📄 stub.cod
字号:
000be 33 c0 xor eax, eax
000c0 f2 ae repne scasb
000c2 f7 d1 not ecx
000c4 49 dec ecx
000c5 51 push ecx
000c6 68 00 00 00 00 push OFFSET FLAT:?szGlobalFree@@3PAEA ; szGlobalFree
000cb e8 00 00 00 00 call ?DecryptData_TEA@@YA_NPBXHPBD@Z ; DecryptData_TEA
000d0 83 c4 0c add esp, 12 ; 0000000cH
000d3 68 00 00 00 00 push OFFSET FLAT:?szGlobalFree@@3PAEA ; szGlobalFree
000d8 56 push esi
000d9 ff d3 call ebx
000db a3 00 00 00 00 mov DWORD PTR ?pfnGlobalFree@@3P6GPAXPAX@ZA, eax ; pfnGlobalFree
000e0 bf 00 00 00 00 mov edi, OFFSET FLAT:?szGlobalFree@@3PAEA ; szGlobalFree
000e5 83 c9 ff or ecx, -1
000e8 33 c0 xor eax, eax
000ea f2 ae repne scasb
000ec f7 d1 not ecx
000ee 49 dec ecx
000ef bf 00 00 00 00 mov edi, OFFSET FLAT:?szGlobalFree@@3PAEA ; szGlobalFree
000f4 8b d1 mov edx, ecx
000f6 68 00 00 00 00 push OFFSET FLAT:?szKey@@3PAEA ; szKey
000fb c1 e9 02 shr ecx, 2
000fe f3 ab rep stosd
00100 8b ca mov ecx, edx
00102 83 e1 03 and ecx, 3
00105 f3 aa rep stosb
00107 bf 00 00 00 00 mov edi, OFFSET FLAT:?szIsDebuggerPresent@@3PAEA ; szIsDebuggerPresent
0010c 83 c9 ff or ecx, -1
0010f 33 c0 xor eax, eax
00111 f2 ae repne scasb
00113 f7 d1 not ecx
00115 49 dec ecx
00116 51 push ecx
00117 68 00 00 00 00 push OFFSET FLAT:?szIsDebuggerPresent@@3PAEA ; szIsDebuggerPresent
0011c e8 00 00 00 00 call ?DecryptData_TEA@@YA_NPBXHPBD@Z ; DecryptData_TEA
00121 83 c4 0c add esp, 12 ; 0000000cH
00124 68 00 00 00 00 push OFFSET FLAT:?szIsDebuggerPresent@@3PAEA ; szIsDebuggerPresent
00129 56 push esi
0012a ff d3 call ebx
0012c a3 00 00 00 00 mov DWORD PTR ?pfnIsDebugerPresent@@3P6GHXZA, eax ; pfnIsDebugerPresent
00131 bf 00 00 00 00 mov edi, OFFSET FLAT:?szIsDebuggerPresent@@3PAEA ; szIsDebuggerPresent
00136 83 c9 ff or ecx, -1
00139 33 c0 xor eax, eax
0013b f2 ae repne scasb
0013d f7 d1 not ecx
0013f 49 dec ecx
00140 bf 00 00 00 00 mov edi, OFFSET FLAT:?szIsDebuggerPresent@@3PAEA ; szIsDebuggerPresent
00145 8b d1 mov edx, ecx
00147 68 00 00 00 00 push OFFSET FLAT:?szKey@@3PAEA ; szKey
0014c c1 e9 02 shr ecx, 2
0014f f3 ab rep stosd
00151 8b ca mov ecx, edx
00153 83 e1 03 and ecx, 3
00156 f3 aa rep stosb
00158 bf 00 00 00 00 mov edi, OFFSET FLAT:?szExitProcess@@3PAEA ; szExitProcess
0015d 83 c9 ff or ecx, -1
00160 33 c0 xor eax, eax
00162 f2 ae repne scasb
00164 f7 d1 not ecx
00166 49 dec ecx
00167 51 push ecx
00168 68 00 00 00 00 push OFFSET FLAT:?szExitProcess@@3PAEA ; szExitProcess
0016d e8 00 00 00 00 call ?DecryptData_TEA@@YA_NPBXHPBD@Z ; DecryptData_TEA
00172 83 c4 0c add esp, 12 ; 0000000cH
00175 68 00 00 00 00 push OFFSET FLAT:?szExitProcess@@3PAEA ; szExitProcess
0017a 56 push esi
0017b ff d3 call ebx
0017d a3 00 00 00 00 mov DWORD PTR ?pfnExitProcess@@3P6GXI@ZA, eax ; pfnExitProcess
00182 bf 00 00 00 00 mov edi, OFFSET FLAT:?szExitProcess@@3PAEA ; szExitProcess
00187 83 c9 ff or ecx, -1
0018a 33 c0 xor eax, eax
0018c f2 ae repne scasb
0018e f7 d1 not ecx
00190 49 dec ecx
00191 bf 00 00 00 00 mov edi, OFFSET FLAT:?szExitProcess@@3PAEA ; szExitProcess
00196 8b d1 mov edx, ecx
00198 68 00 00 00 00 push OFFSET FLAT:?szKey@@3PAEA ; szKey
0019d c1 e9 02 shr ecx, 2
001a0 f3 ab rep stosd
001a2 8b ca mov ecx, edx
001a4 83 e1 03 and ecx, 3
001a7 f3 aa rep stosb
001a9 bf 00 00 00 00 mov edi, OFFSET FLAT:?szVirtualProtect@@3PAEA ; szVirtualProtect
001ae 83 c9 ff or ecx, -1
001b1 33 c0 xor eax, eax
001b3 f2 ae repne scasb
001b5 f7 d1 not ecx
001b7 49 dec ecx
001b8 51 push ecx
001b9 68 00 00 00 00 push OFFSET FLAT:?szVirtualProtect@@3PAEA ; szVirtualProtect
001be e8 00 00 00 00 call ?DecryptData_TEA@@YA_NPBXHPBD@Z ; DecryptData_TEA
001c3 83 c4 0c add esp, 12 ; 0000000cH
001c6 68 00 00 00 00 push OFFSET FLAT:?szVirtualProtect@@3PAEA ; szVirtualProtect
001cb 56 push esi
001cc ff d3 call ebx
001ce a3 00 00 00 00 mov DWORD PTR ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA, eax ; pfnVirtualProtect
001d3 bf 00 00 00 00 mov edi, OFFSET FLAT:?szVirtualProtect@@3PAEA ; szVirtualProtect
001d8 83 c9 ff or ecx, -1
001db 33 c0 xor eax, eax
001dd f2 ae repne scasb
001df f7 d1 not ecx
001e1 49 dec ecx
001e2 bf 00 00 00 00 mov edi, OFFSET FLAT:?szVirtualProtect@@3PAEA ; szVirtualProtect
001e7 8b d1 mov edx, ecx
001e9 c1 e9 02 shr ecx, 2
001ec f3 ab rep stosd
001ee 8b ca mov ecx, edx
001f0 83 e1 03 and ecx, 3
001f3 f3 aa rep stosb
; 81 : CheckDebugger();
001f5 ff 15 00 00 00
00 call DWORD PTR ?pfnIsDebugerPresent@@3P6GHXZA ; pfnIsDebugerPresent
001fb 83 f8 01 cmp eax, 1
001fe 75 08 jne SHORT $L17251
00200 6a 00 push 0
00202 ff 15 00 00 00
00 call DWORD PTR ?pfnExitProcess@@3P6GXI@ZA ; pfnExitProcess
$L17251:
; 82 : DecryptVars();
00208 6a 18 push 24 ; 00000018H
0020a 6a 40 push 64 ; 00000040H
0020c ff 15 00 00 00
00 call DWORD PTR ?pfnGlobalAlloc@@3P6GPAXIK@ZA ; pfnGlobalAlloc
00212 8b d8 mov ebx, eax
00214 53 push ebx
00215 68 00 00 00 00 push OFFSET FLAT:?gev@@3UGlobalExternalVars@@A ; gev
0021a e8 00 00 00 00 call _aP_depack
0021f 83 c4 08 add esp, 8
00222 b9 06 00 00 00 mov ecx, 6
00227 8b f3 mov esi, ebx
00229 bf 00 00 00 00 mov edi, OFFSET FLAT:?gev@@3UGlobalExternalVars@@A ; gev
0022e f3 a5 rep movsd
00230 53 push ebx
00231 ff 15 00 00 00
00 call DWORD PTR ?pfnGlobalFree@@3P6GPAXPAX@ZA ; pfnGlobalFree
; 83 : GetLoadAddress();
00237 8b 35 08 00 00
00 mov esi, DWORD PTR ?gev@@3UGlobalExternalVars@@A+8
0023d b8 00 00 00 00 mov eax, OFFSET FLAT:?StubEntryPoint@@YAXXZ ; StubEntryPoint
00242 2b c6 sub eax, esi
; 84 : Decrypt();
00244 33 c9 xor ecx, ecx
00246 a3 00 00 00 00 mov DWORD PTR ?dwLoadAddress@@3KA, eax ; dwLoadAddress
0024b bf 00 00 00 00 mov edi, OFFSET FLAT:?szRsrc@@3PAEA ; szRsrc
00250 8b 70 3c mov esi, DWORD PTR [eax+60]
00253 68 00 00 00 00 push OFFSET FLAT:?szKey@@3PAEA ; szKey
00258 03 f0 add esi, eax
0025a 89 75 e8 mov DWORD PTR _pNtHdr$17269[ebp], esi
0025d 66 8b 4e 14 mov cx, WORD PTR [esi+20]
00261 66 8b 46 06 mov ax, WORD PTR [esi+6]
00265 66 89 45 f0 mov WORD PTR _wNumSections$17274[ebp], ax
00269 33 c0 xor eax, eax
0026b 8d 5c 31 18 lea ebx, DWORD PTR [ecx+esi+24]
0026f 83 c9 ff or ecx, -1
00272 f2 ae repne scasb
00274 f7 d1 not ecx
00276 49 dec ecx
00277 51 push ecx
00278 68 00 00 00 00 push OFFSET FLAT:?szRsrc@@3PAEA ; szRsrc
0027d e8 00 00 00 00 call ?DecryptData_TEA@@YA_NPBXHPBD@Z ; DecryptData_TEA
00282 8b 45 f0 mov eax, DWORD PTR _wNumSections$17274[ebp]
00285 83 c4 0c add esp, 12 ; 0000000cH
00288 25 ff ff 00 00 and eax, 65535 ; 0000ffffH
0028d 48 dec eax
0028e 85 c0 test eax, eax
00290 0f 8e a2 01 00
00 jle $L17282
; 82 : DecryptVars();
00296 89 45 f0 mov DWORD PTR -16+[ebp], eax
; 84 : Decrypt();
$L17280:
00299 c6 45 ff 00 mov BYTE PTR _bResource$17277[ebp], 0
0029d be 00 00 00 00 mov esi, OFFSET FLAT:?szRsrc@@3PAEA ; szRsrc
002a2 8b fb mov edi, ebx
$L17301:
002a4 8a 17 mov dl, BYTE PTR [edi]
002a6 8a 0e mov cl, BYTE PTR [esi]
002a8 8a c2 mov al, dl
002aa 3a d1 cmp dl, cl
002ac 75 1e jne SHORT $L17302
002ae 84 c0 test al, al
002b0 74 16 je SHORT $L17303
002b2 8a 4f 01 mov cl, BYTE PTR [edi+1]
002b5 8a 56 01 mov dl, BYTE PTR [esi+1]
002b8 8a c1 mov al, cl
002ba 3a ca cmp cl, dl
002bc 75 0e jne SHORT $L17302
002be 83 c7 02 add edi, 2
002c1 83 c6 02 add esi, 2
002c4 84 c0 test al, al
002c6 75 dc jne SHORT $L17301
$L17303:
002c8 33 c0 xor eax, eax
002ca eb 05 jmp SHORT $L17304
$L17302:
002cc 1b c0 sbb eax, eax
002ce 83 d8 ff sbb eax, -1
$L17304:
002d1 85 c0 test eax, eax
002d3 75 04 jne SHORT $L17283
002d5 c6 45 ff 01 mov BYTE PTR _bResource$17277[ebp], 1
$L17283:
002d9 8b 43 10 mov eax, DWORD PTR [ebx+16]
002dc 85 c0 test eax, eax
002de 0f 84 41 01 00
00 je $L17292
002e4 50 push eax
002e5 6a 40 push 64 ; 00000040H
002e7 ff 15 00 00 00
00 call DWORD PTR ?pfnGlobalAlloc@@3P6GPAXIK@ZA ; pfnGlobalAlloc
002ed 8b d0 mov edx, eax
002ef 8a 45 ff mov al, BYTE PTR _bResource$17277[ebp]
002f2 84 c0 test al, al
002f4 89 55 ec mov DWORD PTR _lpbDecompBuffer$17285[ebp], edx
002f7 c7 45 f4 00 00
00 00 mov DWORD PTR _lpbResourceBuffer$17287[ebp], 0
002fe 74 7c je SHORT $L17288
00300 bf 00 00 00 00 mov edi, OFFSET FLAT:?szRsrc@@3PAEA ; szRsrc
00305 83 c9 ff or ecx, -1
00308 33 c0 xor eax, eax
0030a f2 ae repne scasb
0030c f7 d1 not ecx
0030e 49 dec ecx
0030f bf 00 00 00 00 mov edi, OFFSET FLAT:?szRsrc@@3PAEA ; szRsrc
00314 8b f1 mov esi, ecx
00316 c1 e9 02 shr ecx, 2
00319 f3 ab rep stosd
0031b 8b ce mov ecx, esi
0031d 8b 35 00 00 00
00 mov esi, DWORD PTR ?dwLoadAddress@@3KA ; dwLoadAddress
00323 83 e1 03 and ecx, 3
00326 f3 aa rep stosb
00328 a1 0c 00 00 00 mov eax, DWORD PTR ?gev@@3UGlobalExternalVars@@A+12
0032d 8b 4b 10 mov ecx, DWORD PTR [ebx+16]
00330 8b 7b 0c mov edi, DWORD PTR [ebx+12]
00333 03 f0 add esi, eax
00335 2b c8 sub ecx, eax
00337 03 f7 add esi, edi
00339 8b fa mov edi, edx
0033b 8b d1 mov edx, ecx
0033d c1 e9 02 shr ecx, 2
00340 f3 a5 rep movsd
00342 8b ca mov ecx, edx
00344 83 e1 03 and ecx, 3
00347 f3 a4 rep movsb
00349 a1 0c 00 00 00 mov eax, DWORD PTR ?gev@@3UGlobalExternalVars@@A+12
0034e 85 c0 test eax, eax
00350 74 48 je SHORT $L17290
00352 50 push eax
00353 6a 40 push 64 ; 00000040H
00355 ff 15 00 00 00
00 call DWORD PTR ?pfnGlobalAlloc@@3P6GPAXIK@ZA ; pfnGlobalAlloc
0035b 8b 35 00 00 00
00 mov esi, DWORD PTR ?dwLoadAddress@@3KA ; dwLoadAddress
00361 8b 7b 0c mov edi, DWORD PTR [ebx+12]
00364 8b 0d 0c 00 00
00 mov ecx, DWORD PTR ?gev@@3UGlobalExternalVars@@A+12
0036a 03 f7 add esi, edi
0036c 89 45 f4 mov DWORD PTR _lpbResourceBuffer$17287[ebp], eax
0036f 8b f8 mov edi, eax
00371 8b c1 mov eax, ecx
00373 c1 e9 02 shr ecx, 2
00376 f3 a5 rep movsd
00378 8b c8 mov ecx, eax
0037a eb 19 jmp SHORT $L17306
$L17288:
0037c 8b 35 00 00 00
00 mov esi, DWORD PTR ?dwLoadAddress@@3KA ; dwLoadAddress
00382 8b 7b 0c mov edi, DWORD PTR [ebx+12]
00385 8b 4b 10 mov ecx, DWORD PTR [ebx+16]
00388 03 f7 add esi, edi
0038a 8b fa mov edi, edx
0038c 8b d1 mov edx, ecx
0038e c1 e9 02 shr ecx, 2
00391 f3 a5 rep movsd
00393 8b ca mov ecx, edx
$L17306:
00395 83 e1 03 and ecx, 3
00398 f3 a4 rep movsb
$L17290:
0039a 8b 35 00 00 00
00 mov esi, DWORD PTR ?dwLoadAddress@@3KA ; dwLoadAddress
003a0 8b 53 0c mov edx, DWORD PTR [ebx+12]
003a3 8b 4b 08 mov ecx, DWORD PTR [ebx+8]
003a6 8d 45 f8 lea eax, DWORD PTR _dwOldProtect$17278[ebp]
003a9 50 push eax
003aa 03 f2 add esi, edx
003ac 6a 04 push 4
003ae 51 push ecx
003af 56 push esi
003b0 ff 15 00 00 00
00 call DWORD PTR ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA ; pfnVirtualProtect
003b6 8b 7d ec mov edi, DWORD PTR _lpbDecompBuffer$17285[ebp]
003b9 56 push esi
003ba 57 push edi
003bb e8 00 00 00 00 call _aP_depack
003c0 8b 45 f8 mov eax, DWORD PTR _dwOldProtect$17278[ebp]
003c3 8b 4b 08 mov ecx, DWORD PTR [ebx+8]
003c6 83 c4 08 add esp, 8
003c9 8d 55 f8 lea edx, DWORD PTR _dwOldProtect$17278[ebp]
003cc 52 push edx
003cd 50 push eax
003ce 51 push ecx
003cf 56 push esi
003d0 ff 15 00 00 00
00 call DWORD PTR ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA ; pfnVirtualProtect
003d6 57 push edi
003d7 ff 15 00 00 00
00 call DWORD PTR ?pfnGlobalFree@@3P6GPAXPAX@ZA ; pfnGlobalFree
003dd 8a 45 ff mov al, BYTE PTR _bResource$17277[ebp]
003e0 84 c0 test al, al
003e2 74 41 je SHORT $L17292
003e4 a1 0c 00 00 00 mov eax, DWORD PTR ?gev@@3UGlobalExternalVars@@A+12
003e9 85 c0 test eax, eax
003eb 74 38 je SHORT $L17292
003ed 8b 43 08 mov eax, DWORD PTR [ebx+8]
003f0 8d 55 f8 lea edx, DWORD PTR _dwOldProtect$17278[ebp]
003f3 52 push edx
003f4 6a 04 push 4
003f6 50 push eax
003f7 56 push esi
003f8 ff 15 00 00 00
00 call DWORD PTR ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA ; pfnVirtualProtect
003fe 8b 7d f4 mov edi, DWORD PTR _lpbResourceBuffer$17287[ebp]
00401 56 push esi
00402 57 push edi
00403 e8 00 00 00 00 call ?CopyResources@@YAXPAU_IMAGE_RESOURCE_DIRECTORY@@0@Z ; CopyResources
00408 8b 55 f8 mov edx, DWORD PTR _dwOldProtect$17278[ebp]
0040b 8b 43 08 mov eax, DWORD PTR [ebx+8]
0040e 83 c4 08 add esp, 8
00411 8d 4d f8 lea ecx, DWORD PTR _dwOldProtect$17278[ebp]
00414 51 push ecx
00415 52 push edx
00416 50 push eax
00417 56 push esi
00418 ff 15 00 00 00
00 call DWORD PTR ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA ; pfnVirtualProtect
0041e 57 push edi
0041f ff 15 00 00 00
00 call DWORD PTR ?pfnGlobalFree@@3P6GPAXPAX@ZA ; pfnGlobalFree
$L17292:
00425 8b 45 f0 mov eax, DWORD PTR -16+[ebp]
00428 83 c3 28 add ebx, 40 ; 00000028H
0042b 48 dec eax
0042c 89 45 f0 mov DWORD PTR -16+[ebp], eax
0042f 0f 85 64 fe ff
ff jne $L17280
00435 8b 75 e8 mov esi, DWORD PTR _pNtHdr$17269[ebp]
$L17282:
00438 8d 4d f8 lea ecx, DWORD PTR _dwOldProtect$17278[ebp]
0043b 51 push ecx
0043c 6a 04 push 4
0043e 68 f8 00 00 00 push 248 ; 000000f8H
00443 56 push esi
00444 ff 15 00 00 00
00 call DWORD PTR ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA ; pfnVirtualProtect
0044a 66 ff 4e 06 dec WORD PTR [esi+6]
0044e 8b 45 f8 mov eax, DWORD PTR _dwOldProtect$17278[ebp]
00451 8d 55 f8 lea edx, DWORD PTR _dwOldProtect$17278[ebp]
00454 52 push edx
00455 50 push eax
00456 68 f8 00 00 00 push 248 ; 000000f8H
0045b 56 push esi
0045c ff 15 00 00 00
00 call DWORD PTR ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA ; pfnVirtualProtect
; 85 : ResolveImports();
00462 e8 00 00 00 00 call ?ResolveImports@@YAXXZ ; ResolveImports
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -