id="2">eax,dword ptr ss:[ebp+41814b]
; Tail of the unpacker stub. Addressing is ebp-relative (ebp presumably holds a
; delta base set up earlier, not in view). After the last store the stub wipes a
; fixed region with random dwords and then transfers control to the "fake" OEP.
005930e1 8985 0b814100 mov dword ptr ss:[ebp+41810b],eax ; [ebp+41810b] = value read from [ebp+41814b] on the (truncated) line above
005930e7 e8 1490ffff call <sub_getebp > ; helper presumably reloads ebp as the delta base used below -- confirm
005930ec 8dbd b87e4100 lea edi,dword ptr ss:[ebp+417eb8] ; edi = start of the region to wipe
005930f2 8d8d fd804100 lea ecx,dword ptr ss:[ebp+4180fd] ; ecx = end of the region (0x245 = 581 bytes past edi)
005930f8 2bcf sub ecx,edi ; ecx = byte length of the region
005930fa c1e9 02 shr ecx,2 ; ecx = dword count = 0x91 (145); the trailing byte at [ebp+4180fc] is never overwritten
005930fd > e8 cc87ffff call <get_rnd_value> ; sub_fill_junk loop head: eax = random dword; the loop depends on this call preserving ecx and edi
00593102 ab stos dword ptr es:[edi] ; [edi] = eax, edi += 4
00593103 ^ e2 f8 loopd short <sub_fill_junk> ; --ecx; repeat while ecx != 0: overwrite the region with junk (anti-dump -- presumably the part of the stub that already ran; the region must be writable)
00593105 61 popad ; restore all GPRs saved by a matching pushad (not in view)
00593106 eb 01 jmp short 00593109 ; skip the 1-byte nop below; that byte is never executed (simple anti-disassembly gap)
00593108 90 nop
00593109 - ff25 4b315900 jmp dword ptr ds:[59314b] ; jmp to fake oep: indirect through the pointer stored at 0059314b (a write breakpoint on that cell shows where the stub fills it in); lands at 004b2de9, not the real entry 004b2d84
.......
; "Fake" OEP: the packer lands here, 0x65 bytes into the original entry
; function (real entry 004b2d84). The bytes 004b2d84..004b2de8 were stolen and
; executed inside the packer, so this code assumes that prologue already ran:
; ebp frame, SEH record installed at fs:[0], ebx == 0. A dump whose entry point
; is 004b2de9 lacks that prologue and will not run.
004b2de9 a3 a8464d00 mov dword ptr ds:[4d46a8],eax ; fake oep -- stores eax (set by the stolen code just before; listing truncated) into a CRT global
004b2dee e8 6b010000 call 004b2f5e ; local CRT helper, body not in this listing
004b2df3 391d 782f4c00 cmp dword ptr ds:[4c2f78],ebx ; global == 0 ? (ebx is 0 from the stolen prologue's xor ebx,ebx)
004b2df9 75 0c jnz short 004b2e07 ; non-zero: skip the next 0xc bytes (target not in this listing)
分析完整理一下得出stolen code长这么个模样:
; Reconstructed stolen code: the real OEP (004b2d84) of the target, a standard
; MSVC CRT startup prologue (frame, SEH registration, __set_app_type, fmode/
; commode propagation). The packer runs these bytes from its own section and
; then jumps to 004b2de9. To obtain a working dump, write them back at
; 004b2d84 and set the PE entry point there.
; Register roles on exit: ebp = frame, ebx = 0, edi = 2 (app type).
004b2d84 55 push ebp ; frame setup
004b2d85 8bec mov ebp,esp
004b2d87 6a ff push -1 ; [ebp-4]: SEH trylevel, -1 = no active __try (_except_handler3 convention)
004b2d89 68 609f4b00 push 004b9f60 ; [ebp-8]: presumably the __try scope table for _except_handler3 -- confirm
004b2d8e 68 602f4b00 push 004b2f60 ; [ebp-0c]: handler thunk (jmp to msvcrt._except_handler3)
004b2d93 64:a1 00000000 mov eax,dword ptr fs:[0] ; head of the current SEH chain
004b2d99 50 push eax ; [ebp-10]: link to the previous registration record
004b2d9a 64:8925 0000000>mov dword ptr fs:[0],esp ; install this record (prev, handler, scope table, trylevel) as the new chain head
004b2da1 83ec 68 sub esp,68 ; 0x68 bytes of locals
004b2da4 53 push ebx ; save callee-saved ebx/esi/edi
004b2da5 56 push esi
004b2da6 57 push edi
004b2da7 8965 e8 mov dword ptr ss:[ebp-18],esp ; saved esp, used when unwinding through the SEH frame
004b2daa 33db xor ebx,ebx ; ebx = 0 for the rest of startup (the cmp at the fake OEP relies on this)
004b2dac 895d fc mov dword ptr ss:[ebp-4],ebx ; trylevel = 0: enter the first __try
004b2daf 6a 02 push 2
004b2db1 5f pop edi ; edi = 2 (app type, kept in edi)
004b2db2 57 push edi
004b2db3 ff15 14774b00 call dword ptr ds:[4b7714] ; msvcrt.__set_app_type(2); 2 is _GUI_APP in the CRT headers
004b2db9 59 pop ecx ; cdecl: discard the argument
004b2dba 830d ac464d00 f>or dword ptr ds:[4d46ac],ffffffff ; two CRT globals = -1 (presumably _onexitbegin/_onexitend as in the classic VC6 startup -- confirm)
004b2dc1 830d b0464d00 f>or dword ptr ds:[4d46b0],ffffffff
004b2dc8 ff15 10774b00 call dword ptr ds:[4b7710] ; msvcrt.__p__fmode -> eax = &_fmode inside msvcrt
004b2dce 8b0d 70464d00 mov ecx,dword ptr ds:[4d4670] ; ecx = the program's own _fmode value
004b2dd4 8908 mov dword ptr ds:[eax],ecx ; *__p__fmode() = [4d4670]
004b2dd6 ff15 0c774b00 call dword ptr ds:[4b770c] ; msvcrt.__p__commode -> eax = &_commode inside msvcrt
004b2ddc 8b0d 6c464d00 mov ecx,dword ptr ds:[4d466c] ; ecx = the program's own _commode value
004b2de2 8908 mov dword ptr ds:[eax],ecx ; *__p__commode() = [4d466c]
004b2de4 a1 08774b00 mov eax,