00591032 5e pop esi
00591033 83ee 06 sub esi,6
00591036 b9 2b000000 mov ecx,2b
0059103b 29ce sub esi,ecx
0059103d ba 4bf05729 mov edx,2957f04b
00591042 c1e9 02 shr ecx,2
00591045 83e9 02 sub ecx,2
00591048 83f9 00 cmp ecx,0
0059104b 7c 1a jl short 00591067
0059104d 8b048e mov eax,dword ptr ds:[esi+ecx*4]
00591050 8b5c8e 04 mov ebx,dword ptr ds:[esi+ecx*4+4]
00591054 33c3 xor eax,ebx
00591056 c1c8 0d ror eax,0d
00591059 33c2 xor eax,edx
0059105b 81c2 10b43c8d add edx,8d3cb410
00591061 89048e mov dword ptr ds:[esi+ecx*4],eax
00591064 49 dec ecx
00591065 ^ eb e1 jmp short 00591048
00591067 61 popad
00591068 61 popad
00591069 c3 retn
;-----------------------------------------------------------------------
; sub_sdk_disposal  (0059106a .. 005910af, Intel syntax, 32-bit OllyDbg listing)
; Walks a zero-terminated table of SDK-marked code regions and copies each
; region into a freshly GlobalAlloc'd block.
; Every static reference goes through ebp, which sub_getebp sets to the
; load delta, so [ebp+X] reads "X + delta".  Three parallel tables share
; the index edx (scaled by 4):
;   [ebp+edx*4+401b3d]  RVA of region edx; 0 ends the loop
;   [ebp+edx*4+401ccd]  size of region edx in bytes
;   [ebp+edx*4+401e5d]  written with the pointer GlobalAlloc returned
; Register roles: edx = table index, esi = source VA, ecx = byte count,
; edi = destination.  pushad/popad at entry/exit preserve all registers
; for the caller.
; The dump at 0057cb3d further down matches the first table for a delta
; of 17b000 (57cb3d - 401b3d); verify against the actual ebp value.
; NOTE(review): the GlobalAlloc result is stored and then used as the
; rep movs destination without a NULL check; no cld is visible in this
; block, so the forward copy relies on DF already being clear.
;-----------------------------------------------------------------------
sub_sdk_disposal:
0059106a > 60 pushad ; sub_sdk_disposal: save every register for the caller
0059106b e8 90b0ffff call <sub_getebp > ; ebp = load delta, base for all [ebp+...] below
00591070 33d2 xor edx,edx ; edx = 0, index into the three parallel tables
00591072 > 8bb495 3d1b4000 mov esi,dword ptr ss:[ebp+edx*4+401b3d] ; loop memcopy: esi = RVA of entry edx; non-zero only if the SDK was used
00591079 0bf6 or esi,esi ; zero RVA = SDK not used, or every SDK entry already processed -> leave
0059107b 74 31 je short <finished> ; -> 005910ae
0059107d 90 nop ; padding
0059107e 90 nop
0059107f 90 nop
00591080 90 nop
00591081 03b5 46f84000 add esi,dword ptr ss:[ebp+40f846] ; RVA -> VA by adding the value at [ebp+40f846] (presumably the image base; confirm)
00591087 8b8c95 cd1c4000 mov ecx,dword ptr ss:[ebp+edx*4+401ccd] ; ecx = size of the encrypted code region
0059108e 60 pushad ; keep ecx/esi/edx across the API call
0059108f 52 push edx ; index, restored right after the call (not an argument)
00591090 51 push ecx ; /memsize = region size
00591091 6a 40 push 40 ; |flags = gptr
00591093 ff95 fffc4000 call dword ptr ss:[ebp+40fcff] ; \globalalloc through the pointer slot at [ebp+40fcff]; eax = block, never checked for NULL
00591099 5a pop edx ; restore the index saved above
0059109a 898495 5d1e4000 mov dword ptr ss:[ebp+edx*4+401e5d],eax ; save the dynamically allocated address in the third table
005910a1 61 popad ; back to the pre-call ecx/esi/edx
005910a2 8bbc95 5d1e4000 mov edi,dword ptr ss:[ebp+edx*4+401e5d] ; edi = the block just allocated
005910a9 f3:a4 rep movs byte ptr es:[edi],byte ptr ds:[>; copy ecx bytes of code from esi into the allocated block
005910ab 42 inc edx ; next table entry
005910ac ^ eb c4 jmp short <loop memcopy> ; -> 00591072
005910ae > 61 popad ; finished: restore the caller's registers
005910af c3 retn
也就是说壳加密时已经处理好了。这个壳只是加载一下而已,看看数据窗口,总结一下就这么回事:
0057cb3d d1 ab 02 00 a1 de 02 00 d6 cc 01 00 32 c9 06 00 勋.∞.痔.2?. ;这里就是用了sdk的各地址的rva
0057cb4d df 3a 02 00 38 fc 05 00 c8 2e 06 00 0f 2c 05 00 ?.8?.?.,.
0057cb5d 0f 93 03 00 71 fe 00 00 8b 61 06 00 7d c7 03 00 ?.q?.媋.}?.
0057cb6d 3d fa 03 00 bd 2d 04 00 7d 60 04 00 3d 93 04 00 =?.?.}`.=?.
0057