AcProtect 1.41 外壳分析[37]

295 ba 151e68ec mov edx,ec681e15 0059129a c1e9 02 shr ecx,2 0059129d 83e9 02 sub ecx,2 005912a0 83f9 00 /cmp ecx,0 005912a3 7c 1a |jl short 005912bf 005912a5 8b048e |mov eax,dword ptr ds:[esi+ecx*4] 005912a8 8b5c8e 04 |mov ebx,dword ptr ds:[esi+ecx*4+4] 005912ac 33c3 |xor eax,ebx 005912ae c1c0 1c |rol eax,1c 005912b1 2bc2 |sub eax,edx 005912b3 81ea f0b28598 |sub edx,9885b2f0 005912b9 89048e |mov dword ptr ds:[esi+ecx*4],eax 005912bc 49 |dec ecx 005912bd ^ eb e1 \jmp short 005912a0 ; 循环加密代码 005912bf 61 popad 005912c0 61 popad 005912c1 c3 retn get_rnd_value: 0058b8ce > 52 push edx 0058b8cf 0f31 rdtsc 0058b8d1 c1d0 02 rcl eax,2 0058b8d4 05 78563412 add eax,12345678 0058b8d9 13c4 adc eax,esp 0058b8db 33c1 xor eax,ecx 0058b8dd 3185 d5084100 xor dword ptr ss:[ebp+4108d5],eax ; [0058b8d5]==a0c10b22,每次的结果应该不同的 0058b8e3 034424 f8 add eax,dword ptr ss:[esp-8] 0058b8e7 d1d0 rcl eax,1 0058b8e9 5a pop edx 0058b8ea c3 retn sub_getapiaddress: 0058e5fb > e8 00dbffff call <sub_getebp >
; sub_getapiaddress 0058e600 8d85 83fb4000 lea eax,dword ptr ss:[ebp+40fb83] ; 从58abd3处开始取api的地址 0058e606 8bd8 mov ebx,eax 0058e608 50 push eax 0058e609 50 push eax 0058e60a 8b85 20854100 mov eax,dword ptr ss:[ebp+418520] ; getmodulehandlea 0058e610 0fb600 movzx eax,byte ptr ds:[eax] 0058e613 83e8 33 sub eax,33 0058e616 3d 99000000 cmp eax,99 0058e61b 74 10 je short <game over> ; 判断是否在api的入口处下了int 3断点,如果下了则over了 0058e61d 90 nop 0058e61e 90 nop 0058e61f 90 nop 0058e620 90 nop 0058e621 58 pop eax ; /hmodule=='kernel32.dll' 0058e622 ff95 20854100 call dword ptr ss:[ebp+418520] ; \getmodulehandlea 0058e628 eb 17 jmp short <next> 0058e62a 90 nop 0058e62b 90 nop 0058e62c 90 nop 0058e62d > b8 e8030000 mov eax,3e8 ; game over 0058e632 e8 97d2ffff call <get_rnd_value> 0058e637 8dbd 615d4000 lea edi,dword ptr ss:[ebp+405d61] 0058e63d 03f8 add edi,eax 0058e63f ab stos dword ptr