AcProtect 1.41 外壳分析[55]

id="5">ptr ss:[ebp+41852c] ; \messageboxa 005904ee 6a 00 push 0 ; /exitcode==0 005904f0 ff95 28854100 call dword ptr ss:[ebp+418528] ; \exitprocess 005904f6 > 60 pushad ; 载入dll后壳把dll名给清除掉 005904f7 2bc0 sub eax,eax 005904f9 > 8803 mov byte ptr ds:[ebx],al ; loop clea dllname 005904fb 43 inc ebx 005904fc 3803 cmp byte ptr ds:[ebx],al 005904fe ^ 75 f9 jnz short <loop clea dllname> 00590500 61 popad 00590501 8985 3ef84000 mov dword ptr ss:[ebp+40f83e],eax ; 保存hmodule 00590507 c785 42f84000 0>mov dword ptr ss:[ebp+40f842],0 00590511 8b95 46f84000 mov edx,dword ptr ss:[ebp+40f846] 00590517 8b06 mov eax,dword ptr ds:[esi] 00590519 0bc0 or eax,eax 0059051b 75 07 jnz short 00590524 0059051d 90 nop 0059051e 90 nop 0059051f 90 nop 00590520 90 nop 00590521 8b46 10 mov eax,dword ptr ds:[esi+10] 00590524 03c2 add eax,edx 00590526 0385 42f84000 add eax,dword ptr ss:[ebp+40f842] 0059052c 8b18 mov ebx,dword ptr ds:[eax] 0059052e 8b7e 10 mov edi,dword ptr ds:[esi+10] 00590531 03fa add edi,edx 00590533 03bd 42f84000 add edi,dword ptr ss:[ebp+40f842] 00590539 85db test ebx,ebx ; 判断当前dll的api有没有处理完 0059053b 0f84 62010000 je <disposal next dll> 00590541 f7c3 00000080 test ebx,80000000 ; 判断为api名字还是为序号 00590547 75 1d jnz short 00590566 00590549 90 nop 0059054a 90 nop 0059054b 90 nop 0059054c 90 nop 0059054d 03da add ebx,edx ; 如果是字符串，还得先还原出正确的api名字 0059054f 83c3 02 add ebx,2 00590552 56 push esi 00590553 57 push edi 00590554 50 push eax 00590555 8bf3 mov esi,ebx 00590557 8bfb mov edi,ebx 00590559 > ac lods byte ptr ds:[esi] ; restor_api_name 0059055a c0c0 03 rol al,3 0059055d aa stos byte ptr es:[edi] 0059055e 803f 00 cmp byte ptr ds:[edi],0 00590561 ^ 75 f6 jnz short <restor_api_name> 00590563 58 pop eax 00590564 5f pop edi 00590565 5e pop esi 00590566 3b9d 46f84000 cmp ebx,d