AcProtect 1.41 外壳分析[42]

:[edi] 0058c168 58 pop eax 0058c169 > 5a pop edx ; save address 0058c16a 894415 00 mov dword ptr ss:[ebp+edx],eax ; 填入正确的api 0058c16e 58 pop eax 0058c16f 5b pop ebx 0058c170 c3 retn copy_import table: 00590c48 > 60 pushad ; copy_import table 00590c49 47 inc edi 00590c4a 7a 02 jpe short 00590c4e 00590c4c 85fb test ebx,edi 00590c4e 8bc1 mov eax,ecx 00590c50 7e 03 jle short 00590c55 00590c52 7f 01 jg short 00590c55 00590c54 ^ 75 d3 jnz short 00590c29 00590c56 ^ e0 e8 loopdne short 00590c40 00590c58 0100 add dword ptr ds:[eax],eax 00590c5a 0000 add byte ptr ds:[eax],al 00590c5c ^ 71 83 jno short 00590be1 00590c5e c404fc les eax,fword ptr ss:[esp+edi*8] ; modification of segment register 00590c61 e8 01000000 call 00590c67 00590c66 ^ 7c 83 jl short 00590beb ...... 00590df3 e8 08b3ffff call <sub_getebp >
00590df8 8db5 1c854100 lea esi,dword ptr ss:[ebp+41851c] ; 壳输入表起始位置 00590dfe 8dbd 33fd4000 lea edi,dword ptr ss:[ebp+40fd33] ; 复制到目标地址的起始位置 00590e04 b9 05000000 mov ecx,5 00590e09 f3:a5 rep movs dword ptr es:[edi],dword ptr ds:>; 复制 00590e0b 8dbd 43fd4000 lea edi,dword ptr ss:[ebp+40fd43] 00590e11 8d85 4bfe4000 lea eax,dword ptr ss:[ebp+40fe4b] 00590e17 ab stos dword ptr es:[edi] ; 把messageboxa的地址改为58ae4b 00590e18 60 pushad ; 加密代码 00590e19 e8 00000000 call 00590e1e 00590e1e 5e pop esi 00590e1f 83ee 06 sub esi,6 00590e22 b9 25000000 mov ecx,25 00590e27 29ce sub esi,ecx 00590e29 ba ab6d95b2 mov edx,b2956dab 00590e2e c1e9 02 shr ecx,2 00590e31 83e9 02 sub ecx,2 00590e34 83f9 00 /cmp ecx,0 00590e37 7c 1a |jl short 00590e53 00590e39 8b048e |mov eax,dword ptr ds:[esi+ecx*4] 00590e3c 8b5c8e 04 |mov ebx,dword ptr ds:[esi+ecx*4+4] 00590e40 33c3 |xor eax,ebx 00590e42 c1c8 02 |ror eax,2 00590e45 03c2 |add eax,edx 00590e47 81f2 7cdb1d5c |xor edx,5c1ddb7c 00590e4d 89048e |mov dword ptr ds:[esi+ecx*4],eax 00590e50 49 |dec ecx 00590e51 ^ eb e1 \jmp short 00590e34 00590e53 61