舞乐天使
Posted on 2015-9-9 16:07
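First, check for a packer: Microsoft Visual C++ ver 5.0/6.0
Run the program and click Login; it shows “帐号密码错误” (wrong account or password)
OK, load it straight into OD
Chinese string search plugin -- Smart Search -- 帐号密码错误: no matching string found, so it is probably encrypted
All right, just patch it directly
CTRL+G, enter 0401000
Chinese string search plugin -- Smart Search
Search for ENO, double-click it and press Enter to go there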
004017FD . /74 09 je short 第七课作.00401808
004017FF . |53 push ebx
00401800 . |E8 31860000 call 第七课作.00409E36
00401805 . |83C4 04 add esp,0x4
00401808 \837D EC 01 cmp dword ptr ss:[ebp-0x14],0x1 ; change 0 to 1
0040180C . 0F84 07000000 je 第七课作.00401819
00401812 . B8 01000000 mov eax,0x1
00401817 . EB 05 jmp short 第七课作.0040181E
00401819 > B8 00000000 mov eax,0x0
Press F9 to run it and try logging in; the program closes immediately
There is a hidden exit trap
CTRL+G
Enter FF 25 to find the exit CALL,
00409E0A |. E8 6D7BFFFF call 第七课作.0040197C
00409E0F |. 68 01000152 push 0x52010001
00409E14 |. E8 11000000 call 第七课作.00409E2A
00409E19 |. 83C4 04 add esp,0x4
00409E1C |. E8 03000000 call 第七课作.00409E24
00409E21 |. 33C0 xor eax,eax
00409E23 \. C3 retn
00409E24 $ FF25 14264900 jmp dword ptr ds:[0x492614] ; 第七课作.004296B0
00409E2A $ FF25 18264900 jmp dword ptr ds:[0x492618] ; 第七课作.004296E0
00409E30 $ FF25 1C264900 jmp dword ptr ds:[0x49261C] ; 第七课作.00429290
00409E36 $ FF25 0C264900 jmp dword ptr ds:[0x49260C] ; 第七课作.004298B0
00409E3C $ FF25 04264900 jmp dword ptr ds:[0x492604] ; 第七课作.004297B0
00409E42 $ FF25 00264900 jmp dword ptr ds:[0x492600] ; 第七课作.00429680
00409E48 $ FF25 EC254900 jmp dword ptr ds:[0x4925EC] ; 第七课作.00429640
00409E4E $ FF25 F8254900 jmp dword ptr ds:[0x4925F8] ; 第七课作.00429310
00409E54 $ FF25 FC254900 jmp dword ptr ds:[0x4925FC] ; 第七课作.00429660
00409E5A $ FF25 10264900 jmp dword ptr ds:[0x492610] ; 第七课作.00429790 this is the one
00409E60 $ FF25 F0254900 jmp dword ptr ds:[0x4925F0] ; 第七课作.004292C0
00409E66 CC int3
Press Enter to follow it, and patch it to RETN
00429790 C3 retn
00429791 |. 8BEC mov ebp,esp
00429793 |. 8B45 08 mov eax,[arg.1]
00429796 |. 50 push eax
00429797 |. B9 60185900 mov ecx,第七课作.00591860 ; 溃H
0042979C |. E8 BF83FFFF call 第七课作.00421B60
004297A1 |. 8B4D 08 mov ecx,[arg.1]
004297A4 |. 51 push ecx ; /ExitCode = 0x0 this is where it exits
004297A5 \. FF15 5C024900 call dword ptr ds:[<&KERNEL32.ExitProces>; \ExitProcess
004297AB . 5D pop ebp ; kernel32.74D0919F
004297AC . C3 retn
004297AD CC int3
004297AE CC int3
004297AF CC int3
004297B0 55 push ebp
004297B1 |. 8BEC mov ebp,esp
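Run it and log in: the “功能演示窗口” (feature demo window) appears, along with a pile of pop-ups saying “暗桩” (hidden trap)
At first I thought it was a timer event; I tried that and it didn't work, so that was probably wrong
Let's see whether there are any usable strings
Searching the strings turns up 4 “暗桩” entries; double-click each one and NOP them all out. This part was exhausting, my eyes were blurring from staring; there are so many jumps, especially in the third one
First hidden trap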
0040685A . 90 nop ; NOP out 6
0040685B . 90 nop
0040685C . 90 nop
0040685D . 90 nop
0040685E . 90 nop
0040685F . 90 nop
00406860 . B8 3CC65500 mov eax,第七课作.0055C63C ; v_geta
00406865 . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
00406868 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
0040686B . 50 push eax
0040686C . E8 13030000 call 第七课作.00406B84
00406871 . 8945 F0 mov dword ptr ss:[ebp-0x10],eax
00406874 . 8B5D F4 mov ebx,dword ptr ss:[ebp-0xC]
00406877 . 85DB test ebx,ebx
00406879 . 74 09 je short 第七课作.00406884
0040687B . 53 push ebx
0040687C . E8 B5350000 call 第七课作.00409E36
00406881 . 83C4 04 add esp,0x4
00406884 > 68 04000080 push 0x80000004
00406889 . 6A 00 push 0x0
0040688B . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
0040688E . 85C0 test eax,eax
00406890 . 75 05 jnz short 第七课作.00406897
00406892 . B8 3E264900 mov eax,第七课作.0049263E
00406897 > 50 push eax
00406898 . 68 01000000 push 0x1
0040689D . BB F0AC4000 mov ebx,第七课作.0040ACF0
004068A2 . E8 A7350000 call 第七课作.00409E4E
004068A7 . 83C4 10 add esp,0x10
004068AA . 8945 EC mov dword ptr ss:[ebp-0x14],eax
004068AD . 8B5D F0 mov ebx,dword ptr ss:[ebp-0x10]
004068B0 . 85DB test ebx,ebx
004068B2 . 74 09 je short 第七课作.004068BD
004068B4 . 53 push ebx
004068B5 . E8 7C350000 call 第七课作.00409E36
004068BA . 83C4 04 add esp,0x4
004068BD > B8 43C65500 mov eax,第七课作.0055C643
004068C2 . 33C9 xor ecx,ecx
004068C4 . 85C0 test eax,eax
004068C6 . 74 03 je short 第七课作.004068CB
004068C8 . 8B48 04 mov ecx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
004068CB > 51 push ecx
004068CC . 83C0 08 add eax,0x8
004068CF . 50 push eax
004068D0 . 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
004068D3 . 33DB xor ebx,ebx
004068D5 . 85C0 test eax,eax
004068D7 . 74 03 je short 第七课作.004068DC
004068D9 . 8B58 04 mov ebx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
004068DC > 83C0 08 add eax,0x8
004068DF . 50 push eax
004068E0 . 3BD9 cmp ebx,ecx
004068E2 . B8 01000000 mov eax,0x1
004068E7 . 75 0A jnz short 第七课作.004068F3
004068E9 . 48 dec eax
004068EA . 85C9 test ecx,ecx
004068EC . 74 05 je short 第七课作.004068F3
004068EE . E8 62FCFFFF call 第七课作.00406555
004068F3 > 83C4 0C add esp,0xC
004068F6 . 85C0 test eax,eax
004068F8 . B8 00000000 mov eax,0x0
004068FD . 0F94C0 sete al
00406900 . 8945 E8 mov dword ptr ss:[ebp-0x18],eax
00406903 . 8B5D EC mov ebx,dword ptr ss:[ebp-0x14]
00406906 . 85DB test ebx,ebx
00406908 . 74 09 je short 第七课作.00406913
0040690A . 53 push ebx
0040690B . E8 26350000 call 第七课作.00409E36
00406910 . 83C4 04 add esp,0x4
00406913 > 837D E8 00 cmp dword ptr ss:[ebp-0x18],0x0
00406917 . 90 nop ; NOP out 5
00406918 . 90 nop
00406919 . 90 nop
0040691A . 90 nop
0040691B . 90 nop
0040691C . 90 nop
0040691D . 68 01000000 push 0x1
00406922 . E8 16060000 call 第七课作.00406F3D
00406927 . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
0040692A . 68 04000080 push 0x80000004
0040692F . 6A 00 push 0x0
00406931 . 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
00406934 . 85C0 test eax,eax
00406936 . 75 05 jnz short 第七课作.0040693D
00406938 . B8 3E264900 mov eax,第七课作.0049263E
0040693D > 50 push eax
0040693E . 68 01000000 push 0x1
00406943 . BB F0AC4000 mov ebx,第七课作.0040ACF0
00406948 . E8 01350000 call 第七课作.00409E4E
0040694D . 83C4 10 add esp,0x10
00406950 . 8945 F0 mov dword ptr ss:[ebp-0x10],eax
00406953 . 8B5D F4 mov ebx,dword ptr ss:[ebp-0xC]
00406956 . 85DB test ebx,ebx
00406958 . 74 09 je short 第七课作.00406963
0040695A . 53 push ebx
0040695B . E8 D6340000 call 第七课作.00409E36
00406960 . 83C4 04 add esp,0x4
00406963 > B8 6BC65500 mov eax,第七课作.0055C66B
00406968 . 33C9 xor ecx,ecx
0040696A . 85C0 test eax,eax
0040696C . 74 03 je short 第七课作.00406971
0040696E . 8B48 04 mov ecx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
00406971 > 51 push ecx
00406972 . 83C0 08 add eax,0x8
00406975 . 50 push eax
00406976 . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
00406979 . 33DB xor ebx,ebx
0040697B . 85C0 test eax,eax
0040697D . 74 03 je short 第七课作.00406982
0040697F . 8B58 04 mov ebx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
00406982 > 83C0 08 add eax,0x8
00406985 . 50 push eax
00406986 . 3BD9 cmp ebx,ecx
00406988 . B8 01000000 mov eax,0x1
0040698D . 75 0A jnz short 第七课作.00406999
0040698F . 48 dec eax
00406990 . 85C9 test ecx,ecx
00406992 . 74 05 je short 第七课作.00406999
00406994 . E8 BCFBFFFF call 第七课作.00406555
00406999 > 83C4 0C add esp,0xC
0040699C . 85C0 test eax,eax
0040699E . B8 00000000 mov eax,0x0
004069A3 . 0F94C0 sete al
004069A6 . 8945 EC mov dword ptr ss:[ebp-0x14],eax
004069A9 . 8B5D F0 mov ebx,dword ptr ss:[ebp-0x10]
004069AC . 85DB test ebx,ebx
004069AE . 74 09 je short 第七课作.004069B9
004069B0 . 53 push ebx
004069B1 . E8 80340000 call 第七课作.00409E36
004069B6 . 83C4 04 add esp,0x4
004069B9 > 837D EC 00 cmp dword ptr ss:[ebp-0x14],0x0
004069BD . 90 nop ; NOP out 4
004069BE . 90 nop
004069BF . 90 nop
004069C0 . 90 nop
004069C1 . 90 nop
004069C2 . 90 nop
004069C3 . 68 02000000 push 0x2
004069C8 . E8 70050000 call 第七课作.00406F3D
004069CD . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
004069D0 . 68 04000080 push 0x80000004
004069D5 . 6A 00 push 0x0
004069D7 . 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
004069DA . 85C0 test eax,eax
004069DC . 75 05 jnz short 第七课作.004069E3
004069DE . B8 3E264900 mov eax,第七课作.0049263E
004069E3 > 50 push eax
004069E4 . 68 01000000 push 0x1
004069E9 . BB F0AC4000 mov ebx,第七课作.0040ACF0
004069EE . E8 5B340000 call 第七课作.00409E4E
004069F3 . 83C4 10 add esp,0x10
004069F6 . 8945 F0 mov dword ptr ss:[ebp-0x10],eax
004069F9 . 8B5D F4 mov ebx,dword ptr ss:[ebp-0xC]
004069FC . 85DB test ebx,ebx
004069FE . 74 09 je short 第七课作.00406A09
00406A00 . 53 push ebx
00406A01 . E8 30340000 call 第七课作.00409E36
00406A06 . 83C4 04 add esp,0x4
00406A09 > B8 7EC65500 mov eax,第七课作.0055C67E
00406A0E . 33C9 xor ecx,ecx
00406A10 . 85C0 test eax,eax
00406A12 . 74 03 je short 第七课作.00406A17
00406A14 . 8B48 04 mov ecx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
00406A17 > 51 push ecx
00406A18 . 83C0 08 add eax,0x8
00406A1B . 50 push eax
00406A1C . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
00406A1F . 33DB xor ebx,ebx
00406A21 . 85C0 test eax,eax
00406A23 . 74 03 je short 第七课作.00406A28
00406A25 . 8B58 04 mov ebx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
00406A28 > 83C0 08 add eax,0x8
00406A2B . 50 push eax
00406A2C . 3BD9 cmp ebx,ecx
00406A2E . B8 01000000 mov eax,0x1
00406A33 . 75 0A jnz short 第七课作.00406A3F
00406A35 . 48 dec eax
00406A36 . 85C9 test ecx,ecx
00406A38 . 74 05 je short 第七课作.00406A3F
00406A3A . E8 16FBFFFF call 第七课作.00406555
00406A3F > 83C4 0C add esp,0xC
00406A42 . 85C0 test eax,eax
00406A44 . B8 00000000 mov eax,0x0
00406A49 . 0F94C0 sete al
00406A4C . 8945 EC mov dword ptr ss:[ebp-0x14],eax
00406A4F . 8B5D F0 mov ebx,dword ptr ss:[ebp-0x10]
00406A52 . 85DB test ebx,ebx
00406A54 . 74 09 je short 第七课作.00406A5F
00406A56 . 53 push ebx
00406A57 . E8 DA330000 call 第七课作.00409E36
00406A5C . 83C4 04 add esp,0x4
00406A5F > 837D EC 00 cmp dword ptr ss:[ebp-0x14],0x0
00406A63 > . 90 nop ; NOP out 3
00406A64 . 90 nop
00406A65 . 90 nop
00406A66 . 90 nop
00406A67 . 90 nop
00406A68 . 90 nop
00406A69 . 68 0F000000 push 0xF
00406A6E . E8 CA040000 call 第七课作.00406F3D
00406A73 . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
00406A76 . 68 04000080 push 0x80000004
00406A7B . 6A 00 push 0x0
00406A7D . 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
00406A80 . 85C0 test eax,eax
00406A82 . 75 05 jnz short 第七课作.00406A89
00406A84 . B8 3E264900 mov eax,第七课作.0049263E
00406A89 > 50 push eax
00406A8A . 68 01000000 push 0x1
00406A8F . BB F0AC4000 mov ebx,第七课作.0040ACF0
00406A94 . E8 B5330000 call 第七课作.00409E4E
00406A99 . 83C4 10 add esp,0x10
00406A9C . 8945 F0 mov dword ptr ss:[ebp-0x10],eax
00406A9F . 8B5D F4 mov ebx,dword ptr ss:[ebp-0xC]
00406AA2 . 85DB test ebx,ebx
00406AA4 . 74 09 je short 第七课作.00406AAF
00406AA6 . 53 push ebx
00406AA7 . E8 8A330000 call 第七课作.00409E36
00406AAC . 83C4 04 add esp,0x4
00406AAF > B8 91C65500 mov eax,第七课作.0055C691
00406AB4 . 33C9 xor ecx,ecx
00406AB6 . 85C0 test eax,eax
00406AB8 . 74 03 je short 第七课作.00406ABD
00406ABA . 8B48 04 mov ecx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
00406ABD > 51 push ecx
00406ABE . 83C0 08 add eax,0x8
00406AC1 . 50 push eax
00406AC2 . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
00406AC5 . 33DB xor ebx,ebx
00406AC7 . 85C0 test eax,eax
00406AC9 . 74 03 je short 第七课作.00406ACE
00406ACB . 8B58 04 mov ebx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
00406ACE > 83C0 08 add eax,0x8
00406AD1 . 50 push eax
00406AD2 . 3BD9 cmp ebx,ecx
00406AD4 . B8 01000000 mov eax,0x1
00406AD9 . 75 0A jnz short 第七课作.00406AE5
00406ADB . 48 dec eax
00406ADC . 85C9 test ecx,ecx
00406ADE . 74 05 je short 第七课作.00406AE5
00406AE0 . E8 70FAFFFF call 第七课作.00406555
00406AE5 > 83C4 0C add esp,0xC
00406AE8 . 85C0 test eax,eax
00406AEA . B8 00000000 mov eax,0x0
00406AEF . 0F94C0 sete al
00406AF2 . 8945 EC mov dword ptr ss:[ebp-0x14],eax
00406AF5 . 8B5D F0 mov ebx,dword ptr ss:[ebp-0x10]
00406AF8 . 85DB test ebx,ebx
00406AFA . 74 09 je short 第七课作.00406B05
00406AFC . 53 push ebx
00406AFD . E8 34330000 call 第七课作.00409E36
00406B02 . 83C4 04 add esp,0x4
00406B05 > 837D EC 00 cmp dword ptr ss:[ebp-0x14],0x0
00406B09 . 90 nop ; NOP out 2
00406B0A . 90 nop
00406B0B . 90 nop
00406B0C . 90 nop
00406B0D . 90 nop
00406B0E . 90 nop
00406B0F . 6A 00 push 0x0
00406B11 . 6A 00 push 0x0
00406B13 . 6A 00 push 0x0
00406B15 . 68 04000080 push 0x80000004
00406B1A . 6A 00 push 0x0
00406B1C . 68 B0C65500 push 第七课作.0055C6B0 ; 三级效验通过
00406B21 . 68 0F000100 push 0x1000F
00406B26 . 68 7D6B0116 push 0x16016B7D
00406B2B . 68 2B010152 push 0x5201012B
00406B30 . 68 03000000 push 0x3
00406B35 . BB E0B94000 mov ebx,第七课作.0040B9E0
00406B3A . E8 0F330000 call 第七课作.00409E4E
00406B3F . 83C4 28 add esp,0x28
00406B42 . E9 39000000 jmp 第七课作.00406B80
00406B47 . BB 06000000 mov ebx,0x6 ; big jump, NOP out 1
00406B4C . E8 EAA6FFFF call 第七课作.0040123B
00406B51 . 68 01030080 push 0x80000301
00406B56 . 6A 00 push 0x0
00406B58 . 68 00000000 push 0x0
00406B5D . 68 04000080 push 0x80000004
00406B62 . 6A 00 push 0x0
00406B64 . 68 BDC65500 push 第七课作.0055C6BD ; 暗桩
00406B69 . 68 04000000 push 0x4
00406B6E . BB 20B14000 mov ebx,第七课作.0040B120
00406B73 . E8 D6320000 call 第七课作.00409E4E
00406B78 . 83C4 34 add esp,0x34
00406B7B . E9 00000000 jmp 第七课作.00406B80
00406B80 > 8BE5 mov esp,ebp
00406B82 . 5D pop ebp ; kernel32.74D0919F
Second hidden trap
004076DE . 90 nop ; NOP out 4
004076DF . 90 nop
004076E0 . 90 nop
004076E1 . 90 nop
004076E2 . 90 nop
004076E3 . 90 nop
004076E4 . B8 3CC65500 mov eax,第七课作.0055C63C ; v_geta
004076E9 . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
004076EC . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
004076EF . 50 push eax
004076F0 . E8 44F7FFFF call 第七课作.00406E39
004076F5 . 8B5D F4 mov ebx,dword ptr ss:[ebp-0xC]
004076F8 . 85DB test ebx,ebx
004076FA . 74 09 je short 第七课作.00407705
004076FC . 53 push ebx
004076FD . E8 34270000 call 第七课作.00409E36
00407702 . 83C4 04 add esp,0x4
00407705 > 68 01030080 push 0x80000301
0040770A . 6A 00 push 0x0
0040770C . FF75 FC push dword ptr ss:[ebp-0x4]
0040770F . 68 01000000 push 0x1
00407714 . BB 10B04000 mov ebx,第七课作.0040B010
00407719 . E8 30270000 call 第七课作.00409E4E
0040771E . 83C4 10 add esp,0x10
00407721 . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
00407724 . 68 01030080 push 0x80000301
00407729 . 6A 00 push 0x0
0040772B . FF75 F8 push dword ptr ss:[ebp-0x8] ; kernel32.74D0919F
0040772E . 68 01000000 push 0x1
00407733 . BB 10B04000 mov ebx,第七课作.0040B010
00407738 . E8 11270000 call 第七课作.00409E4E
0040773D . 83C4 10 add esp,0x10
00407740 . 8945 F0 mov dword ptr ss:[ebp-0x10],eax
00407743 . FF75 F0 push dword ptr ss:[ebp-0x10]
00407746 . 68 12C65500 push 第七课作.0055C612 ; ,
0040774B . FF75 F4 push dword ptr ss:[ebp-0xC]
0040774E . 68 5BC65500 push 第七课作.0055C65B ; v_getb,
00407753 . B9 04000000 mov ecx,0x4
00407758 . E8 19DFFFFF call 第七课作.00405676
0040775D . 83C4 10 add esp,0x10
00407760 . 8945 EC mov dword ptr ss:[ebp-0x14],eax
00407763 . 8B5D F4 mov ebx,dword ptr ss:[ebp-0xC]
00407766 . 85DB test ebx,ebx
00407768 . 74 09 je short 第七课作.00407773
0040776A . 53 push ebx
0040776B . E8 C6260000 call 第七课作.00409E36
00407770 . 83C4 04 add esp,0x4
00407773 > 8B5D F0 mov ebx,dword ptr ss:[ebp-0x10]
00407776 . 85DB test ebx,ebx
00407778 . 74 09 je short 第七课作.00407783
0040777A . 53 push ebx
0040777B . E8 B6260000 call 第七课作.00409E36
00407780 . 83C4 04 add esp,0x4
00407783 > 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
00407786 . 50 push eax
00407787 . E8 F8F3FFFF call 第七课作.00406B84
0040778C . 8945 E8 mov dword ptr ss:[ebp-0x18],eax
0040778F . 8B5D EC mov ebx,dword ptr ss:[ebp-0x14]
00407792 . 85DB test ebx,ebx
00407794 . 74 09 je short 第七课作.0040779F
00407796 . 53 push ebx
00407797 . E8 9A260000 call 第七课作.00409E36
0040779C . 83C4 04 add esp,0x4
0040779F > 68 04000080 push 0x80000004
004077A4 . 6A 00 push 0x0
004077A6 . 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
004077A9 . 85C0 test eax,eax
004077AB . 75 05 jnz short 第七课作.004077B2
004077AD . B8 3E264900 mov eax,第七课作.0049263E
004077B2 > 50 push eax
004077B3 . 68 01000000 push 0x1
004077B8 . BB 50A64000 mov ebx,第七课作.0040A650
004077BD . E8 8C260000 call 第七课作.00409E4E
004077C2 . 83C4 10 add esp,0x10
004077C5 . 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
004077C8 . 8B5D E8 mov ebx,dword ptr ss:[ebp-0x18]
004077CB . 85DB test ebx,ebx
004077CD . 74 09 je short 第七课作.004077D8
004077CF . 53 push ebx
004077D0 . E8 61260000 call 第七课作.00409E36
004077D5 . 83C4 04 add esp,0x4
004077D8 > DB45 FC fild dword ptr ss:[ebp-0x4]
004077DB . DD5D DC fstp qword ptr ss:[ebp-0x24]
004077DE . DD45 DC fld qword ptr ss:[ebp-0x24]
004077E1 . DB45 F8 fild dword ptr ss:[ebp-0x8]
004077E4 . DD5D D4 fstp qword ptr ss:[ebp-0x2C]
004077E7 . DC45 D4 fadd qword ptr ss:[ebp-0x2C]
004077EA . DD5D CC fstp qword ptr ss:[ebp-0x34]
004077ED . DB45 E4 fild dword ptr ss:[ebp-0x1C]
004077F0 . DD5D C4 fstp qword ptr ss:[ebp-0x3C]
004077F3 . DD45 C4 fld qword ptr ss:[ebp-0x3C]
004077F6 . DC65 CC fsub qword ptr ss:[ebp-0x34]
004077F9 . D9E4 ftst
004077FB . DFE0 fstsw ax
004077FD . F6C4 01 test ah,0x1
00407800 . 74 02 je short 第七课作.00407804
00407802 . D9E0 fchs
00407804 > DC1D 63C65500 fcomp qword ptr ds:[0x55C663]
0040780A . DFE0 fstsw ax
0040780C . F6C4 41 test ah,0x41
0040780F > . 90 nop ; NOP out 3
00407810 . 90 nop
00407811 . 90 nop
00407812 . 90 nop
00407813 . 90 nop
00407814 . 90 nop
00407815 . B8 3CC65500 mov eax,第七课作.0055C63C ; v_geta
0040781A . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
0040781D . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
00407820 . 50 push eax
00407821 . E8 5EF3FFFF call 第七课作.00406B84
00407826 . 8945 F0 mov dword ptr ss:[ebp-0x10],eax
00407829 . 8B5D F4 mov ebx,dword ptr ss:[ebp-0xC]
0040782C . 85DB test ebx,ebx
0040782E . 74 09 je short 第七课作.00407839
00407830 . 53 push ebx
00407831 . E8 00260000 call 第七课作.00409E36
00407836 . 83C4 04 add esp,0x4
00407839 > 68 04000080 push 0x80000004
0040783E . 6A 00 push 0x0
00407840 . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
00407843 . 85C0 test eax,eax
00407845 . 75 05 jnz short 第七课作.0040784C
00407847 . B8 3E264900 mov eax,第七课作.0049263E
0040784C > 50 push eax
0040784D . 68 01000000 push 0x1
00407852 . BB F0AC4000 mov ebx,第七课作.0040ACF0
00407857 . E8 F2250000 call 第七课作.00409E4E
0040785C . 83C4 10 add esp,0x10
0040785F . 8945 EC mov dword ptr ss:[ebp-0x14],eax
00407862 . 8B5D F0 mov ebx,dword ptr ss:[ebp-0x10]
00407865 . 85DB test ebx,ebx
00407867 . 74 09 je short 第七课作.00407872
00407869 . 53 push ebx
0040786A . E8 C7250000 call 第七课作.00409E36
0040786F . 83C4 04 add esp,0x4
00407872 > B8 43C65500 mov eax,第七课作.0055C643
00407877 . 33C9 xor ecx,ecx
00407879 . 85C0 test eax,eax
0040787B . 74 03 je short 第七课作.00407880
0040787D . 8B48 04 mov ecx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
00407880 > 51 push ecx
00407881 . 83C0 08 add eax,0x8
00407884 . 50 push eax
00407885 . 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
00407888 . 33DB xor ebx,ebx
0040788A . 85C0 test eax,eax
0040788C . 74 03 je short 第七课作.00407891
0040788E . 8B58 04 mov ebx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
00407891 > 83C0 08 add eax,0x8
00407894 . 50 push eax
00407895 . 3BD9 cmp ebx,ecx
00407897 . B8 01000000 mov eax,0x1
0040789C . 75 0A jnz short 第七课作.004078A8
0040789E . 48 dec eax
0040789F . 85C9 test ecx,ecx
004078A1 . 74 05 je short 第七课作.004078A8
004078A3 . E8 ADECFFFF call 第七课作.00406555
004078A8 > 83C4 0C add esp,0xC
004078AB . 85C0 test eax,eax
004078AD . B8 00000000 mov eax,0x0
004078B2 . 0F94C0 sete al
004078B5 . 8945 E8 mov dword ptr ss:[ebp-0x18],eax
004078B8 . 8B5D EC mov ebx,dword ptr ss:[ebp-0x14]
004078BB . 85DB test ebx,ebx
004078BD . 74 09 je short 第七课作.004078C8
004078BF . 53 push ebx
004078C0 . E8 71250000 call 第七课作.00409E36
004078C5 . 83C4 04 add esp,0x4
004078C8 > 837D E8 00 cmp dword ptr ss:[ebp-0x18],0x0
004078CC . 90 nop ; NOP out 2
004078CD . 90 nop
004078CE . 90 nop
004078CF . 90 nop
004078D0 . 90 nop
004078D1 . 90 nop
004078D2 . 6A 00 push 0x0
004078D4 . 6A 00 push 0x0
004078D6 . 6A 00 push 0x0
004078D8 . 68 04000080 push 0x80000004
004078DD . 6A 00 push 0x0
004078DF . 68 04C75500 push 第七课作.0055C704 ; 二级效验通过
004078E4 . 68 0F000100 push 0x1000F
004078E9 . 68 7D6B0116 push 0x16016B7D
004078EE . 68 2B010152 push 0x5201012B
004078F3 . 68 03000000 push 0x3
004078F8 . BB E0B94000 mov ebx,第七课作.0040B9E0
004078FD . E8 4C250000 call 第七课作.00409E4E
00407902 . 83C4 28 add esp,0x28
00407905 . E9 39000000 jmp 第七课作.00407943
0040790A . BB 06000000 mov ebx,0x6 ; big jump, NOP out 1
0040790F . E8 2799FFFF call 第七课作.0040123B
00407914 . 68 01030080 push 0x80000301
00407919 . 6A 00 push 0x0
0040791B . 68 00000000 push 0x0
00407920 . 68 04000080 push 0x80000004
00407925 . 6A 00 push 0x0
00407927 . 68 BDC65500 push 第七课作.0055C6BD ; 暗桩
0040792C . 68 04000000 push 0x4
00407931 . BB 20B14000 mov ebx,第七课作.0040B120
00407936 . E8 13250000 call 第七课作.00409E4E
0040793B . 83C4 34 add esp,0x34
0040793E . E9 00000000 jmp 第七课作.00407943
00407943 > 8BE5 mov esp,ebp
00407945 . 5D pop ebp ; kernel32.74D0919F
Third hidden trap
00408907 . 90 nop ; NOP4
00408908 . 90 nop
00408909 . 90 nop
0040890A . 90 nop
0040890B . 90 nop
0040890C . 90 nop
0040890D . B8 3CC65500 mov eax,第七课作.0055C63C ; v_geta
00408912 . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
00408915 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
00408918 . 50 push eax
00408919 . E8 1BE5FFFF call 第七课作.00406E39
0040891E . 8B5D F4 mov ebx,dword ptr ss:[ebp-0xC]
00408921 . 85DB test ebx,ebx
00408923 . 74 09 je short 第七课作.0040892E
00408925 . 53 push ebx
00408926 . E8 0B150000 call 第七课作.00409E36
0040892B . 83C4 04 add esp,0x4
0040892E > 68 01030080 push 0x80000301
00408933 . 6A 00 push 0x0
00408935 . FF75 FC push dword ptr ss:[ebp-0x4]
00408938 . 68 01000000 push 0x1
0040893D . BB 10B04000 mov ebx,第七课作.0040B010
00408942 . E8 07150000 call 第七课作.00409E4E
00408947 . 83C4 10 add esp,0x10
0040894A . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
0040894D . 68 01030080 push 0x80000301
00408952 . 6A 00 push 0x0
00408954 . FF75 F8 push dword ptr ss:[ebp-0x8] ; kernel32.74D0919F
00408957 . 68 01000000 push 0x1
0040895C . BB 10B04000 mov ebx,第七课作.0040B010
00408961 . E8 E8140000 call 第七课作.00409E4E
00408966 . 83C4 10 add esp,0x10
00408969 . 8945 F0 mov dword ptr ss:[ebp-0x10],eax
0040896C . FF75 F0 push dword ptr ss:[ebp-0x10]
0040896F . 68 12C65500 push 第七课作.0055C612 ; ,
00408974 . FF75 F4 push dword ptr ss:[ebp-0xC]
00408977 . 68 5BC65500 push 第七课作.0055C65B ; v_getb,
0040897C . B9 04000000 mov ecx,0x4
00408981 . E8 F0CCFFFF call 第七课作.00405676
00408986 . 83C4 10 add esp,0x10
00408989 . 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040898C . 8B5D F4 mov ebx,dword ptr ss:[ebp-0xC]
0040898F . 85DB test ebx,ebx
00408991 . 74 09 je short 第七课作.0040899C
00408993 . 53 push ebx
00408994 . E8 9D140000 call 第七课作.00409E36
00408999 . 83C4 04 add esp,0x4
0040899C > 8B5D F0 mov ebx,dword ptr ss:[ebp-0x10]
0040899F . 85DB test ebx,ebx
004089A1 . 74 09 je short 第七课作.004089AC
004089A3 . 53 push ebx
004089A4 . E8 8D140000 call 第七课作.00409E36
004089A9 . 83C4 04 add esp,0x4
004089AC > 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
004089AF . 50 push eax
004089B0 . E8 CFE1FFFF call 第七课作.00406B84
004089B5 . 8945 E8 mov dword ptr ss:[ebp-0x18],eax
004089B8 . 8B5D EC mov ebx,dword ptr ss:[ebp-0x14]
004089BB . 85DB test ebx,ebx
004089BD . 74 09 je short 第七课作.004089C8
004089BF . 53 push ebx
004089C0 . E8 71140000 call 第七课作.00409E36
004089C5 . 83C4 04 add esp,0x4
004089C8 > 68 04000080 push 0x80000004
004089CD . 6A 00 push 0x0
004089CF . 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
004089D2 . 85C0 test eax,eax
004089D4 . 75 05 jnz short 第七课作.004089DB
004089D6 . B8 3E264900 mov eax,第七课作.0049263E
004089DB > 50 push eax
004089DC . 68 01000000 push 0x1
004089E1 . BB 50A64000 mov ebx,第七课作.0040A650
004089E6 . E8 63140000 call 第七课作.00409E4E
004089EB . 83C4 10 add esp,0x10
004089EE . 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
004089F1 . 8B5D E8 mov ebx,dword ptr ss:[ebp-0x18]
004089F4 . 85DB test ebx,ebx
004089F6 . 74 09 je short 第七课作.00408A01
004089F8 . 53 push ebx
004089F9 . E8 38140000 call 第七课作.00409E36
004089FE . 83C4 04 add esp,0x4
00408A01 > DB45 FC fild dword ptr ss:[ebp-0x4]
00408A04 . DD5D DC fstp qword ptr ss:[ebp-0x24]
00408A07 . DD45 DC fld qword ptr ss:[ebp-0x24]
00408A0A . DB45 F8 fild dword ptr ss:[ebp-0x8]
00408A0D . DD5D D4 fstp qword ptr ss:[ebp-0x2C]
00408A10 . DC45 D4 fadd qword ptr ss:[ebp-0x2C]
00408A13 . DD5D CC fstp qword ptr ss:[ebp-0x34]
00408A16 . DB45 E4 fild dword ptr ss:[ebp-0x1C]
00408A19 . DD5D C4 fstp qword ptr ss:[ebp-0x3C]
00408A1C . DD45 C4 fld qword ptr ss:[ebp-0x3C]
00408A1F . DC65 CC fsub qword ptr ss:[ebp-0x34]
00408A22 . D9E4 ftst
00408A24 . DFE0 fstsw ax
00408A26 . F6C4 01 test ah,0x1
00408A29 . 74 02 je short 第七课作.00408A2D
00408A2B . D9E0 fchs
00408A2D > DC1D 63C65500 fcomp qword ptr ds:[0x55C663]
00408A33 . DFE0 fstsw ax
00408A35 . F6C4 41 test ah,0x41
00408A38 . 90 nop ; NOP3
00408A39 . 90 nop
00408A3A . 90 nop
00408A3B . 90 nop
00408A3C . 90 nop
00408A3D . 90 nop
00408A3E . B8 3CC65500 mov eax,第七课作.0055C63C ; v_geta
00408A43 . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
00408A46 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
00408A49 . 50 push eax
00408A4A . E8 35E1FFFF call 第七课作.00406B84
00408A4F . 8945 F0 mov dword ptr ss:[ebp-0x10],eax
00408A52 . 8B5D F4 mov ebx,dword ptr ss:[ebp-0xC]
00408A55 . 85DB test ebx,ebx
00408A57 . 74 09 je short 第七课作.00408A62
00408A59 . 53 push ebx
00408A5A . E8 D7130000 call 第七课作.00409E36
00408A5F . 83C4 04 add esp,0x4
00408A62 > 68 04000080 push 0x80000004
00408A67 . 6A 00 push 0x0
00408A69 . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
00408A6C . 85C0 test eax,eax
00408A6E . 75 05 jnz short 第七课作.00408A75
00408A70 . B8 3E264900 mov eax,第七课作.0049263E
00408A75 > 50 push eax
00408A76 . 68 01000000 push 0x1
00408A7B . BB F0AC4000 mov ebx,第七课作.0040ACF0
00408A80 . E8 C9130000 call 第七课作.00409E4E
00408A85 . 83C4 10 add esp,0x10
00408A88 . 8945 EC mov dword ptr ss:[ebp-0x14],eax
00408A8B . 8B5D F0 mov ebx,dword ptr ss:[ebp-0x10]
00408A8E . 85DB test ebx,ebx
00408A90 . 74 09 je short 第七课作.00408A9B
00408A92 . 53 push ebx
00408A93 . E8 9E130000 call 第七课作.00409E36
00408A98 . 83C4 04 add esp,0x4
00408A9B > B8 43C65500 mov eax,第七课作.0055C643
00408AA0 . 33C9 xor ecx,ecx
00408AA2 . 85C0 test eax,eax
00408AA4 . 74 03 je short 第七课作.00408AA9
00408AA6 . 8B48 04 mov ecx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
00408AA9 > 51 push ecx
00408AAA . 83C0 08 add eax,0x8
00408AAD . 50 push eax
00408AAE . 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
00408AB1 . 33DB xor ebx,ebx
00408AB3 . 85C0 test eax,eax
00408AB5 . 74 03 je short 第七课作.00408ABA
00408AB7 . 8B58 04 mov ebx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
00408ABA > 83C0 08 add eax,0x8
00408ABD . 50 push eax
00408ABE . 3BD9 cmp ebx,ecx
00408AC0 . B8 01000000 mov eax,0x1
00408AC5 . 75 0A jnz short 第七课作.00408AD1
00408AC7 . 48 dec eax
00408AC8 . 85C9 test ecx,ecx
00408ACA . 74 05 je short 第七课作.00408AD1
00408ACC . E8 84DAFFFF call 第七课作.00406555
00408AD1 > 83C4 0C add esp,0xC
00408AD4 . 85C0 test eax,eax
00408AD6 . B8 00000000 mov eax,0x0
00408ADB . 0F94C0 sete al
00408ADE . 8945 E8 mov dword ptr ss:[ebp-0x18],eax
00408AE1 . 8B5D EC mov ebx,dword ptr ss:[ebp-0x14]
00408AE4 . 85DB test ebx,ebx
00408AE6 . 74 09 je short 第七课作.00408AF1
00408AE8 . 53 push ebx
00408AE9 . E8 48130000 call 第七课作.00409E36
00408AEE . 83C4 04 add esp,0x4
00408AF1 > 837D E8 00 cmp dword ptr ss:[ebp-0x18],0x0
00408AF5 . 90 nop ; NOP2
00408AF6 . 90 nop
00408AF7 . 90 nop
00408AF8 . 90 nop
00408AF9 . 90 nop
00408AFA . 90 nop
00408AFB . 6A 00 push 0x0
00408AFD . 68 00000000 push 0x0
00408B02 . 6A FF push -0x1
00408B04 . 6A 06 push 0x6
00408B06 . 68 7C6B0116 push 0x16016B7C
00408B0B . 68 2B010152 push 0x5201012B
00408B10 . E8 2D130000 call 第七课作.00409E42
00408B15 . 83C4 18 add esp,0x18
00408B18 . 6A 00 push 0x0
00408B1A . 68 00000000 push 0x0
00408B1F . 6A FF push -0x1
00408B21 . 6A 06 push 0x6
00408B23 . 68 7B6B0116 push 0x16016B7B
00408B28 . 68 2B010152 push 0x5201012B
00408B2D . E8 10130000 call 第七课作.00409E42
00408B32 . 83C4 18 add esp,0x18
00408B35 . E9 39000000 jmp 第七课作.00408B73
00408B3A . BB 06000000 mov ebx,0x6 ; big jump NOP1
00408B3F . E8 F786FFFF call 第七课作.0040123B
00408B44 . 68 01030080 push 0x80000301
00408B49 . 6A 00 push 0x0
00408B4B . 68 00000000 push 0x0
00408B50 . 68 04000080 push 0x80000004
00408B55 . 6A 00 push 0x0
00408B57 . 68 BDC65500 push 第七课作.0055C6BD ; 暗桩
00408B5C . 68 04000000 push 0x4
00408B61 . BB 20B14000 mov ebx,第七课作.0040B120
00408B66 . E8 E3120000 call 第七课作.00409E4E
00408B6B . 83C4 34 add esp,0x34
00408B6E . E9 00000000 jmp 第七课作.00408B73
00408B73 > 8BE5 mov esp,ebp
00408B75 . 5D pop ebp ; kernel32.74D0919F
Fourth hidden trap
0040946A . 90 nop ; NOP4
0040946B . 90 nop
0040946C . 90 nop
0040946D . 90 nop
0040946E . 90 nop
0040946F . 90 nop
00409470 . 68 02000000 push 0x2
00409475 . E8 C3DAFFFF call 第七课作.00406F3D
0040947A . 8945 FC mov dword ptr ss:[ebp-0x4],eax
0040947D . 68 04000080 push 0x80000004
00409482 . 6A 00 push 0x0
00409484 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
00409487 . 85C0 test eax,eax
00409489 . 75 05 jnz short 第七课作.00409490
0040948B . B8 3E264900 mov eax,第七课作.0049263E
00409490 > 50 push eax
00409491 . 68 01000000 push 0x1
00409496 . BB F0AC4000 mov ebx,第七课作.0040ACF0
0040949B . E8 AE090000 call 第七课作.00409E4E
004094A0 . 83C4 10 add esp,0x10
004094A3 . 8945 F8 mov dword ptr ss:[ebp-0x8],eax
004094A6 . 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]
004094A9 . 85DB test ebx,ebx
004094AB . 74 09 je short 第七课作.004094B6
004094AD . 53 push ebx
004094AE . E8 83090000 call 第七课作.00409E36
004094B3 . 83C4 04 add esp,0x4
004094B6 > B8 7EC65500 mov eax,第七课作.0055C67E
004094BB . 33C9 xor ecx,ecx
004094BD . 85C0 test eax,eax
004094BF . 74 03 je short 第七课作.004094C4
004094C1 . 8B48 04 mov ecx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
004094C4 > 51 push ecx
004094C5 . 83C0 08 add eax,0x8
004094C8 . 50 push eax
004094C9 . 8B45 F8 mov eax,dword ptr ss:[ebp-0x8] ; kernel32.74D0919F
004094CC . 33DB xor ebx,ebx
004094CE . 85C0 test eax,eax
004094D0 . 74 03 je short 第七课作.004094D5
004094D2 . 8B58 04 mov ebx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
004094D5 > 83C0 08 add eax,0x8
004094D8 . 50 push eax
004094D9 . 3BD9 cmp ebx,ecx
004094DB . B8 01000000 mov eax,0x1
004094E0 . 75 0A jnz short 第七课作.004094EC
004094E2 . 48 dec eax
004094E3 . 85C9 test ecx,ecx
004094E5 . 74 05 je short 第七课作.004094EC
004094E7 . E8 69D0FFFF call 第七课作.00406555
004094EC > 83C4 0C add esp,0xC
004094EF . 85C0 test eax,eax
004094F1 . B8 00000000 mov eax,0x0
004094F6 . 0F94C0 sete al
004094F9 . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
004094FC . 8B5D F8 mov ebx,dword ptr ss:[ebp-0x8] ; kernel32.74D0919F
004094FF . 85DB test ebx,ebx
00409501 . 74 09 je short 第七课作.0040950C
00409503 . 53 push ebx
00409504 . E8 2D090000 call 第七课作.00409E36
00409509 . 83C4 04 add esp,0x4
0040950C > 837D F4 00 cmp dword ptr ss:[ebp-0xC],0x0
00409510 . 90 nop ; NOP3
00409511 . 90 nop
00409512 . 90 nop
00409513 . 90 nop
00409514 . 90 nop
00409515 . 90 nop
00409516 . 68 0F000000 push 0xF
0040951B . E8 1DDAFFFF call 第七课作.00406F3D
00409520 . 8945 FC mov dword ptr ss:[ebp-0x4],eax
00409523 . 68 04000080 push 0x80000004
00409528 . 6A 00 push 0x0
0040952A . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
0040952D . 85C0 test eax,eax
0040952F . 75 05 jnz short 第七课作.00409536
00409531 . B8 3E264900 mov eax,第七课作.0049263E
00409536 > 50 push eax
00409537 . 68 01000000 push 0x1
0040953C . BB F0AC4000 mov ebx,第七课作.0040ACF0
00409541 . E8 08090000 call 第七课作.00409E4E
00409546 . 83C4 10 add esp,0x10
00409549 . 8945 F8 mov dword ptr ss:[ebp-0x8],eax
0040954C . 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]
0040954F . 85DB test ebx,ebx
00409551 . 74 09 je short 第七课作.0040955C
00409553 . 53 push ebx
00409554 . E8 DD080000 call 第七课作.00409E36
00409559 . 83C4 04 add esp,0x4
0040955C > B8 91C65500 mov eax,第七课作.0055C691
00409561 . 33C9 xor ecx,ecx
00409563 . 85C0 test eax,eax
00409565 . 74 03 je short 第七课作.0040956A
00409567 . 8B48 04 mov ecx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
0040956A > 51 push ecx
0040956B . 83C0 08 add eax,0x8
0040956E . 50 push eax
0040956F . 8B45 F8 mov eax,dword ptr ss:[ebp-0x8] ; kernel32.74D0919F
00409572 . 33DB xor ebx,ebx
00409574 . 85C0 test eax,eax
00409576 . 74 03 je short 第七课作.0040957B
00409578 . 8B58 04 mov ebx,dword ptr ds:[eax+0x4] ; ntdll.771974A0
0040957B > 83C0 08 add eax,0x8
0040957E . 50 push eax
0040957F . 3BD9 cmp ebx,ecx
00409581 . B8 01000000 mov eax,0x1
00409586 . 75 0A jnz short 第七课作.00409592
00409588 . 48 dec eax
00409589 . 85C9 test ecx,ecx
0040958B . 74 05 je short 第七课作.00409592
0040958D . E8 C3CFFFFF call 第七课作.00406555
00409592 > 83C4 0C add esp,0xC
00409595 . 85C0 test eax,eax
00409597 . B8 00000000 mov eax,0x0
0040959C . 0F94C0 sete al
0040959F . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
004095A2 . 8B5D F8 mov ebx,dword ptr ss:[ebp-0x8] ; kernel32.74D0919F
004095A5 . 85DB test ebx,ebx
004095A7 . 74 09 je short 第七课作.004095B2
004095A9 . 53 push ebx
004095AA . E8 87080000 call 第七课作.00409E36
004095AF . 83C4 04 add esp,0x4
004095B2 > 837D F4 00 cmp dword ptr ss:[ebp-0xC],0x0
004095B6 . 90 nop ; NOP2
004095B7 . 90 nop
004095B8 . 90 nop
004095B9 . 90 nop
004095BA . 90 nop
004095BB . 90 nop
004095BC . 6A 00 push 0x0
004095BE . 6A 00 push 0x0
004095C0 . 6A 00 push 0x0
004095C2 . 68 04000080 push 0x80000004
004095C7 . 6A 00 push 0x0
004095C9 . 68 AFD15500 push 第七课作.0055D1AF ; 一级效验通过
004095CE . 68 0F000100 push 0x1000F
004095D3 . 68 7D6B0116 push 0x16016B7D
004095D8 . 68 2B010152 push 0x5201012B
004095DD . 68 03000000 push 0x3
004095E2 . BB E0B94000 mov ebx,第七课作.0040B9E0
004095E7 . E8 62080000 call 第七课作.00409E4E
004095EC . 83C4 28 add esp,0x28
004095EF . E9 39000000 jmp 第七课作.0040962D
004095F4 . BB 06000000 mov ebx,0x6 ; big jump NOP1
004095F9 . E8 3D7CFFFF call 第七课作.0040123B
004095FE . 68 01030080 push 0x80000301
00409603 . 6A 00 push 0x0
00409605 . 68 00000000 push 0x0
0040960A . 68 04000080 push 0x80000004
0040960F . 6A 00 push 0x0
00409611 . 68 BDC65500 push 第七课作.0055C6BD ; 暗桩
00409616 . 68 04000000 push 0x4
0040961B . BB 20B14000 mov ebx,第七课作.0040B120
00409620 . E8 29080000 call 第七课作.00409E4E
00409625 . 83C4 34 add esp,0x34
00409628 . E9 00000000 jmp 第七课作.0040962D
0040962D > 8BE5 mov esp,ebp
0040962F . 5D pop ebp ; kernel32.74D0919F
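After NOPing everything, run it and take a look
The left side shows 三级效验证通过 (level-3 check passed)
Click the 功能1 and 功能2 buttons; the left side shows 一级效验通过 (level-1 check passed) and then 二级效验通过 (level-2 check passed) in turn
That is the end of the homework. Thanks to teacher 小雨 for the instruction
Link: http://pan.baidu.com/s/1bnHM4On Password: 8bkr
One last question that I hope someone can answer: I noticed that each hidden trap separately calls the same CALL several times. Can it be handled in one go? Finding them one by one is tedious, and it is easy to miss some @Hmily
跳转已实现 (jump is taken)
00406B47=<第七课作 this CALL is called 5 times
跳转已实现 (jump is taken)
0040790A=第七课作 this CALL is called 4 times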
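The patched listings in this post share one byte signature: a flag-setting instruction (`837D xx 00 cmp dword ptr ss:[ebp-..],0x0` or `F6C4 41 test ah,0x41`) followed directly by six 0x90 bytes, the length of a near conditional jump such as the `0F84 07000000 je` at 0040180C. As an added example that is not part of the original post, here is a Python check a developer could run over a shipped binary's code bytes to flag that kind of modification; the function name and the sample buffers (assembled from bytes shown in the listings above) are assumptions of this example.

```python
import re

# Flag-setting instruction encodings that sit directly in front of the NOP
# runs in the listings above. "." matches any byte (displacement / immediate).
FLAG_SETTERS = {
    "cmp dword [ebp+disp8], imm8": rb"\x83\x7d..",   # e.g. 83 7D E8 00
    "test ah, imm8": rb"\xf6\xc4.",                  # e.g. F6 C4 41
}

# A near conditional jump (0F 8x rel32) is 6 bytes, so overwriting one leaves
# exactly six NOPs. Longer runs are more likely compiler alignment padding.
NOP_RUN = rb"\x90{6}(?!\x90)"


def find_nopped_branches(code: bytes, base: int):
    """Return [(address_of_first_nop, setter_description), ...].

    Heuristic: a compare/test whose result is never consumed because the
    following six bytes are NOPs. It pattern-matches raw bytes without
    disassembling, so a hit is a lead to review, not proof of tampering.
    """
    findings = []
    for name, setter in FLAG_SETTERS.items():
        # (?s) lets "." match every byte value, including 0x0A.
        rx = re.compile(b"(?s)(" + setter + b")" + NOP_RUN)
        for m in rx.finditer(code):
            findings.append((base + m.end(1), name))
    return sorted(findings)


# --- Constructed sample buffers (bytes copied from the listings above) ---

# 00406913: cmp [ebp-0x18],0 ; six NOPs ; push 0x1
SAMPLE_CMP_BASE = 0x00406913
SAMPLE_CMP = bytes.fromhex("837DE800" + "90" * 6 + "6801000000")

# 0040780C: test ah,0x41 ; six NOPs ; mov eax,0x0055C63C
SAMPLE_TEST_BASE = 0x0040780C
SAMPLE_TEST = bytes.fromhex("F6C441" + "90" * 6 + "B83CC65500")

# 00401808: cmp [ebp-0x14],1 ; je (6-byte form still present) ; mov eax,1
SAMPLE_INTACT_BASE = 0x00401808
SAMPLE_INTACT = bytes.fromhex("837DEC01" + "0F8407000000" + "B801000000")


if __name__ == "__main__":
    for label, buf, base in (
        ("cmp sample", SAMPLE_CMP, SAMPLE_CMP_BASE),
        ("test sample", SAMPLE_TEST, SAMPLE_TEST_BASE),
        ("intact sample", SAMPLE_INTACT, SAMPLE_INTACT_BASE),
    ):
        hits = find_nopped_branches(buf, base)
        if not hits:
            print(f"{label}: no NOPed branch pattern")
        for addr, name in hits:
            print(f"{label}: {addr:08X} six NOPs after '{name}'")
```

For a real file, pass the raw bytes of the code section and its load address; comparing the section against a signed reference hash remains the stronger check, with this scan serving to localize what changed.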