AcProtect 1.41 外壳分析[41]

; /enumwindows 0058e868 e8 bdd8ffff call <sub_getprocaddress> ; \getprocaddressfun 0058e86d b8 c7fc4000 mov eax,0040fcc7 0058e872 ba 0bfd4000 mov edx,0040fd0b ; /getwindowtexta 0058e877 e8 aed8ffff call <sub_getprocaddress> ; \getprocaddressfun 0058e87c b8 d6fc4000 mov eax,0040fcd6 0058e881 ba 0ffd4000 mov edx,0040fd0f ; /getclassnamea 0058e886 e8 9fd8ffff call <sub_getprocaddress> ; \getprocaddressfun 0058e88b b8 e4fc4000 mov eax,0040fce4 0058e890 ba 13fd4000 mov edx,0040fd13 ; /postmessagea 0058e895 e8 90d8ffff call <sub_getprocaddress> ; \getprocaddressfun 0058e89a b8 bafd4000 mov eax,0040fdba 0058e89f ba b6fd4000 mov edx,0040fdb6 ; /wsprintfa 0058e8a4 e8 81d8ffff call <sub_getprocaddress> ; \getprocaddressfun 0058e8a9 b8 c8fd4000 mov eax,0040fdc8 0058e8ae ba c4fd4000 mov edx,0040fdc4 ; /registerhotkey 0058e8b3 e8 72d8ffff call <sub_getprocaddress> ; \getprocaddressfun 0058e8b8 8dbd 83fb4000 lea edi,dword ptr ss:[ebp+40fb83] 0058e8be 8d8d f1fc4000 lea ecx,dword ptr ss:[ebp+40fcf1] ; 获取完相关的api后，清除名字 0058e8c4 2bcf sub ecx,edi ; 大小为16e 0058e8c6 33c0 xor eax,eax 0058e8c8 f3:aa rep stos byte ptr es:[edi] ; 清除壳api数据 0058e8ca c3 retn sub_getprocaddress: 0058c12a > 53 push ebx ; sub_getprocaddress 0058c12b 50 push eax 0058c12c 52 push edx 0058c12d 03c5 add eax,ebp 0058c12f 50 push eax 0058c130 53 push ebx 0058c131 50 push eax 0058c132 8b85 1c854100 mov eax,dword ptr ss:[ebp+41851c] 0058c138 0fb600 movzx eax,byte ptr ds:[eax] 0058c13b 83e8 33 sub eax,33 0058c13e 3d 99000000 cmp eax,99 0058c143 74 10 je short <gameover> 0058c145 90 nop 0058c146 90 nop 0058c147 90 nop 0058c148 90 nop 0058c149 58 pop eax ; /globalalloc 0058c14a ff95 1c854100 call dword ptr ss:[ebp+41851c] ; \getprocaddress 0058c150 eb 17 jmp short <save address> 0058c152 90 nop 0058c153 90 nop 0058c154 90 nop 0058c155 > b8 e8030000 mov eax,3e8 ; gameover 0058c15a e8 6ff7ffff call <get_rnd_value> 0058c15f 8dbd 615d4000 lea edi,dword ptr ss:[ebp+405d61] 0058c165 03f8 add edi,eax 0058c167 ab stos dword ptr es