AcProtect 1.41 外壳分析[54]

d="2">ss:[ebp+40f90b],ebp 0059046c 8385 0bf94000 1>add dword ptr ss:[ebp+40f90b],10 00590473 8b95 46f84000 mov edx,dword ptr ss:[ebp+40f846] ; 取imagebase 00590479 8bb5 07f94000 mov esi,dword ptr ss:[ebp+40f907] ; [ebp+40f907]记录着程序输入表的起始位置rva==beb88 0059047f 03f2 add esi,edx ; 转为va 00590481 > 8b46 0c mov eax,dword ptr ds:[esi+c] 00590484 0bc0 or eax,eax 00590486 0f84 25020000 je <finished> ; 处理完则跳去结束处 0059048c 8366 0c 00 and dword ptr ds:[esi+c],0 ; 开始清除原iat结构,nop掉 00590490 03c2 add eax,edx 00590492 8bd8 mov ebx,eax 00590494 56 push esi 00590495 57 push edi 00590496 50 push eax 00590497 8bf3 mov esi,ebx 00590499 8bfb mov edi,ebx 0059049b > ac lods byte ptr ds:[esi] ; decrypt_dll_name 0059049c c0c0 03 rol al,3 ; 还原出正确的dll名 0059049f aa stos byte ptr es:[edi] 005904a0 803f 00 cmp byte ptr ds:[edi],0 005904a3 ^ 75 f6 jnz short <decrypt_dll_name> 005904a5 58 pop eax 005904a6 5f pop edi 005904a7 5e pop esi 005904a8 50 push eax ; /modulename 005904a9 ff95 20854100 call dword ptr ss:[ebp+418520] ; \getmodulehandlea 005904af 0bc0 or eax,eax 005904b1 75 43 jnz short <dll_is_loaded> 005904b3 90 nop 005904b4 90 nop 005904b5 90 nop 005904b6 90 nop 005904b7 53 push ebx ; /dllname 005904b8 ff95 24854100 call dword ptr ss:[ebp+418524] ; \loadlibrarya 005904be 0bc0 or eax,eax 005904c0 75 34 jnz short <dll_is_loaded> 005904c2 90 nop 005904c3 90 nop 005904c4 90 nop 005904c5 90 nop 005904c6 > 8b95 46f84000 mov edx,dword ptr ss:[ebp+40f846] ; 载入失败的路 005904cc 0195 351b4000 add dword ptr ss:[ebp+401b35],edx 005904d2 0195 391b4000 add dword ptr ss:[ebp+401b39],edx 005904d8 6a 00 push 0 ; /style 005904da ffb5 351b4000 push dword ptr ss:[ebp+401b35] ; |caption 005904e0 ffb5 391b4000 push dword ptr ss:[ebp+401b39] ; |text 005904e6 6a 00 push 0 ; |howner = null 005904e8 ff95 2c854100 call dword