AcProtect 1.41 外壳分析[56]

word ptr ss:[ebp+40f846] 0059056c 7c 11 jl short 0059057f ; 如果小于imagebase说明是序号 0059056e 90 nop 0059056f 90 nop 00590570 90 nop 00590571 90 nop 00590572 83bd 1a204000 0>cmp dword ptr ss:[ebp+40201a],0 00590579 75 0a jnz short 00590585 0059057b 90 nop 0059057c 90 nop 0059057d 90 nop 0059057e 90 nop 0059057f 81e3 ffffff0f and ebx,0fffffff 00590585 53 push ebx ; /api name 00590586 ffb5 3ef84000 push dword ptr ss:[ebp+40f83e] ; |hmodule 0059058c ff95 1c854100 call dword ptr ss:[ebp+41851c] ; \getprocaddress 00590592 3b9d 46f84000 cmp ebx,dword ptr ss:[ebp+40f846] 00590598 7c 0f jl short 005905a9 ; 如果是序号则跳 0059059a 90 nop 0059059b 90 nop 0059059c 90 nop 0059059d 90 nop 0059059e 60 pushad ; 如果是字符串名则清除api名 0059059f 2bc0 sub eax,eax 005905a1 > 8803 mov byte ptr ds:[ebx],al 005905a3 43 inc ebx 005905a4 3803 cmp byte ptr ds:[ebx],al 005905a6 ^ 75 f9 jnz short <clea api name> 005905a8 61 popad 005905a9 0bc0 or eax,eax ; 如果获取api地址失败则over 005905ab ^ 0f84 15ffffff je <fail message> 005905b1 3b85 2c854100 cmp eax,dword ptr ss:[ebp+41852c] ; 判断是否为特殊函数messageboxa 005905b7 74 20 je short 005905d9 005905b9 90 nop 005905ba 90 nop 005905bb 90 nop 005905bc 90 nop 005905bd 3b85 c4fd4000 cmp eax,dword ptr ss:[ebp+40fdc4] ; 判断是否为特殊函数registerhotkey 005905c3 74 09 je short 005905ce 005905c5 90 nop 005905c6 90 nop 005905c7 90 nop 005905c8 90 nop 005905c9 eb 14 jmp short 005905df 005905cb 90 nop 005905cc 90 nop 005905cd 90 nop 005905ce 8d85 31fe4000 lea eax,dword ptr ss:[ebp+40fe31] 005905d4 eb 09 jmp short 005905df 005905d6 90 nop 005905d7 90 nop 005905d8 90 nop 005905d9 8d85 4bfe4000 lea eax,dword ptr ss:[ebp+40fe4b] 005905df 56 push esi 005905e0 ffb5 3ef84000 push dword ptr ss:[ebp+40f83e] 005905e6 5e pop esi 005905e7 39b5 12204000 cmp dword ptr ss:[ebp+402012],esi ; 判断hmodule是否为kernel32.dll的句柄 005905ed 74 15 je short 00590604 005905ef 90 nop 005905f0 90 nop 005905f1 90 nop 005905f2 90 nop 005905f3 39b5 16204000