ZProtect加壳程序脱壳重点笔记

ZProtectZPIATZProtect加壳程序完整脱壳笔记。犯之处，敬请见谅。目的程序在附件中。~lpkhookDialogBoxIndirectParamapi232C即可。膜拜一下卡卡大大强大代码。把这个lpk放在软件名目下就没有注册框了。当前可以OD载入了~1OEP去OEP方式就是用ESP定律。pushadHrESP然后就到了。FF25觉察壳没有解决IATIAT1.4.0-1.4.4之间某个版本。2IATFF25很简洁拟定IAT位置。1.1.005A319000641378店铺珍宝.006413782.005A319400641798店铺珍宝.006417983.005A319800641B10店铺珍宝.00641B104.005A319C00E300005.005A31A000E3000E6.005A31A400641048店铺珍宝.006410487.005A31A8006411E0店铺珍宝.006411E0复制代码复制代码依照我上篇分析文章结论，两种加密方式最终是殊途同归：push提取码call依据隐蔽IAT基址+序号方式来寻址。call调用方式。方式一00406A54-FF2564325A00 jmpdwordptrds:[5A3264]ds:[005A3264]=00E301421.1.00E3014250pusheax2.00E3014360pushad3.00E30144687695B4ADpushADB495764. 00E30149 E8310DE7FF call00CA0E7F00CA0E7F A17448CA00 moveax,dwordptrds:[CA4874]00CA0E84 80780C00 cmpbyteptrds:[eax+C],000CA0E88 7457 jeshort00CA0EE100CA0E8A FF152810C900 calldwordptrds:[C91028] ；kernel32.GetTickCount00CA0E90 8BC8 movecx,eax00CA0E92 2B0D4046CA00 subecx,dwordptrds:[CA4640]11. 00CA0E98 81F988130000 cmpecx,138800CA0E9E 7641 jbeshort00CA0EE100CA0EA0 FF354446CA00 pushdwordptrds:[CA4644]00CA0EA6 A34046CA00 movdwordptrds:[CA4640],eax00CA0EAB FF155810C900 calldwordptrds:[C91058] ；kernel32.ResumeThread00CA0EB1 833D944ECA000>cmpdwordptrds:[CA4E94],300CA0EB8 7C08 jlshort00CA0EC200CA0EBA 6A00 push000CA0EBC FF151C10C900 calldwordptrds:[C9101C] ；kernel32.ExitProcess00CA0EC2 803DB848CA000>cmpbyteptrds:[CA48B8],000CA0EC9 7408 jeshort00CA0ED300CA0ECB FF05944ECA00 incdwordptrds:[CA4E94]00CA0ED1 EB07 jmpshort00CA0EDA00CA0ED3 8325944ECA000>anddwordptrds:[CA4E94],000CA0EDA C605B848CA000>movbyteptrds:[CA48B8],100CA0EE1 56 pushesi00CA0EE2 57 pushedi00CA0EE3 FF74240C pushdwordptrss:[esp+C]00CA0EE7 FF155C46CA00 calldwordptrds:[CA465C]00CA0EED 8BF8 movedi,eax00CA0EEF BE644ECA00 movesi,0CA4E6432. 00CA0EF4 E86941FFFF call00C9506200CA0EF9 8B00 moveax,dwordptrds:[eax]00CA0EFB 5F popedi00CA0EFC 8944242C movdwordptrss:[esp+2C],eax36.00CA0F005Epopesi37.00CA0F01C20400retn438.00E3014E61popad39. 00E3014F39. 00E3014FC3retn复制代码复制代码方式二00406A64 /FF255C325A00 jmpdwordptrds:[5A325C] ds:[005A325C]=00641A44(店铺珍宝.00641A44)00641A44686B95B4ADpushADB4956B 这个就是提取码了~2. 00641A49/E95E070000jmp店铺珍宝.006421AC3. 006421AC-E917F26500jmp00CA13C800CA13C860pushad00CA13C9FF742420pushdwordptrss:[esp+20]00CA13CDE8ADFAFFFFcall00CA0E7F00CA0E7FA17448CA00moveax,dwordptrds:[CA4874]00CA0E8480780C00cmpbyteptrds:[eax+C],000CA0E887457jeshort00CA0EE100CA0E8AFF152810C900calldwordptrds:[C91028]；kernel32.GetTickCount00CA0E908BC8movecx,eax00CA0E922B0D4046CA00subecx,dwordptrds:[CA4640]13. 00CA0E9881F988130000cmpecx,138800CA0E9E7641jbeshort00CA0EE100CA0EA0FF354446CA00pushdwordptrds:[CA4644]00CA0EA6A34046CA00movdwordptrds:[CA4640],eax00CA0EABFF155810C900calldwordptrds:[C91058]；kernel32.ResumeThread00CA0EB1833D944ECA000>cmpdwordptrds:[CA4E94],300CA0EB87C08jlshort00CA0EC200CA0EBA6A00push000CA0EBCFF151C10C900calldwordptrds:[C9101C]；kernel32.ExitProcess00CA0EC2803DB848CA000>cmpbyteptrds:[CA48B8],000CA0EC97408jeshort00CA0ED300CA0ECBFF05944ECA00incdwordptrds:[CA4E94]00CA0ED1EB07jmpshort00CA0EDA00CA0ED38325944ECA000>anddwordptrds:[CA4E94],000CA0EDAC605B848CA000>movbyteptrds:[CA48B8],100CA0EE156pushesi00CA0EE257pushedi00CA0EE3FF74240Cpushdwordptrss:[esp+C] 这里就是push提取码00CA0EE7FF155C46CA00calldwordptrds:[CA465C] 00CA0EE7FF155C46CA00calldwordptrds:[CA465C] 00CA0EED8BF8movedi,eax00CA0EEFBE644ECA00movesi,0CA4E6400CA0EF4E86941FFFFcall00C95062 这个call就是通过序号和基址猎取API地址00CA0EF98B00moveax,dwordptrds:[eax] 这里[eax]就是真实API地址00CA0EFB5Fpopedi00CA0EFC8944242Cmovdwordptrss:[esp+2C],eax00CA0F005Epopesi39. 00CA0F01C20400retn400CA13D261popad00CA13D3C3retn复制代码复制代码其她都是同样。IAT调用所在位置。2.0059BB038038IAT调用所在位置。2.0059BB038038FFcmpbyteptrds:[eax],0FF FF253.0059BB06753Ejnzshort店铺珍宝.0059BB464. 0059BB08 807801255. 0059BB0C 7538cmpbyteptrds:[eax+1],25jnzshort店铺珍宝.0059BB466.0059BB0E66:8378045A cmpwordptrds:[eax+4],5A 这里是为了防止查找错5AIAT所在位置为保险起见，推断下一种指令是不是push15. 0059BB29751Bjnzshort店铺珍宝.0059BB461.1.0059BAFEB814134000moveax,店铺珍宝.00401314 7.0059BB137531jnzshort店铺珍宝.0059BB468.0059BB158B5802ebx,dwordptrds:[eax+2]---IAT指针9.0059BB18833B00cmpdwordptrds:[ebx],0 IAT010.0059BB1B7429jeshort店铺珍宝.0059BB4612.11.0059BB1F0059BB1D66:813950608B0Bmovecx,dwordptrds:[ebx]cmpwordptrds:[ecx],6050 1.13.0059BB24742Ejeshort店铺珍宝.0059BB5414.0059BB26803968cmpbyteptrds:[ecx],68 2，假设是话，16. ==============================================================================0059BB2B 50 pusheax0059BB2C FF7101 pushdwordptrds:[ecx+1]0059BB2F FF155C46CA00 calldwordptrds:[CA465C]0059BB35 8BF8 movedi,eax0059BB37 BE644ECA00 movesi,0CA4E64 IAT解码函数猎取真正API地址，应用到其她程序时，请自行修改22. 0059BB3C E821956F00 call00C950620059BB41 8B10 movedx,dwordptrds:[eax]0059BB43 8913 movdwordptrds:[ebx],edx IAT0059BB45 58 popeax26. ==============================================================================27. 0059BB46 83C001 addeax,1 连续查找28. 0059BB49 3D00005900 cmpeax,店铺珍宝.00590000 这个值是IAT调用查找上限，请自行修改0059BB4E^72B3 jbshort店铺珍宝.0059BB030059BB50 EB10 jmpshort店铺珍宝.0059BB62 执行到这里就表达完毕了31. 0059BB52 90 nop32. 0059BB53 90 nop0059BB54 80790268 cmpbyteptrds:[ecx+2],68 1某些0059BB58^75EC jnzshort店铺珍宝.0059BB460059BB5A 50 pusheax0059BB5B FF7103 pushdwordptrds:[ecx+3]0059BB5E^EBCF jmpshort店铺珍宝.0059BB2F0059BB60 0000 addbyteptrds:[eax],al39. 0059BB62 6A00 push040. 0059BB64 6875BB5900 push店铺珍宝.0059BB75 ；ASCII“Finish“41. 0059BB69 6875BB5900 push店铺珍宝.0059BB75 ；ASCII“Finish“42. 0059BB6E 6A00 push043. 0059BB70 E8754C7B77 MessageBoxa显示一种完毕对话框。44. 0059BB7544. 0059BB7546incesi45. 0059BB76 696E6973680000imulebp,dwordptrds:[esi+69],687346. 0059BB7D90nop47. 0059BB7E^E90DFFFFFFjmp店铺珍宝.0059BA90复制代码复制代码1.1.二进制2.00CCB8141340008038FF753E807801257538668378045A75318B5802833B00743.298B0B6681395060742E803968751B50FF7101FF155C46CA0