AcProtect 1.41 外壳分析[30]

ds:[eax+ebx*2] ; modification of segment register 00422037 66:8bd1 mov dx,cx ...... 004221d2 e8 56edffff call <getebp> 004221d7 c685 8d274000 c>mov byte ptr ss:[ebp+40278d],0c3 004221de 8bb5 28164000 mov esi,dword ptr ss:[ebp+401628] 004221e4 66:8b16 mov dx,word ptr ds:[esi] 004221e7 66:81fa 4d5a cmp dx,5a4d 004221ec 0f85 b1000000 jnz <good way> 004221f2 0fb756 3c movzx edx,word ptr ds:[esi+3c] 004221f6 8bfe mov edi,esi 004221f8 03fa add edi,edx 004221fa 8b47 28 mov eax,dword ptr ds:[edi+28] 004221fd 3b85 50164000 cmp eax,dword ptr ss:[ebp+401650] 00422203 74 7b je short <over way> ; 如果 发现入口和原程序一样则over 00422205 90 nop 00422206 90 nop 00422207 90 nop 00422208 90 nop 00422209 3b85 54164000 cmp eax,dword ptr ss:[ebp+401654] ; 比较如果入口和壳入口不一样则over,感觉有点多余，直接判断不为壳入口不行吗? 0042220f 75 6f jnz short <over way> 00422211 90 nop 00422212 90 nop 00422213 90 nop 00422214 90 nop 00422215 0fb747 06 movzx eax,word ptr ds:[edi+6] ; 判断section是否为5，如果不为5则over 00422219 48 dec eax 0042221a 3d 04000000 cmp eax,4 0042221f 75 5f jnz short <over way> 00422221 90 nop 00422222 90 nop 00422223 90 nop 00422224 90 nop 00422225 ba 28000000 mov edx,28 0042222a f7e2 mul edx 0042222c 05 f8000000 add eax,0f8 00422231 03c7 add eax,edi 00422233 50 push eax 00422234 83c0 0c add eax,0c 00422237 8b18 mov ebx,dword ptr ds:[eax] 00422239 3b9d 54164000 cmp ebx,dword ptr ss:[ebp+401654] ; 再次判断入口是否为壳的入口, 0042223f 75 3f jnz short <over way> 00422241 90 nop 00422242 90 nop 00422243 90 nop 00422244 90 nop 00422245 5e pop esi 00422246 813e 2e706572 cmp dword ptr ds:[esi],7265702e ; 比 较最后一个字的名字是否为:.perplex 0042224c 75 32 jnz short <over way> ; 如果 不是则over 0042224e 90 nop 0042224f 90 nop 00422250 90 nop 00422251 90 nop 00422252 817e 04 706c657>cmp dword ptr ds:[esi+4],78656c70 00422259 75 25 jnz short <over way> 0042225b 90 nop 0042225c 90 nop 0042225d 90 nop 0042225e 90 nop 0042225f 8b85 54164000 mov eax,dword ptr ss:[ebp+401654] 00422265 8bbd 28164000 mov