id="2">ss:[ebp+40fd7b],ebx ; 计算出的imagebase保存到 [ebp+40fd7b]=[0058ad7b]==400000
; --- Packer stub initialisation (OllyDbg-style listing, 32-bit, Intel syntax) ---
; <sub_getebp> is called before each group of ebp-relative accesses, so the
; [ebp+xxxxxx] operands below are stub data slots, not stack locals.
005912e5 e8 c6fdffff call <sub_getep_crypt_key>
005912ea e8 11aeffff call <sub_getebp >
005912ef e8 daa5ffff call <get_rnd_value>
005912f4 8985 d5084100 mov dword ptr ss:[ebp+4108d5],eax ; store the value <get_rnd_value> returned in eax
005912fa e8 01aeffff call <sub_getebp >
005912ff c685 6cf74000 0>mov byte ptr ss:[ebp+40f76c],0 ; "not registered" flag, cleared unconditionally at start (per original annotation)
00591306 e8 f0d2ffff call <sub_getapiaddress> ; resolve the APIs the stub itself needs
0059130b e8 38f9ffff call <copy_import table> ; fill the jump (thunk) table
00591310 e8 ebadffff call <sub_getebp >
00591315 8b85 6b814100 mov eax,dword ptr ss:[ebp+41816b] ; copy two dwords: [ebp+41816b] -> [ebp+40fd7f]
0059131b 8985 7ffd4000 mov dword ptr ss:[ebp+40fd7f],eax
00591321 8b85 6f814100 mov eax,dword ptr ss:[ebp+41816f] ;                   [ebp+41816f] -> [ebp+40fd83]
00591327 8985 83fd4000 mov dword ptr ss:[ebp+40fd83],eax
0059132d e8 66d0ffff call <unpack_sections> ; decompress the program's sections
00591332 e8 1ffbffff call <restore_jmp api table> ; restore the stub's API jump table
00591337 e8 2efdffff call <sub_sdk_disposal> ; patch the code locations that use the SDK (per original annotation)
0059133c 43 inc ebx ; inc/test/xchg: no consumer of the result is visible here -- possibly junk/obfuscation; note ecx and ebx are swapped afterwards
0059133d 85f3 test ebx,esi
0059133f 87d9 xchg ecx,ebx
00591341 e8 01000000 call 00591347 ; "call next+1": pushes 00591346 and lands INSIDE the bytes shown on the next line
00591346 ea 83c4047d 028>jmp far 8502:7d04c483 ; disassembler artifact, never executed as a far jmp: the 'ea' byte at 00591346 is a junk
                                               ; opcode that linear disassembly trips over. Execution resumes at 00591347, where the bytes
                                               ; are 83 c4 04 = add esp,4 (discards the address just pushed) followed by 7d 02 = jge short +2.
                                               ; Re-analyse from 00591347 (e.g. Ctrl+A / "analyse from here") to see the real instruction stream.
......
From this point on the code unpacks itself incrementally as it executes (each stage is decrypted only just before it runs):
......
; --- Exception-driven unpacking stage (the routine continues past the end of this excerpt) ---
0059142a e8 ef000000 call 0059151e ; pushes 0059142f as return address; 0059142f is also the entry of the routine below
0059142f e8 04000000 call 00591438 ; pushes 00591434 and jumps over the four zero bytes that follow
00591434 0000 add byte ptr ds:[eax],al ; NOT executed: 00 00 00 00 are data/padding bytes that the disassembler shows as code
00591436 0000 add byte ptr ds:[eax],al
00591438 5a pop edx ; get-EIP trick: edx = 00591434; esp is back to its value at 0059142f, so [esp+4]/[esp+c] are this routine's arguments
00591439 8b4424 04 mov eax,dword ptr ss:[esp+4] ; eax = arg1 (a pointer)
0059143d 8b00 mov eax,dword ptr ds:[eax] ; eax = first dword of *arg1
0059143f 8b4c24 0c mov ecx,dword ptr ss:[esp+c] ; ecx = arg3 (a pointer to a record written below)
00591443 ff81 b8000000 inc dword ptr ds:[ecx+b8] ; arg3->[+0xB8] += 1
00591449 3d 03000080 cmp eax,80000003 ; 0x80000003 = STATUS_BREAKPOINT (EXCEPTION_BREAKPOINT, raised by int3)
0059144e 75 4d jnz short 0059149d ; not a breakpoint exception -> other path at 0059149d (outside this excerpt)
00591450 8d82 02114000 lea eax,dword ptr ds:[edx+401102] ; eax = edx + 0x401102 - 0x40100e = edx + 0xF4 = 00591528
00591456 2d 0e104000 sub eax,0040100e ;   (address computed relative to the current location, so the stub stays relocatable)
0059145b 8941 04 mov dword ptr ds:[ecx+4],eax ; arg3->[+4] = 00591528
0059145e 8d82 04114000 lea eax,dword ptr ds:[edx+401104] ; eax = edx + 0xF6 = 0059152a
00591464 2d 0e104000 sub eax,0040100e
00591469 8941 08 mov dword ptr ds:[ecx+8],eax ; arg3->[+8] = 0059152a
; NOTE(review): the argument usage above matches the x86 SEH handler signature
; (arg1 = EXCEPTION_RECORD whose first dword is ExceptionCode, arg3 = CONTEXT whose
; +0xB8 is Eip and whose +0x04/+0x08 are Dr0/Dr1). Read that way, on an int3 the
; handler steps Eip over the 1-byte breakpoint and arms two hardware breakpoints at
; 00591528/0059152a, so the next "unpack step" is triggered by the CPU rather than by
; a visible call. This also means the stub competes with the debugger for the debug
; registers (hardware breakpoints set by the analyst in Dr0/Dr1 will be overwritten).
; Confirm against 0059151e, which presumably registers 0059142f as the handler -- not shown here.