用peid查，显示是PECompact 2.x -> Jeremy Collake的壳
用OD载入后停在
00401000     B8 D4A14300         mov eax,CoralQQ.0043A1D4
      
F8单步运行
00401005     50                  push eax
00401006     64:FF35 00000000    push dword ptr fs:[0]
0040100D     64:8925 00000000    mov dword ptr fs:[0],esp
00401014     33C0                xor eax,eax                  
到这里我们看到在堆栈窗口
————————————————————————————————————————————————
0012FFBC      0012FFE0     指针到下一个 SEH 记录
0012FFC0      0043A1D4     SE 句柄
0012FFC4      7C816D4F     返回到 kernel32.7C816D4F
————————————————————————————————————————————————
看回来，我们ctrl+G到 0043A1D4，到达后在此处下断点，然后F9运行，
程序被断下。
0043A1D4     B8 7E9043F0         mov eax,F043907E
0043A1D9     8D88 79110010       lea ecx,dword ptr ds:[eax+10001179]
0043A1DF     8941 01             mov dword ptr ds:[ecx+1],eax
0043A1E2     8B5424 04           mov edx,dword ptr ss:[esp+4]
0043A1E6     8B52 0C             mov edx,dword ptr ds:[edx+C]
0043A1E9     C602 E9             mov byte ptr ds:[edx],0E9
0043A1EC     83C2 05             add edx,5
0043A1EF     2BCA                sub ecx,edx
0043A1F1     894A FC             mov dword ptr ds:[edx-4],ecx
取消断点，然后在0043A1F7下断点
0043A1F7     B8 78563412         mov eax,12345678
0043A1FC     64:8F05 00000000    pop dword ptr fs:[0]
0043A203     83C4 04             add esp,4
0043A206     55                  push ebp
0043A207     53                  push ebx
0043A208     51                  push ecx
0043A209     57                  push edi
0043A20A     56                  push esi
0043A20B     52                  push edx
再按F9运行，程序又被断下，取消断点。F8单步运行，
一直F8到了0043A29F，
0043A281     8985 23120010       mov dword ptr ss:[ebp+10001223],eax
0043A287     8BF0                mov esi,eax
0043A289     59                  pop ecx
0043A28A     5A                  pop edx
0043A28B     03CA                add ecx,edx
0043A28D     68 00800000         push 8000
0043A292     6A 00               push 0
0043A294     57                  push edi