; Debugger listing (address, opcode bytes, disassembly). Immediates are shown in
; hexadecimal without a prefix (26FE = 0x26FE, 20003 = 0x20003). This fragment
; precedes the end of the second-layer stub; the context between it and the next
; fragment is elided at the "." lines.
00409729 53 PUSH EBX ; first of five pushes (EBX, 26FE, ESI, EBX+4, EAX); presumably arguments for a call that lies outside this excerpt - confirm
0040972A 68 FE260000 PUSH 26FE ; opcode bytes FE 26 00 00 are little-endian 0x000026FE
0040972F 56 PUSH ESI
00409730 83C3 04 ADD EBX,4 ; EBX += 4; the adjusted pointer is pushed next and then written through below
00409733 53 PUSH EBX
00409734 50 PUSH EAX
00409735 C703 03000200 MOV DWORD PTR DS:[EBX],20003 ; *(DWORD *)EBX = 0x00020003 (bytes 03 00 02 00 little-endian); stores into the address that was just pushed
.
.
.
; End of the second-layer stub: zero the 80h bytes just below the stack pointer,
; restore ESP, then jump to the third layer. The "^" in front of the opcode bytes
; is the debugger's backward-jump marker, not part of the instruction.
0040A28E 8D4424 80 LEA EAX,DWORD PTR SS:[ESP-80] ; Execution stops here after running; use the [HD] command to remove the hardware breakpoint. EAX = ESP - 80h (LEA only computes the address, no memory access)
0040A292 6A 00 PUSH 0 ; loop body: ESP -= 4, [ESP] = 0
0040A294 39C4 CMP ESP,EAX
0040A296 ^ 75 FA JNZ SHORT 0.0040A292 ; repeat until ESP == original ESP - 80h, i.e. 32 zero dwords written to [ESP-80h, ESP)
0040A298 83EC 80 SUB ESP,-80 ; ESP += 80h: stack pointer back to its value before the loop; the zeroed area now lies below ESP (presumably scrubbing leftover data before the handoff - confirm)
0040A29B ^ E9 8CCDFFFF JMP 0.0040702C ; This line is where the second-layer shell ends; it is a big cross-section jump (to the third-layer entry at 0040702C)
0040A2A0 0000 ADD BYTE PTR DS:[EAX],AL ; not code: 00 00 filler bytes after the JMP, decoded linearly by the disassembler
0040A2A2 0000 ADD BYTE PTR DS:[EAX],AL ; filler (00 00)
0040A2A4 0000 ADD BYTE PTR DS:[EAX],AL ; filler (00 00)
0040A2A6 0000 ADD BYTE PTR DS:[EAX],AL ; filler (00 00)
0040A2A8 0000 ADD BYTE PTR DS:[EAX],AL ; filler (00 00)
0040A2AA 0000 ADD BYTE PTR DS:[EAX],AL ; filler (00 00)
脱第三层壳:(未知壳)
; Third-layer entry. Most of this listing is NOT what executes: STC sets CF, so
; the JB at 0040702D is unconditional and lands at 00407034, in the middle of
; the 6-byte ADC on the line after it. The disassembler decoded linearly from
; 0040702F and therefore shows junk bytes as instructions. Re-decoding the
; opcode bytes shown in this listing from each real jump target gives the
; stream that actually runs (addresses and bytes taken from the lines below):
;   0040702C F9             STC
;   0040702D 72 05          JB   00407034          ; always taken (CF = 1)
;   00407034 60             PUSHAD                 ; the "60" inside the ADC line
;   00407035 72 08          JB   0040703F          ; CF still set, always taken
;   0040703F E8 08000000    CALL 0040704C          ; pushes return address 00407044
;   0040704C 5E             POP  ESI               ; ESI = 00407044 (call/pop self-locate)
;   0040704D EB 04          JMP  00407053
;   00407053 81C6 BCFFFFFF  ADD  ESI,-44           ; ESI = 00407044 - 44h = 00407000
;   00407059 EB 09          JMP  00407064
;   00407064 833E 00        CMP  DWORD PTR [ESI],0
;   00407067 EB 02          JMP  0040706B
;   0040706B 0F84 84000000  JE   004070F5          ; taken when [ESI] == 0
;   00407071 F9             STC
;   00407072 EB 05          JMP  00407079          ; continues past this excerpt
; Lines marked "junk" below are skipped bytes or misaligned decodings; the
; "/" and "|" characters are the debugger's jump-scope markers.
0040702C F9 STC ; Third-layer shell entry. CF = 1, so the next JB is always taken
0040702D /72 05 JB SHORT 0.00407034 ; always taken; the target 00407034 is inside the ADC two lines down
0040702F |3C 91 CMP AL,91 ; junk: bytes 3C 91 are skipped by the JB above
00407031 |1105 02607208 ADC DWORD PTR DS:[8726002],EAX ; junk decoding: bytes 11 05 02 skipped; its last three bytes 60 72 08 at 00407034 are the real PUSHAD and JB SHORT 0040703F
00407037 48 DEC EAX ; junk: skipped by the JB at 00407035 (lands on 0040703F)
00407038 95 XCHG EAX,EBP ; junk: skipped
00407039 0E PUSH CS ; junk: skipped
0040703A 71 0F JNO SHORT 0.0040704B ; junk: skipped
0040703C 53 PUSH EBX ; junk: skipped
0040703D E0 17 LOOPDNE SHORT 0.00407056 ; junk: skipped
0040703F E8 08000000 CALL 0.0040704C ; real (aligned): pushes 00407044 and lands on the 5E byte at 0040704C - call/pop self-location
00407044 D7 XLAT BYTE PTR DS:[EBX+AL] ; junk: 00407044 is only used as the pushed return address, never executed
00407045 27 DAA ; junk: skipped
00407046 0FFDB6 B1413D5E PADDW MM6,QWORD PTR DS:[ESI+5E3D41B1] ; junk decoding: bytes 0F FD B6 B1 41 3D skipped; its last byte 5E at 0040704C is the real POP ESI (ESI = 00407044)
0040704D EB 04 JMP SHORT 0.00407053 ; real: 00407053 is inside the SBB on the next line
0040704F 1A96 3BAC81C6 SBB DL,BYTE PTR DS:[ESI+C681AC3B] ; junk decoding: bytes 1A 96 3B AC skipped; its last two bytes 81 C6 at 00407053 begin ADD ESI,imm32
00407055 BC FFFFFFEB MOV ESP,EBFFFFFF ; junk decoding: BC FF FF FF is the imm32 of that ADD (-44h, so ESI = 00407000); the trailing EB at 00407059 starts JMP SHORT 00407064 (EB 09). If this MOV ESP really ran it would destroy the stack; it does not
0040705A 0957 36 OR DWORD PTR DS:[EDI+36],EDX ; junk decoding: the 09 is that JMP's displacement; 57 36 are skipped
0040705D 40 INC EAX ; junk: skipped
0040705E 23A7 FE03CB19 AND ESP,DWORD PTR DS:[EDI+19CB03FE] ; junk: skipped; the JMP lands on 00407064
00407064 833E 00 CMP DWORD PTR DS:[ESI],0 ; real (listing is aligned again): ESI = 00407000, presumably the base of this layer's region - confirm against the section map
00407067 EB 02 JMP SHORT 0.0040706B ; real: 0040706B is inside the OR two lines down
00407069 91 XCHG EAX,ECX ; junk: skipped
0040706A 810F 84840000 OR DWORD PTR DS:[EDI],8484 ; junk decoding: byte 81 skipped; bytes 0F 84 84 00 00 (plus the 00 on the next line) at 0040706B are JE 004070F5, using ZF from the CMP above
00407070 00F9 ADD CL,BH ; junk decoding: the 00 is the JE's last displacement byte; F9 at 00407071 is a real STC (CF = 1)
00407072 EB 05 JMP SHORT 0.00407079 ; real: continues at 00407079, past this excerpt
00407074 0067 1C ADD BYTE PTR DS:[EDI+1C],AH ; junk: skipped by the JMP above
00407077 77 67 JA SHORT 0.004070E0 ; junk: skipped


