"5">ptr ss:[ebp+415af7] ; fetch the relocation table RVA (the start of this instruction lies before this excerpt)
; ----------------------------------------------------------------------
; Debugger listing (columns: address, opcode bytes, instruction; all
; numbers are hex) of a loader routine that applies PE base relocations
; when the image is mapped at an address other than its preferred
; ImageBase. The "/" and "|" characters in front of a mnemonic are the
; listing's loop brackets, not part of the instruction.
;
; ebp-relative slots, as used by the visible code:
;   [ebp+40f846]  in-memory image base
;   [ebp+415af7]  RVA of the relocation table
;   [ebp+415afb]  size of the relocation table
;   [ebp+415b05]  delta = in-memory base - preferred base (written below)
;   [ebp+415b09]  end address of the relocation table (written below)
;   [ebp+415707]  flag tested after the call to 00590c25; its meaning is
;                 not visible in this excerpt
; ----------------------------------------------------------------------
00590b37 0bc0 or eax,eax
00590b39 0f84 e4000000 je <reloc finished> ; jump if the relocation table is empty (eax tested for zero)
00590b3f 8b85 46f84000 mov eax,dword ptr ss:[ebp+40f846] ; mov eax,offset imagebase (the in-memory imagebase; for a DLL it is not necessarily equal to the file's imagebase)
00590b45 8b70 3c mov esi,dword ptr ds:[eax+3c] ; esi = e_lfanew, the offset of the PE header stored in the DOS header
00590b48 03b5 46f84000 add esi,dword ptr ss:[ebp+40f846] ; esi = address of the PE header in memory
00590b4e 83c6 34 add esi,34 ; +34 = ImageBase field of a PE32 optional header
00590b51 ad lods dword ptr ds:[esi] ; load the file's imagebase (400000 by default)
00590b52 8b9d 46f84000 mov ebx,dword ptr ss:[ebp+40f846] ; actual in-memory imagebase
00590b58 2bd8 sub ebx,eax ; ebx = delta = in-memory base - preferred base
00590b5a 899d 055b4100 mov dword ptr ss:[ebp+415b05],ebx ; save the delta
00590b60 0bdb or ebx,ebx
00590b62 0f84 bb000000 je <reloc finished> ; if the two bases are equal, the relocation table is not processed
00590b68 8bb5 46f84000 mov esi,dword ptr ss:[ebp+40f846]
00590b6e 03b5 f75a4100 add esi,dword ptr ss:[ebp+415af7] ; mem imagebase + relocation RVA: esi = start of the relocation table in memory
00590b74 8b8d fb5a4100 mov ecx,dword ptr ss:[ebp+415afb] ; reloc size
00590b7a 03f1 add esi,ecx
00590b7c 89b5 095b4100 mov dword ptr ss:[ebp+415b09],esi ; save the table's end address (start + size)
00590b82 2bf1 sub esi,ecx ; esi back to the start of the table
; Outer loop: one iteration per relocation block. Per the PE base-relocation
; layout each block starts with two dwords (page RVA, block size in bytes)
; followed by 16-bit entries.
00590b84 3bb5 095b4100 /cmp esi,dword ptr ss:[ebp+415b09] ; jump to the end once the whole table has been processed
00590b8a 0f8d 93000000 |jge <reloc finished> ; loop over the relocation table (note: jge compares the two addresses as signed values)
00590b90 8bbd 46f84000 |mov edi,dword ptr ss:[ebp+40f846]
00590b96 8bd6 |mov edx,esi ; edx = address of this block's header
00590b98 ad |lods dword ptr ds:[esi] ; eax = first header dword (page RVA)
00590b99 03f8 |add edi,eax ; edi = in-memory base + page RVA
00590b9b ad |lods dword ptr ds:[esi] ; eax = second header dword (block size, header included)
00590b9c 03d0 |add edx,eax ; edx = block start + block size (by the layout, where the next block begins; its use is outside this excerpt)
; NOTE(review): in the visible code the block size is used without a check
; that it is at least 8 or that the block stays below the end address saved
; in [ebp+415b09]; a size below 8 wraps in the subtraction and gives a huge
; entry count. A tool that re-implements this walk (unpacker, emulator,
; static parser) should validate both values before trusting ecx.
00590b9e 83e8 08 |sub eax,8 ; drop the 8-byte block header
00590ba1 d1e8 |shr eax,1 ; two bytes per entry
00590ba3 8bc8 |mov ecx,eax ; ecx = number of entries in this block
; Inner loop: one iteration per 16-bit entry (the loop tail is outside this excerpt).
00590ba5 66:ad |/lods word ptr ds:[esi] ; ax = next entry
00590ba7 66:0bc0 ||or ax,ax
00590baa 74 70 ||je short 00590c1c ; an all-zero entry skips the processing below (target outside this excerpt)
00590bac 90 ||nop
00590bad 90 ||nop
00590bae 90 ||nop
00590baf 90 ||nop
00590bb0 0fb7d8 ||movzx ebx,ax
00590bb3 81e3 ff0f0000 ||and ebx,0fff ; ebx = low 12 bits of the entry: offset inside the page
00590bb9 e8 67000000 ||call 00590c25 ; helper outside this excerpt; what it does cannot be determined from here
00590bbe 83bd 07574100 0>||cmp dword ptr ss:[ebp+415707],0 ; the "0>" appears to be the opcode-byte column cut short by the listing
00590bc5 75 53 ||jnz short 00590c1a ; non-zero flag: skip the type handling below (target outside this excerpt)
00590bc7 90 ||nop
00590bc8 90 ||nop
00590bc9 90 ||nop
00590bca 90 ||nop
00590bcb 66:c1e8 0c ||shr ax,0c ; ax = high 4 bits of the entry: relocation type (assumes the helper above preserved ax -- confirm)
00590bcf 66:48 ||dec ax ; type - 1
; The next instruction is truncated at the end of this excerpt.
00590bd1 66:0bc0 ||or