; 32-bit x86 debugger listing (address, opcode bytes, Intel-syntax instruction), one instruction per line.
; The excerpt starts inside a routine (the loop target 00422ab0 is not shown) and ends mid-instruction.
; It holds two fragments: 00422ab1-00422b43 and the start of sub_fuck_ring0'debugger at 004243ab.
;
; --- Marker scan ---------------------------------------------------------------------------
; Three consecutive dwords at [esi] are compared with fixed constants. Any mismatch jumps back
; to 00422ab0, which lies outside this excerpt (presumably it advances esi - confirm).
; As stored in memory the constants are the bytes 52 45 54 52 / 49 56 41 50 / 49 5a 43 46,
; i.e. the ASCII strings "RETR", "IVAP", "IZCF".
00422ab1 8b06 mov eax,dword ptr ds:[esi]
00422ab3 3d 52455452 cmp eax,52544552
00422ab8 ^ 75 f6 jnz short 00422ab0 ; find the marker
00422aba 8b46 04 mov eax,dword ptr ds:[esi+4]
00422abd 3d 49564150 cmp eax,50415649
00422ac2 ^ 75 ec jnz short 00422ab0
00422ac4 8b46 08 mov eax,dword ptr ds:[esi+8]
00422ac7 3d 495a4346 cmp eax,46435a49
00422acc ^ 75 e2 jnz short 00422ab0
; --- Copy the data that follows the marker ---------------------------------------------------
; The source starts 0x0e bytes after the marker's first byte: the 12 compared bytes plus 2 more
; whose meaning is not visible here. 0x28 dwords (160 bytes) are copied to ebp+4015ac.
; ebp is set before this excerpt; presumably it is the delta returned by getebp - confirm.
00422ace 83c6 0e add esi,0e
00422ad1 8dbd ac154000 lea edi,dword ptr ss:[ebp+4015ac]
00422ad7 b9 28000000 mov ecx,28
00422adc f3:a5 rep movs dword ptr es:[edi],dword ptr ds>; copy code (the '>' appears to mark operand text clipped by the listing)
00422ade eb 26 jmp short 00422b06 ; skips the block at 00422ae3-00422b05
00422ae0 90 nop
00422ae1 90 nop
00422ae2 90 nop
; --- Buffer fill (00422ae3-00422b05) ---------------------------------------------------------
; Not reached by fall-through from above because of the jmp at 00422ade; its caller is not
; visible in this excerpt. eax = 0x100 is passed to 00420f3a; eax after that call is used both
; as the loop count (ecx) and as a byte offset added to ebp+40409a. Each iteration stores the
; eax left by 00420f4e with stos, and loopd repeats until ecx reaches 0.
; NOTE(review): 00420f3a and 00420f4e are outside this excerpt; the pattern looks like filling
; a buffer with generated values - confirm against those helpers.
00422ae3 60 pushad
00422ae4 e8 44e4ffff call <getebp>
00422ae9 b8 00010000 mov eax,100
00422aee e8 47e4ffff call 00420f3a
00422af3 8bc8 mov ecx,eax
00422af5 8dbd 9a404000 lea edi,dword ptr ss:[ebp+40409a]
00422afb 03f8 add edi,eax
00422afd e8 4ce4ffff call 00420f4e
00422b02 ab stos dword ptr es:[edi]
00422b03 ^ e2 f8 loopd short 00422afd
00422b05 61 popad
; --- In-place transform of the code that just ran --------------------------------------------
; call with a zero displacement followed by pop leaves the runtime address of 00422b0c in esi.
; Subtracting 6 gives the pushad at 00422b06, and subtracting 0x68 more gives the start of the
; region: 00422a9e at the addresses listed. The region therefore covers the marker scan and
; copy code above.
; ecx = (0x68 >> 2) - 2 = 0x18 is the first dword index; the loop counts down to 0 (25 dwords)
; and exits when ecx goes negative (signed jl). For each index i:
;     d[i] = rol(d[i] - d[i+1], 0x1d) xor edx ;  then edx ^= 9b71d46c
; so edx alternates between two key values, starting at 9431c45e. The dword at index 0x19
; (00422b02-00422b05) is only read. Bytes 00422a9e-00422b01 are overwritten in place, so a
; memory dump taken after this loop no longer holds their original contents.
00422b06 60 pushad ; encrypt code
00422b07 e8 00000000 call 00422b0c
00422b0c 5e pop esi
00422b0d 83ee 06 sub esi,6
00422b10 b9 68000000 mov ecx,68
00422b15 29ce sub esi,ecx
00422b17 ba 5ec43194 mov edx,9431c45e
00422b1c c1e9 02 shr ecx,2
00422b1f 83e9 02 sub ecx,2
00422b22 83f9 00 cmp ecx,0
00422b25 7c 1a jl short 00422b41
00422b27 8b048e mov eax,dword ptr ds:[esi+ecx*4]
00422b2a 8b5c8e 04 mov ebx,dword ptr ds:[esi+ecx*4+4]
00422b2e 2bc3 sub eax,ebx
00422b30 c1c0 1d rol eax,1d
00422b33 33c2 xor eax,edx
00422b35 81f2 6cd4719b xor edx,9b71d46c
00422b3b 89048e mov dword ptr ds:[esi+ecx*4],eax
00422b3e 49 dec ecx
00422b3f ^ eb e1 jmp short 00422b22
; The first popad matches the pushad at 00422b06; the second presumably matches a pushad
; executed before this excerpt - confirm.
00422b41 61 popad
00422b42 61 popad
00422b43 c3 retn
; --- Second fragment: start of the routine the author labels as a ring-0 debugger check ------
; NOTE(review): the displacement of the call at 004243ac (c1fdffff) resolves to 00424172, while
; the call <getebp> at 00422ae4 resolves to 00420f2d. Same label, different targets - the two
; fragments may come from different images or sessions; confirm before cross-referencing them.
; The byte written to ebp+4018cc is 0c3, the retn opcode (compare 00422b43).
; The call/pop pair then sets ebp = (runtime address of 004243bd) - 004018de. With that value,
; ebp+4018cc is 004243ab, the first byte of this routine. If getebp returns the same value,
; the store turns the routine's entry into a retn so that later calls return immediately
; - confirm.
sub_fuck_ring0'debugger:
004243ab > 60 pushad
004243ac . e8 c1fdffff call <getebp> ; detect a ring-0 debugger
004243b1 . c685 cc184000>mov byte ptr ss:[ebp+4018cc],0c3
004243b8 . e8 00000000 call 004243bd
004243bd $ 5d pop ebp
004243be . 8bf5 mov esi,ebp
004243c0 . 81ed de184000 sub ebp,004018de
; The listing is cut off inside the next instruction; its operands are not visible.
004243c6 . 8db5 2c194000 lea <