大家帮我看看我这个程序的花指令效果如何-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

最新回复 (8)
fly 雪币： 896 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 295 回帖 7672 粉丝 32 关注私信	fly 85 2004-10-18 02:54 2 楼 0 XP+OD F9
辉仔Yock 雪币： 228 活跃值： (165) 能力值： ( LV2，RANK：10 ) 在线值：发帖 10 回帖 103 粉丝 1 关注私信	辉仔Yock 2004-10-18 06:31 3 楼 0 堆栈堆栈堆栈乱了. mov eax,XXXX push eax add eax,0d push eax add eax,0d push eax add eax,0d push eax add eax,0d push eax add eax,0d ...
nig 雪币： 414 活跃值： (531) 能力值： ( LV9，RANK：170 ) 在线值：发帖 38 回帖 1445 粉丝 12 关注私信	nig 4 2004-10-18 10:03 4 楼 0 00401000 > $ EB 03 JMP SHORT t.00401005 00401002 > EB 03 JMP SHORT t.00401007 00401004 90 NOP 00401005 >^EB FB JMP SHORT t.00401002 00401007 > E8 01000000 CALL t.0040100D 0040100C . 90 NOP 0040100D $ EB 03 JMP SHORT t.00401012 0040100F > EB 03 JMP SHORT t.00401014 00401011 90 NOP 00401012 >^EB FB JMP SHORT t.0040100F 00401014 > E8 01000000 CALL t.0040101A 00401019 . 90 NOP 0040101A $ EB 03 JMP SHORT t.0040101F 0040101C > EB 03 JMP SHORT t.00401021 0040101E 90 NOP 0040101F >^EB FB JMP SHORT t.0040101C 00401021 > E8 01000000 CALL t.00401027 00401026 . 90 NOP 00401027 $ EB 03 JMP SHORT t.0040102C 00401029 > EB 03 JMP SHORT t.0040102E 0040102B 90 NOP 0040102C >^EB FB JMP SHORT t.00401029 0040102E > E8 01000000 CALL t.00401034 00401033 . 90 NOP 00401034 $ EB 03 JMP SHORT t.00401039 00401036 > EB 03 JMP SHORT t.0040103B 00401038 90 NOP 00401039 >^EB FB JMP SHORT t.00401036 0040103B > E8 01000000 CALL t.00401041 00401040 . 90 NOP 00401041 $ EB 03 JMP SHORT t.00401046 00401043 > EB 03 JMP SHORT t.00401048 00401045 90 NOP 00401046 >^EB FB JMP SHORT t.00401043 00401048 > E8 01000000 CALL t.0040104E 0040104D . 90 NOP 0040104E $ EB 0A JMP SHORT t.0040105A 00401050 90 NOP 00401051 > E8 20000000 CALL t.00401076 00401056 90 NOP 00401057 90 NOP 00401058 90 NOP 00401059 90 NOP 0040105A > EB 03 JMP SHORT t.0040105F 0040105C > EB 03 JMP SHORT t.00401061 0040105E 90 NOP 0040105F >^EB FB JMP SHORT t.0040105C 00401061 > E8 01000000 CALL t.00401067 00401066 . 90 NOP 00401067 $ EB 03 JMP SHORT t.0040106C 00401069 > EB 03 JMP SHORT t.0040106E 0040106B 90 NOP 0040106C >^EB FB JMP SHORT t.00401069 0040106E > E8 01000000 CALL t.00401074 00401073 . 90 NOP 00401074 $^EB DB JMP SHORT t.00401051 00401076 $ EB 44 JMP SHORT t.004010BC 00401078 90 NOP 00401079 > EB 01 JMP SHORT t.0040107C 0040107B 90 NOP 0040107C > E8 01000000 CALL t.00401082 00401081 90 NOP 00401082 $ 8D05 0B304000 LEA EAX,DWORD PTR DS:[40300B] 00401088 . EB 1B JMP SHORT t.004010A5 0040108A 90 NOP 0040108B > 8D1D 00304000 LEA EBX,DWORD PTR DS:[403000] 00401091 . E8 01000000 CALL t.00401097 00401096 90 NOP 00401097 $ 6A 00 PUSH 0 ; /Style = MB_OK\|MB_APPLMODAL 00401099 . 53 PUSH EBX ; \|Title 0040109A . 50 PUSH EAX ; \|Text 0040109B . 6A 00 PUSH 0 ; \|hOwner = NULL 0040109D . E8 24000000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA 004010A2 . EB 04 JMP SHORT t.004010A8 004010A4 90 NOP 004010A5 >^EB E4 JMP SHORT t.0040108B 004010A7 90 NOP 004010A8 > E8 02000000 CALL t.004010AF 004010AD 90 NOP 004010AE 90 NOP 004010AF $ E8 01000000 CALL t.004010B5 004010B4 90 NOP 004010B5 . 6A 00 PUSH 0 ; /ExitCode = 0 004010B7 . E8 04000000 CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess 004010BC >^EB BB JMP SHORT t.00401079 004010BE 90 NOP 004010BF 90 NOP 004010C0 .-FF25 00204000 JMP DWORD PTR DS:[<&kernel32.ExitProcess>; kernel32.ExitProcess 004010C6 $-FF25 08204000 JMP DWORD PTR DS:[<&user32.MessageBoxA>] ; user32.MessageBoxA
nig 雪币： 414 活跃值： (531) 能力值： ( LV9，RANK：170 ) 在线值：发帖 38 回帖 1445 粉丝 12 关注私信	nig 4 2004-10-18 10:06 5 楼 0 处理方法:用编辑器代换C7 A8为90了,最后的部分手动处理一下就可以了.程序最重的毛病就是,没有还原堆栈,记得用Call XXXXXX 当跳转之后,pop一下啊,要不你这样调用多次的话,小心堆栈溢出了.
小虾雪币： 2367 活跃值： (756) 能力值： (RANK：410 ) 在线值：发帖 21 回帖 2235 粉丝 7 关注私信	小虾 10 2004-10-18 11:00 6 楼 0 恩，谢谢nig兄的提醒，下次我会注意这个问题。:p 这次我主要起看看这个花指令的效果如何，对于分析程序代码影响多大。我用OD加载程序后，OD我这里的显示的代码是这样的： 00401000 > $ /EB 03 JMP SHORT TEST.00401005 00401002 > \|EB 03 JMP SHORT TEST.00401007 00401004 \|C7 DB C7 00401005 >^\EB FB JMP SHORT TEST.00401002 00401007 > E8 01000000 CALL TEST.0040100D 0040100C A8 DB A8 0040100D . EB 03 JMP SHORT TEST.00401012 0040100F > EB 03 JMP SHORT TEST.00401014 00401011 ? C7 ??? ; 未知命令 00401012 >^ EB FB JMP SHORT TEST.0040100F ;到这里之后的代码OD完全不能识别出来，如果在这里用F8单步步过跟踪程序一定跑飞，因为以下代码我用了几个变形Call，必须使用F7步入单步跟踪才行，不过以下代码OD不能识别（用右键/分析代码也不行），若是不对程序进行修改，会给跟踪算法带来很大的?烦， 00401014 E8 DB E8 00401015 01 DB 01 00401016 00 DB 00 00401017 00 DB 00 00401018 00 DB 00 00401019 A8 DB A8 0040101A EB DB EB 0040101B 03 DB 03 0040101C EB DB EB 0040101D 03 DB 03 0040101E C7 DB C7 0040101F EB DB EB 00401020 FB DB FB 00401021 E8 DB E8 00401022 01 DB 01 00401023 00 DB 00 00401024 00 DB 00 00401025 00 DB 00 00401026 A8 DB A8 00401027 EB DB EB 00401028 03 DB 03 00401029 EB DB EB 0040102A 03 DB 03 0040102B C7 DB C7 0040102C EB DB EB 0040102D FB DB FB 0040102E E8 DB E8 0040102F 01 DB 01 00401030 00 DB 00 00401031 00 DB 00 00401032 00 DB 00 00401033 A8 DB A8 00401034 EB DB EB 00401035 03 DB 03 00401036 EB DB EB 00401037 03 DB 03 00401038 C7 DB C7 00401039 EB DB EB 0040103A FB DB FB 0040103B E8 DB E8 0040103C 01 DB 01 0040103D 00 DB 00 0040103E 00 DB 00 0040103F 00 DB 00 00401040 A8 DB A8 00401041 EB DB EB 00401042 03 DB 03 00401043 EB DB EB 00401044 03 DB 03 00401045 C7 DB C7 00401046 EB DB EB 00401047 FB DB FB 00401048 E8 DB E8 00401049 01 DB 01 0040104A 00 DB 00 0040104B 00 DB 00 0040104C 00 DB 00 0040104D A8 DB A8 0040104E EB DB EB 0040104F 0A DB 0A 00401050 68 DB 68 ; CHAR 'h' 00401051 E8 DB E8 00401052 20 DB 20 ; CHAR ' ' 00401053 00 DB 00 00401054 00 DB 00 00401055 00 DB 00 00401056 F0 DB F0 00401057 0F DB 0F 00401058 C7 DB C7 00401059 C8 DB C8 0040105A EB DB EB 0040105B 03 DB 03 0040105C EB DB EB 0040105D 03 DB 03 0040105E C7 DB C7 0040105F EB DB EB 00401060 FB DB FB 00401061 E8 DB E8 00401062 01 DB 01 00401063 00 DB 00 00401064 00 DB 00 00401065 00 DB 00 00401066 A8 DB A8 00401067 EB DB EB 00401068 03 DB 03 00401069 EB DB EB 0040106A 03 DB 03 0040106B C7 DB C7 0040106C EB DB EB 0040106D FB DB FB 0040106E E8 DB E8 0040106F 01 DB 01 00401070 00 DB 00 00401071 00 DB 00 00401072 00 DB 00 00401073 A8 DB A8 00401074 EB DB EB 00401075 DB DB DB 00401076 EB DB EB 00401077 44 DB 44 ; CHAR 'D' 00401078 E8 DB E8 00401079 EB DB EB 0040107A 01 DB 01 0040107B E8 DB E8 0040107C E8 DB E8 0040107D 01 DB 01 0040107E 00 DB 00 0040107F 00 DB 00 00401080 00 DB 00 00401081 E8 DB E8 00401082 8D DB 8D 00401083 05 DB 05 00401084 0B304000 DD TEST.0040300B 00401088 EB DB EB 00401089 1B DB 1B 0040108A EB DB EB 0040108B 8D DB 8D 0040108C 1D DB 1D 0040108D 00304000 DD TEST.00403000 00401091 E8 DB E8 00401092 01 DB 01 00401093 00 DB 00 00401094 00 DB 00 00401095 00 DB 00 00401096 E8 DB E8 00401097 6A DB 6A ; CHAR 'j' 00401098 00 DB 00 00401099 . 53 50 6A 00 ASCII "SPj",0 0040109D E8 DB E8 0040109E 24 DB 24 ; CHAR '$' 0040109F 00 DB 00 004010A0 00 DB 00 004010A1 00 DB 00 004010A2 EB DB EB 004010A3 04 DB 04 004010A4 EB DB EB 004010A5 EB DB EB 004010A6 E4 DB E4 004010A7 E6 DB E6 004010A8 E8 DB E8 004010A9 02 DB 02 004010AA 00 DB 00 004010AB 00 DB 00 004010AC 00 DB 00 004010AD E8 DB E8 004010AE EC DB EC 004010AF E8 DB E8 004010B0 01 DB 01 004010B1 00 DB 00 004010B2 00 DB 00 004010B3 00 DB 00 004010B4 EB DB EB 004010B5 . 6A 00 PUSH 0 ; /ExitCode = 0 004010B7 . E8 04000000 CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess 004010BC EB DB EB 004010BD BB DB BB 004010BE E8 DB E8 004010BF CC INT3 004010C0 .- FF25 00204000 JMP DWORD PTR DS:[<&kernel32.ExitProcess> 004010C6 .- FF25 08204000 JMP DWORD PTR DS:[<&user32.MessageBoxA>]
daxia200N 雪币： 674 活跃值： (1684) 能力值： ( LV9，RANK：250 ) 在线值：发帖 40 回帖 575 粉丝 5 关注私信	daxia200N 6 2004-10-18 13:36 7 楼 0 删除分析就可以了。
小虾雪币： 2367 活跃值： (756) 能力值： (RANK：410 ) 在线值：发帖 21 回帖 2235 粉丝 7 关注私信	小虾 10 2004-10-18 14:38 8 楼 0 这确是好方法。
nig 雪币： 414 活跃值： (531) 能力值： ( LV9，RANK：170 ) 在线值：发帖 38 回帖 1445 粉丝 12 关注私信	nig 4 2004-10-18 15:20 9 楼 0 选中那部分，右键，分析中删除就可以了。关于你说有一个部分代码显示不全的事，我建议看看OD的“外文”说明书（只所以称之为外文，是因为那说明书是“不太像英语”的英语），里面介绍到了OD的识别代码的方法。
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复

fly

雪币： 896

活跃值： (4039)

能力值：

( LV9，RANK：3410 )

在线值：

发帖

295

回帖

7672

粉丝

32

关注

私信

fly 85 2004-10-18 02:54: 2 楼
0

XP+OD
F9

辉仔Yock

雪币： 228

活跃值： (165)

能力值：

( LV2，RANK：10 )

在线值：

发帖

10

回帖

103

粉丝

1

关注

私信

辉仔Yock 2004-10-18 06:31: 3 楼
0

堆栈堆栈堆栈
乱了.

mov eax,XXXX
push eax
add eax,0d
push eax
add eax,0d
push eax
add eax,0d
push eax
add eax,0d
push eax
add eax,0d
...

nig

雪币： 414

活跃值： (531)

能力值：

( LV9，RANK：170 )

在线值：

发帖

38

回帖

1445

粉丝

12

关注

私信

nig 4 2004-10-18 10:03: 4 楼
0

00401000 > $ EB 03          JMP SHORT t.00401005
00401002 > EB 03          JMP SHORT t.00401007
00401004    90             NOP
00401005 >^EB FB          JMP SHORT t.00401002
00401007 > E8 01000000    CALL t.0040100D
0040100C . 90             NOP
0040100D $ EB 03          JMP SHORT t.00401012
0040100F > EB 03          JMP SHORT t.00401014
00401011    90             NOP
00401012 >^EB FB          JMP SHORT t.0040100F
00401014 > E8 01000000    CALL t.0040101A
00401019 . 90             NOP
0040101A $ EB 03          JMP SHORT t.0040101F
0040101C > EB 03          JMP SHORT t.00401021
0040101E    90             NOP
0040101F >^EB FB          JMP SHORT t.0040101C
00401021 > E8 01000000    CALL t.00401027
00401026 . 90             NOP
00401027 $ EB 03          JMP SHORT t.0040102C
00401029 > EB 03          JMP SHORT t.0040102E
0040102B    90             NOP
0040102C >^EB FB          JMP SHORT t.00401029
0040102E > E8 01000000    CALL t.00401034
00401033 . 90             NOP
00401034 $ EB 03          JMP SHORT t.00401039
00401036 > EB 03          JMP SHORT t.0040103B
00401038    90             NOP
00401039 >^EB FB          JMP SHORT t.00401036
0040103B > E8 01000000    CALL t.00401041
00401040 . 90             NOP
00401041 $ EB 03          JMP SHORT t.00401046
00401043 > EB 03          JMP SHORT t.00401048
00401045    90             NOP
00401046 >^EB FB          JMP SHORT t.00401043
00401048 > E8 01000000    CALL t.0040104E
0040104D . 90             NOP
0040104E $ EB 0A          JMP SHORT t.0040105A
00401050    90             NOP
00401051 > E8 20000000    CALL t.00401076
00401056    90             NOP
00401057    90             NOP
00401058    90             NOP
00401059    90             NOP
0040105A > EB 03          JMP SHORT t.0040105F
0040105C > EB 03          JMP SHORT t.00401061
0040105E    90             NOP
0040105F >^EB FB          JMP SHORT t.0040105C
00401061 > E8 01000000    CALL t.00401067
00401066 . 90             NOP
00401067 $ EB 03          JMP SHORT t.0040106C
00401069 > EB 03          JMP SHORT t.0040106E
0040106B    90             NOP
0040106C >^EB FB          JMP SHORT t.00401069
0040106E > E8 01000000    CALL t.00401074
00401073 . 90             NOP
00401074 $^EB DB          JMP SHORT t.00401051
00401076 $ EB 44          JMP SHORT t.004010BC
00401078    90             NOP
00401079 > EB 01          JMP SHORT t.0040107C
0040107B    90             NOP
0040107C > E8 01000000    CALL t.00401082
00401081    90             NOP
00401082 $ 8D05 0B304000 LEA EAX,DWORD PTR DS:[40300B]
00401088 . EB 1B          JMP SHORT t.004010A5
0040108A    90             NOP
0040108B > 8D1D 00304000 LEA EBX,DWORD PTR DS:[403000]
00401091 . E8 01000000    CALL t.00401097
00401096    90             NOP
00401097 $ 6A 00          PUSH 0                                  ; /Style = MB_OK|MB_APPLMODAL
00401099 . 53             PUSH EBX                               ; |Title
0040109A . 50             PUSH EAX                               ; |Text
0040109B . 6A 00          PUSH 0                                  ; |hOwner = NULL
0040109D . E8 24000000    CALL <JMP.&user32.MessageBoxA>          ; \MessageBoxA
004010A2 . EB 04          JMP SHORT t.004010A8
004010A4    90             NOP
004010A5 >^EB E4          JMP SHORT t.0040108B
004010A7    90             NOP
004010A8 > E8 02000000    CALL t.004010AF
004010AD    90             NOP
004010AE    90             NOP
004010AF $ E8 01000000    CALL t.004010B5
004010B4    90             NOP
004010B5 . 6A 00          PUSH 0                                  ; /ExitCode = 0
004010B7 . E8 04000000    CALL <JMP.&kernel32.ExitProcess>       ; \ExitProcess
004010BC >^EB BB          JMP SHORT t.00401079
004010BE    90             NOP
004010BF    90             NOP
004010C0 .-FF25 00204000 JMP DWORD PTR DS:[<&kernel32.ExitProcess>;  kernel32.ExitProcess
004010C6 $-FF25 08204000 JMP DWORD PTR DS:[<&user32.MessageBoxA>] ;  user32.MessageBoxA

nig

雪币： 414

活跃值： (531)

能力值：

( LV9，RANK：170 )

在线值：

发帖

38

回帖

1445

粉丝

12

关注

私信

nig 4 2004-10-18 10:06: 5 楼
0

处理方法:用编辑器代换C7 A8为90了,最后的部分手动处理一下就可以了.程序最重的毛病就是,没有还原堆栈,记得用Call XXXXXX 当跳转之后,pop一下啊,要不你这样调用多次的话,小心堆栈溢出了.

小虾

雪币： 2367

活跃值： (756)

能力值： (RANK：410 )

在线值：

发帖

21

回帖

2235

粉丝

7

关注

私信

小虾 10 2004-10-18 11:00: 6 楼
0

恩，谢谢nig兄的提醒，下次我会注意这个问题。:p 这次我主要起看看这个花指令的效果如何，对于分析程序代码影响多大。

我用OD加载程序后，OD我这里的显示的代码是这样的：

00401000 > $ /EB 03         JMP SHORT TEST.00401005
00401002   > |EB 03         JMP SHORT TEST.00401007
00401004     |C7            DB C7
00401005   >^\EB FB         JMP SHORT TEST.00401002
00401007   >  E8 01000000   CALL TEST.0040100D
0040100C      A8            DB A8
0040100D   .  EB 03         JMP SHORT TEST.00401012
0040100F   >  EB 03         JMP SHORT TEST.00401014
00401011   ?  C7            ???                                      ;  未知命令
00401012   >^ EB FB         JMP SHORT TEST.0040100F

;到这里之后的代码OD完全不能识别出来，如果在这里用F8单步步过跟踪程序一定跑飞，因为以下代码我用了几个变形Call，必须使用F7步入单步跟踪才行，不过以下代码OD不能识别（用右键/分析代码也不行），若是不对程序进行修改，会给跟踪算法带来很大的?烦，

00401014      E8            DB E8
00401015      01            DB 01
00401016      00            DB 00
00401017      00            DB 00
00401018      00            DB 00
00401019      A8            DB A8
0040101A      EB            DB EB
0040101B      03            DB 03
0040101C      EB            DB EB
0040101D      03            DB 03
0040101E      C7            DB C7
0040101F      EB            DB EB
00401020      FB            DB FB
00401021      E8            DB E8
00401022      01            DB 01
00401023      00            DB 00
00401024      00            DB 00
00401025      00            DB 00
00401026      A8            DB A8
00401027      EB            DB EB
00401028      03            DB 03
00401029      EB            DB EB
0040102A      03            DB 03
0040102B      C7            DB C7
0040102C      EB            DB EB
0040102D      FB            DB FB
0040102E      E8            DB E8
0040102F      01            DB 01
00401030      00            DB 00
00401031      00            DB 00
00401032      00            DB 00
00401033      A8            DB A8
00401034      EB            DB EB
00401035      03            DB 03
00401036      EB            DB EB
00401037      03            DB 03
00401038      C7            DB C7
00401039      EB            DB EB
0040103A      FB            DB FB
0040103B      E8            DB E8
0040103C      01            DB 01
0040103D      00            DB 00
0040103E      00            DB 00
0040103F      00            DB 00
00401040      A8            DB A8
00401041      EB            DB EB
00401042      03            DB 03
00401043      EB            DB EB
00401044      03            DB 03
00401045      C7            DB C7
00401046      EB            DB EB
00401047      FB            DB FB
00401048      E8            DB E8
00401049      01            DB 01
0040104A      00            DB 00
0040104B      00            DB 00
0040104C      00            DB 00
0040104D      A8            DB A8
0040104E      EB            DB EB
0040104F      0A            DB 0A
00401050      68            DB 68                                    ;  CHAR 'h'
00401051      E8            DB E8
00401052      20            DB 20                                    ;  CHAR ' '
00401053      00            DB 00
00401054      00            DB 00
00401055      00            DB 00
00401056      F0            DB F0
00401057      0F            DB 0F
00401058      C7            DB C7
00401059      C8            DB C8
0040105A      EB            DB EB
0040105B      03            DB 03
0040105C      EB            DB EB
0040105D      03            DB 03
0040105E      C7            DB C7
0040105F      EB            DB EB
00401060      FB            DB FB
00401061      E8            DB E8
00401062      01            DB 01
00401063      00            DB 00
00401064      00            DB 00
00401065      00            DB 00
00401066      A8            DB A8
00401067      EB            DB EB
00401068      03            DB 03
00401069      EB            DB EB
0040106A      03            DB 03
0040106B      C7            DB C7
0040106C      EB            DB EB
0040106D      FB            DB FB
0040106E      E8            DB E8
0040106F      01            DB 01
00401070      00            DB 00
00401071      00            DB 00
00401072      00            DB 00
00401073      A8            DB A8
00401074      EB            DB EB
00401075      DB            DB DB
00401076      EB            DB EB
00401077      44            DB 44                                    ;  CHAR 'D'
00401078      E8            DB E8
00401079      EB            DB EB
0040107A      01            DB 01
0040107B      E8            DB E8
0040107C      E8            DB E8
0040107D      01            DB 01
0040107E      00            DB 00
0040107F      00            DB 00
00401080      00            DB 00
00401081      E8            DB E8
00401082      8D            DB 8D
00401083      05            DB 05
00401084      0B304000      DD TEST.0040300B
00401088      EB            DB EB
00401089      1B            DB 1B
0040108A      EB            DB EB
0040108B      8D            DB 8D
0040108C      1D            DB 1D
0040108D      00304000      DD TEST.00403000
00401091      E8            DB E8
00401092      01            DB 01
00401093      00            DB 00
00401094      00            DB 00
00401095      00            DB 00
00401096      E8            DB E8
00401097      6A            DB 6A                                    ;  CHAR 'j'
00401098      00            DB 00
00401099   .  53 50 6A 00   ASCII "SPj",0
0040109D      E8            DB E8
0040109E      24            DB 24                                    ;  CHAR '$'
0040109F      00            DB 00
004010A0      00            DB 00
004010A1      00            DB 00
004010A2      EB            DB EB
004010A3      04            DB 04
004010A4      EB            DB EB
004010A5      EB            DB EB
004010A6      E4            DB E4
004010A7      E6            DB E6
004010A8      E8            DB E8
004010A9      02            DB 02
004010AA      00            DB 00
004010AB      00            DB 00
004010AC      00            DB 00
004010AD      E8            DB E8
004010AE      EC            DB EC
004010AF      E8            DB E8
004010B0      01            DB 01
004010B1      00            DB 00
004010B2      00            DB 00
004010B3      00            DB 00
004010B4      EB            DB EB
004010B5   .  6A 00         PUSH 0                                   ; /ExitCode = 0
004010B7   .  E8 04000000   CALL <JMP.&kernel32.ExitProcess>         ; \ExitProcess
004010BC      EB            DB EB
004010BD      BB            DB BB
004010BE      E8            DB E8
004010BF      CC            INT3
004010C0   .- FF25 00204000 JMP DWORD PTR DS:[<&kernel32.ExitProcess>
004010C6   .- FF25 08204000 JMP DWORD PTR DS:[<&user32.MessageBoxA>]