3848d cd1c4000 add eax,dword ptr ss:[ebp+ecx*4+401ccd]
0058b54d 83e8 24 sub eax,24
0058b550 3bc3 cmp eax,ebx
0058b552 ^ 75 e1 jnz short 0058b535
0058b554 8bb48d 5d1e4000 mov esi,dword ptr ss:[ebp+ecx*4+401e5d]
0058b55b 8bbc8d 3d1b4000 mov edi,dword ptr ss:[ebp+ecx*4+401b3d]
0058b562 03bd 46f84000 add edi,dword ptr ss:[ebp+40f846]
0058b568 8b948d cd1c4000 mov edx,dword ptr ss:[ebp+ecx*4+401ccd]
0058b56f 87ca xchg edx,ecx
0058b571 f3:a4 rep movs byte ptr es:[edi],byte ptr ds:[e>; 把代码加密回去
0058b573 90 nop
......
0058b5af 61 popad
0058b5b0 c3 retn
;-----------------------------------------------------------------------
; sub_getebp -- compute the load-time delta ("GetPC" / delta-offset idiom)
; Effect: ebp = (runtime address of the `pop ebp`) - 00411105
; In:     nothing
; Out:    ebp = delta that the rest of the stub uses as a base register,
;         addressing its data as [ebp+disp32] (e.g. [ebp+40f846])
; Clobb:  ebp (the result) and flags (from sub); the stack is balanced
;         (the call pushes one dword, the pop removes it)
; Why:    the disp32 values elsewhere in the stub are evidently the
;         addresses the code was originally assembled at; adding the
;         delta turns them into the addresses the code actually runs at,
;         so the stub works wherever it is loaded. A `call <next insn>`
;         followed by `pop reg` is a widely seen packer/shellcode
;         fingerprint and is a useful signal for detection rules.
;-----------------------------------------------------------------------
sub_getebp:
0058c100 > e8 00000000 call 0058c105 ; sub_getebp: call the very next instruction -> pushes 0058c105 as the return address
0058c105 5d pop ebp ; ebp = 0058c105, i.e. the address this code is really executing at
0058c106 81ed 05114100 sub ebp,00411105 ; ebp = runtime address - original address = delta; used to locate the real addresses behind [ebp+disp] references
0058c10c c3 retn ; observed in this session: ebp==0017b000 (0058c105 - 00411105)
sub_getep_crypt_key:
005910b0 > 60 pushad ; 开始解压代码
005910b1 d3c0 rol eax,cl
005910b3 f8 clc
005910b4 f9 stc
005910b5 72 03 jb short 005910ba
005910b7 73 01 jnb short 005910ba
005910b9 ^ 79 f9 jns short 005910b4
005910bb eb 01 jmp short 005910be
......
00591243 8125 d9c95700 4>and dword ptr ds:[57c9d9],8e10c147
0059124d 4f dec edi
0059124e ^ 0f85 54ffffff jnz 005911a8 ; 没有解压完跳回去继续
......
0059125b e8 a0aeffff call <sub_getebp >
00591260 8b85 46f84000 mov eax,dword ptr ss:[ebp+40f846] ; mov eax,offset dd_imagebase
00591266 8b70 3c mov esi,dword ptr ds:[eax+3c] ; get peheader
00591269 03b5 46f84000 add esi,dword ptr ss:[ebp+40f846]
0059126f 83c6 28 add esi,28 ; 定位addressofentrypoint(定位壳入口)
00591272 ad lods dword ptr ds:[esi] ; 壳入口rva为:17c000
00591273 8ad8 mov bl,al
00591275 02dc add bl,ah
00591277 c1e8 10 shr eax,10
0059127a 02d8 add bl,al
0059127c 02dc add bl,ah ; 实际就是把壳ep直接相加,
0059127e 889d 1e204000 mov byte ptr ss:[ebp+40201e],bl ; 相加后的值做为key保存在[ebp+40201e]处,[57d01e]==d7(17+c0)
00591284 60 pushad ; 计算完毕把代码再加密回去
00591285 e8 00000000 call 0059128a
0059128a 5e pop esi
0059128b 83ee 06 sub esi,6
0059128e b9 29000000 mov ecx,29
00591293 29ce sub esi,ecx
00591