jo short 0058dc3e
0058dc3b 66:8bce mov cx,si
0058dc3e f8 clc
......
; Anti-debug stub, shown as debugger disassembly: address, hex bytes, instruction.
; Names in <...> are the analyst's own labels, not symbols from the binary.
; Flow visible in this excerpt:
;   1. call <eax=0 do something>; a nonzero eax skips straight to <not found debug> (0058de25).
;   2. Otherwise store 0C3 (RET) at [ebp+412c38] and call IsDebuggerPresent through [ebp+40fd47].
;   3. If a debugger is reported, scan forward for an E8/E9 opcode byte and overwrite the
;      four bytes after it with eax, so the program fails later instead of at the check.
;   4. Both paths reach 0058de25, which rewrites the 42h bytes in front of it
;      (0058dde3..0058de24, i.e. steps 1-3 themselves) and returns.
; Step 4 stores into the code just executed, so the bytes held in memory at these addresses
; after the routine returns no longer match what ran.
0058dde3 . e8 18e3ffff call <sub_getebp > ; presumably loads the ebp base used by the [ebp+...] operands below (body not shown)
0058dde8 . e8 df020000 call <eax=0 do something> ; helper not shown; only its eax result is used here
0058dded . 0bc0 or eax,eax ; set ZF from eax without changing it
0058ddef . 75 34 jnz short <not found debug> ; eax != 0 -> skip the debugger test (target 0058de25)
; NOTE(review): four NOPs follow each short conditional jump in this block; their origin is not established by the listing.
0058ddf1 . 90 nop
0058ddf2 . 90 nop
0058ddf3 . 90 nop
0058ddf4 . 90 nop
0058ddf5 . c685 382c4100>mov byte ptr ss:[ebp+412c38],0c3 ; once the related routine has run, its entry is patched to RET (0C3)
0058ddfc . ff95 47fd4000 call dword ptr ss:[ebp+40fd47] ; IsDebuggerPresent, called through a stored pointer; nonzero eax = debugger attached
0058de02 . 0bc0 or eax,eax
0058de04 . 74 1f je short <not found debug> ; eax == 0 -> no debugger reported
0058de06 . 90 nop
0058de07 . 90 nop
0058de08 . 90 nop
0058de09 . 90 nop
; Debugger-detected path: esi = [ebp+41814b] + [ebp+40f846].
; NOTE(review): presumably a base plus an offset into the protected code; confirm from the elided part.
0058de0a . 8bb5 4b814100 mov esi,dword ptr ss:[ebp+41814b]
0058de10 . 03b5 46f84000 add esi,dword ptr ss:[ebp+40f846]
; Scan byte by byte until an E8 (call rel32) or E9 (jmp rel32) opcode byte is read; the loop has no length bound.
0058de16 > ac lods byte ptr ds:[esi] ; al = [esi], esi advances by 1
0058de17 > 3c e8 cmp al,0e8
0058de19 . 74 08 je short 0058de23
0058de1b . 90 nop
0058de1c . 90 nop
0058de1d . 90 nop
0058de1e . 90 nop
0058de1f . 3c e9 cmp al,0e9
0058de21 .^ 75 f3 jnz short 0058de16
0058de23 > 8906 mov dword ptr ds:[esi],eax ; write garbage: esi now points just past the opcode byte, so its 4-byte operand is replaced
0058de25 > > 60 pushad ; <not found debug>: the no-debugger path jumps here; the detected path falls through
; call/pop yields the current address: esi = 0058de2b, -6 = 0058de25, -42h = 0058dde3 (first line of this block).
0058de26 . e8 00000000 call 0058de2b
0058de2b $ 5e pop esi
0058de2c . 83ee 06 sub esi,6
0058de2f . b9 42000000 mov ecx,42 ; length in bytes of the region to rewrite
0058de34 . 29ce sub esi,ecx
0058de36 . ba 83cf06dd mov edx,dd06cf83 ; initial key
0058de3b . c1e9 02 shr ecx,2 ; 42h bytes -> 10h dwords
0058de3e . 83e9 02 sub ecx,2 ; start at index 0Eh, because each step also reads dword index+1
; <crypt code> loop, index 0Eh down to 0: d[i] = rol(d[i] + d[i+1], 9) - key; key += a31052ac.
; Dword 0Fh is only read, and the last two of the 42h bytes are left untouched.
0058de41 > > 83f9 00 cmp ecx,0
0058de44 . 7c 1a jl short 0058de60 ; signed test: leave once the index drops below 0
0058de46 . 8b048e mov eax,dword ptr ds:[esi+ecx*4]
0058de49 . 8b5c8e 04 mov ebx,dword ptr ds:[esi+ecx*4+4]
0058de4d . 03c3 add eax,ebx
0058de4f . c1c0 09 rol eax,9
0058de52 . 2bc2 sub eax,edx
0058de54 . 81c2 ac5210a3 add edx,a31052ac ; advance the key for the next dword
0058de5a . 89048e mov dword ptr ds:[esi+ecx*4],eax ; store back in place over the code
0058de5d . 49 dec ecx
0058de5e .^ eb e1 jmp short <crypt code>
0058de60 > 61 popad ; balances the pushad at 0058de25
0058de61 > 61 popad ; NOTE(review): presumably balances a pushad in the elided part before 0058dde3
0058de62 . c3 retn
sub_check_unhandledexceptionfilter:
; Analyst-named routine; only its first instructions appear in this excerpt.
; Per the original annotation it checks whether a CC (int3) software breakpoint has been
; placed at the entry of a function (presumably UnhandledExceptionFilter, going by the label).
; The comparison itself is in the elided part.
0058d324 > 60 pushad ; checks whether a CC (int3) breakpoint has been set at that function's entry
; NOTE(review): the purpose of the next four instructions is not established by the excerpt.
0058d325 87f8 xchg eax,edi
0058d327 49 dec ecx
0058d328 47 inc edi
0058d329 f9 stc
......
0058d4cf > \e8 2cecffff call <