吾爱破解培训第七课：手把手教你从实例看如何攻破常见的网络验证

协议：

网络验证协议分为UDP和TCP协议。

目前市面上流行的网络验证一半都是TCP协议的。

采用TCP协议程序发送数据所用API为：send，接收数据所用API为：recv
采用UDP协议程序发送数据所用API为：WSASend，接收数据所用API为：WSARecv

在分析封包时，了解程序使用的协议类型，采用相对应抓包工具。有的抓包工具只能抓到TCP协议发送的封包数据，比如用易语言网截所写的抓包工具，那种工具只能抓到TCP协议的封包

TCP （传输控制协议）

TCP（Transmission Control Protocol 传输控制协议）是一种面向连接的、可靠的、基于字节流的传输层通信协议，由IETF的RFC 793定义。在简化的计算机网络OSI模型中，它完成第四层传输层所指定的功能，用户数据报协议（UDP）是同一层内 另一个重要的传输协议。在因特网协议族（Internet protocol suite）中，TCP层是位于IP层之上，应用层之下的中间层。不同主机的应用层之间经常需要可靠的、像管道一样的连接，但是IP层不提供这样的流机制，而是提供不可靠的包交换。

应用层向TCP层发送用于网间传输的、用8位字节表示的数据流，然后TCP把数据流分区成适当长度的报文段（通常受该计算机连接的网络的数据链路层的最大传输单元（[1] MTU）的限制）。之后TCP把结果包传给IP层，由它来通过网络将包传送给接收端实体的TCP层。TCP为了保证不发生丢包，就给每个包一个序号，同时序号也保证了传送到接收端实体的包的按序接收。然后接收端实体对已成功收到的包发回一个相应的确认（ACK）；如果发送端实体在合理的往返时延（RTT）内未收到确认，那么对应的数据包就被假设为已丢失将会被进行重传。TCP用一个校验和函数来检验数据是否有错误；在发送和接收时都要计算校验和。

UDP

UDP 是User Datagram Protocol的简称， 中文名是用户数据报协议，是OSI（Open System Interconnection，开放式系统互联） 参考模型中一种无连接的传输层协议，提供面向事务的简单不可靠信息传送服务，IETF RFC 768是UDP的正式规范。UDP在IP报文的协议号是17。

UDP协议全称是用户数据报协议，在网络中它与TCP协议一样用于处理数据包，是一种无连接的协议。在OSI模型中，在第四层——传输层，处于IP协议的上一层。UDP有不提供数据包分组、组装和不能对数据包进行排序的缺点，也就是说，当报文发送之后，是无法得知其是否安全完整到达的。UDP用来支持那些需要在计算机之间传输数据的网络应用。包括网络视频会议系统在内的众多的客户/服务器模式的网络应用都需要使用UDP协议。UDP协议从问世至今已经被使用了很多年，虽然其最初的光彩已经被一些类似协议所掩盖，但是即使是在今天UDP仍然不失为一项非常实用和可行的网络传输层协议。

与所熟知的TCP（传输控制协议）协议一样，UDP协议直接位于IP（网际协议）协议的顶层。根据OSI（开放系统互连）参考模型，UDP和TCP都属于传输层协议。UDP协议的主要作用是将网络数据流量压缩成数据包的形式。一个典型的数据包就是一个二进制数据的传输单位。每一个数据包的前8个字节用来包含报头信息，剩余字节则用来包含具体的传输数据。

网络验证类型

Asp验证

php验证

云验证

exe程序互相通信验证

判断验证类型

Asp验证 飘零网络验证

Php验证 可可网络验证

云验证 注册宝网络验证

实例

易语言按钮事件

Code

FF 55 FC 5F 5E

查壳

Microsoft Visual C++ ver 5.0/6.0

爆破

CTRL+G 输入0401000
中文智能搜索 –智能搜索
查找ENO 双击回车过去

Code

004017FD   . /74 09         je short 第七课作.00401808
004017FF   . |53            push ebx
00401800   . |E8 31860000   call 第七课作.00409E36
00401805   . |83C4 04       add esp,0x4
00401808     \837D EC 01    cmp dword ptr ss:[ebp-0x14],0x1          ;  把0改1
0040180C   .  0F84 07000000 je 第七课作.00401819
00401812   .  B8 01000000   mov eax,0x1
00401817   .  EB 05         jmp short 第七课作.0040181E
00401819   >  B8 00000000   mov eax,0x0

F9跑起来，登陆试下，软件直接关闭了
有退出暗桩

CTRL+B
输入FF 25 查找退出CALL,

Code

00406729  |. /0F84 18040000 je 第七课作.00406B47                  ;  nop掉，大跳转开始
0040672F  |. |B8 3CC65500   mov eax,第七课作.0055C63C             ;  v_geta
00406734  |. |8945 F4       mov [local.3],eax                 ;  kernel32.BaseThreadInitThunk
00406737  |. |8D45 F4       lea eax,[local.3]
0040673A  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
0040673B  |. |E8 F9060000   call 第七课作.00406E39
00406740  |. |8B5D F4       mov ebx,[local.3]
00406743  |. |85DB          test ebx,ebx
00406745  |. |74 09         je short 第七课作.00406750
00406747  |. |53            push ebx
00406748  |. |E8 E9360000   call 第七课作.00409E36
0040674D  |. |83C4 04       add esp,0x4
00406750  |> |68 01030080   push 0x80000301
00406755  |. |6A 00         push 0x0
00406757  |. |FF75 FC       push [local.1]
0040675A  |. |68 01000000   push 0x1
0040675F  |. |BB 10B04000   mov ebx,第七课作.0040B010
00406764  |. |E8 E5360000   call 第七课作.00409E4E
00406769  |. |83C4 10       add esp,0x10
0040676C  |. |8945 F4       mov [local.3],eax                 ;  kernel32.BaseThreadInitThunk
0040676F  |. |68 01030080   push 0x80000301
00406774  |. |6A 00         push 0x0
00406776  |. |FF75 F8       push [local.2]                    ;  kernel32.76A4336A
00406779  |. |68 01000000   push 0x1
0040677E  |. |BB 10B04000   mov ebx,第七课作.0040B010
00406783  |. |E8 C6360000   call 第七课作.00409E4E
00406788  |. |83C4 10       add esp,0x10
0040678B  |. |8945 F0       mov [local.4],eax                 ;  kernel32.BaseThreadInitThunk
0040678E  |. |FF75 F0       push [local.4]
00406791  |. |68 12C65500   push 第七课作.0055C612                ;  ,
00406796  |. |FF75 F4       push [local.3]
00406799  |. |68 5BC65500   push 第七课作.0055C65B                ;  v_getb,
0040679E  |. |B9 04000000   mov ecx,0x4
004067A3  |. |E8 CEEEFFFF   call 第七课作.00405676
004067A8  |. |83C4 10       add esp,0x10
004067AB  |. |8945 EC       mov [local.5],eax                 ;  kernel32.BaseThreadInitThunk
004067AE  |. |8B5D F4       mov ebx,[local.3]
004067B1  |. |85DB          test ebx,ebx
004067B3  |. |74 09         je short 第七课作.004067BE
004067B5  |. |53            push ebx
004067B6  |. |E8 7B360000   call 第七课作.00409E36
004067BB  |. |83C4 04       add esp,0x4
004067BE  |> |8B5D F0       mov ebx,[local.4]
004067C1  |. |85DB          test ebx,ebx
004067C3  |. |74 09         je short 第七课作.004067CE
004067C5  |. |53            push ebx
004067C6  |. |E8 6B360000   call 第七课作.00409E36
004067CB  |. |83C4 04       add esp,0x4
004067CE  |> |8D45 EC       lea eax,[local.5]
004067D1  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
004067D2  |. |E8 AD030000   call 第七课作.00406B84
004067D7  |. |8945 E8       mov [local.6],eax                 ;  kernel32.BaseThreadInitThunk
004067DA  |. |8B5D EC       mov ebx,[local.5]
004067DD  |. |85DB          test ebx,ebx
004067DF  |. |74 09         je short 第七课作.004067EA
004067E1  |. |53            push ebx
004067E2  |. |E8 4F360000   call 第七课作.00409E36
004067E7  |. |83C4 04       add esp,0x4
004067EA  |> |68 04000080   push 0x80000004
004067EF  |. |6A 00         push 0x0
004067F1  |. |8B45 E8       mov eax,[local.6]
004067F4  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
004067F6  |. |75 05         jnz short 第七课作.004067FD
004067F8  |. |B8 3E264900   mov eax,第七课作.0049263E
004067FD  |> |50            push eax                          ;  kernel32.BaseThreadInitThunk
004067FE  |. |68 01000000   push 0x1
00406803  |. |BB 50A64000   mov ebx,第七课作.0040A650
00406808  |. |E8 41360000   call 第七课作.00409E4E
0040680D  |. |83C4 10       add esp,0x10
00406810  |. |8945 E4       mov [local.7],eax                 ;  kernel32.BaseThreadInitThunk
00406813  |. |8B5D E8       mov ebx,[local.6]
00406816  |. |85DB          test ebx,ebx
00406818  |. |74 09         je short 第七课作.00406823
0040681A  |. |53            push ebx
0040681B  |. |E8 16360000   call 第七课作.00409E36
00406820  |. |83C4 04       add esp,0x4
00406823  |> |DB45 FC       fild [local.1]
00406826  |. |DD5D DC       fstp qword ptr ss:[ebp-0x24]
00406829  |. |DD45 DC       fld qword ptr ss:[ebp-0x24]
0040682C  |. |DB45 F8       fild [local.2]
0040682F  |. |DD5D D4       fstp qword ptr ss:[ebp-0x2C]
00406832  |. |DC45 D4       fadd qword ptr ss:[ebp-0x2C]
00406835  |. |DD5D CC       fstp qword ptr ss:[ebp-0x34]
00406838  |. |DB45 E4       fild [local.7]
0040683B  |. |DD5D C4       fstp qword ptr ss:[ebp-0x3C]
0040683E  |. |DD45 C4       fld qword ptr ss:[ebp-0x3C]
00406841  |. |DC65 CC       fsub qword ptr ss:[ebp-0x34]
00406844  |. |D9E4          ftst
00406846  |. |DFE0          fstsw ax
00406848  |. |F6C4 01       test ah,0x1
0040684B  |. |74 02         je short 第七课作.0040684F
0040684D  |. |D9E0          fchs
0040684F  |> |DC1D 63C65500 fcomp qword ptr ds:[0x55C663]
00406855  |. |DFE0          fstsw ax
00406857  |. |F6C4 41       test ah,0x41
0040685A  |. |0F84 E7020000 je 第七课作.00406B47                  ;  nop掉
00406860  |. |B8 3CC65500   mov eax,第七课作.0055C63C             ;  v_geta
00406865  |. |8945 F4       mov [local.3],eax                 ;  kernel32.BaseThreadInitThunk
00406868  |. |8D45 F4       lea eax,[local.3]
0040686B  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
0040686C  |. |E8 13030000   call 第七课作.00406B84
00406871  |. |8945 F0       mov [local.4],eax                 ;  kernel32.BaseThreadInitThunk
00406874  |. |8B5D F4       mov ebx,[local.3]
00406877  |. |85DB          test ebx,ebx
00406879  |. |74 09         je short 第七课作.00406884
0040687B  |. |53            push ebx
0040687C  |. |E8 B5350000   call 第七课作.00409E36
00406881  |. |83C4 04       add esp,0x4
00406884  |> |68 04000080   push 0x80000004
00406889  |. |6A 00         push 0x0
0040688B  |. |8B45 F0       mov eax,[local.4]
0040688E  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00406890  |. |75 05         jnz short 第七课作.00406897
00406892  |. |B8 3E264900   mov eax,第七课作.0049263E
00406897  |> |50            push eax                          ;  kernel32.BaseThreadInitThunk
00406898  |. |68 01000000   push 0x1
0040689D  |. |BB F0AC4000   mov ebx,第七课作.0040ACF0
004068A2  |. |E8 A7350000   call 第七课作.00409E4E
004068A7  |. |83C4 10       add esp,0x10
004068AA  |. |8945 EC       mov [local.5],eax                 ;  kernel32.BaseThreadInitThunk
004068AD  |. |8B5D F0       mov ebx,[local.4]
004068B0  |. |85DB          test ebx,ebx
004068B2  |. |74 09         je short 第七课作.004068BD
004068B4  |. |53            push ebx
004068B5  |. |E8 7C350000   call 第七课作.00409E36
004068BA  |. |83C4 04       add esp,0x4
004068BD  |> |B8 43C65500   mov eax,第七课作.0055C643
004068C2  |. |33C9          xor ecx,ecx
004068C4  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
004068C6  |. |74 03         je short 第七课作.004068CB
004068C8  |. |8B48 04       mov ecx,dword ptr ds:[eax+0x4]
004068CB  |> |51            push ecx
004068CC  |. |83C0 08       add eax,0x8
004068CF  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
004068D0  |. |8B45 EC       mov eax,[local.5]
004068D3  |. |33DB          xor ebx,ebx
004068D5  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
004068D7  |. |74 03         je short 第七课作.004068DC
004068D9  |. |8B58 04       mov ebx,dword ptr ds:[eax+0x4]
004068DC  |> |83C0 08       add eax,0x8
004068DF  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
004068E0  |. |3BD9          cmp ebx,ecx
004068E2  |. |B8 01000000   mov eax,0x1
004068E7  |. |75 0A         jnz short 第七课作.004068F3
004068E9  |. |48            dec eax                           ;  kernel32.BaseThreadInitThunk
004068EA  |. |85C9          test ecx,ecx
004068EC  |. |74 05         je short 第七课作.004068F3
004068EE  |. |E8 62FCFFFF   call 第七课作.00406555
004068F3  |> |83C4 0C       add esp,0xC
004068F6  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
004068F8  |. |B8 00000000   mov eax,0x0
004068FD  |. |0f94c0        sete al
00406900  |. |8945 E8       mov [local.6],eax                 ;  kernel32.BaseThreadInitThunk
00406903  |. |8B5D EC       mov ebx,[local.5]
00406906  |. |85DB          test ebx,ebx
00406908  |. |74 09         je short 第七课作.00406913
0040690A  |. |53            push ebx
0040690B  |. |E8 26350000   call 第七课作.00409E36
00406910  |. |83C4 04       add esp,0x4
00406913  |> |837D E8 00    cmp [local.6],0x0
00406917  |. |0F84 2A020000 je 第七课作.00406B47                  ;  nop掉
0040691D  |. |68 01000000   push 0x1
00406922  |. |E8 16060000   call 第七课作.00406F3D
00406927  |. |8945 F4       mov [local.3],eax                 ;  kernel32.BaseThreadInitThunk
0040692A  |. |68 04000080   push 0x80000004
0040692F  |. |6A 00         push 0x0
00406931  |. |8B45 F4       mov eax,[local.3]
00406934  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00406936  |. |75 05         jnz short 第七课作.0040693D
00406938  |. |B8 3E264900   mov eax,第七课作.0049263E
0040693D  |> |50            push eax                          ;  kernel32.BaseThreadInitThunk
0040693E  |. |68 01000000   push 0x1
00406943  |. |BB F0AC4000   mov ebx,第七课作.0040ACF0
00406948  |. |E8 01350000   call 第七课作.00409E4E
0040694D  |. |83C4 10       add esp,0x10
00406950  |. |8945 F0       mov [local.4],eax                 ;  kernel32.BaseThreadInitThunk
00406953  |. |8B5D F4       mov ebx,[local.3]
00406956  |. |85DB          test ebx,ebx
00406958  |. |74 09         je short 第七课作.00406963
0040695A  |. |53            push ebx
0040695B  |. |E8 D6340000   call 第七课作.00409E36
00406960  |. |83C4 04       add esp,0x4
00406963  |> |B8 6BC65500   mov eax,第七课作.0055C66B
00406968  |. |33C9          xor ecx,ecx
0040696A  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
0040696C  |. |74 03         je short 第七课作.00406971
0040696E  |. |8B48 04       mov ecx,dword ptr ds:[eax+0x4]
00406971  |> |51            push ecx
00406972  |. |83C0 08       add eax,0x8
00406975  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
00406976  |. |8B45 F0       mov eax,[local.4]
00406979  |. |33DB          xor ebx,ebx
0040697B  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
0040697D  |. |74 03         je short 第七课作.00406982
0040697F  |. |8B58 04       mov ebx,dword ptr ds:[eax+0x4]
00406982  |> |83C0 08       add eax,0x8
00406985  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
00406986  |. |3BD9          cmp ebx,ecx
00406988  |. |B8 01000000   mov eax,0x1
0040698D  |. |75 0A         jnz short 第七课作.00406999
0040698F  |. |48            dec eax                           ;  kernel32.BaseThreadInitThunk
00406990  |. |85C9          test ecx,ecx
00406992  |. |74 05         je short 第七课作.00406999
00406994  |. |E8 BCFBFFFF   call 第七课作.00406555
00406999  |> |83C4 0C       add esp,0xC
0040699C  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
0040699E  |. |B8 00000000   mov eax,0x0
004069A3  |. |0f94c0        sete al
004069A6  |. |8945 EC       mov [local.5],eax                 ;  kernel32.BaseThreadInitThunk
004069A9  |. |8B5D F0       mov ebx,[local.4]
004069AC  |. |85DB          test ebx,ebx
004069AE  |. |74 09         je short 第七课作.004069B9
004069B0  |. |53            push ebx
004069B1  |. |E8 80340000   call 第七课作.00409E36
004069B6  |. |83C4 04       add esp,0x4
004069B9  |> |837D EC 00    cmp [local.5],0x0
004069BD  |. |0F84 84010000 je 第七课作.00406B47                  ;  nop掉
004069C3  |. |68 02000000   push 0x2
004069C8  |. |E8 70050000   call 第七课作.00406F3D
004069CD  |. |8945 F4       mov [local.3],eax                 ;  kernel32.BaseThreadInitThunk
004069D0  |. |68 04000080   push 0x80000004
004069D5  |. |6A 00         push 0x0
004069D7  |. |8B45 F4       mov eax,[local.3]
004069DA  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
004069DC  |. |75 05         jnz short 第七课作.004069E3
004069DE  |. |B8 3E264900   mov eax,第七课作.0049263E
004069E3  |> |50            push eax                          ;  kernel32.BaseThreadInitThunk
004069E4  |. |68 01000000   push 0x1
004069E9  |. |BB F0AC4000   mov ebx,第七课作.0040ACF0
004069EE  |. |E8 5B340000   call 第七课作.00409E4E
004069F3  |. |83C4 10       add esp,0x10
004069F6  |. |8945 F0       mov [local.4],eax                 ;  kernel32.BaseThreadInitThunk
004069F9  |. |8B5D F4       mov ebx,[local.3]
004069FC  |. |85DB          test ebx,ebx
004069FE  |. |74 09         je short 第七课作.00406A09
00406A00  |. |53            push ebx
00406A01  |. |E8 30340000   call 第七课作.00409E36
00406A06  |. |83C4 04       add esp,0x4
00406A09  |> |B8 7EC65500   mov eax,第七课作.0055C67E
00406A0E  |. |33C9          xor ecx,ecx
00406A10  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00406A12  |. |74 03         je short 第七课作.00406A17
00406A14  |. |8B48 04       mov ecx,dword ptr ds:[eax+0x4]
00406A17  |> |51            push ecx
00406A18  |. |83C0 08       add eax,0x8
00406A1B  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
00406A1C  |. |8B45 F0       mov eax,[local.4]
00406A1F  |. |33DB          xor ebx,ebx
00406A21  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00406A23  |. |74 03         je short 第七课作.00406A28
00406A25  |. |8B58 04       mov ebx,dword ptr ds:[eax+0x4]
00406A28  |> |83C0 08       add eax,0x8
00406A2B  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
00406A2C  |. |3BD9          cmp ebx,ecx
00406A2E  |. |B8 01000000   mov eax,0x1
00406A33  |. |75 0A         jnz short 第七课作.00406A3F
00406A35  |. |48            dec eax                           ;  kernel32.BaseThreadInitThunk
00406A36  |. |85C9          test ecx,ecx
00406A38  |. |74 05         je short 第七课作.00406A3F
00406A3A  |. |E8 16FBFFFF   call 第七课作.00406555
00406A3F  |> |83C4 0C       add esp,0xC
00406A42  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00406A44  |. |B8 00000000   mov eax,0x0
00406A49  |. |0f94c0        sete al
00406A4C  |. |8945 EC       mov [local.5],eax                 ;  kernel32.BaseThreadInitThunk
00406A4F  |. |8B5D F0       mov ebx,[local.4]
00406A52  |. |85DB          test ebx,ebx
00406A54  |. |74 09         je short 第七课作.00406A5F
00406A56  |. |53            push ebx
00406A57  |. |E8 DA330000   call 第七课作.00409E36
00406A5C  |. |83C4 04       add esp,0x4
00406A5F  |> |837D EC 00    cmp [local.5],0x0
00406A63  |. |0F84 DE000000 je 第七课作.00406B47                  ;  nop掉
00406A69  |. |68 0F000000   push 0xF
00406A6E  |. |E8 CA040000   call 第七课作.00406F3D
00406A73  |. |8945 F4       mov [local.3],eax                 ;  kernel32.BaseThreadInitThunk
00406A76  |. |68 04000080   push 0x80000004
00406A7B  |. |6A 00         push 0x0
00406A7D  |. |8B45 F4       mov eax,[local.3]
00406A80  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00406A82  |. |75 05         jnz short 第七课作.00406A89
00406A84  |. |B8 3E264900   mov eax,第七课作.0049263E
00406A89  |> |50            push eax                          ;  kernel32.BaseThreadInitThunk
00406A8A  |. |68 01000000   push 0x1
00406A8F  |. |BB F0AC4000   mov ebx,第七课作.0040ACF0
00406A94  |. |E8 B5330000   call 第七课作.00409E4E
00406A99  |. |83C4 10       add esp,0x10
00406A9C  |. |8945 F0       mov [local.4],eax                 ;  kernel32.BaseThreadInitThunk
00406A9F  |. |8B5D F4       mov ebx,[local.3]
00406AA2  |. |85DB          test ebx,ebx
00406AA4  |. |74 09         je short 第七课作.00406AAF
00406AA6  |. |53            push ebx
00406AA7  |. |E8 8A330000   call 第七课作.00409E36
00406AAC  |. |83C4 04       add esp,0x4
00406AAF  |> |B8 91C65500   mov eax,第七课作.0055C691
00406AB4  |. |33C9          xor ecx,ecx
00406AB6  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00406AB8  |. |74 03         je short 第七课作.00406ABD
00406ABA  |. |8B48 04       mov ecx,dword ptr ds:[eax+0x4]
00406ABD  |> |51            push ecx
00406ABE  |. |83C0 08       add eax,0x8
00406AC1  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
00406AC2  |. |8B45 F0       mov eax,[local.4]
00406AC5  |. |33DB          xor ebx,ebx
00406AC7  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00406AC9  |. |74 03         je short 第七课作.00406ACE
00406ACB  |. |8B58 04       mov ebx,dword ptr ds:[eax+0x4]
00406ACE  |> |83C0 08       add eax,0x8
00406AD1  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
00406AD2  |. |3BD9          cmp ebx,ecx
00406AD4  |. |B8 01000000   mov eax,0x1
00406AD9  |. |75 0A         jnz short 第七课作.00406AE5
00406ADB  |. |48            dec eax                           ;  kernel32.BaseThreadInitThunk
00406ADC  |. |85C9          test ecx,ecx
00406ADE  |. |74 05         je short 第七课作.00406AE5
00406AE0  |. |E8 70FAFFFF   call 第七课作.00406555
00406AE5  |> |83C4 0C       add esp,0xC
00406AE8  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00406AEA  |. |B8 00000000   mov eax,0x0
00406AEF  |. |0f94c0        sete al
00406AF2  |. |8945 EC       mov [local.5],eax                 ;  kernel32.BaseThreadInitThunk
00406AF5  |. |8B5D F0       mov ebx,[local.4]
00406AF8  |. |85DB          test ebx,ebx
00406AFA  |. |74 09         je short 第七课作.00406B05
00406AFC  |. |53            push ebx
00406AFD  |. |E8 34330000   call 第七课作.00409E36
00406B02  |. |83C4 04       add esp,0x4
00406B05  |> |837D EC 00    cmp [local.5],0x0
00406B09  |. |0F84 38000000 je 第七课作.00406B47                  ;  nop掉
00406B0F  |. |6A 00         push 0x0
00406B11  |. |6A 00         push 0x0
00406B13  |. |6A 00         push 0x0
00406B15  |. |68 04000080   push 0x80000004
00406B1A  |. |6A 00         push 0x0
00406B1C  |. |68 B0C65500   push 第七课作.0055C6B0                ;  三级效验通过
00406B21  |. |68 0F000100   push 0x1000F
00406B26  |. |68 7D6B0116   push 0x16016B7D
00406B2B  |. |68 2B010152   push 0x5201012B
00406B30  |. |68 03000000   push 0x3
00406B35  |. |BB E0B94000   mov ebx,第七课作.0040B9E0
00406B3A  |. |E8 0F330000   call 第七课作.00409E4E
00406B3F  |. |83C4 28       add esp,0x28
00406B42  |. |E9 39000000   jmp 第七课作.00406B80
00406B47  |> \BB 06000000   mov ebx,0x6                       ;  nop掉，大跳转终点

第二个暗桩

Code

004076DE  |. /0F84 26020000 je 第七课作.0040790A                  ;  nop掉，大跳转开始
004076E4  |. |B8 3CC65500   mov eax,第七课作.0055C63C             ;  v_geta
004076E9  |. |8945 F4       mov [local.3],eax                 ;  kernel32.BaseThreadInitThunk
004076EC  |. |8D45 F4       lea eax,[local.3]
004076EF  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
004076F0  |. |E8 44F7FFFF   call 第七课作.00406E39
004076F5  |. |8B5D F4       mov ebx,[local.3]
004076F8  |. |85DB          test ebx,ebx
004076FA  |. |74 09         je short 第七课作.00407705
004076FC  |. |53            push ebx
004076FD  |. |E8 34270000   call 第七课作.00409E36
00407702  |. |83C4 04       add esp,0x4
00407705  |> |68 01030080   push 0x80000301
0040770A  |. |6A 00         push 0x0
0040770C  |. |FF75 FC       push [local.1]
0040770F  |. |68 01000000   push 0x1
00407714  |. |BB 10B04000   mov ebx,第七课作.0040B010
00407719  |. |E8 30270000   call 第七课作.00409E4E
0040771E  |. |83C4 10       add esp,0x10
00407721  |. |8945 F4       mov [local.3],eax                 ;  kernel32.BaseThreadInitThunk
00407724  |. |68 01030080   push 0x80000301
00407729  |. |6A 00         push 0x0
0040772B  |. |FF75 F8       push [local.2]                    ;  kernel32.76A4336A
0040772E  |. |68 01000000   push 0x1
00407733  |. |BB 10B04000   mov ebx,第七课作.0040B010
00407738  |. |E8 11270000   call 第七课作.00409E4E
0040773D  |. |83C4 10       add esp,0x10
00407740  |. |8945 F0       mov [local.4],eax                 ;  kernel32.BaseThreadInitThunk
00407743  |. |FF75 F0       push [local.4]
00407746  |. |68 12C65500   push 第七课作.0055C612                ;  ,
0040774B  |. |FF75 F4       push [local.3]
0040774E  |. |68 5BC65500   push 第七课作.0055C65B                ;  v_getb,
00407753  |. |B9 04000000   mov ecx,0x4
00407758  |. |E8 19DFFFFF   call 第七课作.00405676
0040775D  |. |83C4 10       add esp,0x10
00407760  |. |8945 EC       mov [local.5],eax                 ;  kernel32.BaseThreadInitThunk
00407763  |. |8B5D F4       mov ebx,[local.3]
00407766  |. |85DB          test ebx,ebx
00407768  |. |74 09         je short 第七课作.00407773
0040776A  |. |53            push ebx
0040776B  |. |E8 C6260000   call 第七课作.00409E36
00407770  |. |83C4 04       add esp,0x4
00407773  |> |8B5D F0       mov ebx,[local.4]
00407776  |. |85DB          test ebx,ebx
00407778  |. |74 09         je short 第七课作.00407783
0040777A  |. |53            push ebx
0040777B  |. |E8 B6260000   call 第七课作.00409E36
00407780  |. |83C4 04       add esp,0x4
00407783  |> |8D45 EC       lea eax,[local.5]
00407786  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
00407787  |. |E8 F8F3FFFF   call 第七课作.00406B84
0040778C  |. |8945 E8       mov [local.6],eax                 ;  kernel32.BaseThreadInitThunk
0040778F  |. |8B5D EC       mov ebx,[local.5]
00407792  |. |85DB          test ebx,ebx
00407794  |. |74 09         je short 第七课作.0040779F
00407796  |. |53            push ebx
00407797  |. |E8 9A260000   call 第七课作.00409E36
0040779C  |. |83C4 04       add esp,0x4
0040779F  |> |68 04000080   push 0x80000004
004077A4  |. |6A 00         push 0x0
004077A6  |. |8B45 E8       mov eax,[local.6]
004077A9  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
004077AB  |. |75 05         jnz short 第七课作.004077B2
004077AD  |. |B8 3E264900   mov eax,第七课作.0049263E
004077B2  |> |50            push eax                          ;  kernel32.BaseThreadInitThunk
004077B3  |. |68 01000000   push 0x1
004077B8  |. |BB 50A64000   mov ebx,第七课作.0040A650
004077BD  |. |E8 8C260000   call 第七课作.00409E4E
004077C2  |. |83C4 10       add esp,0x10
004077C5  |. |8945 E4       mov [local.7],eax                 ;  kernel32.BaseThreadInitThunk
004077C8  |. |8B5D E8       mov ebx,[local.6]
004077CB  |. |85DB          test ebx,ebx
004077CD  |. |74 09         je short 第七课作.004077D8
004077CF  |. |53            push ebx
004077D0  |. |E8 61260000   call 第七课作.00409E36
004077D5  |. |83C4 04       add esp,0x4
004077D8  |> |DB45 FC       fild [local.1]
004077DB  |. |DD5D DC       fstp qword ptr ss:[ebp-0x24]
004077DE  |. |DD45 DC       fld qword ptr ss:[ebp-0x24]
004077E1  |. |DB45 F8       fild [local.2]
004077E4  |. |DD5D D4       fstp qword ptr ss:[ebp-0x2C]
004077E7  |. |DC45 D4       fadd qword ptr ss:[ebp-0x2C]
004077EA  |. |DD5D CC       fstp qword ptr ss:[ebp-0x34]
004077ED  |. |DB45 E4       fild [local.7]
004077F0  |. |DD5D C4       fstp qword ptr ss:[ebp-0x3C]
004077F3  |. |DD45 C4       fld qword ptr ss:[ebp-0x3C]
004077F6  |. |DC65 CC       fsub qword ptr ss:[ebp-0x34]
004077F9  |. |D9E4          ftst
004077FB  |. |DFE0          fstsw ax
004077FD  |. |F6C4 01       test ah,0x1
00407800  |. |74 02         je short 第七课作.00407804
00407802  |. |D9E0          fchs
00407804  |> |DC1D 63C65500 fcomp qword ptr ds:[0x55C663]
0040780A  |. |DFE0          fstsw ax
0040780C  |. |F6C4 41       test ah,0x41
0040780F  |. |0F84 F5000000 je 第七课作.0040790A                  ;  nop掉
00407815  |. |B8 3CC65500   mov eax,第七课作.0055C63C             ;  v_geta
0040781A  |. |8945 F4       mov [local.3],eax                 ;  kernel32.BaseThreadInitThunk
0040781D  |. |8D45 F4       lea eax,[local.3]
00407820  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
00407821  |. |E8 5EF3FFFF   call 第七课作.00406B84
00407826  |. |8945 F0       mov [local.4],eax                 ;  kernel32.BaseThreadInitThunk
00407829  |. |8B5D F4       mov ebx,[local.3]
0040782C  |. |85DB          test ebx,ebx
0040782E  |. |74 09         je short 第七课作.00407839
00407830  |. |53            push ebx
00407831  |. |E8 00260000   call 第七课作.00409E36
00407836  |. |83C4 04       add esp,0x4
00407839  |> |68 04000080   push 0x80000004
0040783E  |. |6A 00         push 0x0
00407840  |. |8B45 F0       mov eax,[local.4]
00407843  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00407845  |. |75 05         jnz short 第七课作.0040784C
00407847  |. |B8 3E264900   mov eax,第七课作.0049263E
0040784C  |> |50            push eax                          ;  kernel32.BaseThreadInitThunk
0040784D  |. |68 01000000   push 0x1
00407852  |. |BB F0AC4000   mov ebx,第七课作.0040ACF0
00407857  |. |E8 F2250000   call 第七课作.00409E4E
0040785C  |. |83C4 10       add esp,0x10
0040785F  |. |8945 EC       mov [local.5],eax                 ;  kernel32.BaseThreadInitThunk
00407862  |. |8B5D F0       mov ebx,[local.4]
00407865  |. |85DB          test ebx,ebx
00407867  |. |74 09         je short 第七课作.00407872
00407869  |. |53            push ebx
0040786A  |. |E8 C7250000   call 第七课作.00409E36
0040786F  |. |83C4 04       add esp,0x4
00407872  |> |B8 43C65500   mov eax,第七课作.0055C643
00407877  |. |33C9          xor ecx,ecx
00407879  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
0040787B  |. |74 03         je short 第七课作.00407880
0040787D  |. |8B48 04       mov ecx,dword ptr ds:[eax+0x4]
00407880  |> |51            push ecx
00407881  |. |83C0 08       add eax,0x8
00407884  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
00407885  |. |8B45 EC       mov eax,[local.5]
00407888  |. |33DB          xor ebx,ebx
0040788A  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
0040788C  |. |74 03         je short 第七课作.00407891
0040788E  |. |8B58 04       mov ebx,dword ptr ds:[eax+0x4]
00407891  |> |83C0 08       add eax,0x8
00407894  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
00407895  |. |3BD9          cmp ebx,ecx
00407897  |. |B8 01000000   mov eax,0x1
0040789C  |. |75 0A         jnz short 第七课作.004078A8
0040789E  |. |48            dec eax                           ;  kernel32.BaseThreadInitThunk
0040789F  |. |85C9          test ecx,ecx
004078A1  |. |74 05         je short 第七课作.004078A8
004078A3  |. |E8 ADECFFFF   call 第七课作.00406555
004078A8  |> |83C4 0C       add esp,0xC
004078AB  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
004078AD  |. |B8 00000000   mov eax,0x0
004078B2  |. |0f94c0        sete al
004078B5  |. |8945 E8       mov [local.6],eax                 ;  kernel32.BaseThreadInitThunk
004078B8  |. |8B5D EC       mov ebx,[local.5]
004078BB  |. |85DB          test ebx,ebx
004078BD  |. |74 09         je short 第七课作.004078C8
004078BF  |. |53            push ebx
004078C0  |. |E8 71250000   call 第七课作.00409E36
004078C5  |. |83C4 04       add esp,0x4
004078C8  |> |837D E8 00    cmp [local.6],0x0
004078CC  |. |0F84 38000000 je 第七课作.0040790A                  ;  nop掉
004078D2  |. |6A 00         push 0x0
004078D4  |. |6A 00         push 0x0
004078D6  |. |6A 00         push 0x0
004078D8  |. |68 04000080   push 0x80000004
004078DD  |. |6A 00         push 0x0
004078DF  |. |68 04C75500   push 第七课作.0055C704                ;  二级效验通过
004078E4  |. |68 0F000100   push 0x1000F
004078E9  |. |68 7D6B0116   push 0x16016B7D
004078EE  |. |68 2B010152   push 0x5201012B
004078F3  |. |68 03000000   push 0x3
004078F8  |. |BB E0B94000   mov ebx,第七课作.0040B9E0
004078FD  |. |E8 4C250000   call 第七课作.00409E4E
00407902  |. |83C4 28       add esp,0x28
00407905  |. |E9 39000000   jmp 第七课作.00407943
0040790A  |> \BB 06000000   mov ebx,0x6                       ;  nop掉，大跳转结束
0040790F  |.  E8 2799FFFF   call 第七课作.0040123B
00407914  |.  68 01030080   push 0x80000301
00407919  |.  6A 00         push 0x0
0040791B  |.  68 00000000   push 0x0
00407920  |.  68 04000080   push 0x80000004
00407925  |.  6A 00         push 0x0
00407927  |.  68 BDC65500   push 第七课作.0055C6BD                ;  暗桩
0040792C  |.  68 04000000   push 0x4
00407931  |.  BB 20B14000   mov ebx,第七课作.0040B120
00407936  |.  E8 13250000   call 第七课作.00409E4E
0040793B  |.  83C4 34       add esp,0x34
0040793E  |.  E9 00000000   jmp 第七课作.00407943
00407943  |>  8BE5          mov esp,ebp
00407945  |.  5D            pop ebp                           ;  kernel32.76A4336A
00407946  \.  C3            retn
00407947  /.  55            push ebp

第三个暗桩

Code

00408907  |. /0F84 2D020000 je 第七课作.00408B3A                  ;  nop掉,大跳转开始
0040890D  |. |B8 3CC65500   mov eax,第七课作.0055C63C             ;  v_geta
00408912  |. |8945 F4       mov [local.3],eax                 ;  kernel32.BaseThreadInitThunk
00408915  |. |8D45 F4       lea eax,[local.3]
00408918  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
00408919  |. |E8 1BE5FFFF   call 第七课作.00406E39
0040891E  |. |8B5D F4       mov ebx,[local.3]
00408921  |. |85DB          test ebx,ebx
00408923  |. |74 09         je short 第七课作.0040892E
00408925  |. |53            push ebx
00408926  |. |E8 0B150000   call 第七课作.00409E36
0040892B  |. |83C4 04       add esp,0x4
0040892E  |> |68 01030080   push 0x80000301
00408933  |. |6A 00         push 0x0
00408935  |. |FF75 FC       push [local.1]
00408938  |. |68 01000000   push 0x1
0040893D  |. |BB 10B04000   mov ebx,第七课作.0040B010
00408942  |. |E8 07150000   call 第七课作.00409E4E
00408947  |. |83C4 10       add esp,0x10
0040894A  |. |8945 F4       mov [local.3],eax                 ;  kernel32.BaseThreadInitThunk
0040894D  |. |68 01030080   push 0x80000301
00408952  |. |6A 00         push 0x0
00408954  |. |FF75 F8       push [local.2]                    ;  kernel32.76A4336A
00408957  |. |68 01000000   push 0x1
0040895C  |. |BB 10B04000   mov ebx,第七课作.0040B010
00408961  |. |E8 E8140000   call 第七课作.00409E4E
00408966  |. |83C4 10       add esp,0x10
00408969  |. |8945 F0       mov [local.4],eax                 ;  kernel32.BaseThreadInitThunk
0040896C  |. |FF75 F0       push [local.4]
0040896F  |. |68 12C65500   push 第七课作.0055C612                ;  ,
00408974  |. |FF75 F4       push [local.3]
00408977  |. |68 5BC65500   push 第七课作.0055C65B                ;  v_getb,
0040897C  |. |B9 04000000   mov ecx,0x4
00408981  |. |E8 F0CCFFFF   call 第七课作.00405676
00408986  |. |83C4 10       add esp,0x10
00408989  |. |8945 EC       mov [local.5],eax                 ;  kernel32.BaseThreadInitThunk
0040898C  |. |8B5D F4       mov ebx,[local.3]
0040898F  |. |85DB          test ebx,ebx
00408991  |. |74 09         je short 第七课作.0040899C
00408993  |. |53            push ebx
00408994  |. |E8 9D140000   call 第七课作.00409E36
00408999  |. |83C4 04       add esp,0x4
0040899C  |> |8B5D F0       mov ebx,[local.4]
0040899F  |. |85DB          test ebx,ebx
004089A1  |. |74 09         je short 第七课作.004089AC
004089A3  |. |53            push ebx
004089A4  |. |E8 8D140000   call 第七课作.00409E36
004089A9  |. |83C4 04       add esp,0x4
004089AC  |> |8D45 EC       lea eax,[local.5]
004089AF  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
004089B0  |. |E8 CFE1FFFF   call 第七课作.00406B84
004089B5  |. |8945 E8       mov [local.6],eax                 ;  kernel32.BaseThreadInitThunk
004089B8  |. |8B5D EC       mov ebx,[local.5]
004089BB  |. |85DB          test ebx,ebx
004089BD  |. |74 09         je short 第七课作.004089C8
004089BF  |. |53            push ebx
004089C0  |. |E8 71140000   call 第七课作.00409E36
004089C5  |. |83C4 04       add esp,0x4
004089C8  |> |68 04000080   push 0x80000004
004089CD  |. |6A 00         push 0x0
004089CF  |. |8B45 E8       mov eax,[local.6]
004089D2  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
004089D4  |. |75 05         jnz short 第七课作.004089DB
004089D6  |. |B8 3E264900   mov eax,第七课作.0049263E
004089DB  |> |50            push eax                          ;  kernel32.BaseThreadInitThunk
004089DC  |. |68 01000000   push 0x1
004089E1  |. |BB 50A64000   mov ebx,第七课作.0040A650
004089E6  |. |E8 63140000   call 第七课作.00409E4E
004089EB  |. |83C4 10       add esp,0x10
004089EE  |. |8945 E4       mov [local.7],eax                 ;  kernel32.BaseThreadInitThunk
004089F1  |. |8B5D E8       mov ebx,[local.6]
004089F4  |. |85DB          test ebx,ebx
004089F6  |. |74 09         je short 第七课作.00408A01
004089F8  |. |53            push ebx
004089F9  |. |E8 38140000   call 第七课作.00409E36
004089FE  |. |83C4 04       add esp,0x4
00408A01  |> |DB45 FC       fild [local.1]
00408A04  |. |DD5D DC       fstp qword ptr ss:[ebp-0x24]
00408A07  |. |DD45 DC       fld qword ptr ss:[ebp-0x24]
00408A0A  |. |DB45 F8       fild [local.2]
00408A0D  |. |DD5D D4       fstp qword ptr ss:[ebp-0x2C]
00408A10  |. |DC45 D4       fadd qword ptr ss:[ebp-0x2C]
00408A13  |. |DD5D CC       fstp qword ptr ss:[ebp-0x34]
00408A16  |. |DB45 E4       fild [local.7]
00408A19  |. |DD5D C4       fstp qword ptr ss:[ebp-0x3C]
00408A1C  |. |DD45 C4       fld qword ptr ss:[ebp-0x3C]
00408A1F  |. |DC65 CC       fsub qword ptr ss:[ebp-0x34]
00408A22  |. |D9E4          ftst
00408A24  |. |DFE0          fstsw ax
00408A26  |. |F6C4 01       test ah,0x1
00408A29  |. |74 02         je short 第七课作.00408A2D
00408A2B  |. |D9E0          fchs
00408A2D  |> |DC1D 63C65500 fcomp qword ptr ds:[0x55C663]
00408A33  |. |DFE0          fstsw ax
00408A35  |. |F6C4 41       test ah,0x41
00408A38  |. |0F84 FC000000 je 第七课作.00408B3A                  ;  nop掉
00408A3E  |. |B8 3CC65500   mov eax,第七课作.0055C63C             ;  v_geta
00408A43  |. |8945 F4       mov [local.3],eax                 ;  kernel32.BaseThreadInitThunk
00408A46  |. |8D45 F4       lea eax,[local.3]
00408A49  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
00408A4A  |. |E8 35E1FFFF   call 第七课作.00406B84
00408A4F  |. |8945 F0       mov [local.4],eax                 ;  kernel32.BaseThreadInitThunk
00408A52  |. |8B5D F4       mov ebx,[local.3]
00408A55  |. |85DB          test ebx,ebx
00408A57  |. |74 09         je short 第七课作.00408A62
00408A59  |. |53            push ebx
00408A5A  |. |E8 D7130000   call 第七课作.00409E36
00408A5F  |. |83C4 04       add esp,0x4
00408A62  |> |68 04000080   push 0x80000004
00408A67  |. |6A 00         push 0x0
00408A69  |. |8B45 F0       mov eax,[local.4]
00408A6C  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00408A6E  |. |75 05         jnz short 第七课作.00408A75
00408A70  |. |B8 3E264900   mov eax,第七课作.0049263E
00408A75  |> |50            push eax                          ;  kernel32.BaseThreadInitThunk
00408A76  |. |68 01000000   push 0x1
00408A7B  |. |BB F0AC4000   mov ebx,第七课作.0040ACF0
00408A80  |. |E8 C9130000   call 第七课作.00409E4E
00408A85  |. |83C4 10       add esp,0x10
00408A88  |. |8945 EC       mov [local.5],eax                 ;  kernel32.BaseThreadInitThunk
00408A8B  |. |8B5D F0       mov ebx,[local.4]
00408A8E  |. |85DB          test ebx,ebx
00408A90  |. |74 09         je short 第七课作.00408A9B
00408A92  |. |53            push ebx
00408A93  |. |E8 9E130000   call 第七课作.00409E36
00408A98  |. |83C4 04       add esp,0x4
00408A9B  |> |B8 43C65500   mov eax,第七课作.0055C643
00408AA0  |. |33C9          xor ecx,ecx
00408AA2  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00408AA4  |. |74 03         je short 第七课作.00408AA9
00408AA6  |. |8B48 04       mov ecx,dword ptr ds:[eax+0x4]
00408AA9  |> |51            push ecx
00408AAA  |. |83C0 08       add eax,0x8
00408AAD  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
00408AAE  |. |8B45 EC       mov eax,[local.5]
00408AB1  |. |33DB          xor ebx,ebx
00408AB3  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00408AB5  |. |74 03         je short 第七课作.00408ABA
00408AB7  |. |8B58 04       mov ebx,dword ptr ds:[eax+0x4]
00408ABA  |> |83C0 08       add eax,0x8
00408ABD  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
00408ABE  |. |3BD9          cmp ebx,ecx
00408AC0  |. |B8 01000000   mov eax,0x1
00408AC5  |. |75 0A         jnz short 第七课作.00408AD1
00408AC7  |. |48            dec eax                           ;  kernel32.BaseThreadInitThunk
00408AC8  |. |85C9          test ecx,ecx
00408ACA  |. |74 05         je short 第七课作.00408AD1
00408ACC  |. |E8 84DAFFFF   call 第七课作.00406555
00408AD1  |> |83C4 0C       add esp,0xC
00408AD4  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00408AD6  |. |B8 00000000   mov eax,0x0
00408ADB  |. |0f94c0        sete al
00408ADE  |. |8945 E8       mov [local.6],eax                 ;  kernel32.BaseThreadInitThunk
00408AE1  |. |8B5D EC       mov ebx,[local.5]
00408AE4  |. |85DB          test ebx,ebx
00408AE6  |. |74 09         je short 第七课作.00408AF1
00408AE8  |. |53            push ebx
00408AE9  |. |E8 48130000   call 第七课作.00409E36
00408AEE  |. |83C4 04       add esp,0x4
00408AF1  |> |837D E8 00    cmp [local.6],0x0
00408AF5  |. |0F84 3F000000 je 第七课作.00408B3A                  ;  nop掉
00408AFB  |. |6A 00         push 0x0
00408AFD  |. |68 00000000   push 0x0
00408B02  |. |6A FF         push -0x1
00408B04  |. |6A 06         push 0x6
00408B06  |. |68 7C6B0116   push 0x16016B7C
00408B0B  |. |68 2B010152   push 0x5201012B
00408B10  |. |E8 2D130000   call 第七课作.00409E42
00408B15  |. |83C4 18       add esp,0x18
00408B18  |. |6A 00         push 0x0
00408B1A  |. |68 00000000   push 0x0
00408B1F  |. |6A FF         push -0x1
00408B21  |. |6A 06         push 0x6
00408B23  |. |68 7B6B0116   push 0x16016B7B
00408B28  |. |68 2B010152   push 0x5201012B
00408B2D  |. |E8 10130000   call 第七课作.00409E42
00408B32  |. |83C4 18       add esp,0x18
00408B35  |. |E9 39000000   jmp 第七课作.00408B73
00408B3A  |> \BB 06000000   mov ebx,0x6                       ;  nop掉，大跳转结束
00408B3F  |.  E8 F786FFFF   call 第七课作.0040123B
00408B44  |.  68 01030080   push 0x80000301
00408B49  |.  6A 00         push 0x0
00408B4B  |.  68 00000000   push 0x0
00408B50  |.  68 04000080   push 0x80000004
00408B55  |.  6A 00         push 0x0
00408B57  |.  68 BDC65500   push 第七课作.0055C6BD                ;  暗桩
00408B5C  |.  68 04000000   push 0x4
00408B61  |.  BB 20B14000   mov ebx,第七课作.0040B120
00408B66  |.  E8 E3120000   call 第七课作.00409E4E
00408B6B  |.  83C4 34       add esp,0x34
00408B6E  |.  E9 00000000   jmp 第七课作.00408B73
00408B73  |>  8BE5          mov esp,ebp
00408B75  |.  5D            pop ebp                           ;  kernel32.76A4336A
00408B76  \.  C3            retn

第四个暗桩

Code

0040946A  |. /0F84 84010000 je 第七课作.004095F4                  ;  nop掉，大跳转开始
00409470  |. |68 02000000   push 0x2
00409475  |. |E8 C3DAFFFF   call 第七课作.00406F3D
0040947A  |. |8945 FC       mov [local.1],eax                 ;  kernel32.BaseThreadInitThunk
0040947D  |. |68 04000080   push 0x80000004
00409482  |. |6A 00         push 0x0
00409484  |. |8B45 FC       mov eax,[local.1]
00409487  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00409489  |. |75 05         jnz short 第七课作.00409490
0040948B  |. |B8 3E264900   mov eax,第七课作.0049263E
00409490  |> |50            push eax                          ;  kernel32.BaseThreadInitThunk
00409491  |. |68 01000000   push 0x1
00409496  |. |BB F0AC4000   mov ebx,第七课作.0040ACF0
0040949B  |. |E8 AE090000   call 第七课作.00409E4E
004094A0  |. |83C4 10       add esp,0x10
004094A3  |. |8945 F8       mov [local.2],eax                 ;  kernel32.BaseThreadInitThunk
004094A6  |. |8B5D FC       mov ebx,[local.1]
004094A9  |. |85DB          test ebx,ebx
004094AB  |. |74 09         je short 第七课作.004094B6
004094AD  |. |53            push ebx
004094AE  |. |E8 83090000   call 第七课作.00409E36
004094B3  |. |83C4 04       add esp,0x4
004094B6  |> |B8 7EC65500   mov eax,第七课作.0055C67E
004094BB  |. |33C9          xor ecx,ecx
004094BD  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
004094BF  |. |74 03         je short 第七课作.004094C4
004094C1  |. |8B48 04       mov ecx,dword ptr ds:[eax+0x4]
004094C4  |> |51            push ecx
004094C5  |. |83C0 08       add eax,0x8
004094C8  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
004094C9  |. |8B45 F8       mov eax,[local.2]                 ;  kernel32.76A4336A
004094CC  |. |33DB          xor ebx,ebx
004094CE  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
004094D0  |. |74 03         je short 第七课作.004094D5
004094D2  |. |8B58 04       mov ebx,dword ptr ds:[eax+0x4]
004094D5  |> |83C0 08       add eax,0x8
004094D8  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
004094D9  |. |3BD9          cmp ebx,ecx
004094DB  |. |B8 01000000   mov eax,0x1
004094E0  |. |75 0A         jnz short 第七课作.004094EC
004094E2  |. |48            dec eax                           ;  kernel32.BaseThreadInitThunk
004094E3  |. |85C9          test ecx,ecx
004094E5  |. |74 05         je short 第七课作.004094EC
004094E7  |. |E8 69D0FFFF   call 第七课作.00406555
004094EC  |> |83C4 0C       add esp,0xC
004094EF  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
004094F1  |. |B8 00000000   mov eax,0x0
004094F6  |. |0f94c0        sete al
004094F9  |. |8945 F4       mov [local.3],eax                 ;  kernel32.BaseThreadInitThunk
004094FC  |. |8B5D F8       mov ebx,[local.2]                 ;  kernel32.76A4336A
004094FF  |. |85DB          test ebx,ebx
00409501  |. |74 09         je short 第七课作.0040950C
00409503  |. |53            push ebx
00409504  |. |E8 2D090000   call 第七课作.00409E36
00409509  |. |83C4 04       add esp,0x4
0040950C  |> |837D F4 00    cmp [local.3],0x0
00409510  |. |0F84 DE000000 je 第七课作.004095F4                  ;  nop掉
00409516  |. |68 0F000000   push 0xF
0040951B  |. |E8 1DDAFFFF   call 第七课作.00406F3D
00409520  |. |8945 FC       mov [local.1],eax                 ;  kernel32.BaseThreadInitThunk
00409523  |. |68 04000080   push 0x80000004
00409528  |. |6A 00         push 0x0
0040952A  |. |8B45 FC       mov eax,[local.1]
0040952D  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
0040952F  |. |75 05         jnz short 第七课作.00409536
00409531  |. |B8 3E264900   mov eax,第七课作.0049263E
00409536  |> |50            push eax                          ;  kernel32.BaseThreadInitThunk
00409537  |. |68 01000000   push 0x1
0040953C  |. |BB F0AC4000   mov ebx,第七课作.0040ACF0
00409541  |. |E8 08090000   call 第七课作.00409E4E
00409546  |. |83C4 10       add esp,0x10
00409549  |. |8945 F8       mov [local.2],eax                 ;  kernel32.BaseThreadInitThunk
0040954C  |. |8B5D FC       mov ebx,[local.1]
0040954F  |. |85DB          test ebx,ebx
00409551  |. |74 09         je short 第七课作.0040955C
00409553  |. |53            push ebx
00409554  |. |E8 DD080000   call 第七课作.00409E36
00409559  |. |83C4 04       add esp,0x4
0040955C  |> |B8 91C65500   mov eax,第七课作.0055C691
00409561  |. |33C9          xor ecx,ecx
00409563  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00409565  |. |74 03         je short 第七课作.0040956A
00409567  |. |8B48 04       mov ecx,dword ptr ds:[eax+0x4]
0040956A  |> |51            push ecx
0040956B  |. |83C0 08       add eax,0x8
0040956E  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
0040956F  |. |8B45 F8       mov eax,[local.2]                 ;  kernel32.76A4336A
00409572  |. |33DB          xor ebx,ebx
00409574  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00409576  |. |74 03         je short 第七课作.0040957B
00409578  |. |8B58 04       mov ebx,dword ptr ds:[eax+0x4]
0040957B  |> |83C0 08       add eax,0x8
0040957E  |. |50            push eax                          ;  kernel32.BaseThreadInitThunk
0040957F  |. |3BD9          cmp ebx,ecx
00409581  |. |B8 01000000   mov eax,0x1
00409586  |. |75 0A         jnz short 第七课作.00409592
00409588  |. |48            dec eax                           ;  kernel32.BaseThreadInitThunk
00409589  |. |85C9          test ecx,ecx
0040958B  |. |74 05         je short 第七课作.00409592
0040958D  |. |E8 C3CFFFFF   call 第七课作.00406555
00409592  |> |83C4 0C       add esp,0xC
00409595  |. |85C0          test eax,eax                      ;  kernel32.BaseThreadInitThunk
00409597  |. |B8 00000000   mov eax,0x0
0040959C  |. |0f94c0        sete al
0040959F  |. |8945 F4       mov [local.3],eax                 ;  kernel32.BaseThreadInitThunk
004095A2  |. |8B5D F8       mov ebx,[local.2]                 ;  kernel32.76A4336A
004095A5  |. |85DB          test ebx,ebx
004095A7  |. |74 09         je short 第七课作.004095B2
004095A9  |. |53            push ebx
004095AA  |. |E8 87080000   call 第七课作.00409E36
004095AF  |. |83C4 04       add esp,0x4
004095B2  |> |837D F4 00    cmp [local.3],0x0
004095B6  |. |0F84 38000000 je 第七课作.004095F4                  ;  nop掉
004095BC  |. |6A 00         push 0x0
004095BE  |. |6A 00         push 0x0
004095C0  |. |6A 00         push 0x0
004095C2  |. |68 04000080   push 0x80000004
004095C7  |. |6A 00         push 0x0
004095C9  |. |68 AFD15500   push 第七课作.0055D1AF                ;  一级效验通过
004095CE  |. |68 0F000100   push 0x1000F
004095D3  |. |68 7D6B0116   push 0x16016B7D
004095D8  |. |68 2B010152   push 0x5201012B
004095DD  |. |68 03000000   push 0x3
004095E2  |. |BB E0B94000   mov ebx,第七课作.0040B9E0
004095E7  |. |E8 62080000   call 第七课作.00409E4E
004095EC  |. |83C4 28       add esp,0x28
004095EF  |. |E9 39000000   jmp 第七课作.0040962D
004095F4  |> \BB 06000000   mov ebx,0x6                       ;  nop掉，大跳转结束
004095F9  |.  E8 3D7CFFFF   call 第七课作.0040123B
004095FE  |.  68 01030080   push 0x80000301
00409603  |.  6A 00         push 0x0
00409605  |.  68 00000000   push 0x0
0040960A  |.  68 04000080   push 0x80000004
0040960F  |.  6A 00         push 0x0
00409611  |.  68 BDC65500   push 第七课作.0055C6BD                ;  暗桩
00409616  |.  68 04000000   push 0x4
0040961B  |.  BB 20B14000   mov ebx,第七课作.0040B120
00409620  |.  E8 29080000   call 第七课作.00409E4E
00409625  |.  83C4 34       add esp,0x34
00409628  |.  E9 00000000   jmp 第七课作.0040962D
0040962D  |>  8BE5          mov esp,ebp
0040962F  |.  5D            pop ebp                           ;  kernel32.76A4336A
00409630  \.  C3            retn

运行起来

完美