D  |.  8B4424 10    mov eax,dword ptr ss:[esp+10]
10001861  |.  83F8 41    cmp eax,41
10001864  |.  0F8C DF000000 jl car_exam.10001949
1000186A  |.  83F8 5A    cmp eax,5A
1000186D  |.  0F8F D6000000 jg car_exam.10001949
10001873  |.  83C0 20    add eax,20
10001876  |.  5B          pop ebx
10001877  |.  83C4 08    add esp,8
1000187A  |.  C3          retn
1000187B  |>  8B5C24 10    mov ebx,dword ptr ss:[esp+10]
1000187F  |.  81FB 00010000 cmp ebx,100
10001885  |.  7D 2C       jge short car_exam.100018B3
10001887  |.  833D 3C630010>cmp dword ptr ds:[1000633C],1
1000188E  |.  7E 0D       jle short car_exam.1000189D
10001890  |.  6A 01       push 1
10001892  |.  53          push ebx
10001893  |.  E8 E80B0000 call car_exam.10002480
10001898  |.  83C4 08    add esp,8
1000189B  |.  EB 0B       jmp short car_exam.100018A8
1000189D  |>  A1 30610010 mov eax,dword ptr ds:[10006130]
100018A2  |.  8A0458       mov al,byte ptr ds:[eax+ebx*2]
100018A5  |.  83E0 01    and eax,1
100018A8  |>  85C0       test eax,eax
100018AA  |.  75 07       jnz short car_exam.100018B3
100018AC  |.  8BC3       mov eax,ebx
100018AE  |.  5B          pop ebx
100018AF  |.  83C4 08    add esp,8
100018B2  |.  C3          retn
100018B3  |>  8B15 30610010 mov edx,dword ptr ds:[10006130]    ;  car_exam.1000613A
100018B9  |.  8BC3       mov eax,ebx
100018BB  |.  C1F8 08    sar eax,8
100018BE  |.  8BC8       mov ecx,eax
100018C0  |.  81E1 FF000000 and ecx,0FF
100018C6  |.  F6444A 01 80  test byte ptr ds:[edx+ecx*2+1],80
100018CB  |.  74 14       je short car_exam.100018E1
100018CD  |.  884424 10    mov byte ptr ss:[esp+10],al
100018D1  |.  885C24 11    mov byte ptr ss:[esp+11],bl
100018D5  |.  C64424 12 00  mov byte ptr ss:[esp+12],0
100018DA  |.  B8 02000000 mov eax,2
100018DF  |.  EB 0E       jmp short car_exam.100018EF
100018E1  |>  885C24 10    mov byte ptr ss:[esp+10],bl
100018E5  |.  C64424 11 00  mov byte ptr ss:[esp+11],0
100018EA  |.  B8 01000000 mov eax,1
100018EF  |>  6A 01       push 1
100018F1  |.  6A 00       push 0
100018F3  |.  8D4C24 0C    lea ecx,dword ptr ss:[esp+C]
100018F7  |.  6A 03       push 3
100018F9  |.  51          push ecx
100018FA  |.  8D5424 20    lea edx,dword ptr ss:[esp+20]
100018FE  |.  50          push eax
100018FF  |.  A1 F8860010 mov eax,dword ptr ds:[100086F8]
10001904  |.  52          push edx
10001905  |.  68 00010000 push 100
1000190A  |.  50          push eax
1000190B  |.  E8 10090000 call car_exam.10002220
10001910  |.  83C4 20    add esp,20
10001913  |.  85C0       test eax,eax
10001915  |.  75 07       jnz short car_exam.1000191E
10001917  |.  8BC3       mov eax,ebx
10001919  |.  5B          pop ebx
1000191A  |.  83C4 08    add esp,8
1000191D  |.  C3          retn
1000191E  |>  83F8 01    cmp eax,1
10001921  |.  75 0E       jnz short car_exam.10001931
10001923  |.  8B4424 04    mov eax,dword ptr ss:[esp+4]
10001927  |.  25 FF000000 and eax,0FF
1000192C  |.  5B          pop ebx
1000192D  |.  83C4 08    add esp,8
10001930  |.  C3          retn
10001931  |>  8B4424 05    mov eax,dword ptr ss:[esp+5]
10001935  |.  8B4C24 04    mov ecx,dword ptr ss:[esp+4]
10001939  |.  25 FF000000 and eax,0FF
1000193E  |.  81E1 FF000000 and ecx,0FF
10001944  |.  C1E0 08    shl eax,8
10001947  |.  0BC1       or eax,ecx
10001949  |>  5B          pop ebx
1000194A  |.  83C4 08    add esp,8
1000194D  \.  C3          retn
1000194E    90          nop
1000194F    90          nop
10001950  /$  833D 3C630010>cmp dword ptr ds:[1000633C],1
10001957  |.  7E 10       jle short car_exam.10001969
10001959  |.  8B4424 04    mov eax,dword ptr ss:[esp+4]
1000195D  |.  6A 01       push 1
1000195F  |.  50          push eax
10001960  |.  E8 1B0B0000 call car_exam.10002480
10001965  |.  83C4 08    add esp,8
10001968  |.  C3          retn
10001969  |>  8B4C24 04    mov ecx,dword ptr ss:[esp+4]
1000196D  |.  8B15 30610010 mov edx,dword ptr ds:[10006130]    ;  car_exam.1000613A
10001973  |.  8A044A       mov al,byte ptr ds:[edx+ecx*2]
10001976  |.  83E0 01    and eax,1
10001979  \.  C3          retn
1000197A    90          nop
1000197B    90          nop
1000197C    90          nop
1000197D    90          nop
1000197E    90          nop
1000197F    90          nop
10001980  /$  833D 3C630010>cmp dword ptr ds:[1000633C],1
10001987  |.  7E 10       jle short car_exam.10001999
10001989  |.  8B4424 04    mov eax,dword ptr ss:[esp+4]
1000198D  |.  6A 02       push 2
1000198F  |.  50          push eax
10001990  |.  E8 EB0A0000 call car_exam.10002480
10001995  |.  83C4 08    add esp,8
10001998  |.  C3          retn
10001999  |>  8B4C24 04    mov ecx,dword ptr ss:[esp+4]
1000199D  |.  8B15 30610010 mov edx,dword ptr ds:[10006130]    ;  car_exam.1000613A
100019A3  |.  8A044A       mov al,byte ptr ds:[edx+ecx*2]
100019A6  |.  83E0 02    and eax,2
100019A9  \.  C3          retn
100019AA    90          nop
100019AB    90          nop
100019AC    90          nop
100019AD    90          nop
100019AE    90          nop
100019AF    90          nop
100019B0  /$  A1 F8860010 mov eax,dword ptr ds:[100086F8]
100019B5  |.  83EC 08    sub esp,8
100019B8  |.  85C0       test eax,eax
100019BA  |.  53          push ebx
100019BB  |.  75 1E       jnz short car_exam.100019DB
100019BD  |.  8B4424 10    mov eax,dword ptr ss:[esp+10]
100019C1  |.  83F8 61    cmp eax,61
100019C4  |.  0F8C DF000000 jl car_exam.10001AA9
100019CA  |.  83F8 7A    cmp eax,7A
100019CD  |.  0F8F D6000000 jg car_exam.10001AA9
100019D3  |.  83E8 20    sub eax,20
100019D6  |.  5B          pop ebx
100019D7  |.  83C4 08    add esp,8
100019DA  |.  C3          retn
100019DB  |>  8B5C24 10    mov ebx,dword ptr ss:[esp+10]
100019DF  |.  81FB 00010000 cmp ebx,100
100019E5  |.  7D 2C       jge short car_exam.10001A13
100019E7  |.  833D 3C630010>cmp dword ptr ds:[1000633C],1
100019EE  |.  7E 0D       jle short car_exam.100019FD
100019F0  |.  6A 02       push 2
100019F2  |.  53          push ebx
100019F3  |.  E8 880A0000 call car_exam.10002480
100019F8  |.  83C4 08    add esp,8
100019FB  |.  EB 0B       jmp short car_exam.10001A08
100019FD  |>  A1 30610010 mov eax,dword ptr ds:[10006130]
10001A02  |.  8A0458       mov al,byte ptr ds:[eax+ebx*2]
10001A05  |.  83E0 02    and eax,2
10001A08  |>  85C0       test eax,eax
10001A0A  |.  75 07       jnz short car_exam.10001A13
10001A0C  |.  8BC3       mov eax,ebx
10001A0E  |.  5B          pop ebx
10001A0F  |.  83C4 08    add esp,8
10001A12  |.  C3          retn
10001A13  |>  8B15 30610010 mov edx,dword ptr ds:[10006130]    ;  car_exam.1000613A
10001A19  |.  8BC3       mov eax,ebx
10001A1B  |.  C1F8 08    sar eax,8
10001A1E  |.  8BC8       mov ecx,eax
10001A20  |.  81E1 FF000000 and ecx,0FF
10001A26  |.  F6444A 01 80  test byte ptr ds:[edx+ecx*2+1],80
10001A2B  |.  74 14       je short car_exam.10001A41
10001A2D  |.  884424 10    mov byte ptr ss:[esp+10],al
10001A31  |.  885C24 11    mov byte ptr ss:[esp+11],bl
10001A35  |.  C64424 12 00  mov byte ptr ss:[esp+12],0
10001A3A  |.  B8 02000000 mov eax,2
10001A3F  |.  EB 0E       jmp short car_exam.10001A4F
10001A41  |>  885C24 10    mov byte ptr ss:[esp+10],bl
10001A45  |.  C64424 11 00  mov byte ptr ss:[esp+11],0
10001A4A  |.  B8 01000000 mov eax,1
10001A4F  |>  6A 01       push 1
10001A51  |.  6A 00       push 0
10001A53  |.  8D4C24 0C    lea ecx,dword ptr ss:[esp+C]
10001A57  |.  6A 03       push 3
10001A59  |.  51          push ecx
10001A5A  |.  8D5424 20    lea edx,dword ptr ss:[esp+20]
10001A5E  |.  50          push eax
10001A5F  |.  A1 F8860010 mov eax,dword ptr ds:[100086F8]
10001A64  |.  52          push edx
10001A65  |.  68 00020000 push 200
10001A6A  |.  50          push eax
10001A6B  |.  E8 B0070000 call car_exam.10002220
10001A70  |.  83C4 20    add esp,20
10001A73  |.  85C0       test eax,eax
10001A75  |.  75 07       jnz short car_exam.10001A7E
10001A77  |.  8BC3       mov eax,ebx
10001A79  |.  5B          pop ebx
10001A7A  |.  83C4 08    add esp,8
10001A7D  |.  C3          retn
10001A7E  |>  83F8 01    cmp eax,1
10001A81  |.  75 0E       jnz short car_exam.10001A91
10001A83  |.  8B4424 04    mov eax,dword ptr ss:[esp+4]
10001A87  |.  25 FF000000 and eax,0FF
10001A8C  |.  5B          pop ebx
10001A8D  |.  83C4 08    add esp,8
10001A90  |.  C3          retn
10001A91  |>  8B4424 05    mov eax,dword ptr ss:[esp+5]
10001A95  |.  8B4C24 04    mov ecx,dword ptr ss:[esp+4]
10001A99  |.  25 FF000000 and eax,0FF
10001A9E  |.  81E1 FF000000 and ecx,0FF
10001AA4  |.  C1E0 08    shl eax,8
10001AA7  |.  0BC1       or eax,ecx
10001AA9  |>  5B          pop ebx
10001AAA  |.  83C4 08    add esp,8
10001AAD  \.  C3          retn
10001AAE    90          nop
10001AAF    90          nop
10001AB0  /$  8B4424 04    mov eax,dword ptr ss:[esp+4]
10001AB4  |.  6A 04       push 4
10001AB6  |.  6A 00       push 0
10001AB8  |.  50          push eax
10001AB9  |.  E8 32000000 call car_exam.10001AF0
10001ABE  |.  83C4 0C    add esp,0C
10001AC1  \.  C3          retn
10001AC2    90          nop
10001AC3    90          nop
10001AC4    90          nop
10001AC5    90          nop
10001AC6    90          nop
10001AC7    90          nop
10001AC8    90          nop
10001AC9    90          nop
10001ACA    90          nop
10001ACB    90          nop
10001ACC    90          nop
10001ACD    90          nop
10001ACE    90          nop
10001ACF    90          nop
10001AD0  /$  8B4424 04    mov eax,dword ptr ss:[esp+4]
10001AD4  |.  6A 08       push 8
10001AD6  |.  6A 00       push 0
10001AD8  |.  50          push eax
10001AD9  |.  E8 12000000 call car_exam.10001AF0
10001ADE  |.  83C4 0C    add esp,0C
10001AE1  \.  C3          retn
10001AE2    90          nop
10001AE3    90          nop
10001AE4    90          nop
10001AE5    90          nop
10001AE6    90          nop
10001AE7    90          nop
10001AE8    90          nop
10001AE9    90          nop
10001AEA    90          nop
10001AEB    90          nop
10001AEC    90          nop
10001AED    90          nop
10001AEE    90          nop
10001AEF    90          nop
10001AF0  /$  8B4424 04    mov eax,dword ptr ss:[esp+4]
10001AF4  |.  8A4C24 0C    mov cl,byte ptr ss:[esp+C]
10001AF8  |.  25 FF000000 and eax,0FF
10001AFD  |.  8488 C9840010 test byte ptr ds:[eax+100084C9],cl
10001B03  |.  75 1F       jnz short car_exam.10001B24
10001B05  |.  8B4C24 08    mov ecx,dword ptr ss:[esp+8]
10001B09  |.  85C9       test ecx,ecx
10001B0B  |.  74 10       je short car_exam.10001B1D
10001B0D  |.  33D2       xor edx,edx
10001B0F  |.  66:8B1445 3A6>mov dx,word ptr ds:[eax*2+1000613A]
10001B17  |.  8BC2       mov eax,edx
10001B19  |.  23C1       and eax,ecx
10001B1B  |.  EB 02       jmp short car_exam.10001B1F
10001B1D  |>  33C0       xor eax,eax
10001B1F  |>  85C0       test eax,eax
10001B21  |.  75 01       jnz short car_exam.10001B24
10001B23  |.  C3          retn
10001B24  |>  B8 01000000 mov eax,1
10001B29  \.  C3          retn
10001B2A    90          nop
10001B2B    90          nop
10001B2C    90          nop
10001B2D    90          nop
10001B2E    90          nop
10001B2F    90          nop
10001B30 > $  55          push ebp                            ;  (初始化 cpu 选择状态)
10001B31 .  8BEC       mov ebp,esp
10001B33 .  6A FF       push -1
10001B35 .  68 A0500010 push car_exam.100050A0
10001B3A .  68 28300010 push car_exam.10003028             ;  SE 句柄安装
10001B3F .  64:A1 0000000>mov eax,dword ptr fs:[0]
10001B45 .  50          push eax
10001B46 .  64:8925 00000>mov dword ptr fs:[0],esp
10001B4D .  83C4 A8    add esp,-58
10001B50 .  53          push ebx
10001B51 .  56          push esi
10001B52 .  57          push edi
10001B53 .  8965 E8    mov dword ptr ss:[ebp-18],esp
10001B56 .  FF15 1C500010 call dword ptr ds:[<&KERNEL32.GetVer>;  kernel32.GetVersion
10001B5C .  33D2       xor edx,edx
10001B5E .  8AD4       mov dl,ah
10001B60 .  8915 24870010 mov dword ptr ds:[10008724],edx
10001B66 .  8BC8       mov ecx,eax
10001B68 .  81E1 FF000000 and ecx,0FF
10001B6E .  890D 20870010 mov dword ptr ds:[10008720],ecx
10001B74 .  C1E1 08    shl ecx,8
10001B77 .  03CA       add ecx,edx
10001B79 .  890D 1C870010 mov dword ptr ds:[1000871C],ecx
10001B7F .  C1E8 10    shr eax,10
10001B82 .  A3 18870010 mov dword ptr ds:[10008718],eax
10001B87 .  E8 64130000 call car_exam.10002EF0
10001B8C .  85C0       test eax,eax
10001B8E .  75 0A       jnz short car_exam.10001B9A
10001B90 .  6A 1C       push 1C
10001B92 .  E8 69010000 call car_exam.10001D00
10001B97 .  83C4 04    add esp,4
10001B9A >  C745 FC 00000>mov dword ptr ss:[ebp-4],0
10001BA1 .  E8 4A110000 call car_exam.10002CF0
10001BA6 .  E8 65060000 call car_exam.10002210
10001BAB .  FF15 08500010 call dword ptr ds:[<&KERNEL32.GetCom>; [GetCommandLineA
10001BB1 .  A3 B4890010 mov dword ptr ds:[100089B4],eax
10001BB6 .  E8 D50F0000 call car_exam.10002B90
10001BBB .  A3 BC840010 mov dword ptr ds:[100084BC],eax
10001BC0 .  85C0       test eax,eax
10001BC2 .  74 09       je short car_exam.10001BCD
10001BC4 .  A1 B4890010 mov eax,dword ptr ds:[100089B4]
10001BC9 .  85C0       test eax,eax
10001BCB .  75 0A       jnz short car_exam.10001BD7
10001BCD >  6A FF       push -1
10001BCF .  E8 7C090000 call car_exam.10002550
10001BD4 .  83C4 04    add esp,4
10001BD7 >  E8 040D0000 call car_exam.100028E0
10001BDC .  E8 0F0C0000 call car_exam.100027F0
10001BE1 .  E8 3A090000 call car_exam.10002520
10001BE6 .  8B35 B4890010 mov esi,dword ptr ds:[100089B4]
10001BEC .  8975 9C    mov dword ptr ss:[ebp-64],esi
10001BEF .  803E 22    cmp byte ptr ds:[esi],22
10001BF2 .  0F85 BE000000 jnz car_exam.10001CB6
10001BF8 >  46          inc esi
10001BF9 .  8975 9C    mov dword ptr ss:[ebp-64],esi
10001BFC .  8A06       mov al,byte ptr ds:[esi]
10001BFE .  3C 22       cmp al,22
10001C00 .  74 1C       je short car_exam.10001C1E
10001C02 .  84C0       test al,al
10001C04 .  74 18       je short car_exam.10001C1E
10001C06 .  25 FF000000 and eax,0FF
10001C0B .  50          push eax
10001C0C .  E8 9FFEFFFF call car_exam.10001AB0
10001C11 .  83C4 04    add esp,4
10001C14 .  85C0       test eax,eax
10001C16 .^ 74 E0       je short car_exam.10001BF8
10001C18 .  46          inc esi
10001C19 .  8975 9C    mov dword ptr ss:[ebp-64],esi
10001C1C .^ EB DA       jmp short car_exam.10001BF8
10001C1E >  803E 22    cmp byte ptr ds:[esi],22
10001C21 .  75 04       jnz short car_exam.10001C27
10001C23 .  46          inc esi
10001C24 .  8975 9C    mov dword ptr ss:[ebp-64],esi
10001C27 >  8A06       mov al,byte ptr ds:[esi]
10001C29 .  84C0       test al,al
10001C2B .  74 0A       je short car_exam.10001C37
10001C2D .  3C 20       cmp al,20
10001C2F .  77 06       ja short car_exam.10001C37
10001C31 .  46          inc esi
10001C32 .  8975 9C    mov dword ptr ss:[ebp-64],esi
10001C35 .^ EB F0       jmp short car_exam.10001C27
10001C37 >  C745 D0 00000>mov dword ptr ss:[ebp-30],0
10001C3E .  8D45 A4    lea eax,dword ptr ss:[ebp-5C]
10001C41 .  50          push eax                            ; /pStartupinfo
10001C42 .  FF15 18500010 call dword ptr ds:[<&KERNEL32.GetSta>; \GetStartupInfoA
10001C48 .  F645 D0 01 test byte ptr ss:[ebp-30],1
10001C4C .  74 0A       je short car_exam.10001C58
10001C4E .  8B45 D4    mov eax,dword ptr ss:[ebp-2C]
10001C51 .  25 FFFF0000 and eax,0FFFF
10001C56 .  EB 05       jmp short car_exam.10001C5D
10001C58 >  B8 0A000000 mov eax,0A
10001C5D >  50          push eax
10001C5E .  56          push esi
10001C5F .  6A 00       push 0
10001C61 .  6A 00       push 0                            ; /pModule = NULL
10001C63 .  FF15 14500010 call dword ptr ds:[<&KERNEL32.GetMod>; \GetModuleHandleA
10001C69 .  50          push eax
10001C6A .  E8 91F3FFFF call car_exam.10001000
10001C6F .  8945 A0    mov dword ptr ss:[ebp-60],eax
10001C72 .  50          push eax
10001C73 .  E8 D8080000 call car_exam.10002550
10001C78 .  EB 21       jmp short car_exam.10001C9B
10001C7A .  8B45 EC    mov eax,dword ptr ss:[ebp-14]
10001C7D .  8B08       mov ecx,dword ptr ds:[eax]
10001C7F .  8B09       mov ecx,dword ptr ds:[ecx]
10001C81 .  894D 98    mov dword ptr ss:[ebp-68],ecx
10001C84 .  50          push eax
10001C85 .  51          push ecx
10001C86 .  E8 D5090000 call car_exam.10002660
10001C8B .  83C4 08    add esp,8
10001C8E .  C3          retn
10001C8F .  8B65 E8    mov esp,dword ptr ss:[ebp-18]
10001C92 .  8B55 98    mov edx,dword ptr ss:[ebp-68]
10001C95 .  52          push edx
10001C96 .  E8 D5080000 call car_exam.10002570
10001C9B >  83C4 04    add esp,4
10001C9E .  C745 FC FFFFF>mov dword ptr ss:[ebp-4],-1
10001CA5 .  8B4D F0    mov ecx,dword ptr ss:[ebp-10]
10001CA8 .  64:890D 00000>mov dword ptr fs:[0],ecx
10001CAF .  5F          pop edi
10001CB0 .  5E          pop esi
10001CB1 .  5B          pop ebx
10001CB2 .  8BE5       mov esp,ebp
10001CB4 .  5D          pop ebp
10001CB5 .  C3          retn
10001CB6 >  803E 20    cmp byte ptr ds:[esi],20
10001CB9 .^ 0F86 68FFFFFF jbe car_exam.10001C27
10001CBF .  46          inc esi
10001CC0 .  8975 9C    mov dword ptr ss:[ebp-64],esi
10001CC3 .^ EB F1       jmp short car_exam.10001CB6
10001CC5    90          nop
10001CC6    90          nop
10001CC7    90          nop
10001CC8    90          nop
10001CC9    90          nop
10001CCA    90          nop
10001CCB    90          nop
10001CCC    90          nop
10001CCD    90          nop
10001CCE    90          nop
10001CCF    90          nop
10001CD0  /$  833D C4840010>cmp dword ptr ds:[100084C4],1
10001CD7  |.  75 05       jnz short car_exam.10001CDE
10001CD9  |.  E8 22140000 call car_exam.10003100
10001CDE  |>  8B4424 04    mov eax,dword ptr ss:[esp+4]
10001CE2  |.  50          push eax
10001CE3  |.  E8 58140000 call car_exam.10003140
10001CE8  |.  83C4 04    add esp,4
10001CEB  |.  68 FF000000 push 0FF
10001CF0  |.  FF15 30600010 call dword ptr ds:[10006030]       ;  car_exam.10002570
10001CF6  |.  83C4 04    add esp,4
10001CF9  \.  C3          retn
10001CFA    90          nop
10001CFB    90          nop
10001CFC    90          nop
10001CFD    90          nop
10001CFE    90          nop
10001CFF    90          nop
10001D00  /$  833D C4840010>cmp dword ptr ds:[100084C4],1
10001D07  |.  75 05       jnz short car_exam.10001D0E
10001D09  |.  E8 F2130000 call car_exam.10003100
10001D0E  |>  8B4424 04    mov eax,dword ptr ss:[esp+4]
10001D12  |.  50          push eax
10001D13  |.  E8 28140000 call car_exam.10003140
10001D18  |.  83C4 04    add esp,4
10001D1B  |.  68 FF000000 push 0FF                            ; /ExitCode = FF
10001D20  \.  FF15 20500010 call dword ptr ds:[<&KERNEL32.ExitPr>; \ExitProcess
10001D26 .  C3          retn
10001D27    90          nop
10001D28    90          nop
10001D29    90          nop
10001D2A    90          nop
10001D2B    90          nop
10001D2C    90          nop
10001D2D    90          nop
10001D2E    90          nop
10001D2F    90          nop
10001D30  /$  8B4424 04    mov eax,dword ptr ss:[esp+4]
10001D34  |.  83EC 14    sub esp,14
10001D37  |.  53          push ebx
10001D38  |.  55          push ebp
10001D39  |.  56          push esi
10001D3A  |.  57          push edi
10001D3B  |.  50          push eax
10001D3C  |.  E8 FF010000 call car_exam.10001F40
10001D41  |.  8BC8       mov ecx,eax
10001D43  |.  A1 D0860010 mov eax,dword ptr ds:[100086D0]
10001D48  |.  83C4 04    add esp,4
10001D4B  |.  3BC8       cmp ecx,eax
10001D4D  |.  894C24 28    mov dword ptr ss:[esp+28],ecx
10001D51  |.  75 0A       jnz short car_exam.10001D5D
10001D53  |.  33C0       xor eax,eax
10001D55  |.  5F          pop edi
10001D56  |.  5E          pop esi
10001D57  |.  5D          pop ebp
10001D58  |.  5B          pop ebx
10001D59  |.  83C4 14    add esp,14
10001D5C  |.  C3          retn
10001D5D  |>  85C9       test ecx,ecx
10001D5F  |.  75 14       jnz short car_exam.10001D75
10001D61  |.  E8 8A020000 call car_exam.10001FF0
10001D66  |.  E8 C5020000 call car_exam.10002030
10001D6B  |.  33C0       xor eax,eax
10001D6D  |.  5F          pop edi
10001D6E  |.  5E          pop esi
10001D6F  |.  5D          pop ebp
10001D70  |.  5B          pop ebx
10001D71  |.  83C4 14    add esp,14
10001D74  |.  C3          retn
10001D75  |>  33D2       xor edx,edx
10001D77  |.  B8 40600010 mov eax,car_exam.10006040
10001D7C  |>  3908       /cmp dword ptr ds:[eax],ecx
10001D7E  |.  0F84 07010000 |je car_exam.10001E8B
10001D84  |.  83C0 30    |add eax,30
10001D87  |.  42          |inc edx
10001D88  |.  3D 30610010 |cmp eax,car_exam.10006130
10001D8D  |.^ 72 ED       \jb short car_exam.10001D7C
10001D8F  |.  8D5424 10    lea edx,dword ptr ss:[esp+10]
10001D93  |.  52          push edx                            ; /pCPInfo
10001D94  |.  51          push ecx                            ; |CodePage
10001D95  |.  FF15 0C500010 call dword ptr ds:[<&KERNEL32.GetCPI>; \GetCPInfo
10001D9B  |.  BE 01000000 mov esi,1
10001DA0  |.  3BC6       cmp eax,esi
10001DA2  |.  0F85 BB000000 jnz car_exam.10001E63
10001DA8  |.  B9 40000000 mov ecx,40
10001DAD  |.  33C0       xor eax,eax
10001DAF  |.  BF C8840010 mov edi,car_exam.100084C8
10001DB4  |.  F3:AB       rep stos dword ptr es:[edi]
10001DB6  |.  8B4C24 10    mov ecx,dword ptr ss:[esp+10]
10001DBA  |.  AA          stos byte ptr es:[edi]
10001DBB  |.  8B7C24 28    mov edi,dword ptr ss:[esp+28]
10001DBF  |.  33C0       xor eax,eax
10001DC1  |.  3BCE       cmp ecx,esi
10001DC3  |.  893D D0860010 mov dword ptr ds:[100086D0],edi
10001DC9  |.  A3 D4860010 mov dword ptr ds:[100086D4],eax
10001DCE  |.  76 6E       jbe short car_exam.10001E3E
10001DD0  |.  8A4424 16    mov al,byte ptr ss:[esp+16]
10001DD4  |.  84C0       test al,al
10001DD6  |.  74 37       je short car_exam.10001E0F
10001DD8  |.  8D5424 17    lea edx,dword ptr ss:[esp+17]
10001DDC  |>  8A0A       /mov cl,byte ptr ds:[edx]
10001DDE  |.  84C9       |test cl,cl
10001DE0  |.  74 2D       |je short car_exam.10001E0F
10001DE2  |.  33C0       |xor eax,eax
10001DE4  |.  81E1 FF000000 |and ecx,0FF
10001DEA  |.  8A42 FF    |mov al,byte ptr ds:[edx-1]
10001DED  |.  3BC1       |cmp eax,ecx
10001DEF  |.  77 14       |ja short car_exam.10001E05
10001DF1  |>  8A98 C9840010 |/mov bl,byte ptr ds:[eax+100084C9]
10001DF7  |.  80CB 04    ||or bl,4
10001DFA  |.  8898 C9840010 ||mov byte ptr ds:[eax+100084C9],bl
10001E00  |.  40          ||inc eax
10001E01  |.  3BC1       ||cmp eax,ecx
10001E03  |.^ 76 EC       |\jbe short car_exam.10001DF1
10001E05  |>  8A42 01    |mov al,byte ptr ds:[edx+1]
10001E08  |.  83C2 02    |add edx,2
10001E0B  |.  84C0       |test al,al
10001E0D  |.^ 75 CD       \jnz short car_exam.10001DDC
10001E0F  |>  8BC6       mov eax,esi
10001E11  |>  8A98 C9840010 /mov bl,byte ptr ds:[eax+100084C9]
10001E17  |.  80CB 08    |or bl,8
10001E1A  |.  8898 C9840010 |mov byte ptr ds:[eax+100084C9],bl
10001E20  |.  40          |inc eax
10001E21  |.  3D FF000000 |cmp eax,0FF
10001E26  |.^ 72 E9       \jb short car_exam.10001E11
10001E28  |.  57          push edi
10001E29  |.  E8 62010000 call car_exam.10001F90
10001E2E  |.  83C4 04    add esp,4
10001E31  |.  A3 D4860010 mov dword ptr ds:[100086D4],eax
10001E36  |.  8935 B0890010 mov dword ptr ds:[100089B0],esi
10001E3C  |.  EB 05       jmp short car_exam.10001E43
10001E3E  |>  A3 B0890010 mov dword ptr ds:[100089B0],eax
10001E43  |>  33C0       xor eax,eax
10001E45  |.  A3 D8860010 mov dword ptr ds:[100086D8],eax
10001E4A  |.  A3 DC860010 mov dword ptr ds:[100086DC],eax
10001E4F  |.  A3 E0860010 mov dword ptr ds:[100086E0],eax
10001E54  |.  E8 D7010000 call car_exam.10002030
10001E59  |.  33C0       xor eax,eax
10001E5B  |.  5F          pop edi
10001E5C  |.  5E          pop esi
10001E5D  |.  5D          pop ebp
10001E5E  |.  5B          pop ebx
10001E5F  |.  83C4 14    add esp,14
10001E62  |.  C3          retn
10001E63  |>  A1 E4860010 mov eax,dword ptr ds:[100086E4]
10001E68  |.  85C0       test eax,eax
10001E6A  |.  74 14       je short car_exam.10001E80
10001E6C  |.  E8 7F010000 call car_exam.10001FF0
10001E71  |.  E8 BA010000 call car_exam.10002030
10001E76  |.  33C0       xor eax,eax
10001E78  |.  5F          pop edi
10001E79  |.  5E          pop esi
10001E7A  |.  5D          pop ebp
10001E7B  |.  5B          pop ebx
10001E7C  |.  83C4 14    add esp,14
10001E7F  |.  C3          retn
10001E80  |>  83C8 FF    or eax,FFFFFFFF
10001E83  |.  5F          pop edi
10001E84  |.  5E          pop esi
10001E85  |.  5D          pop ebp
10001E86  |.  5B          pop ebx
10001E87  |.  83C4 14    add esp,14
10001E8A  |.  C3          retn
10001E8B  |>  B9 40000000 mov ecx,40
10001E90  |.  33C0       xor eax,eax
10001E92  |.  BF C8840010 mov edi,car_exam.100084C8
10001E97  |.  8D1C52       lea ebx,dword ptr ds:[edx+edx*2]
10001E9A  |.  F3:AB       rep stos dword ptr es:[edi]
10001E9C  |.  AA          stos byte ptr es:[edi]
10001E9D  |.  33FF       xor edi,edi
10001E9F  |.  C1E3 04    shl ebx,4
10001EA2  |.  8DAB 50600010 lea ebp,dword ptr ds:[ebx+10006050]
10001EA8  |>  8A45 00    /mov al,byte ptr ss:[ebp]
10001EAB  |.  8BF5       |mov esi,ebp
10001EAD  |.  84C0       |test al,al
10001EAF  |.  74 30       |je short car_exam.10001EE1
10001EB1  |>  8A4E 01    |/mov cl,byte ptr ds:[esi+1]
10001EB4  |.  84C9       ||test cl,cl
10001EB6  |.  74 29       ||je short car_exam.10001EE1
10001EB8  |.  33C0       ||xor eax,eax
10001EBA  |.  81E1 FF000000 ||and ecx,0FF
10001EC0  |.  8A06       ||mov al,byte ptr ds:[esi]
10001EC2  |.  3BC1       ||cmp eax,ecx
10001EC4  |.  77 11       ||ja short car_exam.10001ED7
10001EC6  |.  8A97 38600010 ||mov dl,byte ptr ds:[edi+10006038]
10001ECC  |>  0890 C9840010 ||/or byte ptr ds:[eax+100084C9],dl

2006-9-8 19:44

0