="2">ax,ax
00590bd4 75 14 ||jnz short 00590bea
00590bd6 90 ||nop
00590bd7 90 ||nop
00590bd8 90 ||nop
00590bd9 90 ||nop
00590bda 50 ||push eax
00590bdb 66:8b85 075b410>||mov ax,word ptr ss:[ebp+415b07]
00590be2 66:01441f 02 ||add word ptr ds:[edi+ebx+2],ax
00590be7 58 ||pop eax
00590be8 ^ e2 bb ||loopd short 00590ba5
00590bea 66:48 ||dec ax
00590bec 66:0bc0 ||or ax,ax
00590bef 75 13 ||jnz short 00590c04
00590bf1 90 ||nop
00590bf2 90 ||nop
00590bf3 90 ||nop
00590bf4 90 ||nop
00590bf5 50 ||push eax
00590bf6 66:8b85 055b410>||mov ax,word ptr ss:[ebp+415b05]
00590bfd 66:01041f ||add word ptr ds:[edi+ebx],ax
00590c01 58 ||pop eax
00590c02 ^ e2 a1 ||loopd short 00590ba5
00590c04 66:48 ||dec ax
00590c06 66:0bc0 ||or ax,ax
00590c09 75 0f ||jnz short 00590c1a
00590c0b 90 ||nop
00590c0c 90 ||nop
00590c0d 90 ||nop
00590c0e 90 ||nop
00590c0f 50 ||push eax
00590c10 8b85 055b4100 ||mov eax,dword ptr ss:[ebp+415b05]
00590c16 01041f ||add dword ptr ds:[edi+ebx],eax
00590c19 58 ||pop eax
00590c1a ^ e2 89 |\loopd short 00590ba5
00590c1c 8bf2 |mov esi,edx
00590c1e ^ e9 61ffffff \jmp 00590b84
00590c23 > 61 popad
00590c24 c3 retn
restore_jmp api table:
; Entry of the routine the write-up labels "restore_jmp api table". Only its first
; instructions are shown; the listing skips ahead after the call below.
00590e56 > 60 pushad ; restore_jmp api table: save all general-purpose registers
00590e57 46 inc esi
00590e58 87d6 xchg esi,edx
00590e5a 66:81f1 8666 xor cx,6686
00590e5f eb 01 jmp short 00590e62 ; lands on the 2nd byte (41) of the next listed instruction, so the linear decode below is not what executes
00590e61 eb 41 jmp short 00590ea4 ; decoded from the skipped byte eb; presumably a junk byte that desynchronises linear disassembly
00590e63 e8 01000000 call 00590e69 ; target is one byte past the fall-through address 00590e68, so one more byte is skipped
......
; Rewrites 0x1c (28) import jump stubs in place. Each pass of the loop stores 7 bytes at edi:
; 90 (nop), ff 25 (opcode of jmp dword ptr [addr32]), then the current value of esi as addr32.
; esi advances by 4 per pass, so consecutive stubs point at consecutive dword slots that
; start at ebp+40fcff.
; Assumes DF=0 so that stos moves edi forward; the visible lines do not set it.
; The stores target the stub code itself, so that range has to be writable while this runs.
; Writes into the stub range are therefore a marker for this stage when tracing the unpacker.
00591001 e8 fab0ffff call <sub_getebp > ; presumably loads the base used by the ebp-relative operands below (helper not shown)
00591006 b9 1c000000 mov ecx,1c ; loop counter: 0x1c stubs
0059100b 8db5 fffc4000 lea esi,dword ptr ss:[ebp+40fcff] ; esi = first dword slot the stubs will jump through
00591011 8dbd ef074100 lea edi,dword ptr ss:[ebp+4107ef] ; start restoring the api jmp stubs from 58b7f6
00591017 83c7 07 add edi,7 ; done once, before the loop: the first stub is 7 bytes past the lea'd address
0059101a b0 90 mov al,90 ; loop top: 0x90 = nop
0059101c aa stos byte ptr es:[edi] ; restore the stub to jmp [address] (nop byte first)
0059101d b8 ff250000 mov eax,25ff ; ax = 25ff, stored little-endian as bytes ff 25
00591022 66:ab stos word ptr es:[edi] ; emit ff 25 = jmp dword ptr [addr32]
00591024 8bc6 mov eax,esi ; operand is the address of the slot, not its contents
00591026 ab stos dword ptr es:[edi] ; emit addr32; edi now points at the next 7-byte stub
00591027 83c6 04 add esi,4 ; next dword slot
0059102a ^ e2 ee loopd short 0059101a ; repeat until ecx reaches 0
0059102c 60 pushad ; encrypt it back again
0059102d e8 00000000 call 00591032 ; call to the next instruction: pushes 00591032; the continuation is not shown here