AcProtect 1.41 外壳分析[31]

2">edi,dword ptr ss:[ebp+401628] 0042226b 0fb61c07 movzx ebx,byte ptr ds:[edi+eax] ; 判断壳入口是否为pushad(60)如果不相等则over 0042226f 80eb 30 sub bl,30 00422272 80fb 30 cmp bl,30 00422275 75 09 jnz short <over way> 00422277 90 nop 00422278 90 nop 00422279 90 nop 0042227a 90 nop 0042227b eb 26 jmp short <good way> 0042227d 90 nop 0042227e 90 nop 0042227f 90 nop 00422280 > 60 pushad ; game over 00422281 e8 a7ecffff call <getebp> ; 如 果发现程序被修改了就写入随机垃圾代码 00422286 b8 00010000 mov eax,100 0042228b e8 aaecffff call 00420f3a 00422290 8bc8 mov ecx,eax 00422292 8dbd 9a404000 lea edi,dword ptr ss:[ebp+40409a] 00422298 03f8 add edi,eax 0042229a e8 afecffff call 00420f4e 0042229f ab stos dword ptr es:[edi] 004222a0 ^ e2 f8 loopd short 0042229a 004222a2 61 popad 004222a3 > 60 pushad ; good way 004222a4 e8 00000000 call 004222a9 004222a9 5e pop esi 004222aa 83ee 06 sub esi,6 004222ad b9 d1000000 mov ecx,0d1 004222b2 29ce sub esi,ecx 004222b4 ba 0d4034ef mov edx,ef34400d 004222b9 c1e9 02 shr ecx,2 004222bc 83e9 02 sub ecx,2 004222bf 83f9 00 cmp ecx,0 004222c2 7c 1a jl short 004222de 004222c4 8b048e mov eax,dword ptr ds:[esi+ecx*4] 004222c7 8b5c8e 04 mov ebx,dword ptr ds:[esi+ecx*4+4] 004222cb 33c3 xor eax,ebx 004222cd c1c0 14 rol eax,14 004222d0 33c2 xor eax,edx 004222d2 81ea 85a8d2e1 sub edx,e1d2a885 004222d8 89048e mov dword ptr ds:[esi+ecx*4],eax 004222db 49 dec ecx 004222dc ^ eb e1 jmp short 004222bf 004222de 61 popad 004222df 61 popad 004222e0 c3 retn sub_copy code: 004228f3 > 60 pushad ; sub_copy code 004228f4 7a 03 jpe short 004228f9 004228f6 7b 01 jpo short 004228f9 004228f8 9a 0f890600 000>call far 0000:0006890f ; far call 004228ff 81d0 94b7bd5b adc eax,5bbdb794 00422905 e8 01000000 call 0042290b 0042290a ^ 72 83 jb short 0042288f 0042290c c404f9 les eax,fword ptr ds:[ecx+edi*8] ; modification of segment register ...... 00422a9e e8 8ae4ffff call <getebp> 00422aa3 c685 59304000 c>mov byte ptr ss:[ebp+403059],0c3 ; 只执行一次call 00422aaa 8db5 9a404000 lea esi,dword ptr ss:[ebp+40409a] 00422ab0 46 inc esi