ZProtect加壳程序脱壳重点笔记

1.005A319000641378店铺宝贝.006413782.005A319400641798店铺宝贝.006417983.005A319800641B10店铺宝贝.00641B104.005A319C00E300005.005A31A000E3000E6.005A31A400641048店铺宝贝.006410487.005A31A8006411E0店铺宝贝.006411E0复制代码1.00E3014250pusheax2.00E3014360pushad3.00E30144687695B4ADpushADB49576ZProtect加壳程序脱壳笔记之前写了一种ZPIAT加密方式分析，这里继续接着前面文章，写一种ZProtect加壳程序完整脱壳笔记。目的程序是一种用ZP二次加密程序，也许是某位大侠作品，小弟这里只是随手拿来做个演示，有什么冒犯之处，敬请见谅。目的程序在附件中。运营一下程序，程序提示只能运营三次，每次只能运营十分钟，看来这个是要先干掉这个对话框再说了~写个lpkhookDialogBoxIndirectParam这个api然后返回232C即可。膜拜一下卡卡大大强大代码。把这个lpk放在软件目录下就没有注册框了。当前可以OD载入了~1，到OEP去上次我分析里面说了，如何最快到达OEP方式就是用ESP定律。过了pushad后来，下HrESP然后就到了。查找FF25发现壳没有解决IAT调用代码，只是对IAT进行了加密，看来这个应当是1.4.0-1.4.4之间某个版本。2，修复IAT通过查找FF25很容易拟定IAT位置。下面是一某些IAT，可以看出IAT解决方式有两种。修复时候也要分两种状况进行修复。依照我上篇分析文章结论，两种加密方式最后是殊途同归：push提取码调用获取函数序号call按照隐藏IAT基址+序号方式来寻址。下面看看两种不同方式提取码和call调用方式。方式一00406A54-FF2564325A00jmpdwordptrds:[5A3264]ds:[005A3264]=00E301424.00E30149E8310DE7FFcall00CA0E7F5.00CA0E7FA17448CA00moveax,dwordptrds:[CA4874]6.00CA0E8480780C00cmpbyteptrds:[eax+C],07.00CA0E887457jeshort00CA0EE18.00CA0E8AFF152810C900calldwordptrds:[C91028]；kernel32.GetTickCount9.00CA0E908BC8movecx,eax10.00CA0E922B0D4046CA00subecx,dwordptrds:[CA4640]11.00CA0E9881F988130000cmpecx,138812.00CA0E9E7641jbeshort00CA0EE113.00CA0EA0FF354446CA00pushdwordptrds:[CA4644]14.00CA0EA6A34046CA00movdwordptrds:[CA4640],eax15.00CA0EABFF155810C900calldwordptrds:[C91058]；kernel32.ResumeThread16.00CA0EB1833D944ECA000cmpdwordptrds:[CA4E94],317.00CA0EB87C08jlshort00CA0EC218.00CA0EBA6A00push019.00CA0EBCFF151C10C900calldwordptrds:[C9101C]；kernel32.ExitProcess20.00CA0EC2803DB848CA000cmpbyteptrds:[CA48B8],021.00CA0EC97408jeshort00CA0ED322.00CA0ECBFF05944ECA00incdwordptrds:[CA4E94]23.00CA0ED1EB07jmpshort00CA0EDA24.00CA0ED38325944ECA000anddwordptrds:[CA4E94],025.00CA0EDAC605B848CA000movbyteptrds:[CA48B8],126.00CA0EE156pushesi27.00CA0EE257pushedi28.00CA0EE3FF74240Cpushdwordptrss:[esp+C]29.00CA0EE7FF155C46CA00calldwordptrds:[CA465C]30.00CA0EED8BF8movedi,eax31.00CA0EEFBE644ECA00movesi,0CA4E6432.00CA0EF4E86941FFFFcall00C9506233.00CA0EF98B00moveax,dwordptrds:[eax]34.00CA0EFB5Fpopedi35.00CA0EFC8944242Cmovdwordptrss:[esp+2C],eax36.00CA0F005Epopesi37.00CA0F01C20400retn438.00E3014E61popad复制代码方式二00406A64/FF255C325A00jmpdwordptrds:[5A325C]ds:[005A325C]=00641A44(店铺宝贝.00641A44)1.00641A44686B95B4ADpushADB4956B----------------------这个就是提取码了~2.00641A49/E95E070000jmp店铺宝贝.006421AC3.006421AC-E917F26500jmp00CA13C84.00CA13C860pushad5.00CA13C9FF742420pushdwordptrss:[esp+20]6.00CA13CDE8ADFAFFFFcall00CA0E7F7.00CA0E7FA17448CA00moveax,dwordptrds:[CA4874]8.00CA0E8480780C00cmpbyteptrds:[eax+C],09.00CA0E887457jeshort00CA0EE110.00CA0E8AFF152810C900calldwordptrds:[C91028]；kernel32.GetTickCount11.00CA0E908BC8movecx,eax12.00CA0E922B0D4046CA00subecx,dwordptrds:[CA4640]13.00CA0E9881F988130000cmpecx,138814.00CA0E9E7641jbeshort00CA0EE115.00CA0EA0FF354446CA00pushdwordptrds:[CA4644]16.00CA0EA6A34046CA00movdwordptrds:[CA4640],eax17.00CA0EABFF155810C900calldwordptrds:[C91058]；kernel32.ResumeThread18.00CA0EB1833D944ECA000cmpdwordptrds:[CA4E94],319.00CA0EB87C08jlshort00CA0EC220.00CA0EBA6A00push021.00CA0EBCFF151C10C900calldwordptrds:[C9101C]；kernel32.ExitProcess22.00CA0EC2803DB848CA000cmpbyteptrds:[CA48B8],023.00CA0EC97408jeshort00CA0ED324.00CA0ECBFF05944ECA00incdwordptrds:[CA4E94]25.00CA0ED1EB07jmpshort00CA0EDA26.00CA0ED38325944ECA000anddwordptrds:[CA4E94],027.00CA0EDAC605B848CA000movbyteptrds:[CA48B8],128.00CA0EE156pushesi29.00CA0EE257pushedi30.00CA0EE3FF74240Cpushdwordptrss:[esp+C]---------这里就是push提取码39.00E3014FC3retn一种IAT调用所在位置。2.0059BB038038FFcmpbyteptrds:[eax],0FF----按字节寻找FF253.0059BB06753Ejnzshort店铺宝贝.0059BB464.0059BB08807801255.0059BB0C7538cmpbyteptrds:[eax+1],25jnzshort店铺宝贝.0059BB466.0059BB0E66:8378045Acmpwordptrds:[eax+4],5A----这里是为了防止查找错误而设立，其中5A是IAT所在位置为保险起见，判断下一种指令是不是push15.0059BB29751Bjnzshort店铺宝贝.0059BB46复制代码1.0059BAFEB814134000moveax,店铺宝贝.00401314----通过查找FF25，拟定第从上面可以看出来，两种方式最后调用是同一子程序。这样两种方式除了获取提取码过程稍微不同以外，其她都是同样。理解清晰了，下面就可以自己写代码来修复IAT了。下面是我自己写一段patch代码，给人们参照一下。7.0059BB137531jnzshort店铺宝贝.0059BB468.0059BB158B5802movebx,dwordptrds:[eax+2]---传递该处调用IAT指针9.0059BB18833B00cmpdwordptrds:[ebx],0------比较IAT中地址与否为010.0059BB1B7429jeshort店铺宝贝.0059BB4612.11.0059BB1F0059BB1D66:813950608B0Bmovecx,dwordptrds:[ebx]cmpwordptrds:[ecx],6050----判断是不是加密方式1.13.0059BB24742Ejeshort店铺宝贝.0059BB5414.0059BB26803968cmpbyteptrds:[ecx],68------解决加密方式2，如果是话，31.00CA0EE7FF155C46CA00calldwordptrds:[CA465C]---------这个call就是获取函数序号32.00CA0EED8BF8movedi,eax33.00CA0EEFBE644ECA00movesi,0CA4E6434.00CA0EF4E86941FFFFcall00C95062---------------------这个call就是通过序号和基址获取API地址35.00CA0EF98B00moveax,dwordptrds:[eax]--------这里[eax]就是真实API地址36.00CA0EFB5Fpopedi37.00CA0EFC8944242Cmovdwordptrss:[esp+2C],eax38.00CA0F005Epopesi39.00CA0F01C20400retn440.00CA13D261popad41.00CA13D3C3retn16.==============================================================================17.0059BB2B50pusheax18.0059BB2CFF7101pushdwordptrds:[ecx+1]19.0059BB2FFF155C46CA00calldwordptrds:[CA465C]20.0059BB358BF8movedi,eax21.0059BB37BE644ECA00movesi,0CA4E64