;-----------------------------------------------------------------------
; Debugger listing (OllyDbg style: address  opcode-bytes  mnemonic ; comment)
; of an anti-debugging routine inside what appears to be a packer/protector
; stub. The capture was flattened onto one line; it is split back to one
; instruction per line here. It begins mid-instruction (the address and the
; first opcode byte of the initial lea are missing) and the final address
; 0058ce8f is a truncated line, so the routine continues outside this view.
;
; What the visible instructions do:
;   1. Build the argument list for CreateFileA("\\.\sice",
;      GENERIC_READ|GENERIC_WRITE, share rw, OPEN_EXISTING, ...).  The
;      \\.\SICE device is the classic SoftICE kernel-debugger check: a valid
;      handle back means the debugger driver is loaded.
;   2. Before each API call it reads the first byte of that API's entry
;      point and tests it for 0xCC (sub 0x33 / cmp 0x99  <=>  byte == 0xCC),
;      the INT3 opcode a debugger plants for a software breakpoint.
;   3. If an INT3 is found it skips the real call, writes a random dword at
;      a random offset inside an ebp-relative buffer (whose purpose is not
;      visible here) and falls through as if the call had returned.
;   4. inc eax / jnz <found debug> treats anything other than
;      INVALID_HANDLE_VALUE (-1) as "debugger detected", then the handle
;      value is handed to CloseHandle, guarded by the same INT3 check.
;
; Register roles: ebp = base for the stub's own data (delta-offset style
;   addressing as used by packer stubs -- assumption, confirm); esi = device
;   name string; eax = scratch / API return value; edi = write cursor for the
;   stos in the decoy path.
; Identifying features for an analyst: the "\\.\sice" string, the 0xCC
;   compare on the first byte of an imported API, and the runs of four nops
;   around each check.
;-----------------------------------------------------------------------
b5 c11e4100 lea esi,dword ptr ss:[ebp+411ec1]               ; esi = &"\\.\sice" (line truncated: address and first opcode byte missing)
0058ce1a > > 6a 00 push 0                                   ; /htemplatefile = null
0058ce1c . 68 80000000 push 80                              ; |attributes = normal
0058ce21 . 6a 03 push 3                                     ; |mode = open_existing
0058ce23 . 6a 00 push 0                                     ; |psecurity = null
0058ce25 . 6a 03 push 3                                     ; |sharemode = file_share_read|file_share_write
0058ce27 . 68 000000c0 push c0000000                        ; |access = generic_read|generic_write
0058ce2c . 56 push esi                                      ; |filename = "\\.\sice"  -- SoftICE device name
0058ce2d . 50 push eax                                      ; | save eax across the entry-byte check below
0058ce2e . 8b85 2bfd4000 mov eax,dword ptr ss:[ebp+40fd2b]  ; | eax = address of CreateFileA (import pointer kept at [ebp+40fd2b])
0058ce34 . 0fb600 movzx eax,byte ptr ds:[eax]               ; | check whether a CC (INT3) breakpoint has been planted at the API entry
0058ce37 . 83e8 33 sub eax,33                               ; | first byte - 0x33 ...
0058ce3a . 3d 99000000 cmp eax,99                           ; | ... == 0x99  <=>  first byte == 0xCC (INT3)
0058ce3f . 74 10 je short 0058ce51                          ; | breakpoint present: skip the real call, take the decoy path
0058ce41 . 90 nop                                           ; |
0058ce42 . 90 nop                                           ; |
0058ce43 . 90 nop                                           ; |
0058ce44 . 90 nop                                           ; |
0058ce45 . 58 pop eax                                       ; | restore eax
0058ce46 . ff95 2bfd4000 call dword ptr ss:[ebp+40fd2b]     ; \createfilea  -> eax = handle, or INVALID_HANDLE_VALUE (-1) if \\.\sice does not exist
0058ce4c . eb 17 jmp short 0058ce65                         ; join the common path
0058ce4e 90 nop
0058ce4f 90 nop
0058ce50 90 nop
0058ce51 > b8 e8030000 mov eax,3e8                          ; decoy path (INT3 seen on CreateFileA): eax = 1000, presumably a range for the RNG -- confirm
0058ce56 . e8 73eaffff call <get_rnd_value>                 ; presumably returns a random value in eax -- confirm against the callee
0058ce5b . 8dbd 615d4000 lea edi,dword ptr ss:[ebp+405d61]  ; edi = base of an ebp-relative buffer (its purpose is not visible in this listing)
0058ce61 . 03f8 add edi,eax                                 ; edi += random value, used as a plain byte offset
0058ce63 . ab stos dword ptr es:[edi]                       ; *edi = eax: overwrites 4 bytes at a random offset (silent self-corruption), edi += 4
0058ce64 . 58 pop eax                                       ; eax = value saved at 0058ce2d; NOTE: the seven CreateFileA args pushed above are not consumed on this path (stack left +28 bytes) -- check how the caller copes
0058ce65 > 40 inc eax                                       ; common path: INVALID_HANDLE_VALUE (-1) -> 0
0058ce66 . 75 53 jnz short <found debug>                    ; any other value (a real handle, or whatever eax held at 0058ce2d on the decoy path) => debugger detected
0058ce68 . 90 nop
0058ce69 . 90 nop
0058ce6a . 90 nop
0058ce6b . 90 nop
0058ce6c . 48 dec eax                                       ; eax = -1 again
0058ce6d . 50 push eax                                      ; hObject argument for CloseHandle
0058ce6e . 50 push eax                                      ; save eax across the entry-byte check
0058ce6f . 8b85 27fd4000 mov eax,dword ptr ss:[ebp+40fd27]  ; kernel32.closehandle  -- eax = address of CloseHandle
0058ce75 . 0fb600 movzx eax,byte ptr ds:[eax]               ; same INT3 check on CloseHandle's first byte
0058ce78 . 83e8 33 sub eax,33
0058ce7b . 3d 99000000 cmp eax,99                           ; first byte == 0xCC ?
0058ce80 . 74 10 je short 0058ce92                          ; breakpoint present: skip the call (0058ce92 lies outside this listing)
0058ce82 . 90 nop
0058ce83 . 90 nop
0058ce84 . 90 nop
0058ce85 . 90 nop
0058ce86 . 58 pop eax                                       ; restore eax
0058ce87 . ff95 27fd4000 call dword ptr ss:[ebp+40fd27]     ; closehandle
0058ce8d . eb 17 jmp short 0058cea6                         ; continue past the check (0058cea6 lies outside this listing)
0058ce8f                                                    ; (listing truncated here)