会脱ACProtect的高手帮忙看一下,下面这段代码是壳代码吗?
软件名称:同益起名大师
下载页面:
http://www2.skycn.com/soft/109.html
我想先脱掉它的壳,但对ACProtect(acp)的壳没有经验。教程里的方法看了一下,并不适用,因为这个软件在最后一次异常之后用内存断点法并不奏效,所以在这里请教一下高人。
用OllyScript插件的脚本“passSEH.txt”通过46H个int 3异常后,在005762D9设硬件执行断点,运行后直接断在005762D9。这之后的一段代码不像是在解码,而是在访问注册表、进行某些运算,请问这是壳代码吗?Stolen Code在这之前还是之后?
00576477 mov edx,Goodname.0057695C ; ASCII "Appid"
0057647C mov eax,dword ptr ss:[ebp-14]
0057647F call Goodname.0043D870
00576484 mov dword ptr ss:[ebp-8],eax
00576487 lea ecx,dword ptr ss:[ebp-C]
0057648A mov edx,Goodname.0057696C ; ASCII "Serial"
0057648F mov eax,dword ptr ss:[ebp-14]
00576492 call Goodname.0043D7E4
00576497 lea ecx,dword ptr ss:[ebp-10]
0057649A mov edx,Goodname.0057697C ; ASCII "FName"
0057649F mov eax,dword ptr ss:[ebp-14]
005764A2 call Goodname.0043D7E4
005764A7 lea edx,dword ptr ss:[ebp-18]
005764AA mov eax,dword ptr ss:[ebp-10]
005764AD call Goodname.00409070
005764B2 mov edx,dword ptr ss:[ebp-18]
005764B5 lea eax,dword ptr ss:[ebp-10]
005764B8 call Goodname.004047A8
005764BD xor ecx,ecx
005764BF mov edx,Goodname.0057698C ; ASCII "License"
005764C4 mov eax,dword ptr ss:[ebp-14]
005764C7 call Goodname.0043D43C
005764CC test al,al
005764CE jnz short Goodname.005764E2
005764D0 xor eax,eax
005764D2 pop edx
005764D3 pop ecx
005764D4 pop ecx
005764D5 mov dword ptr fs:[eax],edx
005764D8 call Goodname.00404194
005764DD jmp Goodname.005768A8
005764E2 mov edx,Goodname.0057699C ; ASCII "RegSeq"
005764E7 mov eax,dword ptr ss:[ebp-14]
005764EA call Goodname.0043D870
005764EF mov word ptr ds:[583F4E],ax
005764F5 cmp word ptr ds:[583F4E],2
005764FD jnz short Goodname.00576508
005764FF mov byte ptr ds:[583F49],0
00576506 jmp short Goodname.0057650F
00576508 mov byte ptr ds:[583F49],1
0057650F mov edx,Goodname.005769AC ; ASCII "RegMod"
00576514 mov eax,dword ptr ss:[ebp-14]
00576517 call Goodname.0043D870
0057651C mov word ptr ds:[583F4E],ax
00576522 lea edx,dword ptr ss:[ebp-1C]
00576525 mov eax,dword ptr ss:[ebp-10]
00576528 call Goodname.00409070
0057652D mov eax,dword ptr ss:[ebp-1C]
00576530 call Goodname.004049D0
00576535 dec eax
00576536 jle short Goodname.00576577
00576538 lea ecx,dword ptr ss:[ebp-28]
0057653B mov edx,Goodname.005769BC ; ASCII "Value"
00576540 mov eax,dword ptr ss:[ebp-14]
00576543 call Goodname.0043D7E4
00576548 mov eax,dword ptr ss:[ebp-28]
0057654B lea edx,dword ptr ss:[ebp-24]
0057654E call Goodname.00409070
00576553 mov eax,dword ptr ss:[ebp-24]
00576556 lea ecx,dword ptr ss:[ebp-20]
00576559 mov edx,Goodname.005769CC ; ASCII "CFE37613C6ACB1"
0057655E call Goodname.004F53A4
(后面还有代码,此处省略,未全部列出。)