📄 stub.cod
字号:
001b5 e8 00 00 00 00 call ?DecryptData_TEA@@YA_NPBXHPBD@Z ; DecryptData_TEA
001ba 83 c4 0c add esp, 12 ; 0000000cH
001bd 68 00 00 00 00 push OFFSET FLAT:?szVirtualProtect@@3PAEA ; szVirtualProtect
001c2 56 push esi
001c3 ff d3 call ebx
001c5 a3 00 00 00 00 mov DWORD PTR ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA, eax ; pfnVirtualProtect
001ca bf 00 00 00 00 mov edi, OFFSET FLAT:?szVirtualProtect@@3PAEA ; szVirtualProtect
001cf 83 c9 ff or ecx, -1
001d2 33 c0 xor eax, eax
001d4 f2 ae repne scasb
001d6 f7 d1 not ecx
001d8 49 dec ecx
001d9 bf 00 00 00 00 mov edi, OFFSET FLAT:?szVirtualProtect@@3PAEA ; szVirtualProtect
001de 8b d1 mov edx, ecx
001e0 c1 e9 02 shr ecx, 2
001e3 f3 ab rep stosd
001e5 8b ca mov ecx, edx
001e7 83 e1 03 and ecx, 3
001ea f3 aa rep stosb
001ec ff 15 00 00 00
00 call DWORD PTR ?pfnIsDebugerPresent@@3P6GHXZA ; pfnIsDebugerPresent
001f2 83 f8 01 cmp eax, 1
001f5 75 08 jne SHORT $L17165
001f7 6a 00 push 0
001f9 ff 15 00 00 00
00 call DWORD PTR ?pfnExitProcess@@3P6GXI@ZA ; pfnExitProcess
$L17165:
001ff 6a 18 push 24 ; 00000018H
00201 6a 40 push 64 ; 00000040H
00203 ff 15 00 00 00
00 call DWORD PTR ?pfnGlobalAlloc@@3P6GPAXIK@ZA ; pfnGlobalAlloc
00209 8b d8 mov ebx, eax
0020b 53 push ebx
0020c 68 00 00 00 00 push OFFSET FLAT:?gev@@3UGlobalExternalVars@@A ; gev
00211 e8 00 00 00 00 call _aP_depack
00216 83 c4 08 add esp, 8
00219 b9 06 00 00 00 mov ecx, 6
0021e 8b f3 mov esi, ebx
00220 bf 00 00 00 00 mov edi, OFFSET FLAT:?gev@@3UGlobalExternalVars@@A ; gev
00225 f3 a5 rep movsd
00227 53 push ebx
00228 ff 15 00 00 00
00 call DWORD PTR ?pfnGlobalFree@@3P6GPAXPAX@ZA ; pfnGlobalFree
0022e 8b 35 08 00 00
00 mov esi, DWORD PTR ?gev@@3UGlobalExternalVars@@A+8
00234 b8 00 00 00 00 mov eax, OFFSET FLAT:?StubEntryPoint@@YAXXZ ; StubEntryPoint
00239 2b c6 sub eax, esi
0023b 33 c9 xor ecx, ecx
0023d a3 00 00 00 00 mov DWORD PTR ?dwLoadAddress@@3KA, eax ; dwLoadAddress
00242 bf 00 00 00 00 mov edi, OFFSET FLAT:?szRsrc@@3PAEA ; szRsrc
00247 8b 70 3c mov esi, DWORD PTR [eax+60]
0024a 68 00 00 00 00 push OFFSET FLAT:?szKey@@3PAEA ; szKey
0024f 03 f0 add esi, eax
00251 89 75 e8 mov DWORD PTR _pNtHdr$17177[ebp], esi
00254 66 8b 4e 14 mov cx, WORD PTR [esi+20]
00258 66 8b 46 06 mov ax, WORD PTR [esi+6]
0025c 66 89 45 f0 mov WORD PTR _wNumSections$17182[ebp], ax
00260 33 c0 xor eax, eax
00262 8d 5c 31 18 lea ebx, DWORD PTR [ecx+esi+24]
00266 83 c9 ff or ecx, -1
00269 f2 ae repne scasb
0026b f7 d1 not ecx
0026d 49 dec ecx
0026e 51 push ecx
0026f 68 00 00 00 00 push OFFSET FLAT:?szRsrc@@3PAEA ; szRsrc
00274 e8 00 00 00 00 call ?DecryptData_TEA@@YA_NPBXHPBD@Z ; DecryptData_TEA
00279 8b 45 f0 mov eax, DWORD PTR _wNumSections$17182[ebp]
0027c 83 c4 0c add esp, 12 ; 0000000cH
0027f 25 ff ff 00 00 and eax, 65535 ; 0000ffffH
00284 48 dec eax
00285 85 c0 test eax, eax
00287 0f 8e a2 01 00
00 jle $L17190
0028d 89 45 f0 mov DWORD PTR -16+[ebp], eax
$L17188:
00290 c6 45 ff 00 mov BYTE PTR _bResource$17185[ebp], 0
00294 be 00 00 00 00 mov esi, OFFSET FLAT:?szRsrc@@3PAEA ; szRsrc
00299 8b fb mov edi, ebx
$L17208:
0029b 8a 17 mov dl, BYTE PTR [edi]
0029d 8a 0e mov cl, BYTE PTR [esi]
0029f 8a c2 mov al, dl
002a1 3a d1 cmp dl, cl
002a3 75 1e jne SHORT $L17209
002a5 84 c0 test al, al
002a7 74 16 je SHORT $L17210
002a9 8a 4f 01 mov cl, BYTE PTR [edi+1]
002ac 8a 56 01 mov dl, BYTE PTR [esi+1]
002af 8a c1 mov al, cl
002b1 3a ca cmp cl, dl
002b3 75 0e jne SHORT $L17209
002b5 83 c7 02 add edi, 2
002b8 83 c6 02 add esi, 2
002bb 84 c0 test al, al
002bd 75 dc jne SHORT $L17208
$L17210:
002bf 33 c0 xor eax, eax
002c1 eb 05 jmp SHORT $L17211
$L17209:
002c3 1b c0 sbb eax, eax
002c5 83 d8 ff sbb eax, -1
$L17211:
002c8 85 c0 test eax, eax
002ca 75 04 jne SHORT $L17191
002cc c6 45 ff 01 mov BYTE PTR _bResource$17185[ebp], 1
$L17191:
002d0 8b 43 10 mov eax, DWORD PTR [ebx+16]
002d3 85 c0 test eax, eax
002d5 0f 84 41 01 00
00 je $L17200
002db 50 push eax
002dc 6a 40 push 64 ; 00000040H
002de ff 15 00 00 00
00 call DWORD PTR ?pfnGlobalAlloc@@3P6GPAXIK@ZA ; pfnGlobalAlloc
002e4 8b d0 mov edx, eax
002e6 8a 45 ff mov al, BYTE PTR _bResource$17185[ebp]
002e9 84 c0 test al, al
002eb 89 55 ec mov DWORD PTR _lpbDecompBuffer$17193[ebp], edx
002ee c7 45 f4 00 00
00 00 mov DWORD PTR _lpbResourceBuffer$17195[ebp], 0
002f5 74 7c je SHORT $L17196
002f7 bf 00 00 00 00 mov edi, OFFSET FLAT:?szRsrc@@3PAEA ; szRsrc
002fc 83 c9 ff or ecx, -1
002ff 33 c0 xor eax, eax
00301 f2 ae repne scasb
00303 f7 d1 not ecx
00305 49 dec ecx
00306 bf 00 00 00 00 mov edi, OFFSET FLAT:?szRsrc@@3PAEA ; szRsrc
0030b 8b f1 mov esi, ecx
0030d c1 e9 02 shr ecx, 2
00310 f3 ab rep stosd
00312 8b ce mov ecx, esi
00314 8b 35 00 00 00
00 mov esi, DWORD PTR ?dwLoadAddress@@3KA ; dwLoadAddress
0031a 83 e1 03 and ecx, 3
0031d f3 aa rep stosb
0031f a1 0c 00 00 00 mov eax, DWORD PTR ?gev@@3UGlobalExternalVars@@A+12
00324 8b 4b 10 mov ecx, DWORD PTR [ebx+16]
00327 8b 7b 0c mov edi, DWORD PTR [ebx+12]
0032a 03 f0 add esi, eax
0032c 2b c8 sub ecx, eax
0032e 03 f7 add esi, edi
00330 8b fa mov edi, edx
00332 8b d1 mov edx, ecx
00334 c1 e9 02 shr ecx, 2
00337 f3 a5 rep movsd
00339 8b ca mov ecx, edx
0033b 83 e1 03 and ecx, 3
0033e f3 a4 rep movsb
00340 a1 0c 00 00 00 mov eax, DWORD PTR ?gev@@3UGlobalExternalVars@@A+12
00345 85 c0 test eax, eax
00347 74 48 je SHORT $L17198
00349 50 push eax
0034a 6a 40 push 64 ; 00000040H
0034c ff 15 00 00 00
00 call DWORD PTR ?pfnGlobalAlloc@@3P6GPAXIK@ZA ; pfnGlobalAlloc
00352 8b 35 00 00 00
00 mov esi, DWORD PTR ?dwLoadAddress@@3KA ; dwLoadAddress
00358 8b 7b 0c mov edi, DWORD PTR [ebx+12]
0035b 8b 0d 0c 00 00
00 mov ecx, DWORD PTR ?gev@@3UGlobalExternalVars@@A+12
00361 03 f7 add esi, edi
00363 89 45 f4 mov DWORD PTR _lpbResourceBuffer$17195[ebp], eax
00366 8b f8 mov edi, eax
00368 8b c1 mov eax, ecx
0036a c1 e9 02 shr ecx, 2
0036d f3 a5 rep movsd
0036f 8b c8 mov ecx, eax
00371 eb 19 jmp SHORT $L17213
$L17196:
00373 8b 35 00 00 00
00 mov esi, DWORD PTR ?dwLoadAddress@@3KA ; dwLoadAddress
00379 8b 7b 0c mov edi, DWORD PTR [ebx+12]
0037c 8b 4b 10 mov ecx, DWORD PTR [ebx+16]
0037f 03 f7 add esi, edi
00381 8b fa mov edi, edx
00383 8b d1 mov edx, ecx
00385 c1 e9 02 shr ecx, 2
00388 f3 a5 rep movsd
0038a 8b ca mov ecx, edx
$L17213:
0038c 83 e1 03 and ecx, 3
0038f f3 a4 rep movsb
$L17198:
00391 8b 35 00 00 00
00 mov esi, DWORD PTR ?dwLoadAddress@@3KA ; dwLoadAddress
00397 8b 53 0c mov edx, DWORD PTR [ebx+12]
0039a 8b 4b 08 mov ecx, DWORD PTR [ebx+8]
0039d 8d 45 f8 lea eax, DWORD PTR _dwOldProtect$17186[ebp]
003a0 50 push eax
003a1 03 f2 add esi, edx
003a3 6a 04 push 4
003a5 51 push ecx
003a6 56 push esi
003a7 ff 15 00 00 00
00 call DWORD PTR ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA ; pfnVirtualProtect
003ad 8b 7d ec mov edi, DWORD PTR _lpbDecompBuffer$17193[ebp]
003b0 56 push esi
003b1 57 push edi
003b2 e8 00 00 00 00 call _aP_depack
003b7 8b 45 f8 mov eax, DWORD PTR _dwOldProtect$17186[ebp]
003ba 8b 4b 08 mov ecx, DWORD PTR [ebx+8]
003bd 83 c4 08 add esp, 8
003c0 8d 55 f8 lea edx, DWORD PTR _dwOldProtect$17186[ebp]
003c3 52 push edx
003c4 50 push eax
003c5 51 push ecx
003c6 56 push esi
003c7 ff 15 00 00 00
00 call DWORD PTR ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA ; pfnVirtualProtect
003cd 57 push edi
003ce ff 15 00 00 00
00 call DWORD PTR ?pfnGlobalFree@@3P6GPAXPAX@ZA ; pfnGlobalFree
003d4 8a 45 ff mov al, BYTE PTR _bResource$17185[ebp]
003d7 84 c0 test al, al
003d9 74 41 je SHORT $L17200
003db a1 0c 00 00 00 mov eax, DWORD PTR ?gev@@3UGlobalExternalVars@@A+12
003e0 85 c0 test eax, eax
003e2 74 38 je SHORT $L17200
003e4 8b 43 08 mov eax, DWORD PTR [ebx+8]
003e7 8d 55 f8 lea edx, DWORD PTR _dwOldProtect$17186[ebp]
003ea 52 push edx
003eb 6a 04 push 4
003ed 50 push eax
003ee 56 push esi
003ef ff 15 00 00 00
00 call DWORD PTR ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA ; pfnVirtualProtect
003f5 8b 7d f4 mov edi, DWORD PTR _lpbResourceBuffer$17195[ebp]
003f8 56 push esi
003f9 57 push edi
003fa e8 00 00 00 00 call ?CopyResources@@YAXPAU_IMAGE_RESOURCE_DIRECTORY@@0@Z ; CopyResources
003ff 8b 55 f8 mov edx, DWORD PTR _dwOldProtect$17186[ebp]
00402 8b 43 08 mov eax, DWORD PTR [ebx+8]
00405 83 c4 08 add esp, 8
00408 8d 4d f8 lea ecx, DWORD PTR _dwOldProtect$17186[ebp]
0040b 51 push ecx
0040c 52 push edx
0040d 50 push eax
0040e 56 push esi
0040f ff 15 00 00 00
00 call DWORD PTR ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA ; pfnVirtualProtect
00415 57 push edi
00416 ff 15 00 00 00
00 call DWORD PTR ?pfnGlobalFree@@3P6GPAXPAX@ZA ; pfnGlobalFree
$L17200:
0041c 8b 45 f0 mov eax, DWORD PTR -16+[ebp]
0041f 83 c3 28 add ebx, 40 ; 00000028H
00422 48 dec eax
00423 89 45 f0 mov DWORD PTR -16+[ebp], eax
00426 0f 85 64 fe ff
ff jne $L17188
0042c 8b 75 e8 mov esi, DWORD PTR _pNtHdr$17177[ebp]
$L17190:
0042f 8d 4d f8 lea ecx, DWORD PTR _dwOldProtect$17186[ebp]
00432 51 push ecx
00433 6a 04 push 4
00435 68 f8 00 00 00 push 248 ; 000000f8H
0043a 56 push esi
0043b ff 15 00 00 00
00 call DWORD PTR ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA ; pfnVirtualProtect
00441 66 ff 4e 06 dec WORD PTR [esi+6]
00445 8b 45 f8 mov eax, DWORD PTR _dwOldProtect$17186[ebp]
00448 8d 55 f8 lea edx, DWORD PTR _dwOldProtect$17186[ebp]
0044b 52 push edx
0044c 50 push eax
0044d 68 f8 00 00 00 push 248 ; 000000f8H
00452 56 push esi
00453 ff 15 00 00 00
00 call DWORD PTR ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA ; pfnVirtualProtect
00459 e8 00 00 00 00 call ?ResolveImports@@YAXXZ ; ResolveImports
0045e e8 00 00 00 00 call ?FinaliseTlsStuff@@YAXXZ ; FinaliseTlsStuff
00463 8b 0d 00 00 00
00 mov ecx, DWORD PTR ?dwLoadAddress@@3KA ; dwLoadAddress
00469 a1 00 00 00 00 mov eax, DWORD PTR ?gev@@3UGlobalExternalVars@@A
0046e 03 c1 add eax, ecx
00470 a3 00 00 00 00 mov DWORD PTR ?gev@@3UGlobalExternalVars@@A, eax
; 77 :
; 78 : void main()
; 79 : {
; 80 : SetupFuncs();
00475 ff 35 00 00 00
00 push DWORD PTR ?gev@@3UGlobalExternalVars@@A
; 75 : main();
0047b b9 0d 00 00 00 mov ecx, 13 ; 0000000dH
00480 33 c0 xor eax, eax
00482 bf 00 00 00 00 mov edi, OFFSET FLAT:?gev@@3UGlobalExternalVars@@A ; gev
00487 f3 ab rep stosd
; 81 : CheckDebugger();
; 82 : DecryptVars();
00489 c3 ret 0
?StubEntryPoint@@YAXXZ ENDP ; StubEntryPoint
_TEXT ENDS
PUBLIC _main
; COMDAT _main
_TEXT SEGMENT
_pNtHdr$17269 = -24
_wNumSections$17274 = -16
_bResource$17277 = -1
_dwOldProtect$17278 = -8
_lpbDecompBuffer$17285 = -20
_lpbResourceBuffer$17287 = -12
_main PROC NEAR ; COMDAT
; 79 : {
00000 55 push ebp
00001 8b ec mov ebp, esp
00003 83 ec 18 sub esp, 24 ; 00000018H
00006 53 push ebx
00007 56 push esi
00008 57 push edi
; 80 : SetupFuncs();
00009 bf 00 00 00 00 mov edi, OFFSET FLAT:?szKernel32@@3PAEA ; szKernel32
0000e 83 c9 ff or ecx, -1
00011 33 c0 xor eax, eax
00013 f2 ae repne scasb
00015 f7 d1 not ecx
00017 49 dec ecx
00018 68 00 00 00 00 push OFFSET FLAT:?szKey@@3PAEA ; szKey
0001d 51 push ecx
0001e 68 00 00 00 00 push OFFSET FLAT:?szKernel32@@3PAEA ; szKernel32
00023 e8 00 00 00 00 call ?DecryptData_TEA@@YA_NPBXHPBD@Z ; DecryptData_TEA
00028 83 c4 0c add esp, 12 ; 0000000cH
0002b 68 00 00 00 00 push OFFSET FLAT:?szKernel32@@3PAEA ; szKernel32
00030 ff 15 00 00 00
00 call DWORD PTR __imp__LoadLibraryA@4
00036 8b f0 mov esi, eax
00038 bf 00 00 00 00 mov edi, OFFSET FLAT:?szKernel32@@3PAEA ; szKernel32
0003d 83 c9 ff or ecx, -1
00040 33 c0 xor eax, eax
00042 f2 ae repne scasb
00044 f7 d1 not ecx
00046 49 dec ecx
00047 bf 00 00 00 00 mov edi, OFFSET FLAT:?szKernel32@@3PAEA ; szKernel32
0004c 8b d1 mov edx, ecx
0004e 68 00 00 00 00 push OFFSET FLAT:?szKey@@3PAEA ; szKey
00053 c1 e9 02 shr ecx, 2
00056 f3 ab rep stosd
00058 8b ca mov ecx, edx
0005a 83 e1 03 and ecx, 3
0005d f3 aa rep stosb
0005f bf 00 00 00 00 mov edi, OFFSET FLAT:?szGlobalAlloc@@3PAEA ; szGlobalAlloc
00064 83 c9 ff or ecx, -1
00067 33 c0 xor eax, eax
00069 f2 ae repne scasb
0006b f7 d1 not ecx
0006d 49 dec ecx
0006e 51 push ecx
0006f 68 00 00 00 00 push OFFSET FLAT:?szGlobalAlloc@@3PAEA ; szGlobalAlloc
00074 e8 00 00 00 00 call ?DecryptData_TEA@@YA_NPBXHPBD@Z ; DecryptData_TEA
00079 8b 1d 00 00 00
00 mov ebx, DWORD PTR __imp__GetProcAddress@8
0007f 83 c4 0c add esp, 12 ; 0000000cH
00082 68 00 00 00 00 push OFFSET FLAT:?szGlobalAlloc@@3PAEA ; szGlobalAlloc
00087 56 push esi
00088 ff d3 call ebx
0008a a3 00 00 00 00 mov DWORD PTR ?pfnGlobalAlloc@@3P6GPAXIK@ZA, eax ; pfnGlobalAlloc
0008f bf 00 00 00 00 mov edi, OFFSET FLAT:?szGlobalAlloc@@3PAEA ; szGlobalAlloc
00094 83 c9 ff or ecx, -1
00097 33 c0 xor eax, eax
00099 f2 ae repne scasb
0009b f7 d1 not ecx
0009d 49 dec ecx
0009e bf 00 00 00 00 mov edi, OFFSET FLAT:?szGlobalAlloc@@3PAEA ; szGlobalAlloc
000a3 8b d1 mov edx, ecx
000a5 68 00 00 00 00 push OFFSET FLAT:?szKey@@3PAEA ; szKey
000aa c1 e9 02 shr ecx, 2
000ad f3 ab rep stosd
000af 8b ca mov ecx, edx
000b1 83 e1 03 and ecx, 3
000b4 f3 aa rep stosb
000b6 bf 00 00 00 00 mov edi, OFFSET FLAT:?szGlobalFree@@3PAEA ; szGlobalFree
000bb 83 c9 ff or ecx, -1
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -