这是ReWolf写的关于VMProtect一文中的一段代码还原的思路(下面每一步的列表中,每行左侧是变换前的代码,右侧是变换后的代码;只有左侧内容的行在变换后没有对应的代码):
第一步:把能配对的push/pop合并成直接赋值
Temporary variables: Temporary variables:
[color=#b000b0]DWORD[/color] t0 [color=#b000b0]DWORD[/color] t0
[color=#b000b0]DWORD[/color] t1 [color=#b000b0]DWORD[/color] t1
[color=#b000b0]DWORD[/color] t2 [color=#b000b0]DWORD[/color] t2
[color=#b000b0]DWORD[/color] t3 [color=#b000b0]DWORD[/color] t3
[color=#b000b0]DWORD[/color] t4 [color=#b000b0]DWORD[/color] t4
[color=#b000b0]DWORD[/color] t5 [color=#b000b0]DWORD[/color] t5
[color=#b000b0]DWORD[/color] t6 [color=#b000b0]DWORD[/color] t6
[color=#b000b0]DWORD[/color] t7 [color=#b000b0]DWORD[/color] t7
[color=#b000b0]DWORD[/color] t8 [color=#b000b0]DWORD[/color] t8
[color=#b000b0]DWORD[/color] t9 [color=#b000b0]DWORD[/color] t9
[color=#b000b0]DWORD[/color] t10 [color=#b000b0]DWORD[/color] t10
[color=#b000b0]DWORD[/color] t11 [color=#b000b0]DWORD[/color] t11
[color=#b000b0]DWORD[/color] t12 [color=#b000b0]DWORD[/color] t12
[color=#b000b0]DWORD[/color] t13 [color=#b000b0]DWORD[/color] t13
[color=#b000b0]DWORD[/color] t14 [color=#b000b0]DWORD[/color] t14
[color=#b000b0]DWORD[/color] t15 [color=#b000b0]DWORD[/color] t15
[color=#b000b0]DWORD[/color] t16 [color=#b000b0]DWORD[/color] t16
[color=#b000b0]DWORD[/color] t17 [color=#b000b0]DWORD[/color] t17
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](19088743)
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](-1985229329)
[color=#0000D0]push[/color] [color=#FF0000]edi[/color]
[color=#0000D0]push[/color] [color=#FF0000]ecx[/color]
[color=#0000D0]push[/color] [color=#FF0000]edx[/color]
[color=#0000D0]push[/color] [color=#FF0000]esi[/color]
[color=#0000D0]push[/color] [color=#FF0000]ebp[/color]
[color=#0000D0]push[/color] [color=#FF0000]ebx[/color]
[color=#0000D0]push[/color] [color=#FF0000]eax[/color]
[color=#0000D0]push[/color] [color=#FF0000]edx[/color]
[color=#0000D0]push[/color] eflags
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](0)
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)] = [color=#b000b0]Dword[/color](0)
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](28)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](28)] = eflags
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](60)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](60)] = [color=#FF0000]edx[/color]
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](56)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](56)] = [color=#FF0000]eax[/color]
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)] = [color=#FF0000]ebx[/color]
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](32)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](32)] = [color=#FF0000]ebp[/color]
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)] = [color=#FF0000]esi[/color]
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](44)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](44)] = [color=#FF0000]edx[/color]
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](20)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](20)] = [color=#FF0000]ecx[/color]
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)] = [color=#FF0000]edi[/color]
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](4)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](4)] = [color=#b000b0]Dword[/color](-1985229329)
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](8)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](8)] = [color=#b000b0]Dword[/color](19088743)
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](32)] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](32)]
[color=#0000D0]push[/color] [color=#FF0000]esp[/color]
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)] = [color=#FF0000]esp[/color]
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](-1) [color=#0000D0]push[/color] [color=#b000b0]Dword[/color](-1)
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](4525664) [color=#0000D0]push[/color] [color=#b000b0]Dword[/color](4525664)
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](4362952) [color=#0000D0]push[/color] [color=#b000b0]Dword[/color](4362952)
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](0)
[color=#0000D0]pop[/color] t0 t0 = [color=#b000b0]Dword[/color](0)
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] [color=#FF0000]FS[/color]:[t0] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] [color=#FF0000]FS[/color]:[t0]
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)] [color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)]
[color=#0000D0]push[/color] [color=#FF0000]esp[/color]
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](0)
[color=#0000D0]pop[/color] t1 t1 = [color=#b000b0]Dword[/color](0)
[color=#0000D0]pop[/color] t2 t2 = [color=#FF0000]esp[/color]
[color=#b000b0]DWORD[/color] [color=#FF0000]FS[/color]:[t1] = t2 [color=#b000b0]DWORD[/color] [color=#FF0000]FS[/color]:[t1] = t2
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](-88)
[color=#0000D0]push[/color] [color=#FF0000]esp[/color]
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](4)
[color=#0000D0]pop[/color] t3 t3 = [color=#b000b0]Dword[/color](4)
[color=#0000D0]pop[/color] t4 t4 = [color=#FF0000]esp[/color]
t5 = t3 + t4 t5 = t3 + t4
[color=#0000D0]push[/color] t5
[color=#0000D0]push[/color] flags t5
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](52)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](52)] = flags t5
[color=#0000D0]pop[/color] t6 t6 = t5
[color=#0000D0]pop[/color] t7 t7 = [color=#b000b0]Dword[/color](-88)
t8 = t6 + t7 t8 = t6 + t7
[color=#0000D0]push[/color] t8
[color=#0000D0]push[/color] flags t8
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](12)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](12)] = flags t8
[color=#0000D0]pop[/color] [color=#FF0000]esp[/color] [color=#FF0000]esp[/color] = t8
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)]
[color=#0000D0]push[/color] [color=#FF0000]esp[/color]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)]
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](-24)
[color=#0000D0]pop[/color] t9 t9 = [color=#b000b0]Dword[/color](-24)
[color=#0000D0]pop[/color] t10 t10 = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)]
t11 = t9 + t10 t11 = t9 + t10
[color=#0000D0]push[/color] t11
[color=#0000D0]push[/color] flags t11
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](4)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](4)] = flags t11
[color=#0000D0]pop[/color] t12 t12 = t11
[color=#0000D0]pop[/color] t13 t13 = [color=#FF0000]esp[/color]
[color=#b000b0]DWORD[/color] [color=#FF0000]SS[/color]:[t12] = t13 [color=#b000b0]DWORD[/color] [color=#FF0000]SS[/color]:[t12] = t13
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](4638392)
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)]
[color=#0000D0]pop[/color] t14 t14 = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)]
[color=#0000D0]pop[/color] t15 t15 = [color=#b000b0]Dword[/color](4638392)
t16 = t14 + t15 t16 = t14 + t15
[color=#0000D0]push[/color] t16 [color=#0000D0]push[/color] t16
[color=#0000D0]push[/color] flags t16
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](8)] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](8)] = flags t16
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](4590300)
[color=#0000D0]pop[/color] t17 t17 = [color=#b000b0]Dword[/color](4590300)
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] [t17] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] [t17]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](20)]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](44)]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](60)]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](12)]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)]
[color=#0000D0]pop[/color] [color=#FF0000]edx[/color] [color=#FF0000]edx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)]
[color=#0000D0]pop[/color] eflags eflags = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](12)]
[color=#0000D0]pop[/color] [color=#FF0000]edx[/color] [color=#FF0000]edx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](60)]
[color=#0000D0]pop[/color] [color=#FF0000]eax[/color] [color=#FF0000]eax[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)]
[color=#0000D0]pop[/color] [color=#FF0000]ebx[/color] [color=#FF0000]ebx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)]
[color=#0000D0]pop[/color] [color=#FF0000]ebp[/color] [color=#FF0000]ebp[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)]
[color=#0000D0]pop[/color] [color=#FF0000]esi[/color] [color=#FF0000]esi[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)]
[color=#0000D0]pop[/color] [color=#FF0000]ecx[/color] [color=#FF0000]ecx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](44)]
[color=#0000D0]pop[/color] [color=#FF0000]ecx[/color] [color=#FF0000]ecx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](20)]
[color=#0000D0]pop[/color] [color=#FF0000]edi[/color] [color=#FF0000]edi[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)]
[color=#0000D0]ret[/color] [color=#0000D0]ret[/color]
第二步:把临时变量t0–t17的值代入到使用它们的地方,消去临时变量
Temporary variables:
[color=#b000b0]DWORD[/color] t0
[color=#b000b0]DWORD[/color] t1
[color=#b000b0]DWORD[/color] t2
[color=#b000b0]DWORD[/color] t3
[color=#b000b0]DWORD[/color] t4
[color=#b000b0]DWORD[/color] t5
[color=#b000b0]DWORD[/color] t6
[color=#b000b0]DWORD[/color] t7
[color=#b000b0]DWORD[/color] t8
[color=#b000b0]DWORD[/color] t9
[color=#b000b0]DWORD[/color] t10
[color=#b000b0]DWORD[/color] t11
[color=#b000b0]DWORD[/color] t12
[color=#b000b0]DWORD[/color] t13
[color=#b000b0]DWORD[/color] t14
[color=#b000b0]DWORD[/color] t15
[color=#b000b0]DWORD[/color] t16
[color=#b000b0]DWORD[/color] t17
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)] = [color=#b000b0]Dword[/color](0) [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)] = [color=#b000b0]Dword[/color](0)
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](28)] = eflags [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](28)] = eflags
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](60)] = [color=#FF0000]edx[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](60)] = [color=#FF0000]edx[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](56)] = [color=#FF0000]eax[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](56)] = [color=#FF0000]eax[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)] = [color=#FF0000]ebx[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)] = [color=#FF0000]ebx[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](32)] = [color=#FF0000]ebp[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](32)] = [color=#FF0000]ebp[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)] = [color=#FF0000]esi[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)] = [color=#FF0000]esi[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](44)] = [color=#FF0000]edx[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](44)] = [color=#FF0000]edx[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](20)] = [color=#FF0000]ecx[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](20)] = [color=#FF0000]ecx[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)] = [color=#FF0000]edi[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)] = [color=#FF0000]edi[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](4)] = [color=#b000b0]Dword[/color](-1985229329) [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](4)] = [color=#b000b0]Dword[/color](-1985229329)
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](8)] = [color=#b000b0]Dword[/color](19088743) [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](8)] = [color=#b000b0]Dword[/color](19088743)
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](32)] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](32)]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)] = [color=#FF0000]esp[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)] = [color=#FF0000]esp[/color]
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](-1) [color=#0000D0]push[/color] [color=#b000b0]Dword[/color](-1)
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](4525664) [color=#0000D0]push[/color] [color=#b000b0]Dword[/color](4525664)
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](4362952) [color=#0000D0]push[/color] [color=#b000b0]Dword[/color](4362952)
t0 = [color=#b000b0]Dword[/color](0)
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] [color=#FF0000]FS[/color]:[t0] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] [color=#FF0000]FS[/color]:[[color=#b000b0]Dword[/color](0)]
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)] [color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)]
t1 = [color=#b000b0]Dword[/color](0)
t2 = [color=#FF0000]esp[/color]
[color=#b000b0]DWORD[/color] [color=#FF0000]FS[/color]:[t1] = t2 [color=#b000b0]DWORD[/color] [color=#FF0000]FS[/color]:[[color=#b000b0]Dword[/color](0)] = [color=#FF0000]esp[/color]
t3 = [color=#b000b0]Dword[/color](4)
t4 = [color=#FF0000]esp[/color]
t5 = t3 + t4
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](52)] = flags t5 [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](52)] = flags [color=#b000b0]Dword[/color](4) + [color=#FF0000]esp[/color]
t6 = t5
t7 = [color=#b000b0]Dword[/color](-88)
t8 = t6 + t7
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](12)] = flags t8 [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](12)] = flags [color=#b000b0]Dword[/color](4) + [color=#FF0000]esp[/color] + [color=#b000b0]Dword[/color](-88)
[color=#FF0000]esp[/color] = t8 [color=#FF0000]esp[/color] = [color=#b000b0]Dword[/color](4) + [color=#FF0000]esp[/color] + [color=#b000b0]Dword[/color](-88)
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)]
t9 = [color=#b000b0]Dword[/color](-24)
t10 = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)]
t11 = t9 + t10
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](4)] = flags t11 [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](4)] = flags [color=#b000b0]Dword[/color](-24) + [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)]
t12 = t11
t13 = [color=#FF0000]esp[/color]
[color=#b000b0]DWORD[/color] [color=#FF0000]SS[/color]:[t12] = t13 [color=#b000b0]DWORD[/color] [color=#FF0000]SS[/color]:[[color=#b000b0]Dword[/color](-24) + [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)]] = [color=#FF0000]esp[/color]
t14 = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)]
t15 = [color=#b000b0]Dword[/color](4638392)
t16 = t14 + t15
[color=#0000D0]push[/color] t16 [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)] + [color=#b000b0]Dword[/color](4638392)
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](8)] = flags t16 [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](8)] = flags [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)] + [color=#b000b0]Dword[/color](4638392)
t17 = [color=#b000b0]Dword[/color](4590300)
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] [t17] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] [[color=#b000b0]Dword[/color](4590300)]
[color=#FF0000]edx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)]
eflags = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](12)] eflags = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](12)]
[color=#FF0000]edx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](60)] [color=#FF0000]edx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](60)]
[color=#FF0000]eax[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)] [color=#FF0000]eax[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)]
[color=#FF0000]ebx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)] [color=#FF0000]ebx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)]
[color=#FF0000]ebp[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)] [color=#FF0000]ebp[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)]
[color=#FF0000]esi[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)] [color=#FF0000]esi[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)]
[color=#FF0000]ecx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](44)]
[color=#FF0000]ecx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](20)] [color=#FF0000]ecx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](20)]
[color=#FF0000]edi[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)] [color=#FF0000]edi[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)]
[color=#0000D0]ret[/color] [color=#0000D0]ret[/color]
第三步:把Scratch槽位换成对应的寄存器或常量,去掉入口保存和出口恢复寄存器的Scratch赋值
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)] = [color=#b000b0]Dword[/color](0)
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](28)] = eflags
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](60)] = [color=#FF0000]edx[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](56)] = [color=#FF0000]eax[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)] = [color=#FF0000]ebx[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](32)] = [color=#FF0000]ebp[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)] = [color=#FF0000]esi[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](44)] = [color=#FF0000]edx[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](20)] = [color=#FF0000]ecx[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)] = [color=#FF0000]edi[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](4)] = [color=#b000b0]Dword[/color](-1985229329)
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](8)] = [color=#b000b0]Dword[/color](19088743)
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](32)] [color=#0000D0]push[/color] [color=#FF0000]ebp[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)] = [color=#FF0000]esp[/color] [color=#FF0000]ebp[/color] = [color=#FF0000]esp[/color]
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](-1) [color=#0000D0]push[/color] [color=#b000b0]Dword[/color](-1)
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](4525664) [color=#0000D0]push[/color] [color=#b000b0]Dword[/color](4525664)
[color=#0000D0]push[/color] [color=#b000b0]Dword[/color](4362952) [color=#0000D0]push[/color] [color=#b000b0]Dword[/color](4362952)
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] [color=#FF0000]FS[/color]:[[color=#b000b0]Dword[/color](0)] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] [color=#FF0000]FS[/color]:[[color=#b000b0]Dword[/color](0)]
[color=#0000D0]pop[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)] [color=#0000D0]pop[/color] [color=#FF0000]eax[/color]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)] [color=#0000D0]push[/color] [color=#FF0000]eax[/color]
[color=#b000b0]DWORD[/color] [color=#FF0000]FS[/color]:[[color=#b000b0]Dword[/color](0)] = [color=#FF0000]esp[/color] [color=#b000b0]DWORD[/color] [color=#FF0000]FS[/color]:[[color=#b000b0]Dword[/color](0)] = [color=#FF0000]esp[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](52)] = flags [color=#b000b0]Dword[/color](4) + [color=#FF0000]esp[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](12)] = flags [color=#b000b0]Dword[/color](4) + [color=#FF0000]esp[/color] + [color=#b000b0]Dword[/color](-88) eflags = flags [color=#b000b0]Dword[/color](4) + [color=#FF0000]esp[/color] + [color=#b000b0]Dword[/color](-88)
[color=#FF0000]esp[/color] = [color=#b000b0]Dword[/color](4) + [color=#FF0000]esp[/color] + [color=#b000b0]Dword[/color](-88) [color=#FF0000]esp[/color] = [color=#b000b0]Dword[/color](4) + [color=#FF0000]esp[/color] + [color=#b000b0]Dword[/color](-88)
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)] [color=#0000D0]push[/color] [color=#FF0000]ebx[/color]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)] [color=#0000D0]push[/color] [color=#FF0000]esi[/color]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)] [color=#0000D0]push[/color] [color=#FF0000]edi[/color]
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](4)] = flags [color=#b000b0]Dword[/color](-24) + [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)] [color=#b000b0]DWORD[/color] [color=#FF0000]SS[/color]:[[color=#b000b0]Dword[/color](-24) + [color=#FF0000]ebp[/color]] = [color=#FF0000]esp[/color]
[color=#b000b0]DWORD[/color] [color=#FF0000]SS[/color]:[[color=#b000b0]Dword[/color](-24) + [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)]] = [color=#FF0000]esp[/color]
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)] + [color=#b000b0]Dword[/color](4638392) [color=#0000D0]push[/color] [color=#b000b0]Dword[/color](0) + [color=#b000b0]Dword[/color](4638392)
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](8)] = flags [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)] + [color=#b000b0]Dword[/color](4638392)
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] [[color=#b000b0]Dword[/color](4590300)] [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] [[color=#b000b0]Dword[/color](4590300)]
eflags = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](12)]
[color=#FF0000]edx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](60)]
[color=#FF0000]eax[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)]
[color=#FF0000]ebx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)]
[color=#FF0000]ebp[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)]
[color=#FF0000]esi[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)]
[color=#FF0000]ecx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](20)]
[color=#FF0000]edi[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)]
[color=#0000D0]ret[/color] [color=#0000D0]ret[/color]