fs:[eax]
0058cc49 . 58 pop eax
0058cc4a . c3 retn
; sub_goto_end -- "call over inline data" trick (listing is an OllyDbg dump, Intel syntax).
; The CALL at 00592ece lands on 00592ef8 (= 00592ed3 + 0x25), so 00592ed3..00592ef7 are
; never executed; OllyDbg decodes those bytes as nonsense opcodes, but they are ASCII:
;   42 79 20 54 72 69 61 6c 20 41 43 50 72 6f 74 65 63 74 00  = "By Trial ACProtect\0"
;   73 74 65 72 65 64 20 41 43 50 72 6f 74 65 63 74 21 00     = "stered ACProtect!\0"
; The CALL also leaves 00592ed3 (the string address) on the stack as its return address.
; The branch targets OllyDbg prints for these lines (00592ef6, 00592f42, ...) are artefacts
; of decoding data as code and must not be followed when tracing.
sub_goto_end:
00592ece > e8 25000000 call <goto end> ; jump over the inline strings; pushes 00592ed3
00592ed3 42 inc edx ; 'B'  -- data, not code, from here to 00592ef7
00592ed4 79 20 jns short 00592ef6 ; 'y '
00592ed6 54 push esp ; 'T'
00592ed7 72 69 jb short 00592f42 ; 'ri'
00592ed9 61 popad ; 'a'
00592eda 6c ins byte ptr es:[edi],dx ; i/o command -- actually data: 'l'
00592edb 2041 43 and byte ptr ds:[ecx+43],al ; ' AC'
00592ede 50 push eax ; 'P'
00592edf 72 6f jb short 00592f50 ; 'ro'
00592ee1 74 65 je short 00592f48 ; 'te'
00592ee3 637400 73 arpl word ptr ds:[eax+eax+73],si ; 'ct', NUL terminator, then 's'
00592ee7 74 65 je short 00592f4e ; 'te'
00592ee9 72 65 jb short 00592f50 ; 're'
00592eeb 64:2041 43 and byte ptr fs:[ecx+43],al ; 'd AC'
00592eef 50 push eax ; 'P'
00592ef0 72 6f jb short 00592f61 ; 'ro'
00592ef2 74 65 je short 00592f59 ; 'te'
00592ef4 637421 00 arpl word ptr ds:[ecx],si ; 'ct!', NUL terminator
00592ef8 > 6a 00 push 0 ; CALL target ("goto end"). Author's note: the "goto end" tail is rewritten into a jmp [addr] that transfers to the fake OEP -- see the self-patching code further down
00592efa 83c4 10 add esp,10 ; drop 4 dwords: the 0 just pushed, the string address left by the CALL, and 2 slots pushed by code outside this listing -- TODO confirm
00592efd 90 nop
......
; Self-patching tail of the ACProtect stub: computes the fake-OEP address, rewrites its
; own last instruction into "jmp dword ptr [slot]", wipes the already-executed part of the
; stub with random dwords, then transfers control.
; sub_getebp (body not shown) appears to load ebp with a relocation base; it is re-derived
; before every write. The final jmp at 00593109 reads [0059314b] and the slot written at
; 005930ba is [ebp+41814b], which is consistent with ebp = 0x0017B000 here, i.e.
;   [ebp+418108] = 00593108, [ebp+418109] = 00593109, [ebp+41810b] = 0059310b,
;   [ebp+41814b] = 0059314b, [ebp+417eb8] = 00592eb8, [ebp+4180fd] = 005930fd.
; Practitioner note: a hardware breakpoint on write at 0059314b (hit at 005930ba) or on
; the jmp at 00593109 is the cleanest way to catch the transfer to the fake OEP; anything
; dumped after the fill loop below will contain garbage where the stub used to be.
005930a9 e8 5290ffff call <sub_getebp > ; ebp = relocation base (see header)
005930ae 8b85 4b814100 mov eax,dword ptr ss:[ebp+41814b] ; eax = stored RVA/offset of the fake OEP -- presumably, confirm
005930b4 0385 46f84000 add eax,dword ptr ss:[ebp+40f846] ; + a base/delta kept at [ebp+40f846] (meaning not visible here -- confirm)
005930ba 8985 4b814100 mov dword ptr ss:[ebp+41814b],eax ; address to execute next; this slot (0059314b) is what the final jmp dereferences
005930c0 e8 3b90ffff call <sub_getebp >
005930c5 c685 08814100 e>mov byte ptr ss:[ebp+418108],0e8 ; write E8 at 00593108 (listing below still shows the pre-write 90). The jmp short at 00593106 skips this byte, so a linear disassembler sees "E8 FF 25 xx xx" = CALL and mis-decodes the real jmp -- looks like an anti-disassembly decoy
005930cc e8 2f90ffff call <sub_getebp >
005930d1 c785 09814100 f>mov dword ptr ss:[ebp+418109],25ff ; write FF 25 00 00 at 00593109: opcode of "jmp dword ptr [imm32]" with a zeroed operand (rewrite into the jmp [address] form)
005930db 8d85 4b814100 lea eax,dword ptr ss:[ebp+41814b] ; eax = &slot (0059314b)
005930e1 8985 0b814100 mov dword ptr ss:[ebp+41810b],eax ; fill in the operand -> "ff25 4b315900" = jmp dword ptr [59314b], exactly what 00593109 shows below
005930e7 e8 1490ffff call <sub_getebp >
005930ec 8dbd b87e4100 lea edi,dword ptr ss:[ebp+417eb8] ; edi = start of the region to wipe (00592eb8)
005930f2 8d8d fd804100 lea ecx,dword ptr ss:[ebp+4180fd] ; ecx = end of region (005930fd = the loop below, exclusive)
005930f8 2bcf sub ecx,edi ; byte length = 0x245
005930fa c1e9 02 shr ecx,2 ; dword count = 0x91; writes cover 00592eb8..005930fb
; The wiped range contains sub_goto_end (00592ece) and the patching code just executed
; (005930a9..005930fc), i.e. the stub destroys its own already-run code; the loop at
; 005930fd onward is not touched. This relies on get_rnd_value preserving ecx and edi
; (its body is not shown).
005930fd > e8 cc87ffff call <get_rnd_value> ; fill junk code: eax = random dword (sub_fill_junk loop head)
00593102 ab stos dword ptr es:[edi] ; [edi] = eax; edi += 4
00593103 ^ e2 f8 loopd short <sub_fill_junk> ; loop, filling the region with junk
00593105 61 popad ; restore registers; the matching pushad is outside this listing
00593106 eb 01 jmp short 00593109 ; hop over the decoy byte at 00593108
00593108 90 nop ; pre-write value; at run time this byte is E8 (see 005930c5)
00593109 - ff25 4b315900 jmp dword ptr ds:[59314b] ; jmp to fake oep via the slot written at 005930ba
ok,分析篇到此结束,后面的脱壳篇基本上是体力活了。下次会脱出美女来的:-p。
再贴上acprotect 1.41