themida1.8.X-脱壳爆破－魔域王者4.7－新手教学帖子！[原创]-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

themida1.8.X-脱壳爆破－魔域王者4.7－新手教学帖子！[原创]

发表于: 2007-4-27 15:03 7055

themida1.8.X-脱壳爆破－魔域王者4.7－新手教学帖子！[原创]

jarodlau

2007-4-27 15:03

7055

【原创】themida-脱壳爆破－魔域王者4.7

主程序破解
1,查壳 themida
2，输入表重建
006D936D FF95 2920C406 call dword ptr [ebp+6C42029]
006D9373 8985 310EC406 mov    dword ptr [ebp+6C40E31], eax
006D9379 8BB5 D90BC406 mov    esi, dword ptr [ebp+6C40BD9]
006D937F 8B9D 9D15C406 mov    ebx, dword ptr [ebp+6C4159D]
006D9385 89B5 0525C406 mov    dword ptr [ebp+6C42505], esi
006D938B 899D A10AC406 mov    dword ptr [ebp+6C40AA1], ebx
006D9391 8B9D 9D15C406 mov    ebx, dword ptr [ebp+6C4159D]
006D9397 8B0B          mov    ecx, dword ptr [ebx]
006D9399 83F9 00       cmp    ecx, 0
006D939C 0F84 DF0A0000 je    006D9E81                      ; 输入表处理完成后此处跳
转
006D93A2 50             push eax
006D93A3 51             push ecx
006D93A4 60             pushad
006D93A5 33C0          xor    eax, eax
006D93A7 8985 C11BC406 mov    dword ptr [ebp+6C41BC1], eax
006D93AD BE 3C000000    mov    esi, 3C
006D93B2 037424 20    add    esi, dword ptr [esp+20]
006D93B6 66:AD          lods word ptr [esi]
006D93B8 034424 20    add    eax, dword ptr [esp+20]
006D93BC 8B70 78       mov    esi, dword ptr [eax+78]
006D93BF 037424 20    add    esi, dword ptr [esp+20]
006D93C3 8B7E 18       mov    edi, dword ptr [esi+18]
006D93C6 89BD A91DC406 mov    dword ptr [ebp+6C41DA9], edi
006D93CC 85FF          test edi, edi
006D93CE 0F85 0A000000 jnz    006D93DE
006D93D4 E8 0E110000    call 006DA4E7
006D93D9 E9 91000000    jmp    006D946F
006D93DE 51             push ecx
006D93DF 8BD7          mov    edx, edi
006D93E1 6BD2 04       imul edx, edx, 4
006D93E4 8995 411CC406 mov    dword ptr [ebp+6C41C41], edx
006D93EA 6A 04          push 4
006D93EC 68 00100000    push 1000
006D93F1 52             push edx
006D93F2 6A 00          push 0
006D93F4 FF95 2920C406 call dword ptr [ebp+6C42029]
006D93FA 8985 F110C406 mov    dword ptr [ebp+6C410F1], eax
006D9400 8BD0          mov    edx, eax
006D9402 59             pop    ecx
006D9403 E8 DF100000    call 006DA4E7
006D9408 56             push esi
006D9409 AD             lods dword ptr [esi]
006D940A 034424 24    add    eax, dword ptr [esp+24]
006D940E 97             xchg eax, edi
006D940F 8BDF          mov    ebx, edi
006D9411 57             push edi
006D9412 32C0          xor    al, al
006D9414 AE             scas byte ptr es:[edi]
006D9415  ^ 0F85 F9FFFFFF jnz    006D9414
006D941B 5E             pop    esi
006D941C 2BFB          sub    edi, ebx
006D941E 52             push edx
006D941F 8BD7          mov    edx, edi
006D9421 8BBD ED1DC406 mov    edi, dword ptr [ebp+6C41DED]
006D9427 83C9 FF       or    ecx, FFFFFFFF
006D942A 33C0          xor    eax, eax
006D942C 8A06          mov    al, byte ptr [esi]
006D942E 32C1          xor    al, cl
006D9430 46             inc    esi
006D9431 8B0487       mov    eax, dword ptr [edi+eax*4]
006D9434 C1E9 08       shr    ecx, 8
006D9437 33C8          xor    ecx, eax
006D9439 4A             dec    edx
006D943A  ^ 0F85 EAFFFFFF jnz    006D942A
006D9440 8BC1          mov    eax, ecx
006D9442 F7D0          not    eax
006D9444 5A             pop    edx
006D9445 8902          mov    dword ptr [edx], eax
006D9447 83C2 04       add    edx, 4
006D944A 52             push edx
006D944B FF85 C11BC406 inc    dword ptr [ebp+6C41BC1]
006D9451 8B95 C11BC406 mov    edx, dword ptr [ebp+6C41BC1]
006D9457 3995 A91DC406 cmp    dword ptr [ebp+6C41DA9], edx
006D945D 0F84 0A000000 je    006D946D
006D9463 5A             pop    edx
006D9464 5E             pop    esi
006D9465 83C6 04       add    esi, 4
006D9468  ^ E9 9BFFFFFF    jmp    006D9408
006D946D 5A             pop    edx
006D946E 5E             pop    esi
006D946F 61             popad
006D9470 59             pop    ecx
006D9471 58             pop    eax
006D9472 C785 2503C406 0>mov    dword ptr [ebp+6C40325], 0
006D947C C785 A912C406 0>mov    dword ptr [ebp+6C412A9], 0
006D9486 83BD 56CCD506 0>cmp    dword ptr [ebp+6D5CC56], 0
006D948D 0F84 08000000 je    006D949B
006D9493 8D9D 3797D406 lea    ebx, dword ptr [ebp+6D49737]
006D9499 FFD3          call ebx
006D949B FF85 3D01C406 inc    dword ptr [ebp+6C4013D]
006D94A1 83BD 3D01C406 6>cmp    dword ptr [ebp+6C4013D], 64
006D94A8 0F82 62000000 jb    006D9510
006D94AE C785 3D01C406 0>mov    dword ptr [ebp+6C4013D], 1
006D94B8 60             pushad
006D94B9 8DB5 2ECDD506 lea    esi, dword ptr [ebp+6D5CD2E]
006D94BF 8DBD 99E9D506 lea    edi, dword ptr [ebp+6D5E999]
006D94C5 2BFE          sub    edi, esi
006D94C7 8BD7          mov    edx, edi
006D94C9 8BBD ED1DC406 mov    edi, dword ptr [ebp+6C41DED]
006D94CF 83C9 FF       or    ecx, FFFFFFFF
006D94D2 33C0          xor    eax, eax
006D94D4 8A06          mov    al, byte ptr [esi]
006D94D6 32C1          xor    al, cl
006D94D8 46             inc    esi
006D94D9 8B0487       mov    eax, dword ptr [edi+eax*4]
006D94DC C1E9 08       shr    ecx, 8
006D94DF 33C8          xor    ecx, eax
006D94E1 4A             dec    edx
006D94E2  ^ 0F85 EAFFFFFF jnz    006D94D2
006D94E8 8BC1          mov    eax, ecx
006D94EA F7D0          not    eax
006D94EC 3985 F516C406 cmp    dword ptr [ebp+6C416F5], eax
006D94F2 0F84 17000000 je    006D950F
006D94F8 83BD 752CC406 0>cmp    dword ptr [ebp+6C42C75], 0
006D94FF EB 0E          jmp    short 006D950F                ; Patch①、jmp 005A16B3
★自校验
006D9501 90             nop
006D9502 90             nop
006D9503 90             nop
006D9504 90             nop
006D9505 C785 9511C406 0>mov    dword ptr [ebp+6C41195], 1
006D950F 61             popad
006D9510 B9 A24F506B    mov    ecx, 6B504FA2
006D9515 BA 88579E31    mov    edx, 319E5788
006D951A AD             lods dword ptr [esi]
006D951B 89B5 0525C406 mov    dword ptr [ebp+6C42505], esi
006D9521 C746 FC 0000000>mov    dword ptr [esi-4], 0
006D9528 3D EEEEEEEE    cmp    eax, EEEEEEEE
006D952D 0F85 20000000 jnz    006D9553
006D9533 813E DDDDDDDD cmp    dword ptr [esi], DDDDDDDD
006D9539 0F85 14000000 jnz    006D9553
006D953F C706 00000000 mov    dword ptr [esi], 0
006D9545 83C6 04       add    esi, 4
006D9548 89B5 0525C406 mov    dword ptr [ebp+6C42505], esi
006D954E E9 F9080000    jmp    006D9E4C
006D9553 8BD8          mov    ebx, eax
006D9555 3385 9511C406 xor    eax, dword ptr [ebp+6C41195]
006D955B C1C8 03       ror    eax, 3
006D955E 2BC2          sub    eax, edx
006D9560 C1C0 10       rol    eax, 10
006D9563 33C1          xor    eax, ecx
006D9565 899D 9511C406 mov    dword ptr [ebp+6C41195], ebx
006D956B 3D 00000100    cmp    eax, 10000                   ; UNICODE "=::=::\"
006D9570 0F83 45000000 jnb    006D95BB
006D9576 813E BBBBBBBB cmp    dword ptr [esi], BBBBBBBB
006D957C 0F85 39000000 jnz    006D95BB
006D9582 C706 00000000 mov    dword ptr [esi], 0
006D9588 83C6 04       add    esi, 4
006D958B 89B5 0525C406 mov    dword ptr [ebp+6C42505], esi
006D9591 8B9D 9D15C406 mov    ebx, dword ptr [ebp+6C4159D]
006D9597 8B0B          mov    ecx, dword ptr [ebx]
006D9599 8BD0          mov    edx, eax
006D959B 60             pushad
006D959C 8BC2          mov    eax, edx
006D959E 2B85 FD28C406 sub    eax, dword ptr [ebp+6C428FD]
006D95A4 C1E0 02       shl    eax, 2
006D95A7 0385 DD32C406 add    eax, dword ptr [ebp+6C432DD]
006D95AD 96             xchg eax, esi
006D95AE AD             lods dword ptr [esi]
006D95AF 03C1          add    eax, ecx
006D95B1 894424 1C    mov    dword ptr [esp+1C], eax
006D95B5 61             popad
006D95B6 E9 7C000000    jmp    006D9637
006D95BB 51             push ecx
006D95BC 52             push edx
006D95BD 33C9          xor    ecx, ecx
006D95BF 8B95 F110C406 mov    edx, dword ptr [ebp+6C410F1]
006D95C5 3B02          cmp    eax, dword ptr [edx]
006D95C7 0F84 38000000 je    006D9605
006D95CD 83C2 04       add    edx, 4
006D95D0 41             inc    ecx
006D95D1 3B8D A91DC406 cmp    ecx, dword ptr [ebp+6C41DA9]
006D95D7  ^ 0F85 E8FFFFFF jnz    006D95C5
006D95DD 8DB5 13CCD506 lea    esi, dword ptr [ebp+6D5CC13]
006D95E3 8DBD FD25C406 lea    edi, dword ptr [ebp+6C425FD]
006D95E9 AC             lods byte ptr [esi]
006D95EA 84C0          test al, al
006D95EC 0F84 06000000 je    006D95F8
006D95F2 AA             stos byte ptr es:[edi]
006D95F3  ^ E9 F1FFFFFF    jmp    006D95E9
006D95F8 B8 00000000    mov    eax, 0
006D95FD 8D8D 5D4BC406 lea    ecx, dword ptr [ebp+6C44B5D]
006D9603 FFE1          jmp    ecx
006D9605 898D C11BC406 mov    dword ptr [ebp+6C41BC1], ecx
006D960B 5A             pop    edx
006D960C 59             pop    ecx
006D960D 56             push esi
006D960E 8B9D 9D15C406 mov    ebx, dword ptr [ebp+6C4159D]
006D9614 8B0B          mov    ecx, dword ptr [ebx]
006D9616 8B85 C11BC406 mov    eax, dword ptr [ebp+6C41BC1]
006D961C D1E0          shl    eax, 1
006D961E 0385 E530C406 add    eax, dword ptr [ebp+6C430E5]
006D9624 33F6          xor    esi, esi
006D9626 96             xchg eax, esi
006D9627 66:AD          lods word ptr [esi]
006D9629 C1E0 02       shl    eax, 2
006D962C 0385 DD32C406 add    eax, dword ptr [ebp+6C432DD]
006D9632 96             xchg eax, esi
006D9633 AD             lods dword ptr [esi]
006D9634 03C1          add    eax, ecx
006D9636 5E             pop    esi
006D9637 83BD 5914C406 0>cmp    dword ptr [ebp+6C41459], 1
006D963E EB 28          jmp    short 006D9668                ; Patch②、jmp 005A180C
★下面判断是否是特殊DLL的特殊函数，是则加密。当然不希望其加密啦
006D9640 90             nop
006D9641 90             nop
006D9642 90             nop
006D9643 90             nop
006D9644 3B8D 890FC406 cmp    ecx, dword ptr [ebp+6C40F89]
006D964A 0F84 2D000000 je    006D967D
006D9650 3B8D BD19C406 cmp    ecx, dword ptr [ebp+6C419BD]
006D9656 0F84 21000000 je    006D967D
006D965C 3B8D AD1EC406 cmp    ecx, dword ptr [ebp+6C41EAD]
006D9662 0F84 15000000 je    006D967D
006D9668 8D9D 71E1D506 lea    ebx, dword ptr [ebp+6D5E171]
006D966E FFD3          call ebx
006D9670 8BF8          mov    edi, eax
006D9672 8985 F910C406 mov    dword ptr [ebp+6C410F9], eax
006D9678 E9 B4060000    jmp    006D9D31
006D967D 8D9D 71E1D506 lea    ebx, dword ptr [ebp+6D5E171]
006D9683 FFD3          call ebx
006D9685 83BD 5914C406 0>cmp    dword ptr [ebp+6C41459], 0
006D968C 0F84 1D000000 je    006D96AF
006D9692 3B85 A91FC406 cmp    eax, dword ptr [ebp+6C41FA9]
006D9698 0F84 0C000000 je    006D96AA
006D969E 3B85 3520C406 cmp    eax, dword ptr [ebp+6C42035]
006D96A4 0F85 05000000 jnz    006D96AF
006D96AA  ^ E9 B9FFFFFF    jmp    006D9668
006D96AF 3B85 8D1CC406 cmp    eax, dword ptr [ebp+6C41C8D]
006D96B5 0F85 18000000 jnz    006D96D3
006D96BB 83BD 9D25C406 0>cmp    dword ptr [ebp+6C4259D], 0
006D96C2 0F85 0B000000 jnz    006D96D3
006D96C8 8D85 785ED506 lea    eax, dword ptr [ebp+6D55E78]
006D96CE  ^ E9 95FFFFFF    jmp    006D9668
006D96D3 3B85 8D1CC406 cmp    eax, dword ptr [ebp+6C41C8D]
006D96D9  ^ 0F84 89FFFFFF je    006D9668
006D96DF 83BD 0FCCD506 0>cmp    dword ptr [ebp+6D5CC0F], 1
006D96E6 0F85 17000000 jnz    006D9703
006D96EC 3B85 6ECCD506 cmp    eax, dword ptr [ebp+6D5CC6E]
006D96F2 0F85 0B000000 jnz    006D9703
006D96F8 8D85 A0E65800 lea    eax, dword ptr [ebp+58E6A0]
006D96FE  ^ E9 6DFFFFFF    jmp    006D9670
006D9703 33FF          xor    edi, edi
006D9705 83BD 7119C406 0>cmp    dword ptr [ebp+6C41971], 0
006D970C 0F84 67030000 je    006D9A79
006D9712 3B85 5ACCD506 cmp    eax, dword ptr [ebp+6D5CC5A]
006D9718 75 07          jnz    short 006D9721
006D971A 8B85 CD31C406 mov    eax, dword ptr [ebp+6C431CD]
006D9720 47             inc    edi
006D9721 3B85 62CCD506 cmp    eax, dword ptr [ebp+6D5CC62]
006D9727 75 07          jnz    short 006D9730
006D9729 8B85 E51FC406 mov    eax, dword ptr [ebp+6C41FE5]
006D972F 47             inc    edi
006D9730 3B85 5ECCD506 cmp    eax, dword ptr [ebp+6D5CC5E]
006D9736 75 07          jnz    short 006D973F
006D9738 8B85 7132C406 mov    eax, dword ptr [ebp+6C43271]
006D973E 47             inc    edi
006D973F 3B85 66CCD506 cmp    eax, dword ptr [ebp+6D5CC66]
006D9745 75 07          jnz    short 006D974E
006D9747 8B85 1907C406 mov    eax, dword ptr [ebp+6C40719]
006D974D 47             inc    edi
006D974E 3B85 6ACCD506 cmp    eax, dword ptr [ebp+6D5CC6A]
006D9754 75 07          jnz    short 006D975D
006D9756 8B85 2516C406 mov    eax, dword ptr [ebp+6C41625]
006D975C 47             inc    edi
006D975D 3B85 6ECCD506 cmp    eax, dword ptr [ebp+6D5CC6E]
006D9763 75 07          jnz    short 006D976C
006D9765 8B85 112DC406 mov    eax, dword ptr [ebp+6C42D11]
006D976B 47             inc    edi
006D976C 3B85 72CCD506 cmp    eax, dword ptr [ebp+6D5CC72]
006D9772 75 07          jnz    short 006D977B
006D9774 8B85 DD19C406 mov    eax, dword ptr [ebp+6C419DD]
006D977A 47             inc    edi
006D977B 3B85 76CCD506 cmp    eax, dword ptr [ebp+6D5CC76]
006D9781 75 07          jnz    short 006D978A
006D9783 8B85 0507C406 mov    eax, dword ptr [ebp+6C40705]
006D9789 47             inc    edi
006D978A 3B85 7ACCD506 cmp    eax, dword ptr [ebp+6D5CC7A]
006D9790 75 07          jnz    short 006D9799
006D9792 8B85 1D1FC406 mov    eax, dword ptr [ebp+6C41F1D]
006D9798 47             inc    edi
006D9799 3B85 7ECCD506 cmp    eax, dword ptr [ebp+6D5CC7E]
006D979F 75 07          jnz    short 006D97A8
006D97A1 8B85 F51DC406 mov    eax, dword ptr [ebp+6C41DF5]
006D97A7 47             inc    edi
006D97A8 3B85 86CCD506 cmp    eax, dword ptr [ebp+6D5CC86]
006D97AE 75 07          jnz    short 006D97B7
006D97B0 8B85 990AC406 mov    eax, dword ptr [ebp+6C40A99]
006D97B6 47             inc    edi
006D97B7 3B85 82CCD506 cmp    eax, dword ptr [ebp+6D5CC82]
006D97BD 75 10          jnz    short 006D97CF
006D97BF 83BD CD1CC406 0>cmp    dword ptr [ebp+6C41CCD], 0
006D97C6 75 07          jnz    short 006D97CF
006D97C8 8B85 2D05C406 mov    eax, dword ptr [ebp+6C4052D]
006D97CE 47             inc    edi
006D97CF 83BD 7107C406 0>cmp    dword ptr [ebp+6C40771], 0
006D97D6 74 0F          je    short 006D97E7
006D97D8 3B85 0ECDD506 cmp    eax, dword ptr [ebp+6D5CD0E]
006D97DE 75 07          jnz    short 006D97E7
006D97E0 8B85 6D02C406 mov    eax, dword ptr [ebp+6C4026D]
006D97E6 47             inc    edi
006D97E7 83BD E92BC406 0>cmp    dword ptr [ebp+6C42BE9], 0
006D97EE 74 72          je    short 006D9862
006D97F0 83BD 012DC406 0>cmp    dword ptr [ebp+6C42D01], 0
006D97F7 74 69          je    short 006D9862
006D97F9 3B85 F2CCD506 cmp    eax, dword ptr [ebp+6D5CCF2]
006D97FF 75 07          jnz    short 006D9808
006D9801 8B85 8932C406 mov    eax, dword ptr [ebp+6C43289]
006D9807 47             inc    edi
006D9808 3B85 02CDD506 cmp    eax, dword ptr [ebp+6D5CD02]
006D980E 75 07          jnz    short 006D9817
006D9810 8B85 C90BC406 mov    eax, dword ptr [ebp+6C40BC9]
006D9816 47             inc    edi
006D9817 3B85 F6CCD506 cmp    eax, dword ptr [ebp+6D5CCF6]
006D981D 75 07          jnz    short 006D9826
006D981F 8B85 8D1AC406 mov    eax, dword ptr [ebp+6C41A8D]
006D9825 47             inc    edi
006D9826 3B85 06CDD506 cmp    eax, dword ptr [ebp+6D5CD06]
006D982C 75 07          jnz    short 006D9835
006D982E 8B85 0104C406 mov    eax, dword ptr [ebp+6C40401]
006D9834 47             inc    edi
006D9835 3B85 0ACDD506 cmp    eax, dword ptr [ebp+6D5CD0A]
006D983B 75 07          jnz    short 006D9844
006D983D 8B85 991AC406 mov    eax, dword ptr [ebp+6C41A99]
006D9843 47             inc    edi
006D9844 3B85 FACCD506 cmp    eax, dword ptr [ebp+6D5CCFA]
006D984A 75 07          jnz    short 006D9853
006D984C 8B85 0103C406 mov    eax, dword ptr [ebp+6C40301]
006D9852 47             inc    edi
006D9853 3B85 FECCD506 cmp    eax, dword ptr [ebp+6D5CCFE]
006D9859 75 07          jnz    short 006D9862
006D985B 8B85 DD00C406 mov    eax, dword ptr [ebp+6C400DD]
006D9861 47             inc    edi
006D9862 83BD 012DC406 0>cmp    dword ptr [ebp+6C42D01], 0
006D9869 0F84 0A020000 je    006D9A79
006D986F 3B85 8ACCD506 cmp    eax, dword ptr [ebp+6D5CC8A]
006D9875 75 07          jnz    short 006D987E
006D9877 8B85 C903C406 mov    eax, dword ptr [ebp+6C403C9]
006D987D 47             inc    edi
006D987E 3B85 1ECDD506 cmp    eax, dword ptr [ebp+6D5CD1E]
006D9884 75 07          jnz    short 006D988D
006D9886 8B85 CD2FC406 mov    eax, dword ptr [ebp+6C42FCD]
006D988C 47             inc    edi
006D988D 3B85 8ECCD506 cmp    eax, dword ptr [ebp+6D5CC8E]
006D9893 75 07          jnz    short 006D989C
006D9895 8B85 A112C406 mov    eax, dword ptr [ebp+6C412A1]
006D989B 47             inc    edi
006D989C 3B85 92CCD506 cmp    eax, dword ptr [ebp+6D5CC92]
006D98A2 75 07          jnz    short 006D98AB
006D98A4 8B85 F103C406 mov    eax, dword ptr [ebp+6C403F1]
006D98AA 47             inc    edi
006D98AB 3B85 96CCD506 cmp    eax, dword ptr [ebp+6D5CC96]
006D98B1 75 07          jnz    short 006D98BA
006D98B3 8B85 C50EC406 mov    eax, dword ptr [ebp+6C40EC5]
006D98B9 47             inc    edi
006D98BA 3B85 9ACCD506 cmp    eax, dword ptr [ebp+6D5CC9A]
006D98C0 75 10          jnz    short 006D98D2
006D98C2 83BD CD1CC406 0>cmp    dword ptr [ebp+6C41CCD], 0
006D98C9 75 07          jnz    short 006D98D2
006D98CB 8B85 ED0FC406 mov    eax, dword ptr [ebp+6C40FED]
006D98D1 47             inc    edi
006D98D2 3B85 9ECCD506 cmp    eax, dword ptr [ebp+6D5CC9E]
006D98D8 75 07          jnz    short 006D98E1
006D98DA 8B85 A92FC406 mov    eax, dword ptr [ebp+6C42FA9]
006D98E0 47             inc    edi
006D98E1 3B85 A2CCD506 cmp    eax, dword ptr [ebp+6D5CCA2]
006D98E7 75 10          jnz    short 006D98F9
006D98E9 83BD CD1CC406 0>cmp    dword ptr [ebp+6C41CCD], 0
006D98F0 75 07          jnz    short 006D98F9
006D98F2 8B85 1520C406 mov    eax, dword ptr [ebp+6C42015]
006D98F8 47             inc    edi
006D98F9 3B85 A6CCD506 cmp    eax, dword ptr [ebp+6D5CCA6]
006D98FF 75 07          jnz    short 006D9908
006D9901 8B85 790FC406 mov    eax, dword ptr [ebp+6C40F79]
006D9907 47             inc    edi
006D9908 3B85 AACCD506 cmp    eax, dword ptr [ebp+6D5CCAA]
006D990E 75 07          jnz    short 006D9917
006D9910 8B85 F914C406 mov    eax, dword ptr [ebp+6C414F9]
006D9916 47             inc    edi
006D9917 3B85 B2CCD506 cmp    eax, dword ptr [ebp+6D5CCB2]
006D991D 75 10          jnz    short 006D992F
006D991F 83BD CD1CC406 0>cmp    dword ptr [ebp+6C41CCD], 0
006D9926 75 07          jnz    short 006D992F
006D9928 8B85 6505C406 mov    eax, dword ptr [ebp+6C40565]
006D992E 47             inc    edi
006D992F 3B85 AECCD506 cmp    eax, dword ptr [ebp+6D5CCAE]
006D9935 75 10          jnz    short 006D9947
006D9937 83BD CD1CC406 0>cmp    dword ptr [ebp+6C41CCD], 0
006D993E 75 07          jnz    short 006D9947
006D9940 8B85 FD31C406 mov    eax, dword ptr [ebp+6C431FD]
006D9946 47             inc    edi
006D9947 3B85 B6CCD506 cmp    eax, dword ptr [ebp+6D5CCB6]
006D994D 75 07          jnz    short 006D9956
006D994F 8B85 A118C406 mov    eax, dword ptr [ebp+6C418A1]
006D9955 47             inc    edi
006D9956 3B85 BACCD506 cmp    eax, dword ptr [ebp+6D5CCBA]
006D995C 75 07          jnz    short 006D9965
006D995E 8B85 3930C406 mov    eax, dword ptr [ebp+6C43039]
006D9964 47             inc    edi
006D9965 3B85 BECCD506 cmp    eax, dword ptr [ebp+6D5CCBE]
006D996B 75 07          jnz    short 006D9974
006D996D 8B85 FD19C406 mov    eax, dword ptr [ebp+6C419FD]
006D9973 47             inc    edi
006D9974 3B85 C2CCD506 cmp    eax, dword ptr [ebp+6D5CCC2]
006D997A 75 07          jnz    short 006D9983
006D997C 8B85 3D2FC406 mov    eax, dword ptr [ebp+6C42F3D]
006D9982 47             inc    edi
006D9983 3B85 C6CCD506 cmp    eax, dword ptr [ebp+6D5CCC6]
006D9989 75 07          jnz    short 006D9992
006D998B 8B85 6114C406 mov    eax, dword ptr [ebp+6C41461]
006D9991 47             inc    edi
006D9992 3B85 CACCD506 cmp    eax, dword ptr [ebp+6D5CCCA]
006D9998 75 07          jnz    short 006D99A1
006D999A 8B85 751CC406 mov    eax, dword ptr [ebp+6C41C75]
006D99A0 47             inc    edi
006D99A1 3B85 CECCD506 cmp    eax, dword ptr [ebp+6D5CCCE]
006D99A7 75 07          jnz    short 006D99B0
006D99A9 8B85 191DC406 mov    eax, dword ptr [ebp+6C41D19]
006D99AF 47             inc    edi
006D99B0 3B85 D2CCD506 cmp    eax, dword ptr [ebp+6D5CCD2]
006D99B6 75 07          jnz    short 006D99BF
006D99B8 8B85 8514C406 mov    eax, dword ptr [ebp+6C41485]
006D99BE 47             inc    edi
006D99BF 3B85 D11FC406 cmp    eax, dword ptr [ebp+6C41FD1]
006D99C5 75 07          jnz    short 006D99CE
006D99C7 8B85 6D16C406 mov    eax, dword ptr [ebp+6C4166D]
006D99CD 47             inc    edi
006D99CE 3B85 D6CCD506 cmp    eax, dword ptr [ebp+6D5CCD6]
006D99D4 75 07          jnz    short 006D99DD
006D99D6 8B85 0518C406 mov    eax, dword ptr [ebp+6C41805]
006D99DC 47             inc    edi
006D99DD 3B85 12CDD506 cmp    eax, dword ptr [ebp+6D5CD12]
006D99E3 75 19          jnz    short 006D99FE
006D99E5 83BD 1ACDD506 0>cmp    dword ptr [ebp+6D5CD1A], 0
006D99EC 75 09          jnz    short 006D99F7
006D99EE 83BD 5914C406 0>cmp    dword ptr [ebp+6C41459], 0
006D99F5 74 07          je    short 006D99FE
006D99F7 8B85 A515C406 mov    eax, dword ptr [ebp+6C415A5]
006D99FD 47             inc    edi
006D99FE 3B85 16CDD506 cmp    eax, dword ptr [ebp+6D5CD16]
006D9A04 75 19          jnz    short 006D9A1F
006D9A06 83BD 1ACDD506 0>cmp    dword ptr [ebp+6D5CD1A], 0
006D9A0D 75 09          jnz    short 006D9A18
006D9A0F 83BD 5914C406 0>cmp    dword ptr [ebp+6C41459], 0
006D9A16 74 07          je    short 006D9A1F
006D9A18 8B85 851FC406 mov    eax, dword ptr [ebp+6C41F85]
006D9A1E 47             inc    edi
006D9A1F 3B85 DACCD506 cmp    eax, dword ptr [ebp+6D5CCDA]
006D9A25 75 07          jnz    short 006D9A2E
006D9A27 8B85 8D1EC406 mov    eax, dword ptr [ebp+6C41E8D]
006D9A2D 47             inc    edi
006D9A2E 3B85 DECCD506 cmp    eax, dword ptr [ebp+6D5CCDE]
006D9A34 75 07          jnz    short 006D9A3D
006D9A36 8B85 6D18C406 mov    eax, dword ptr [ebp+6C4186D]
006D9A3C 47             inc    edi
006D9A3D 3B85 E2CCD506 cmp    eax, dword ptr [ebp+6D5CCE2]
006D9A43 75 07          jnz    short 006D9A4C
006D9A45 8B85 D507C406 mov    eax, dword ptr [ebp+6C407D5]
006D9A4B 47             inc    edi
006D9A4C 3B85 E6CCD506 cmp    eax, dword ptr [ebp+6D5CCE6]
006D9A52 75 07          jnz    short 006D9A5B
006D9A54 8B85 D931C406 mov    eax, dword ptr [ebp+6C431D9]
006D9A5A 47             inc    edi
006D9A5B 3B85 EACCD506 cmp    eax, dword ptr [ebp+6D5CCEA]
006D9A61 75 07          jnz    short 006D9A6A
006D9A63 8B85 3512C406 mov    eax, dword ptr [ebp+6C41235]
006D9A69 47             inc    edi
006D9A6A 3B85 EECCD506 cmp    eax, dword ptr [ebp+6D5CCEE]
006D9A70 75 07          jnz    short 006D9A79
006D9A72 8B85 C903C406 mov    eax, dword ptr [ebp+6C403C9]
006D9A78 47             inc    edi
006D9A79 0BFF          or    edi, edi
006D9A7B 0F84 05000000 je    006D9A86
006D9A81  ^ E9 EAFBFFFF    jmp    006D9670
006D9A86 3B85 8516C406 cmp    eax, dword ptr [ebp+6C41685]
006D9A8C 0F85 0B000000 jnz    006D9A9D
006D9A92 8D85 D93AD506 lea    eax, dword ptr [ebp+6D53AD9]
006D9A98  ^ E9 D3FBFFFF    jmp    006D9670
006D9A9D 3B85 F531C406 cmp    eax, dword ptr [ebp+6C431F5]
006D9AA3 0F85 18000000 jnz    006D9AC1
006D9AA9 83BD 0FCCD506 0>cmp    dword ptr [ebp+6D5CC0F], 1
006D9AB0 0F85 0B000000 jnz    006D9AC1
006D9AB6 8D85 23E65800 lea    eax, dword ptr [ebp+58E623]
006D9ABC  ^ E9 AFFBFFFF    jmp    006D9670
006D9AC1 3B85 4ACCD506 cmp    eax, dword ptr [ebp+6D5CC4A]
006D9AC7 0F84 0C000000 je    006D9AD9
006D9ACD 3B85 4ECCD506 cmp    eax, dword ptr [ebp+6D5CC4E]
006D9AD3 0F85 05000000 jnz    006D9ADE
006D9AD9  ^ E9 92FBFFFF    jmp    006D9670
006D9ADE BE 00000000    mov    esi, 0
006D9AE3 83FE 01       cmp    esi, 1
006D9AE6 0F85 45000000 jnz    006D9B31
006D9AEC 3B85 3ECCD506 cmp    eax, dword ptr [ebp+6D5CC3E]
006D9AF2 0F85 0B000000 jnz    006D9B03
006D9AF8 8D85 E4625800 lea    eax, dword ptr [ebp+5862E4]
006D9AFE  ^ E9 6DFBFFFF    jmp    006D9670
006D9B03 3B85 42CCD506 cmp    eax, dword ptr [ebp+6D5CC42]
006D9B09 0F85 0B000000 jnz    006D9B1A
006D9B0F 8D85 5A635800 lea    eax, dword ptr [ebp+58635A]
006D9B15  ^ E9 56FBFFFF    jmp    006D9670
006D9B1A 3B85 46CCD506 cmp    eax, dword ptr [ebp+6D5CC46]
006D9B20 0F85 0B000000 jnz    006D9B31
006D9B26 8D85 9F635800 lea    eax, dword ptr [ebp+58639F]
006D9B2C  ^ E9 3FFBFFFF    jmp    006D9670
006D9B31 8BC0          mov    eax, eax
006D9B33 BE 01000000    mov    esi, 1
006D9B38 0BF6          or    esi, esi
006D9B3A 0F85 05000000 jnz    006D9B45
006D9B40  ^ E9 23FBFFFF    jmp    006D9668
006D9B45 8BF0          mov    esi, eax
006D9B47 89B5 5905C406 mov    dword ptr [ebp+6C40559], esi
006D9B4D 89B5 FD18C406 mov    dword ptr [ebp+6C418FD], esi
006D9B53 803E E9       cmp    byte ptr [esi], 0E9
006D9B56 0F85 26000000 jnz    006D9B82
006D9B5C 8B7E 01       mov    edi, dword ptr [esi+1]
006D9B5F 03FE          add    edi, esi
006D9B61 8BDE          mov    ebx, esi
006D9B63 81C3 00400000 add    ebx, 4000
006D9B69 3BBD 5905C406 cmp    edi, dword ptr [ebp+6C40559]
006D9B6F 0F82 08000000 jb    006D9B7D
006D9B75 3BFB          cmp    edi, ebx
006D9B77 0F86 05000000 jbe    006D9B82
006D9B7D  ^ E9 E6FAFFFF    jmp    006D9668
006D9B82 8BBD 8912C406 mov    edi, dword ptr [ebp+6C41289]
006D9B88 C785 FD09C406 0>mov    dword ptr [ebp+6C409FD], 0
006D9B92 60             pushad
006D9B93 89B5 FD18C406 mov    dword ptr [ebp+6C418FD], esi
006D9B99 8D9D 52E7D506 lea    ebx, dword ptr [ebp+6D5E752]
006D9B9F FFD3          call ebx
006D9BA1 0F82 22000000 jb    006D9BC9
006D9BA7 8D9D CF06D306 lea    ebx, dword ptr [ebp+6D306CF]
006D9BAD FFD3          call ebx
006D9BAF  ^ 0F83 DEFFFFFF jnb    006D9B93
006D9BB5 8BB5 FD18C406 mov    esi, dword ptr [ebp+6C418FD]
006D9BBB 89B5 FD09C406 mov    dword ptr [ebp+6C409FD], esi
006D9BC1 8D9D DF96D406 lea    ebx, dword ptr [ebp+6D496DF]
006D9BC7 FFD3          call ebx
006D9BC9 8B85 5905C406 mov    eax, dword ptr [ebp+6C40559]
006D9BCF 8985 FD18C406 mov    dword ptr [ebp+6C418FD], eax
006D9BD5 61             popad
006D9BD6 8D9D BBE3D506 lea    ebx, dword ptr [ebp+6D5E3BB]
006D9BDC FFD3          call ebx
006D9BDE 8D9D A3E6D506 lea    ebx, dword ptr [ebp+6D5E6A3]
006D9BE4 FFD3          call ebx
006D9BE6 0F83 0C000000 jnb    006D9BF8
006D9BEC 8385 FD18C406 0>add    dword ptr [ebp+6C418FD], 5
006D9BF3  ^ E9 DEFFFFFF    jmp    006D9BD6
006D9BF8 8D9D CCE6D506 lea    ebx, dword ptr [ebp+6D5E6CC]
006D9BFE FFD3          call ebx
006D9C00 0F83 08000000 jnb    006D9C0E
006D9C06 83C2 04       add    edx, 4
006D9C09 E9 32000000    jmp    006D9C40
006D9C0E 8D9D CF06D306 lea    ebx, dword ptr [ebp+6D306CF]
006D9C14 FFD3          call ebx
006D9C16 0F83 0B000000 jnb    006D9C27
006D9C1C 8BB5 FD18C406 mov    esi, dword ptr [ebp+6C418FD]
006D9C22 E9 80070000    jmp    006DA3A7
006D9C27 8B8D FD18C406 mov    ecx, dword ptr [ebp+6C418FD]
006D9C2D 89B5 FD18C406 mov    dword ptr [ebp+6C418FD], esi
006D9C33 2BCE          sub    ecx, esi
006D9C35 F7D9          neg    ecx
006D9C37 2BF1          sub    esi, ecx
006D9C39 F3:A4          rep    movs byte ptr es:[edi], byte pt>
006D9C3B  ^ E9 96FFFFFF    jmp    006D9BD6
006D9C40 8D9D 3797D406 lea    ebx, dword ptr [ebp+6D49737]
006D9C46 FFD3          call ebx
006D9C48 8BC7          mov    eax, edi
006D9C4A 2B85 8912C406 sub    eax, dword ptr [ebp+6C41289]
006D9C50 8985 BD29C406 mov    dword ptr [ebp+6C429BD], eax
006D9C56 8B85 8912C406 mov    eax, dword ptr [ebp+6C41289]
006D9C5C 57             push edi
006D9C5D 50             push eax
006D9C5E 8D8D AC97D406 lea    ecx, dword ptr [ebp+6D497AC]
006D9C64 FFD1          call ecx
006D9C66 8B85 310EC406 mov    eax, dword ptr [ebp+6C40E31]
006D9C6C 50             push eax
006D9C6D 57             push edi
006D9C6E 8B85 8912C406 mov    eax, dword ptr [ebp+6C41289]
006D9C74 50             push eax
006D9C75 8D8D DB97D406 lea    ecx, dword ptr [ebp+6D497DB]
006D9C7B FFD1          call ecx
006D9C7D 8BD0          mov    edx, eax
006D9C7F 8BC8          mov    ecx, eax
006D9C81 2B8D 310EC406 sub    ecx, dword ptr [ebp+6C40E31]
006D9C87 83BD B112C406 0>cmp    dword ptr [ebp+6C412B1], 0
006D9C8E 0F84 2B000000 je    006D9CBF
006D9C94 8B85 4900C406 mov    eax, dword ptr [ebp+6C40049]
006D9C9A 2B85 B112C406 sub    eax, dword ptr [ebp+6C412B1]
006D9CA0 3BC1          cmp    eax, ecx
006D9CA2 0F86 17000000 jbe    006D9CBF
006D9CA8 8B85 E90EC406 mov    eax, dword ptr [ebp+6C40EE9]
006D9CAE 0385 B112C406 add    eax, dword ptr [ebp+6C412B1]
006D9CB4 8985 F910C406 mov    dword ptr [ebp+6C410F9], eax
006D9CBA E9 43000000    jmp    006D9D02
006D9CBF 51             push ecx
006D9CC0 8BC1          mov    eax, ecx
006D9CC2 48             dec    eax
006D9CC3 0D FF0F0000    or    eax, 0FFF
006D9CC8 40             inc    eax
006D9CC9 8985 4900C406 mov    dword ptr [ebp+6C40049], eax
006D9CCF 0185 8929C406 add    dword ptr [ebp+6C42989], eax
006D9CD5 C785 B112C406 0>mov    dword ptr [ebp+6C412B1], 0
006D9CDF 6A 40          push 40
006D9CE1 68 00100000    push 1000
006D9CE6 51             push ecx
006D9CE7 6A 00          push 0
006D9CE9 FF95 2920C406 call dword ptr [ebp+6C42029]
006D9CEF FF95 0D0BC406 call dword ptr [ebp+6C40B0D]
006D9CF5 8985 E90EC406 mov    dword ptr [ebp+6C40EE9], eax
006D9CFB 8985 F910C406 mov    dword ptr [ebp+6C410F9], eax
006D9D01 59             pop    ecx
006D9D02 FFB5 F910C406 push dword ptr [ebp+6C410F9]
006D9D08 FFB5 310EC406 push dword ptr [ebp+6C40E31]
006D9D0E 57             push edi
006D9D0F FFB5 8912C406 push dword ptr [ebp+6C41289]
006D9D15 8D85 6D9CD406 lea    eax, dword ptr [ebp+6D49C6D]
006D9D1B FFD0          call eax
006D9D1D 018D B112C406 add    dword ptr [ebp+6C412B1], ecx
006D9D23 8BBD F910C406 mov    edi, dword ptr [ebp+6C410F9]
006D9D29 8BB5 310EC406 mov    esi, dword ptr [ebp+6C40E31]
006D9D2F F3:A4          rep    movs byte ptr es:[edi], byte pt>
006D9D31 8BB5 0525C406 mov    esi, dword ptr [ebp+6C42505]
006D9D37 AD             lods dword ptr [esi]
006D9D38 C746 FC 0000000>mov    dword ptr [esi-4], 0
006D9D3F C1C0 05       rol    eax, 5
006D9D42 05 A24F506B    add    eax, 6B504FA2
006D9D47 0385 992CC406 add    eax, dword ptr [ebp+6C42C99]
006D9D4D 8B8D F910C406 mov    ecx, dword ptr [ebp+6C410F9]
006D9D53  - E9 A8629604    jmp    05040000                      ; Patch③、  jmp
005AF000 ★
006D9D58 90             nop
006D9D59 90             nop
006D9D5A 90             nop
006D9D5B 90             nop
006D9D5C 90             nop
006D9D5D 89B5 0525C406 mov    dword ptr [ebp+6C42505], esi ; A
006D9D63 83F8 FF       cmp    eax, -1
006D9D66 0F85 20000000 jnz    006D9D8C
006D9D6C 813E DDDDDDDD cmp    dword ptr [esi], DDDDDDDD
006D9D72 0F85 14000000 jnz    006D9D8C
006D9D78 C706 00000000 mov    dword ptr [esi], 0
006D9D7E 83C6 04       add    esi, 4
006D9D81 89B5 0525C406 mov    dword ptr [ebp+6C42505], esi
006D9D87  ^ E9 E6F6FFFF    jmp    006D9472
006D9D8C C1C0 03       rol    eax, 3
006D9D8F 0385 992CC406 add    eax, dword ptr [ebp+6C42C99]
006D9D95 83BD 090DC406 0>cmp    dword ptr [ebp+6C40D09], 1
006D9D9C 0F84 9D000000 je    006D9E3F
006D9DA2 813E AAAAAAAA cmp    dword ptr [esi], AAAAAAAA
006D9DA8 0F85 12000000 jnz    006D9DC0
006D9DAE 83C6 04       add    esi, 4
006D9DB1 C746 FC 0000000>mov    dword ptr [esi-4], 0
006D9DB8 97             xchg eax, edi
006D9DB9 B0 E9          mov    al, 0E9
006D9DBB E9 03000000    jmp    006D9DC3
006D9DC0 97             xchg eax, edi
006D9DC1 B0 E8          mov    al, 0E8
006D9DC3 50             push eax
006D9DC4 83BD 5914C406 0>cmp    dword ptr [ebp+6C41459], 1
006D9DCB 0F84 3E000000 je    006D9E0F
006D9DD1 B8 00010000    mov    eax, 100
006D9DD6 83BD 56CCD506 0>cmp    dword ptr [ebp+6D5CC56], 0
006D9DDD 0F84 08000000 je    006D9DEB
006D9DE3 8D9D AE9FD406 lea    ebx, dword ptr [ebp+6D49FAE]
006D9DE9 FFD3          call ebx
006D9DEB 803F 90       cmp    byte ptr [edi], 90
006D9DEE 0F84 08000000 je    006D9DFC
006D9DF4 83C7 05       add    edi, 5
006D9DF7 E9 43000000    jmp    006D9E3F
006D9DFC 83F8 50       cmp    eax, 50
006D9DFF 0F82 0A000000 jb    006D9E0F
006D9E05 B0 90          mov    al, 90
006D9E07 AA             stos byte ptr es:[edi]
006D9E08 58             pop    eax
006D9E09 AA             stos byte ptr es:[edi]
006D9E0A  - E9 05629604    jmp    05040014                      ; Patch④、  jmp
005AF014 ★
006D9E0F 58             pop    eax
006D9E10 AA             stos byte ptr es:[edi]
006D9E11 807F FF E9    cmp    byte ptr [edi-1], 0E9
006D9E15  - E9 1C629604    jmp    05040036                      ; Patch⑤、  jmp
005AF036 ★
006D9E1A 90             nop
006D9E1B 83BD 56CCD506 0>cmp    dword ptr [ebp+6D5CC56], 0    ; C
006D9E22 0F84 08000000 je    006D9E30
006D9E28 8D9D 7E9FD406 lea    ebx, dword ptr [ebp+6D49F7E]
006D9E2E FFD3          call ebx
006D9E30 90             nop                                  ; Patch⑥、  NOP ★
去掉加密填充
006D9E31 90             nop
006D9E32 90             nop
006D9E33 8B85 F910C406 mov    eax, dword ptr [ebp+6C410F9] ; B
006D9E39 2BC7          sub    eax, edi
006D9E3B 83E8 04       sub    eax, 4
006D9E3E 90             nop                                  ; Patch⑦、  NOP ★
去掉加密填充
006D9E3F AD             lods dword ptr [esi]
006D9E40 C746 FC 0000000>mov    dword ptr [esi-4], 0
006D9E47  - E9 13629604    jmp    0504005F                      ; Patch⑧、  jmp
005AF05F ★循环处理每个DLL的函数
006D9E4C 89B5 0525C406 mov    dword ptr [ebp+6C42505], esi
006D9E52 52             push edx
006D9E53 68 00800000    push 8000
006D9E58 6A 00          push 0
006D9E5A FFB5 F110C406 push dword ptr [ebp+6C410F1]
006D9E60 FF95 F506C406 call dword ptr [ebp+6C406F5]
006D9E66 5A             pop    edx
006D9E67 8B8D 9D15C406 mov    ecx, dword ptr [ebp+6C4159D]
006D9E6D C701 00000000 mov    dword ptr [ecx], 0
006D9E73 83C1 04       add    ecx, 4
006D9E76 898D 9D15C406 mov    dword ptr [ebp+6C4159D], ecx
006D9E7C  ^ E9 10F5FFFF    jmp    006D9391                      ; 循环处理所有DLL的函数
006D9E81 E9 A4060000    jmp    006DA52A                      ; 此处下断，输入表处理完
成后中断在这里
006D9E86 60             pushad

填充PATCH
05040000 A3 00040405    mov    dword ptr [5040400], eax       ; 保存EAX值于[5040400]
05040005 8908          mov    dword ptr [eax], ecx
05040007 AD             lods dword ptr [esi]
05040008 C746 FC 0000000>mov    dword ptr [esi-4], 0
0504000F  - E9 499D69FB    jmp    魔域王者.006D9D5D                ; A继续流程
05040014 50             push eax
05040015 A1 00040405    mov    eax, dword ptr [5040400]
0504001A 8907          mov    dword ptr [edi], eax
0504001C 807F FF E8    cmp    byte ptr [edi-1], 0E8
05040020 75 08          jnz    short 0504002A
05040022 66:C747 FE FF15 mov    word ptr [edi-2], 15FF
05040028 EB 06          jmp    short 05040030
0504002A 66:C747 FE FF25 mov    word ptr [edi-2], 25FF
05040030 58             pop    eax
05040031  - E9 FD9D69FB    jmp    魔域王者.006D9E33                ; B继续流程
05040036 50             push eax
05040037 A1 00040405    mov    eax, dword ptr [5040400]
0504003C 8947 01       mov    dword ptr [edi+1], eax
0504003F 807F FF E8    cmp    byte ptr [edi-1], 0E8
05040043 75 08          jnz    short 0504004D
05040045 66:C747 FF FF15 mov    word ptr [edi-1], 15FF
0504004B EB 06          jmp    short 05040053
0504004D 66:C747 FF FF25 mov    word ptr [edi-1], 25FF
05040053 58             pop    eax
05040054  - 0F85 D99D69FB jnz    魔域王者.006D9E33                ; B继续流程
0504005A  - E9 BC9D69FB    jmp    魔域王者.006D9E1B                ; C继续流程
0504005F 83C7 04       add    edi, 4
05040062  - E9 F69C69FB    jmp    魔域王者.006D9D5D                ; A继续流程
05040067 90             nop
填充CODE
A3 00 04 04 05 89 08 AD C7 46 FC 00 00 00 00 E9 49 9D 69 FB 50 A1 00 04 04 05 89 07 80 7F FF
E8
75 08 66 C7 47 FE FF 15 EB 06 66 C7 47 FE FF 25 58 E9 FD 9D 69 FB 50 A1 00 04 04 05 89 47 01
80
7F FF E8 75 08 66 C7 47 FF FF 15 EB 06 66 C7 47 FF FF 25 58 0F 85 D9 9D 69 FB E9 BC 9D 69 FB
83
C7 04 E9 F6 9C 69 FB 90
三、OEP
写好代码后,删除先前在代码段下的内存写入断点,shift+F9,中断在006D9E81,到这里已经获得了IAT,现在
找OEP.，在这里我采用世面上流传的找THEMIDA OEP方法：
取消006D9E81处断点,ALT+M打开内存察看窗口，直接在代码段F2下断点。Shift+F9就中断在OEP处了

00401000 /EB 10          jmp    short 00401012
00401002 |66:623A       bound di, dword ptr [edx]
00401005 |43             inc    ebx
00401006 |2B2B          sub    ebp, dword ptr [ebx]
00401008 |48             dec    eax
00401009 |4F             dec    edi
0040100A |4F             dec    edi
0040100B |4B             dec    ebx
0040100C |90             nop
0040100D  -|E9 74B34700    jmp    0087C386
00401012 \A1 67B34700    mov    eax, dword ptr [47B367]
00401017 C1E0 02       shl    eax, 2
0040101A A3 6BB34700    mov    dword ptr [47B36B], eax
0040101F 52             push edx
00401020 6A 00          push 0
00401022 E8 35940700    call 0047A45C                      ; jmp 到
kernel32.GetModuleHandleA ★跟随
00401027 8BD0          mov    edx, eax
00401029 E8 26870700    call 00479754
0040102E 5A             pop    edx
0040102F E8 3C9D0700    call 0047AD70                      ; jmp 到
CC3250MT.___CRTL_MEM_UseBorMM
00401034 E8 5F870700    call 00479798
00401039 6A 00          push 0
0040103B E8 8C880700    call 004798CC
00401040 59             pop    ecx
然后调用lordpe来dump，选择－－修正镜像大小，完整转存。
接下来修复IAT ，
00401000 /EB 10          jmp    short 00401012
00401002 |66:623A       bound di, dword ptr [edx]
00401005 |43             inc    ebx
00401006 |2B2B          sub    ebp, dword ptr [ebx]
00401008 |48             dec    eax
00401009 |4F             dec    edi
0040100A |4F             dec    edi
0040100B |4B             dec    ebx
0040100C |90             nop
0040100D  -|E9 74B34700    jmp    0087C386
00401012 \A1 67B34700    mov    eax, dword ptr [47B367]
00401017 C1E0 02       shl    eax, 2
0040101A A3 6BB34700    mov    dword ptr [47B36B], eax
0040101F 52             push edx
00401020 6A 00          push 0
00401022 E8 35940700    call 0047A45C                ; jmp 到
kernel32.GetModuleHandleA
00401027 8BD0          mov    edx, eax
00401029 E8 26870700    call 00479754
0040102E 5A             pop    edx
0040102F E8 3C9D0700    call 0047AD70                ; jmp 到
CC3250MT.___CRTL_MEM_UseBorMM
00401034 E8 5F870700    call 00479798
00401039 6A 00          push 0
0040103B E8 8C880700    call 004798CC
在 00401022 E8 35940700    call 0047A45C                ; jmp 到
kernel32.GetModuleHandleA
跟到下面
0047A45C  - FF25 64654800 jmp    dword ptr [486564]       ; kernel32.GetModuleHandleA
现在看DD 486564
到这里找到
00486130  2E156C5D
00486134  4100522C  BORLNDMM.GetAllocMemCount；这里就是RVA
00486138  00000000
0048613C  00000000
00486140  00000000
00486144  00000000
00486148  00000000
0048614C  00000000
00486150  00000000
00486154  00000000
00486158  00000000
0048615C  00000000
00486160  00000000
00486164  00000000
00486168  00000000
0048616C  00000000
00486170  00000000
00486174  00000000
00486178  00000000
0048617C  00000000
00486180  00000000
00486184  00000000
00486188  00000000
0048618C  00000000
00486190  00000000
00486194  00000000
00486198  00000000
0048619C  00000000
004861A0  00000000
004861A4  00000000
004861A8  00000000
004861AC  00000000
004861B0  00000000
004861B4  00000000
004861B8  00000000
004861BC  00000000
004861C0  00000000
004861C4  00000000
004861C8  00000000
004861CC  00000000
004861D0  00000000
004861D4  00000000
004861D8  00000000
004861DC  00000000
004861E0  00000000
004861E4  00000000
004861E8  00000000
004861EC  00000000
004861F0  00000000
004861F4  00000000
004861F8  00000000
004861FC  00000000
00486200  00000000
00486204  00000000
00486208  00000000
0048620C  463B6E5E
00486210  02809488  MYDLL.Shdocvw_ocx::Finalize
00486214  02809470  MYDLL.Shdocvw_ocx::Initialize
00486218  0287B158  MYDLL.Shdocvw_tlb::CLSID_CppInternetExplorer
0048621C  0287B1B8  MYDLL.Shdocvw_tlb::CLSID_CppShellUIHelper
00486220  0287B198  MYDLL.Shdocvw_tlb::CLSID_CppShellWindows
00486224  0287B1E8  MYDLL.Shdocvw_tlb::CLSID_ShellFavoritesNameSpace
00486228  0287B1D8  MYDLL.Shdocvw_tlb::IID_IShellFavoritesNameSpace
0048622C  0287B1A8  MYDLL.Shdocvw_tlb::IID_IShellUIHelper
00486230  0287B188  MYDLL.Shdocvw_tlb::IID_IShellWindows
00486234  0287B118  MYDLL.Shdocvw_tlb::IID_IWebBrowser2
00486238  02803830  MYDLL.Shdocvw_tlb::TCppInternetExplorer::BeforeDestruction
0048623C  028035CC  MYDLL.Shdocvw_tlb::TCppInternetExplorer::Connect
00486240  02803778  MYDLL.Shdocvw_tlb::TCppInternetExplorer:isconnect
00486244  0280330C  MYDLL.Shdocvw_tlb::TCppInternetExplorer::GetDunk
00486248  028039B8  MYDLL.Shdocvw_tlb::TCppInternetExplorer::InitServerData
0048624C  02803A08  MYDLL.Shdocvw_tlb::TCppInternetExplorer::InvokeEvent
00486250  028059A8  MYDLL.Shdocvw_tlb::TCppShellUIHelper::BeforeDestruction
00486254  02805744  MYDLL.Shdocvw_tlb::TCppShellUIHelper::Connect
00486258  028058F0  MYDLL.Shdocvw_tlb::TCppShellUIHelper:isconnect
0048625C  02805564  MYDLL.Shdocvw_tlb::TCppShellUIHelper::GetDunk
00486260  02805B34  MYDLL.Shdocvw_tlb::TCppShellUIHelper::InitServerData
00486264  02805228  MYDLL.Shdocvw_tlb::TCppShellWindows::BeforeDestruction
00486268  02804FC4  MYDLL.Shdocvw_tlb::TCppShellWindows::Connect
0048626C  02805170  MYDLL.Shdocvw_tlb::TCppShellWindows:isconnect
00486270  02804DE4  MYDLL.Shdocvw_tlb::TCppShellWindows::GetDunk
00486274  02805404  MYDLL.Shdocvw_tlb::TCppShellWindows::InvokeEvent
00486278  02807938  MYDLL.Shdocvw_tlb::TCppWebBrowser::TCppWebBrowser
0048627C  028798E0  MYDLL.Shdocvw_tlb::TCppWebBrowser::CControlData
00486280  02802348  MYDLL.Shdocvw_tlb::TCppWebBrowser::CreateControl
00486284  02879930  MYDLL.Shdocvw_tlb::TCppWebBrowser:EF_CTL_INTF
00486288  02879898  MYDLL.Shdocvw_tlb::TCppWebBrowser::EventDispIDs
0048628C  02802460  MYDLL.Shdocvw_tlb::TCppWebBrowser::GetDefaultInterface
00486290  02802330  MYDLL.Shdocvw_tlb::TCppWebBrowser::InitControlData
00486294  02802844  MYDLL.Shdocvw_tlb::TCppWebBrowser::Navigate
00486298  02879940  MYDLL.Shdocvw_tlb::TCppWebBrowser::OptParam
0048629C  02807FC0  MYDLL.Shdocvw_tlb::TCppWebBrowser_V1::TCppWebBrowser_V1
004862A0  02879568  MYDLL.Shdocvw_tlb::TCppWebBrowser_V1::CControlData
004862A4  0280179C  MYDLL.Shdocvw_tlb::TCppWebBrowser_V1::CreateControl
004862A8  028795B8  MYDLL.Shdocvw_tlb::TCppWebBrowser_V1:EF_CTL_INTF
004862AC  02879524  MYDLL.Shdocvw_tlb::TCppWebBrowser_V1::EventDispIDs
004862B0  02801A24  MYDLL.Shdocvw_tlb::TCppWebBrowser_V1::GetDefaultInterface
004862B4  02801784  MYDLL.Shdocvw_tlb::TCppWebBrowser_V1::InitControlData
004862B8  028795C8  MYDLL.Shdocvw_tlb::TCppWebBrowser_V1::OptParam
004862BC  02805FEC  MYDLL.Shdocvw_tlb::TShellFavoritesNameSpace::BeforeDestruction
004862C0  02805D88  MYDLL.Shdocvw_tlb::TShellFavoritesNameSpace::Connect
004862C4  02805F34  MYDLL.Shdocvw_tlb::TShellFavoritesNameSpace:isconnect
004862C8  02805BA8  MYDLL.Shdocvw_tlb::TShellFavoritesNameSpace::GetDunk
004862CC  0280618C  MYDLL.Shdocvw_tlb::TShellFavoritesNameSpace::InitServerData
004862D0  028061DC  MYDLL.Shdocvw_tlb::TShellFavoritesNameSpace::InvokeEvent
004862D4  028013D0  MYDLL.HookDown1
004862D8  02801470  MYDLL.HookUp1
004862DC  028053B4  MYDLL.Shdocvw_tlb::TCppShellWindows::InitServerData
004862E0  00000000
004862E4  00000000
004862E8  00000000
004862EC  00000000
004862F0  7F508211
004862F4  100015F0  WINIO.InitializeWinIo
004862F8  10001490  WINIO.SetPortVal
004862FC  100016E0  WINIO.ShutdownWinIo
00486300  00000000
00486304  00000000
00486308  00000000
0048630C  00000000
00486310  2DE9AA66
00486314  77DA6BF0  ADVAPI32.RegCloseKey
00486318  77DA761B  ADVAPI32.RegOpenKeyExA
0048631C  77DA7883  ADVAPI32.RegQueryValueExA
00486320  00000000
00486324  00000000
00486328  00000000
0048632C  00000000
00486330  00000000
00486334  00000000
00486338  00000000
0048633C  00000000
00486340  00000000
00486344  00000000
00486348  00000000
0048634C  00000000
00486350  00000000
00486354  00000000
00486358  00000000
0048635C  00000000
00486360  00000000
00486364  00000000
00486368  00000000
0048636C  00000000
00486370  00000000
00486374  00000000
00486378  00000000
0048637C  00000000
00486380  00000000
00486384  00000000
00486388  00000000
0048638C  00000000
00486390  00000000
00486394  00000000
00486398  00000000
0048639C  00000000
004863A0  00000000
004863A4  00000000
004863A8  00000000
004863AC  00000000
004863B0  00000000
004863B4  00000000
004863B8  00000000
004863BC  00000000
004863C0  00000000
004863C4  00000000
004863C8  00000000
004863CC  00000000
004863D0  00000000
004863D4  00000000
004863D8  00000000
004863DC  00000000
004863E0  00000000
004863E4  00000000
004863E8  00000000
004863EC  00000000
004863F0  00000000
004863F4  00000000
004863F8  00000000
004863FC  00000000
00486400  00000000
00486404  00000000
00486408  00000000
0048640C  00000000
00486410  00000000
00486414  00000000
00486418  00000000
0048641C  00000000
00486420  00000000
00486424  00000000
00486428  00000000
0048642C  00000000
00486430  00000000
00486434  00000000
00486438  00000000
0048643C  00000000
00486440  00000000
00486444  00000000
00486448  00000000
0048644C  00000000
00486450  00000000
00486454  00000000
00486458  00000000
0048645C  00000000
00486460  00000000
00486464  00000000
00486468  00000000
0048646C  00000000
00486470  00000000
00486474  00000000
00486478  00000000
0048647C  00000000
00486480  00000000
00486484  00000000
00486488  00000000
0048648C  00000000
00486490  00000000
00486494  00000000
00486498  00000000
0048649C  00000000
004864A0  00000000
004864A4  00000000
004864A8  00000000
004864AC  00000000
004864B0  00000000
004864B4  00000000
004864B8  00000000
004864BC  00000000
004864C0  00000000
004864C4  00000000
004864C8  242C2982
004864CC  7C809B47  kernel32.CloseHandle
004864D0  7C80D077  kernel32.CompareStringA
004864D4  7C8308AD  kernel32.CreateEventA
004864D8  7C801A24  kernel32.CreateFileA
004864DC  7C80945C  kernel32.CreateFileMappingA
004864E0  7C802367  kernel32.CreateProcessA
004864E4  7C81042C  kernel32.CreateRemoteThread
004864E8  7C810637  kernel32.CreateThread
004864EC  7C864B47  kernel32.CreateToolhelp32Snapshot
004864F0  7C859B72  kernel32.DebugBreak
004864F4  7C93188A  ntdll.RtlDeleteCriticalSection
004864F8  7C921005  ntdll.RtlEnterCriticalSection
004864FC  7C838211  kernel32.EnumCalendarInfoA
00486500  7C81CDDA  kernel32.ExitProcess
00486504  7C80C058  kernel32.ExitThread
00486508  7C83065D  kernel32.FileTimeToDosDateTime
0048650C  7C80E866  kernel32.FileTimeToLocalFileTime
00486510  7C80EDD7  kernel32.FindClose
00486514  7C8137D9  kernel32.FindFirstFileA
00486518  7C80BE89  kernel32.FindResourceA
0048651C  7C82F7A0  kernel32.FormatMessageA
00486520  7C80ABDE  kernel32.FreeLibrary
00486524  7C8260C2  kernel32.FreeResource
00486528  7C812E76  kernel32.GetCPInfo
0048652C  7C812F1D  kernel32.GetCommandLineA
00486530  7C8216A4  kernel32.GetComputerNameA
00486534  7C834FFE  kernel32.GetCurrentDirectoryA
00486538  7C809920  kernel32.GetCurrentProcessId
0048653C  7C809728  kernel32.GetCurrentThreadId
00486540  7C8361EE  kernel32.GetDateFormatA
00486544  7C8302ED  kernel32.GetDiskFreeSpaceA
00486548  7C821435  kernel32.GetExitCodeThread
0048654C  7C810A77  kernel32.GetFileSize
00486550  7C810E51  kernel32.GetFileType
00486554  7C930331  ntdll.RtlGetLastWin32Error
00486558  7C80A7D4  kernel32.GetLocalTime
0048655C  7C80D262  kernel32.GetLocaleInfoA
00486560  7C80B4CF  kernel32.GetModuleFileNameA
00486564  7C80B6A1  kernel32.GetModuleHandleA
00486568  7C832B56  kernel32.GetPrivateProfileStringA
0048656C  7C80ADA0  kernel32.GetProcAddress
打开IMPORT REC修改 OEP 1000 RVA 86134
GET IMPORTS
SHOW INVALID
CUT thunk（s）
到这里脱壳成功，实验一下！！可以完美运行了！
然后找他的关键跳转
0040232A  |.  8BD8       mov    ebx, eax
0040232C  |.  85DB       test ebx, ebx                      ;  Switch (cases -36..5)
0040232E  |.  75 38       jnz    short 00402368
00402330  |.  66:C747 10 44>mov    word ptr [edi+10], 44          ;  Case 0 of switch 0040232C
00402336  |.  BA F2B54700 mov    edx, 0047B5F2                   ;  数据格式错误！
0040233B  |.  8D45 E8    lea    eax, dword ptr [ebp-18]
0040233E  |.  E8 F9760700 call 00479A3C
00402343  |.  FF47 1C    inc    dword ptr [edi+1C]
00402346  |.  8B10       mov    edx, dword ptr [eax]
00402348  |.  8B86 0C030000 mov    eax, dword ptr [esi+30C]
0040234E  |.  E8 2DB60400 call 0044D980
00402353  |.  FF4F 1C    dec    dword ptr [edi+1C]
00402356  |.  8D45 E8    lea    eax, dword ptr [ebp-18]
00402359  |.  BA 02000000 mov    edx, 2
0040235E  |.  E8 31780700 call 00479B94
00402363  |.  E9 16060000 jmp    0040297E
00402368  |>  83FB FF    cmp    ebx, -1
0040236B  |.  75 38       jnz    short 004023A5
0040236D  |.  66:C747 10 50>mov    word ptr [edi+10], 50          ;  Case -1 of switch 0040232C
00402373  |.  BA 01B64700 mov    edx, 0047B601                   ;  认证失败！
00402378  |.  8D45 E4    lea    eax, dword ptr [ebp-1C]
0040237B  |.  E8 BC760700 call 00479A3C
00402380  |.  FF47 1C    inc    dword ptr [edi+1C]
00402383  |.  8B10       mov    edx, dword ptr [eax]
00402385  |.  8B86 0C030000 mov    eax, dword ptr [esi+30C]
0040238B  |.  E8 F0B50400 call 0044D980
00402390  |.  FF4F 1C    dec    dword ptr [edi+1C]
00402393  |.  8D45 E4    lea    eax, dword ptr [ebp-1C]
00402396  |.  BA 02000000 mov    edx, 2
0040239B  |.  E8 F4770700 call 00479B94
004023A0  |.  E9 D9050000 jmp    0040297E
004023A5  |>  83FB 01    cmp    ebx, 1
004023A8  |.  0F85 11020000 jnz    004025BF
004023AE  |.  66:C747 10 5C>mov    word ptr [edi+10], 5C          ;  Case 1 of switch 0040232C
004023B4  |.  BA 0CB64700 mov    edx, 0047B60C                   ;  usedays
004023B9  |.  8D45 E0    lea    eax, dword ptr [ebp-20]
004023BC  |.  E8 7B760700 call 00479A3C
004023C1  |.  FF47 1C    inc    dword ptr [edi+1C]
004023C4  |.  33D2       xor    edx, edx
004023C6  |.  8B08       mov    ecx, dword ptr [eax]
004023C8  |.  51          push ecx                            ; /Arg3
004023C9  |.  8D4D DC    lea    ecx, dword ptr [ebp-24]       ; |
004023CC  |.  8B45 FC    mov    eax, dword ptr [ebp-4]          ; |
004023CF  |.  50          push eax                            ; |Arg2
004023D0  |.  8955 DC    mov    dword ptr [ebp-24], edx       ; |
004023D3  |.  51          push ecx                            ; |Arg1
004023D4  |.  FF47 1C    inc    dword ptr [edi+1C]             ; |
004023D7  |.  E8 205D0000 call 004080FC                      ; \dumped_.004080FC
004023DC  |.  83C4 0C    add    esp, 0C
004023DF  |.  8D55 DC    lea    edx, dword ptr [ebp-24]
004023E2  |.  8D45 F8    lea    eax, dword ptr [ebp-8]
004023E5  |.  E8 DA770700 call 00479BC4
004023EA  |.  FF4F 1C    dec    dword ptr [edi+1C]
004023ED  |.  8D45 DC    lea    eax, dword ptr [ebp-24]
004023F0  |.  BA 02000000 mov    edx, 2
004023F5  |.  E8 9A770700 call 00479B94
004023FA  |.  FF4F 1C    dec    dword ptr [edi+1C]
004023FD  |.  8D45 E0    lea    eax, dword ptr [ebp-20]
00402400  |.  BA 02000000 mov    edx, 2
00402405  |.  E8 8A770700 call 00479B94
0040240A  |.  33D2       xor    edx, edx
0040240C  |.  8B45 F8    mov    eax, dword ptr [ebp-8]
0040240F  |.  E8 C8D20600 call 0046F6DC
00402414  |.  8BD8       mov    ebx, eax
00402416  |.  85DB       test ebx, ebx
00402418    0F8E 69010000 jle    00402587                      ;  关键跳转★
0040241E  |.  66:C747 10 68>mov    word ptr [edi+10], 68
00402424  |.  33C0       xor    eax, eax
00402426  |.  8D55 D8    lea    edx, dword ptr [ebp-28]
00402429  |.  8945 D8    mov    dword ptr [ebp-28], eax
0040242C  |.  8BC3       mov    eax, ebx
0040242E  |.  FF47 1C    inc    dword ptr [edi+1C]
00402431  |.  E8 3AD20600 call 0046F670
00402436  |.  8D55 D8    lea    edx, dword ptr [ebp-28]
00402439  |.  33C9       xor    ecx, ecx
0040243B  |.  894D D4    mov    dword ptr [ebp-2C], ecx
0040243E  |.  8D4D D4    lea    ecx, dword ptr [ebp-2C]
00402441  |.  FF47 1C    inc    dword ptr [edi+1C]
00402444  |.  B8 14B64700 mov    eax, 0047B614                   ;  可使用天数:
00402449  |.  E8 9E7A0700 call 00479EEC
0040244E  |.  8D55 D4    lea    edx, dword ptr [ebp-2C]
00402451  |.  52          push edx
00402452  |.  BA 21B64700 mov    edx, 0047B621                   ;  天!
00402457  |.  8D45 D0    lea    eax, dword ptr [ebp-30]
在关键跳转处直接NOP，保存到文件，就 OK了！

在这里提示一下，跟踪这种THEMIDA加壳的程序的时候注意参看以下帖子
FLY大大的[分享] Themida/WinLicense.V1.8.2.0 的Anit OllyDBG新方法
http://bbs.unpack.cn/thread-7985-1-1.html
  FLY大大的[原创] Themida V1.1.1.0 无驱动版试炼普通保护方式脱壳
http://bbs.unpack.cn/thread-2061-1-1.html

[课程]Android-CTF解题方法汇总！

收藏・1

免费・0

支持

最新回复 (4)
记忆戒指雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 21 粉丝 0 关注私信	记忆戒指 2 楼厉害~~~有时间帮我看看我的那个啊`~查不出来啥壳`~~修复估计没做对`~脱掉之后老是启动不起来 2007-4-27 16:17 0
xiajuncool 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 26 粉丝 0 关注私信	xiajuncool 3 楼你发错地方了啊，这可不是初学者看得懂的啊～ 2007-4-27 16:54 0
jarodlau 雪币： 208 活跃值： (20) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 8 粉丝 0 关注私信	jarodlau 4 楼呵呵，我也知道发错地方了，可是这个ACC没有发过多少帖子，汗★ 2007-4-27 19:06 0
glede 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 29 粉丝 0 关注私信	glede 5 楼不错不错，值得学习 2007-4-28 00:18 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

jarodlau

发帖

回帖

RANK

关注

私信

他的文章

themida1.8.X-脱壳爆破－魔域王者4.7－新手教学帖子！[原创] 7056

关于我们

联系我们

企业服务

看雪公众号

最新回复 (4)
记忆戒指雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 21 粉丝 0 关注私信	记忆戒指 2 楼厉害~~~有时间帮我看看我的那个啊`~查不出来啥壳`~~修复估计没做对`~脱掉之后老是启动不起来 2007-4-27 16:17 0
xiajuncool 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 26 粉丝 0 关注私信	xiajuncool 3 楼你发错地方了啊，这可不是初学者看得懂的啊～ 2007-4-27 16:54 0
jarodlau 雪币： 208 活跃值： (20) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 8 粉丝 0 关注私信	jarodlau 4 楼呵呵，我也知道发错地方了，可是这个ACC没有发过多少帖子，汗★ 2007-4-27 19:06 0
glede 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 29 粉丝 0 关注私信	glede 5 楼不错不错，值得学习 2007-4-28 00:18 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复