00407103 C3 RETN
脱壳完毕:(Microsoft Visual C++ 6.0 [Overlay])
; Startup code at the original entry point (OEP) of the unpacked program, as shown by the debugger.
; Columns: address, raw bytes, instruction (32-bit x86, Intel operand order).
; A '>' in the bytes column marks an encoding the debugger truncated for display.
; The "0." prefix on addresses appears to be the debugger's module-name prefix (TODO confirm).
; The calls into msvcrt below (__set_app_type, __p__fmode, __p__commode, __setusermatherr,
; _initterm) are the sequence an analyst can use to confirm that this is the real entry
; point and not more packer code.
; NOTE: the listing stops mid-function; the last lines build arguments for a call that is not shown.
00403DCE 55 PUSH EBP ; This is the program's real entry point (OEP); dump the process here and repair the import table.
00403DCF 8BEC MOV EBP,ESP ; standard EBP frame
; --- Install a structured-exception-handling (SEH) frame ---
00403DD1 6A FF PUSH -1 ; presumably the initial try-level slot of the frame (TODO confirm)
00403DD3 68 80514000 PUSH 0.00405180 ; presumably the scope table for this frame (TODO confirm)
00403DD8 68 543F4000 PUSH 0.00403F54 ; handler address: a thunk that JMPs to msvcrt._except_handler3
00403DDD 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] ; EAX = current head of the thread's SEH chain
00403DE3 50 PUSH EAX ; link the previous registration record
00403DE4 64:8925 0000000>MOV DWORD PTR FS:[0],ESP ; the new record becomes the head of the chain
00403DEB 83EC 68 SUB ESP,68 ; reserve 0x68 bytes of locals
00403DEE 53 PUSH EBX ; save EBX, ESI, EDI
00403DEF 56 PUSH ESI
00403DF0 57 PUSH EDI
00403DF1 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP ; remember ESP in the frame (presumably for unwinding - TODO confirm)
00403DF4 33DB XOR EBX,EBX ; EBX = 0, reused below as a zero constant
00403DF6 895D FC MOV DWORD PTR SS:[EBP-4],EBX ; overwrite the -1 pushed above with 0
; --- C runtime initialisation through msvcrt imports ---
00403DF9 6A 02 PUSH 2 ; argument 2 (_GUI_APP in the MSVC headers)
00403DFB FF15 FC404000 CALL DWORD PTR DS:[4040FC] ; msvcrt.__set_app_type
00403E01 59 POP ECX ; drop the one argument (caller cleans the stack)
00403E02 830D C8664000 F>OR DWORD PTR DS:[4066C8],FFFFFFFF ; set global at 4066C8 to -1
00403E09 830D CC664000 F>OR DWORD PTR DS:[4066CC],FFFFFFFF ; set global at 4066CC to -1
00403E10 FF15 F8404000 CALL DWORD PTR DS:[4040F8] ; msvcrt.__p__fmode, EAX = pointer to the runtime's _fmode
00403E16 8B0D C0664000 MOV ECX,DWORD PTR DS:[4066C0] ; program's own value from 4066C0
00403E1C 8908 MOV DWORD PTR DS:[EAX],ECX ; store it through the returned pointer
00403E1E FF15 F4404000 CALL DWORD PTR DS:[4040F4] ; msvcrt.__p__commode, EAX = pointer to the runtime's _commode
00403E24 8B0D BC664000 MOV ECX,DWORD PTR DS:[4066BC] ; program's own value from 4066BC
00403E2A 8908 MOV DWORD PTR DS:[EAX],ECX ; store it through the returned pointer
00403E2C A1 F0404000 MOV EAX,DWORD PTR DS:[4040F0] ; pointer read from slot 4040F0 (adjacent to the import slots above; which import is not shown)
00403E31 8B00 MOV EAX,DWORD PTR DS:[EAX] ; dereference it
00403E33 A3 C4664000 MOV DWORD PTR DS:[4066C4],EAX ; keep a local copy at 4066C4
00403E38 E8 16010000 CALL 0.00403F53 ; local routine, body not shown in this listing
00403E3D 391D 00654000 CMP DWORD PTR DS:[406500],EBX ; is the global at 406500 zero? (EBX is still 0)
00403E43 75 0C JNZ SHORT 0.00403E51 ; non-zero: skip the registration below
00403E45 68 503F4000 PUSH 0.00403F50 ; handler routine at 403F50
00403E4A FF15 10414000 CALL DWORD PTR DS:[404110] ; msvcrt.__setusermatherr
00403E50 59 POP ECX ; drop the one argument
00403E51 E8 E8000000 CALL 0.00403F3E ; local routine, body not shown in this listing
00403E56 68 14604000 PUSH 0.00406014 ; second argument: 406014
00403E5B 68 10604000 PUSH 0.00406010 ; first argument: 406010
00403E60 E8 D3000000 CALL 0.00403F38 ; thunk that JMPs to msvcrt._initterm (presumably 406010..406014 bound an initializer table - confirm)
; --- Arguments for the next call (the call itself is past the end of the listing) ---
00403E65 A1 B8664000 MOV EAX,DWORD PTR DS:[4066B8] ; copy the global at 4066B8 ...
00403E6A 8945 94 MOV DWORD PTR SS:[EBP-6C],EAX ; ... into the local at EBP-6C
00403E6D 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C] ; pass that local by address
00403E70 50 PUSH EAX
00403E71 FF35 B4664000 PUSH DWORD PTR DS:[4066B4] ; pass the global at 4066B4 by value
00403E77 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64] ; address of the local at EBP-64, presumably the next argument (listing ends here)


