AcProtect 1.41 外壳分析[49]

">call 0058d1bb 0058d1bb 5e pop esi 0058d1bc 83ee 06 sub esi,6 0058d1bf b9 4b000000 mov ecx,4b 0058d1c4 29ce sub esi,ecx 0058d1c6 ba d0d6b318 mov edx,18b3d6d0 0058d1cb c1e9 02 shr ecx,2 0058d1ce 83e9 02 sub ecx,2 0058d1d1 83f9 00 /cmp ecx,0 0058d1d4 7c 1a |jl short 0058d1f0 0058d1d6 8b048e |mov eax,dword ptr ds:[esi+ecx*4] 0058d1d9 8b5c8e 04 |mov ebx,dword ptr ds:[esi+ecx*4+4] 0058d1dd 03c3 |add eax,ebx 0058d1df c1c8 13 |ror eax,13 0058d1e2 03c2 |add eax,edx 0058d1e4 81c2 b0b2e98f |add edx,8fe9b2b0 0058d1ea 89048e |mov dword ptr ds:[esi+ecx*4],eax 0058d1ed 49 |dec ecx 0058d1ee ^ eb e1 \jmp short 0058d1d1 0058d1f0 61 popad 0058d1f1 61 popad 0058d1f2 c3 retn sub_kernel: 0058ed39 > 60 pushad ; sub_kernel 0058ed3a f8 clc 0058ed3b 66:be da51 mov si,51da 0058ed3f 45 inc ebp 0058ed40 90 nop 0058ed41 90 nop 0058ed42 90 nop 0058ed43 90 nop ...... 0058eee4 e8 17d2ffff call <sub_getebp >
0058eee9 80bd a5524100 c>cmp byte ptr ss:[ebp+4152a5],0c3 0058eef0 74 09 je short <finishediat> 0058eef2 90 nop 0058eef3 90 nop 0058eef4 90 nop 0058eef5 90 nop 0058eef6 e8 aa130000 call <sub_disposal iat> 0058eefb > 66:c785 2cf5400>mov word ptr ss:[ebp+40f52c],0 0058ef04 83bd 4f814100 0>cmp dword ptr ss:[ebp+41814f],0 ; 这里判断是否用了acprotect定义的机器码函数那个选项,是否用rsa1024 0058ef0b 0f84 e5010000 je 0058f0f6 ; 没有用则跳 0058ef11 8db5 98f34000 lea esi,dword ptr ss:[ebp+40f398] ; 如果有则先强行生成一个cid.dll文件 0058ef17 56 push esi ; /buffer 0058ef18 68 ff000000 push 0ff ; |size 0058ef1d ff95 5bfd4000 call dword ptr ss:[ebp+40fd5b] ; \gettemppatha 0058ef23 b9 ffff0000 mov ecx,0ffff 0058ef28 8dbd 98f34000 lea edi,dword ptr ss:[ebp+40f398] 0058ef2e 33c0 xor eax,eax 0058ef30 f2:ae repne scas byte ptr es:[edi] ; 获取长度 0058ef32 4f dec edi 0058ef33 60 pushad 0058ef34 83bd 59814100 0>cmp dword ptr ss:[ebp+418159],0 0058ef3b 0f84 ad000000 je 0058efee 0058ef41 c707 4349442e mov dword ptr ds:[edi],2e444943 0058ef47 c747 04 646c6c6>mov dword ptr <