AcProtect 1.41 外壳分析[53]

="2">ecx*4] 0058f11a 8b5c8e 04 mov ebx,dword ptr ds:[esi+ecx*4+4] 0058f11e 03c3 add eax,ebx 0058f120 c1c8 1a ror eax,1a 0058f123 2bc2 sub eax,edx 0058f125 81c2 4f6b073c add edx,3c076b4f 0058f12b 89048e mov dword ptr ds:[esi+ecx*4],eax 0058f12e 49 dec ecx 0058f12f ^ eb e1 jmp short 0058f112 0058f131 61 popad ...... 0058f2dc e8 1fceffff call <sub_getebp >
; 开始执行判断是否用了注册提示,是否显示机器码信息框之类的 0058f2e1 66:81bd 2cf5400>cmp word ptr ss:[ebp+40f52c],0ff00 0058f2ea 0f84 ac000000 je 0058f39c 0058f2f0 66:81bd 2cf5400>cmp word ptr ss:[ebp+40f52c],0ff01 ; 这几个判断没有认真去看 0058f2f9 74 39 je short 0058f334 0058f2fb 90 nop 0058f2fc 90 nop 0058f2fd 90 nop 0058f2fe 90 nop 0058f2ff 66:81bd 2cf5400>cmp word ptr ss:[ebp+40f52c],0ff02 0058f308 74 53 je short 0058f35d ...... 0058f4e0 60 pushad ; 加密回去 0058f4e1 e8 00000000 call 0058f4e6 0058f4e6 5e pop esi 0058f4e7 83ee 06 sub esi,6 0058f4ea b9 04020000 mov ecx,204 0058f4ef 29ce sub esi,ecx 0058f4f1 ba b615f109 mov edx,9f115b6 0058f4f6 c1e9 02 shr ecx,2 0058f4f9 83e9 02 sub ecx,2 0058f4fc 83f9 00 cmp ecx,0 0058f4ff 7c 1a jl short 0058f51b 0058f501 8b048e mov eax,dword ptr ds:[esi+ecx*4] 0058f504 8b5c8e 04 mov ebx,dword ptr ds:[esi+ecx*4+4] 0058f508 2bc3 sub eax,ebx 0058f50a c1c8 14 ror eax,14 0058f50d 2bc2 sub eax,edx 0058f50f 81c2 94655aa2 add edx,a25a6594 0058f515 89048e mov dword ptr ds:[esi+ecx*4],eax 0058f518 49 dec ecx 0058f519 ^ eb e1 jmp short 0058f4fc 0058f51b 61 popad 0058f51c 61 popad 0058f51d e8 4c050000 call <sub_check_reg> 0058f522 c3 retn sub_disposal iat: 005902a5 > 60 pushad ; import table disposal 005902a6 eb 01 jmp short 005902a9 005902a8 7a 87 jpe short 00590231 005902aa c5eb lds ebp,ebx ; illegal use of register 005902ac 017a 66 add dword ptr ds:[edx+66],edi 005902af ba 78e17a03 mov edx,37ae178 ...... 00590450 e8 abbcffff call <sub_getebp >
00590455 c685 a5524100 c>mov byte ptr ss:[ebp+4152a5],0c3 ; 如果执行完了则不再执行 0059045c c785 0bf94000 0>mov dword ptr ss:[ebp+40f90b],00401000 00590466 01ad 0bf94000 add dword ptr