82 90 nop
; --- Tail of the unpacker stub: last step of the IAT-fill loop, wipe of the
; --- work area, re-encryption of the stub's own code, integrity check, return.
; --- NOTE(review): ebp appears to hold a relocation delta (cf. sub_getebp
; --- further down); every ss:[ebp+...] below is a delta-relative reference
; --- into the stub's data area. The loop head (00590511) is before this excerpt.
00590683 90 nop
00590684 90 nop
00590685 81e9 01010000 sub ecx,101 ; ecx = ecx - 0x101 ...
0059068b f7d1 not ecx ; ... then ~: ecx = 0x100 - ecx_in (index into the table below)
0059068d 89948d ebe84000 mov dword ptr ss:[ebp+ecx*4+40e8eb],edx ; table[0x100-ecx_in] = edx (4-byte slots at +40e8eb); only this store survives the popad
00590694 61 popad ; restores regs saved by a pushad outside this excerpt (ecx above was scratch)
00590695 8907 mov dword ptr ds:[edi],eax ; write the resolved API address into the current IAT slot
00590697 8385 42f84000 0>add dword ptr ss:[ebp+40f842],4 ; saved IAT cursor += 4 (next slot)
0059069e ^ e9 6efeffff jmp 00590511 ; back-edge to the per-import loop head (outside this excerpt)
005906a3 > 83c6 14 add esi,14 ; next import descriptor: 0x14 = 20 bytes = sizeof(IMAGE_IMPORT_DESCRIPTOR), consistent with the original "next dll" note
005906a6 8b95 46f84000 mov edx,dword ptr ss:[ebp+40f846] ; reload edx from saved state for the outer (per-DLL) loop
005906ac ^ e9 d0fdffff jmp <loop fill iat> ; outer loop: process the next DLL
005906b1 > 8dbd ebec4000 lea edi,dword ptr ss:[ebp+40eceb] ; +40eceb = +40e8eb + 0x100*4: the 1 KiB directly after the table written above
005906b7 33c0 xor eax,eax ; fill value 0
005906b9 b9 00010000 mov ecx,100 ; 0x100 dwords = 1024 bytes
005906be f3:ab rep stos dword ptr es:[edi] ; zero the work area (presumably so resolved data is not left behind for a memory dump)
005906c0 60 pushad ; re-encrypt the stub's own code below (self-modifying: the code pages must be writable here)
005906c1 e8 00000000 call 005906c6 ; call $+5 / pop = get EIP
005906c6 5e pop esi ; esi = 005906c6
005906c7 83ee 06 sub esi,6 ; esi = 005906c0 (the pushad above)
005906ca b9 70020000 mov ecx,270 ; region length 0x270 = 624 bytes
005906cf 29ce sub esi,ecx ; esi = 00590450: region [00590450,005906c0) is the code that just ran, incl. the IAT loop at 00590511
005906d1 ba bf51e4ce mov edx,cee451bf ; running key, initial value
005906d6 c1e9 02 shr ecx,2 ; 0x270/4 = 156 dwords (indices 0..155)
005906d9 83e9 02 sub ecx,2 ; start at index 154 so the [+4] lookahead read below never leaves the region
005906dc 83f9 00 cmp ecx,0 ; signed compare on purpose: loop until ecx wraps to -1
005906df 7c 1a jl short 005906fb
005906e1 8b048e mov eax,dword ptr ds:[esi+ecx*4] ; eax = d[i]
005906e4 8b5c8e 04 mov ebx,dword ptr ds:[esi+ecx*4+4] ; ebx = d[i+1]; already rewritten on every pass but the first, since i descends
005906e8 03c3 add eax,ebx
005906ea c1c8 08 ror eax,8
005906ed 2bc2 sub eax,edx ; d[i] = ror32(d[i] + d[i+1], 8) - key
005906ef 81ea 792fbab2 sub edx,b2ba2f79 ; key -= 0xb2ba2f79 per step, i.e. key_i = 0xcee451bf - (154-i)*0xb2ba2f79 (mod 2^32)
005906f5 89048e mov dword ptr ds:[esi+ecx*4],eax ; store back into the code region
005906f8 49 dec ecx
005906f9 ^ eb e1 jmp short 005906dc
; Inverse, for analysis: walk i ascending 0..154, d[i] = rol32(d[i] + key_i, 8) - d[i+1].
; Ascending order is required because d[i+1] must still hold its encrypted value.
005906fb 61 popad ; pairs with the pushad at 005906c0
005906fc 61 popad ; balances a pushad outside this excerpt (stub entry, presumably)
005906fd e8 d9d9ffff call <sub_chek_crc> ; file-tamper check; nothing in view tests its result ...
00590702 c3 retn ; ... so it must react internally, which also makes the check bypassable by NOPing this call
sub_chek_crc:
0058e0db > 60 pushad ; sub_chek_crc,检测文件修改
0058e0dc 77 02 ja short 0058e0e0
0058e0de 8bd7 mov edx,edi
0058e0e0 78 01 js short 0058e0e3
0058e0e2 f8 clc
0058e0e3 50 push eax
0058e0e4 e8 01000000 call 0058e0ea
0058e0e9 ^ 74 83 je short 0058e06e
......
0058e286 . e8 75deffff call <sub_getebp >
0058e28b . 68 20030000 push 320 ; /bufsize = 320 (800.)
0058e290 . 8dbd 11184000 lea edi,dword ptr ss:[ebp+401811] ; |
0058e296 . 57 push edi ; |pathbuffer = maincon.0057c811
0058e297 . 6a 00 push 0 ; |hmodule = null
0058e299 . ff95 73fd4000 call dword