; Debugger disassembly of a packer stub: address, raw bytes, decoded instruction.
; Junk bytes are interleaved with short jumps that land in the MIDDLE of the
; instructions shown by the linear disassembly, so many lines below are decoding
; artifacts, not executed code. The "executes as" notes were decoded by hand from
; the hex column; confirm them by re-disassembling at each jump target.
;
; Executed path as decoded from the bytes:
;   ECX = ESI; ESI += 4
;   outer (00407087): EAX = [ESI] + ESI; EDX = [ESI+4]
;   inner (004070A5): [EAX] -= 24B9E238; EAX += 4; EDX -= 1; repeat while EDX != 0
;   ESI += 8; [ECX] -= 1; repeat outer while [ECX] != 0
;   CALL 00407103; POPAD; JMP 00403DCE
; NOTE(review): this looks like a table-driven dword decryption loop, with [ECX] as
; the block count and {offset, dword count} pairs following it. The table contents
; are not visible here, so verify in the debugger.
00407079 8BCE MOV ECX,ESI ; keep the original ESI; [ECX] is decremented at 004070D9
0040707B EB 03 JMP SHORT 0.00407080 ; target is inside the TEST shown at 0040707F
0040707D E2 6B LOOPD SHORT 0.004070EA ; junk, skipped by the jump above
0040707F A9 83C604EB TEST EAX,EB04C683 ; artifact; from 00407080 executes as 83C604 ADD ESI,4 then EB 02 JMP 00407087
00407084 0262 86 ADD AH,BYTE PTR DS:[EDX-7A] ; artifact; 02 is the JMP displacement, 62 86 are junk
00407087 8B06 MOV EAX,DWORD PTR DS:[ESI] ; outer loop entry: load first dword of the current entry
00407089 EB 09 JMP SHORT 0.00407094 ; skips junk bytes 0040708B-00407093
0040708B 16 PUSH SS ; junk, never executed
0040708C 39C7 CMP EDI,EAX ; junk, never executed
0040708E - E9 1120D3C8 JMP C91390A4 ; junk, never executed (bogus far-away target)
00407093 AE SCAS BYTE PTR ES:[EDI] ; junk, never executed
00407094 03C6 ADD EAX,ESI ; EAX = [ESI] + ESI, the pointer written through at 004070A5
00407096 F8 CLC ; forces CF=0 so the JNB below is always taken
00407097 73 04 JNB SHORT 0.0040709D ; always-taken conditional; target is inside the ADC shown at 00407099
00407099 10AB C2B88B56 ADC BYTE PTR DS:[EBX+568BB8C2],CH ; artifact; from 0040709D executes as 8B5604 MOV EDX,[ESI+4]
0040709F 04 EB ADD AL,0EB ; artifact; 04 ends the MOV above, EB at 004070A0 starts JMP SHORT 004070A5
004070A1 035B 55 ADD EBX,DWORD PTR DS:[EBX+55] ; artifact; 03 is the JMP displacement, 5B 55 are junk
004070A4 5B POP EBX ; junk, never executed
004070A5 8128 38E2B924 SUB DWORD PTR DS:[EAX],24B9E238 ; inner loop body: subtract the constant from the dword at EAX
004070AB EB 02 JMP SHORT 0.004070AF ; target is inside the BOUND shown at 004070AD
004070AD 6235 83C004EB BOUND ESI,QWORD PTR DS:[EB04C083] ; artifact; from 004070AF executes as 83C004 ADD EAX,4 then EB 09 JMP 004070BD
004070B3 098B 5633CCA0 OR DWORD PTR DS:[EBX+A0CC3356],ECX ; artifact; 09 is the JMP displacement, the rest is junk
004070B9 BC 51C40A83 MOV ESP,830AC451 ; artifact; its last byte (83 at 004070BD) starts the real instruction
004070BE EA 01F97205 756>JMP FAR 6675:0572F901 ; artifact; from 004070BD executes as 83EA01 SUB EDX,1; F9 STC; 7205 JB 004070C8 (always taken)
004070C5 48 DEC EAX ; junk, never executed
004070C6 B5 A1 MOV CH,0A1 ; junk, never executed
004070C8 ^ 0F85 D2FFFFFF JNZ 0.004070A0 ; inner loop back-edge; ZF still comes from SUB EDX,1 (STC/JB leave it alone); 004070A0 is the JMP to 004070A5
004070CE EB 02 JMP SHORT 0.004070D2 ; target is inside the MOV shown at 004070D0
004070D0 65:BA 83C608EB MOV EDX,EB08C683 ; artifact; from 004070D2 executes as 83C608 ADD ESI,8 then EB 02 JMP 004070D9
004070D6 0230 ADD DH,BYTE PTR DS:[EAX] ; artifact; 02 is the JMP displacement, 30 is junk
004070D8 6D INS DWORD PTR ES:[EDI],DX ; junk, never executed
004070D9 8329 01 SUB DWORD PTR DS:[ECX],1 ; decrement the counter at the address saved in ECX
004070DC EB 02 JMP SHORT 0.004070E0 ; target is inside the JBE shown at 004070DF
004070DE AE SCAS BYTE PTR ES:[EDI] ; junk, never executed
004070DF 76 0F JBE SHORT 0.004070F0 ; artifact; 0F at 004070E0 is the first byte of the real JNZ
004070E1 859D FFFFFFF9 TEST DWORD PTR SS:[EBP+F9FFFFFF],EBX ; artifact; from 004070E0 executes as 0F85 9DFFFFFF JNZ 00407083 (outer back-edge), then F9 STC
004070E7 EB 01 JMP SHORT 0.004070EA ; skips the junk byte at 004070E9
004070E9 55 PUSH EBP ; junk, never executed
004070EA 8BDE MOV EBX,ESI ; EBX = ESI after the loop; use not visible in this listing
004070EC EB 02 JMP SHORT 0.004070F0 ; skips junk bytes 004070EE-004070EF
004070EE F1 INT1 ; junk, never executed
004070EF CE INTO ; junk, never executed
004070F0 E8 0E000000 CALL 0.00407103 ; callee is outside this listing; its behavior cannot be stated from here
004070F5 EB 02 JMP SHORT 0.004070F9 ; skips junk bytes 004070F7-004070F8
004070F7 2C ED SUB AL,0ED ; junk, never executed
004070F9 61 POPAD ; An obvious stack-pop signature: the saved registers are restored just before control leaves the stub.
004070FA F8 CLC
004070FB EB 01 JMP SHORT 0.004070FE ; skips the junk byte at 004070FD
004070FD 54 PUSH ESP ; junk, never executed
004070FE - E9 CBCCFFFF JMP 0.00403DCE ; This instruction is where the third packer layer ends; it is a long jump across sections.


