; ---------------------------------------------------------------------------
; Debugger dump (OllyDbg layout: address · opcode bytes · instruction · comment),
; 32-bit x86, Intel syntax, Win32 stdcall imports. Every import and every data
; reference in this excerpt is ss:[ebp+disp], so ebp presumably acts as a
; relocation/delta base for the whole routine — confirm against the prologue.
; The excerpt is cut at both ends: the first instruction has lost its address
; and bytes, and the last instruction is truncated mid-operand.
;
; What the visible code does, in order:
;   1. createfilea was already set up above the cut; a zero return skips to
;      0058f0f6.
;   2. Six pushes and two unlabelled calls ([ebp+40fd53], [ebp+40fd27]). The
;      argument layout matches WriteFile(h, buf, len, &written, NULL) followed by
;      CloseHandle(h) — presumed from the push pattern only; the dump does not
;      label them.
;   3. loadlibrarya on the name at ebp+40f398; failure is ignored.
;   4. getprocaddress on the name at ebp+40f4c4 (the original comment names the
;      export zcf_decrypt); the result overwrites the name slot. On success,
;      call <reg_info>.
;   5. 0058f0f6: re-encrypt the code region that precedes this point
;      (self-modifying; that region must be writable at runtime).
; ---------------------------------------------------------------------------
push esi                                                         ; address and bytes lost at the chunk boundary
0058f077 ff95 2bfd4000 call dword ptr ss:[ebp+40fd2b]            ; createfilea
0058f07d 0bc0 or eax,eax
0058f07f 74 75 je short 0058f0f6                                 ; handle == 0: skip the write and the library load
                                                                 ; NOTE(review): CreateFileA signals failure with INVALID_HANDLE_VALUE (-1),
                                                                 ; not 0, so this test does not catch a failed open — confirm what the
                                                                 ; skipped path expects
0058f081 90 nop                                                  ; four-byte nop pad after the jump — reads like patched-out instructions;
0058f082 90 nop                                                  ; confirm against the original bytes (same pad recurs at 0058f0c6 and 0058f0ed)
0058f083 90 nop
0058f084 90 nop
0058f085 50 push eax                                             ; hFile, left on the stack for the second call below
0058f086 6a 00 push 0                                            ; arg 5 = 0 (lpOverlapped if this is WriteFile)
0058f088 8db5 b3f44000 lea esi,dword ptr ss:[ebp+40f4b3]
0058f08e 56 push esi                                             ; arg 4 = out pointer (presumed lpNumberOfBytesWritten)
0058f08f ffb5 53814100 push dword ptr ss:[ebp+418153]            ; arg 3 = byte count
0058f095 8b9d 4f814100 mov ebx,dword ptr ss:[ebp+41814f]
0058f09b 039d 46f84000 add ebx,dword ptr ss:[ebp+40f846]
0058f0a1 2b9d 53814100 sub ebx,dword ptr ss:[ebp+418153]         ; ebx = [41814f] + [40f846] - [418153]; presumably end-of-region minus length = buffer start
0058f0a7 53 push ebx                                             ; arg 2 = buffer
0058f0a8 50 push eax                                             ; arg 1 = hFile
0058f0a9 ff95 53fd4000 call dword ptr ss:[ebp+40fd53]            ; unlabelled; five args in WriteFile order — presumed WriteFile
0058f0af ff95 27fd4000 call dword ptr ss:[ebp+40fd27]            ; unlabelled; consumes the hFile pushed at 0058f085 — presumed CloseHandle
0058f0b5 8db5 98f34000 lea esi,dword ptr ss:[ebp+40f398]
0058f0bb 56 push esi                                             ; /library name
0058f0bc ff95 24854100 call dword ptr ss:[ebp+418524]            ; \loadlibrarya
0058f0c2 0bc0 or eax,eax
0058f0c4 74 30 je short 0058f0f6                                 ; if the load fails, ignore it and jump on to the code that follows
0058f0c6 90 nop                                                  ; nop pad, see 0058f081
0058f0c7 90 nop
0058f0c8 90 nop
0058f0c9 90 nop
0058f0ca 8985 3ef84000 mov dword ptr ss:[ebp+40f83e],eax         ; load succeeded: keep hModule
0058f0d0 8db5 c4f44000 lea esi,dword ptr ss:[ebp+40f4c4]         ; then resolve the address of zcf_decrypt
0058f0d6 56 push esi                                             ; /name
0058f0d7 ffb5 3ef84000 push dword ptr ss:[ebp+40f83e]            ; |hmodule
0058f0dd ff95 1c854100 call dword ptr ss:[ebp+41851c]            ; \getprocaddress
0058f0e3 8985 c4f44000 mov dword ptr ss:[ebp+40f4c4],eax         ; the function pointer overwrites the name string in the same slot
0058f0e9 0bc0 or eax,eax
0058f0eb 74 09 je short 0058f0f6                                 ; export not found: skip reg_info
0058f0ed 90 nop                                                  ; nop pad, see 0058f081
0058f0ee 90 nop
0058f0ef 90 nop
0058f0f0 90 nop
0058f0f1 e8 d5f7ffff call <reg_info>                             ; body outside this excerpt
0058f0f6 60 pushad                                               ; encrypt the preceding code back (original comment); all GPRs saved around the loop
0058f0f7 e8 00000000 call 0058f0fc                               ; call-next / pop = get-EIP idiom: esi = 0058f0fc
0058f0fc 5e pop esi
0058f0fd 83ee 06 sub esi,6                                       ; esi = 0058f0f6
0058f100 b9 12020000 mov ecx,212                                 ; hex, as the dump prints it: 0x212 bytes
0058f105 29ce sub esi,ecx                                        ; esi = 0058f0f6 - 0x212 = 0058eee4, start of the region to re-encrypt
0058f107 ba 9a465152 mov edx,5251469a                            ; constant for the loop (presumably the key; the loop body is cut off)
0058f10c c1e9 02 shr ecx,2                                       ; ecx = 0x84 dwords
0058f10f 83e9 02 sub ecx,2                                       ; ecx = 0x82 = highest dword index
0058f112 83f9 00 cmp ecx,0
0058f115 7c 1a jl short 0058f131                                 ; signed test: the loop runs while ecx >= 0, counting down
0058f117 8b048e mov eax,dword ptr ds:[esi+                       ; truncated at the chunk boundary; bytes 8b 04 8e decode to mov eax,[esi+ecx*4]