Zprotect1.4-1.6 patch KEY 脱壳


对于ZProtect1.4.x版本的系列软件,只要有其一个可用的机器码和key就可实现完美脱壳。对于ZProtect目前版本(ZP1.60)加壳的所有软件,只要有其一个可用的机器码和key就可实现完美脱壳。假设已有一个可用的机器码和KEY:
机器码:AAAA-BBBB-CCCC-DDDD
序列号:B131FA844E0E9A7F32810DD67B9C4DC086EB
脚本流程:
1,寻找OEP断点。这个原理很简单,所谓的ESP平衡定律就是了。
2,对机器码进行补丁。zprotect用DeviceIoControl函数获取机器码相关,只要对该函数设置断点即可。当提示需输入机器号的前8位时,本例中,输入AAAABBBB,后8位即为CCCCDDDD。
3,修复IAT。本版本中IAT的起始和结束地址仍然需要手动填入。
4,用loadpe和IMR修复即可。
脚本内容:
BC
BPMC
BPHWC
callVARSINIT
//pausesti
FIND_OEP:
movEipForOep_1,eip
movEipForOep_1,[EipForOep_1]
andEipForOep_1,0ff
cmpEipForOep_1,60
jneOEP_NEXT
sti
movbpforoep,esp
jmpHWIDPatchStartOEP_NEXT:
sto
jmpFIND_OEPHWIDPatchStart:
////////////////////HWID_PATCH:
bphwsDeviceIoControl,”x”
bpDeviceIoControl
bphwsVirtualAlloc,”x”
bpVirtualAlloc
esto
////////////////////
HWID_PATCH_CHECK_NEXT:
cmpeip,VirtualAlloc
jneHWID_PATCH_2
bphwc
bc
movA_SIZE,[esp+08]
rtr
movA_ADDRESS,eax
bphwsDeviceIoControl,”x”
bpDeviceIoControl
bphwsVirtualAlloc,”x”
bpVirtualAlloc
HWID_PATCH_CHECK_NEXT_ZHW://zenghwadd
esto
////////////////////
FIND_STRING:
movtempdata,[esp]//zenghwadd
cmptempdata,77DA9559
jeHWID_PATCH_CHECK_NEXT_ZHW
cmpeip,DeviceIoControl
jeHWID_PATCH_2
findA_ADDRESS,#0FB?542410E9#
cmp$RESULT,00
jeHWID_PATCH_CHECK_NEXT
movA_ADDRESS,$RESULT
incA_ADDRESS
movA_ADDRESS_BAK,$RESULT
movdll,01
addA_ADDRESS,04
gciA_ADDRESS,DESTINATION
cmp$RESULT,00
subA_ADDRESS,04
jeFIND_STRING
movABC,$RESULT
cmp[ABC+03],1124,02
jneFIND_STRING
addABC,05
cmp[ABC],E8,01
jneFIND_STRING_B
movcall,01
////////////////////
FIND_STRING_B:
gciABC,DESTINATION
cmp$RESULT,00
subABC,05
jeFIND_STRING
movABC,$RESULT
cmpcall,01
jeFIND_STRING_C
cmp[ABC],30,01
jneFIND_STRING
////////////////////
FIND_STRING_C:
movA_ADDRESS,A_ADDRESS_BAK
jmpHWID_PATCH_2jmpHWID_PATCH
////////////////////
HWID_PATCH_2:
bphwc
bc
cmpdll,01
jneHWID_PATCH_2_A
gmemiA_ADDRESS,MEMORYBASE
movVMBASE,$RESULT
mov$RESULT,A_ADDRESS
jmpfound
////////////////////
HWID_PATCH_2_A:
movEXTRA,[esp]
gmemiEXTRA,MEMORYBASE
movEXTRA,$RESULT
rtu
gmemieip,MEMORYBASE
cmpEXTRA,$RESULT
jneVM
gmemieip,MEMORYBASE
movEXTRA_2,$RESULT
cmp[EXTRA_2],5A4D,02
jneVM
rtr
movbaceip,eip
////////////////////
SELFTEST:
sti
cmpeip,baceip
jeSELFTEST
////////////////////
VM:
gmemieip,MEMORYBASE
movVMBASE,$RESULT
////////////////////
SEARCH:
findVMBASE,#0FB?542410E9#
cmp$RESULT,00
jnefound
findA_ADDRESS,#0FB?542410E9#
cmp$RESULT,00
jeSEARCH_3
////////////////////
SEARCH_2:
movA_ADDRESS,$RESULT
gmemiA_ADDRESS,MEMORYBASE
movVMBASE,$RESULT
mov$RESULT,A_ADDRESS
jmpfound
////////////////////
SEARCH_3:
findmem#0FB?542410E9#,CODESECTION
cmp$RESULT,00
jneSEARCH_3_A
pause
pause
pause
////////////////////
SEARCH_3_A:
movA_ADDRESS,$RESULT
gmemiA_ADDRESS,MEMORYBASE
movVMBASE,$RESULT
mov$RESULT,A_ADDRESS
jmpfound
pause
pause
////////////////////
found:
movFOUND,$RESULT
addPLUS_1,FOUND
subPLUS_1,VMBASE
movPLUS_1,PLUS_1
logPLUS_1
bpFOUND
bphwsFOUND,”x”
esto
movID,[esp+10]
movID2,[esp+14]
alloc1000
movmem,$RESULT
movbaceip,eip
////////////////////
Ask3:
ask”输入可用机器码的前8个字节,如:AAAABBBB”
cmp$RESULT,0
jeAsk3
cmp$RESULT,-1
jeAsk3
movID_1,$RESULT
////////////////////
Ask4:
ask”输入可用机器码的后8个字节,如:CCCCDDDD”
cmp$RESULT,0
jeAsk4
cmp$RESULT,-1
jeAsk4
movID_2,$RESULT
movtemp2,eax
movtest,##+”0000-0000-0000-0000″
mov[mem],test
moveax,ID_1
shreax,10
movI1,ax
moveax,ID_1
movI2,ax
itoaI1,16.
movI1,$RESULT
lenI1
cmp$RESULT,04
jeCW_GO
////////////////////
AB1:
cmp$RESULT,03
jneAB2
eval”0{I1}”
movI1,$RESULT
jmpCW_GO
////////////////////
AB2:
cmp$RESULT,02
jneAB3
eval”00{I1}”
movI1,$RESULT
jmpCW_GO
////////////////////
AB3:
cmp$RESULT,01
jneAB4
eval”000{I1}”
movI1,$RESULT
jmpCW_GO
////////////////////
AB4:
cmp$RESULT,00
jneAB5
movI1,”0000″
jmpCW_GO
////////////////////
AB5:
pause
pause
pause
////////////////////
CW_GO:
itoaI2,16.
movI2,$RESULT
lenI2
cmp$RESULT,04
jeCW_GO_2
////////////////////
AB1A:
cmp$RESULT,03
jneAB2A
eval”0{I2}”
movI2,$RESULT
jmpCW_GO_2
////////////////////
AB2A:
cmp$RESULT,02
jneAB3A
eval”00{I2}”
movI2,$RESULT
jmpCW_GO_2
////////////////////
AB3A:
cmp$RESULT,01
jneAB4
eval”000{I2}”
movI2,$RESULT
jmpCW_GO_2
////////////////////
AB4A:
cmp$RESULT,00
jneAB5A
movI2,”0000″
jmpCW_GO_2
////////////////////
AB5A:
pause
pause
pause
////////////////////
CW_GO_2:
eval”{I1}-{I2}”
movtest,##+$RESULT
mov[mem],test
moveax,ID_2
shreax,10
movI3,ax
moveax,ID_2
movI4,ax
itoaI3,16.
movI3,$RESULT
lenI3
cmp$RESULT,04
jeCW_GO_3
////////////////////
AB1B:
cmp$RESULT,03
jneAB2B
eval”0{I3}”
movI3,$RESULT
jmpCW_GO_3
////////////////////
AB2B:
cmp$RESULT,02
jneAB3B
eval”00{I3}”
movI3,$RESULT
jmpCW_GO_3
////////////////////
AB3B:
cmp$RESULT,01
jneAB4B
eval”000{I3}”
movI3,$RESULT
jmpCW_GO_3
////////////////////
AB4B:
cmp$RESULT,00
jneAB5B
movI3,”0000″
jmpCW_GO_3
////////////////////
AB5B:
pause
pause
pause
////////////////////
CW_GO_3:
itoaI4,16.
movI4,$RESULT
lenI4
cmp$RESULT,04
jeCW_GO_4
////////////////////
AB1C:
cmp$RESULT,03
jneAB2C
eval”0{I4}”
movI4,$RESULT
jmpCW_GO_4
////////////////////
AB2C:
cmp$RESULT,02
jneAB3C
eval”00{I4}”
movI4,$RESULT
jmpCW_GO_4
////////////////////
AB3C:
cmp$RESULT,01
jneAB4C
eval”000{I4}”
movI4,$RESULT
jmpCW_GO_4
////////////////////
AB4C:
cmp$RESULT,00
jneAB5C
movI4,”0000″
jmpCW_GO_4
////////////////////
AB5C:
pause
pause
pause
////////////////////
CW_GO_4:
eval”{I3}-{I4}”
movtest,##+$RESULT
mov[mem+0A],test
////////////////////
BIG_LOOP:
movCALC,mem
////////////////////
BIG_LOOP_2:
cmp[mem],61,01
je20
cmp[mem],62,01
je20
cmp[mem],63,01
je20
cmp[mem],64,01
je20
cmp[mem],65,01
je20
cmp[mem],66,01
je20
////////////////////
BIG_LOOP_3:
incmem
inccounta
cmpcounta,13
jeFERTIG
jmpBIG_LOOP_2
////////////////////
20:
sub[mem],20
jmpBIG_LOOP_3
////////////////////
FERTIG:
movmem,CALC
movcounta,00
cmpSECOND_LOOP,01
jeEND_SECOND_LOOP
readstr[mem],13
movSTRING,$RESULT
strSTRING
movSTRING,STRING
moveax,temp2
fillmem,100,00
movtemp2,eax
movtest,##+”0000-0000-0000-0000″
mov[mem],test
moveax,[esp+10]
movI1,ax
shreax,10
movI2,ax
moveax,[esp+14]
movI3,ax
shreax,10
movI4,ax
itoaI1,16.
movI1,$RESULT
lenI1
cmp$RESULT,04
jeCW_GO_5
////////////////////
AB1D:
cmp$RESULT,03
jneAB2D
eval”0{I1}”
movI1,$RESULT
jmpCW_GO_5
////////////////////
AB2D:
cmp$RESULT,02
jneAB3D
eval”00{I1}”
movI1,$RESULT
jmpCW_GO_5
////////////////////
AB3D:
cmp$RESULT,01
jneAB4D
eval”000{I4}”
movI1,$RESULT
jmpCW_GO_5
////////////////////
AB4D:
cmp$RESULT,00
jneAB5D
movI1,”0000″
jmpCW_GO_5
////////////////////
AB5D:
pause
pause
pause
////////////////////
CW_GO_5:
itoaI2,16.
movI2,$RESULT
lenI2
cmp$RESULT,04
jeCW_GO_6
////////////////////
AB1E:
cmp$RESULT,03
jneAB2E
eval”0{I2}”
movI2,$RESULT
jmpCW_GO_6
////////////////////
AB2E:
cmp$RESULT,02
jneAB3E
eval”00{I2}”
movI2,$RESULT
jmpCW_GO_6
////////////////////
AB3E:
cmp$RESULT,01
jneAB4E
eval”000{I2}”
movI2,$RESULT
jmpCW_GO_6
////////////////////
AB4E:
cmp$RESULT,00
jneAB5E
movI2,”0000″
jmpCW_GO_6
////////////////////
AB5E:
pause
pause
pause
////////////////////
CW_GO_6:
eval”{I1}-{I2}”
movtest,##+$RESULT
mov[mem],test
itoaI3,16.
movI3,$RESULT
lenI3
cmp$RESULT,04
jeCW_GO_7
////////////////////
AB1F:
cmp$RESULT,03
jneAB2F
eval”0{I3}”
movI3,$RESULT
jmpCW_GO_7
////////////////////
AB2F:
cmp$RESULT,02
jneAB3F
eval”00{I3}”
movI3,$RESULT
jmpCW_GO_7
////////////////////
AB3F:
cmp$RESULT,01
jneAB4F
eval”000{I3}”
movI3,$RESULT
jmpCW_GO_7
////////////////////
AB4F:
cmp$RESULT,00
jneAB5F
movI3,”0000″
jmpCW_GO_7
////////////////////
AB5F:
pause
pause
pause
////////////////////
CW_GO_7:
itoaI4,16.
movI4,$RESULT
lenI4
cmp$RESULT,04
jeCW_GO_8
////////////////////
AB1G:
cmp$RESULT,03
jneAB2G
eval”0{I4}”
movI4,$RESULT
jmpCW_GO_8
////////////////////
AB2G:
cmp$RESULT,02
jneAB3G
eval”00{I4}”
movI4,$RESULT
jmpCW_GO_8
////////////////////
AB3G:
cmp$RESULT,01
jneAB4G
eval”000{I4}”
movI4,$RESULT
jmpCW_GO_8
////////////////////
AB4G:
cmp$RESULT,00
jneAB5G
movI4,”0000″
jmpCW_GO_8
////////////////////
AB5G:
pause
pause
pause
////////////////////
CW_GO_8:
eval”{I3}-{I4}”
movtest,##+$RESULT
mov[mem+0A],test
movSECOND_LOOP,01
jmpBIG_LOOP
////////////////////
END_SECOND_LOOP:
readstr[mem],13
movSTRING_2,$RESULT
strSTRING_2
movSTRING_2,STRING_2
moveax,temp2
fillmem,100,00
movSECOND_LOOP,00
mov[mem],ID_1
mov[mem+04],ID_2
mov[mem+12],[mem],2
mov[mem+10],[mem+2],2
mov[mem+16],[mem+4],2
mov[mem+14],[mem+6],2
movID_1,[mem+10]
movID_2,[mem+14]
fillmem,100,00
bcFOUND
bphwc
readstr[eip],0A
movplace,$RESULT
bufplace
movtest,eip
addtest,05
gcitest,DESTINATION
movort,$RESULT
eval”jmp{mem}”
asmeip,$RESULTmov[mem],#81FAAAAAAAAA751A81F9AAAAAAAA7512BABBBBBBBBB9CCCCCCCC89542410894C24149090#
cmp$RESULT,01
jmpEND_SECOND_LOOP_2
////////////////////
END_SECOND_LOOP_2:
addmem,22
mov[mem],place
submem,22
mov[mem+02],ID
mov[mem+0A],ID2
mov[mem+11],ID_1
mov[mem+16],ID_2
eval”jmp{ort}”
asmmem+27,$RESULT
addPLUS_2,ort
subPLUS_2,VMBASE
movPLUS_2,PLUS_2readstr[mem],028
jmpFULL_END
esto
pause
pause
////////////////////
VARSINIT:
/////////////////ZENGHWADD////////
vartempdatavarvmaddr
varapiaddr
varIAT_Start
varIAT_End
varvmapiaddrvarEipForOep_1
varEipForOep_2
varEipForOep_3
varoep
varbpforoep
vartmp1
vartmp2
varEXTRA_2
varEXTRA
varmemvarSECOND_LOOP
varSTRING_2
varcounta
vartest
varSTRING
varCALC
varI1
varI2
varI3
varI4
varPLUS_1
varPLUS_2
varCHECK
varTEMP_CHECK
varCODESECTION
varCODESECTION_SIZE
vardll
varcall////////////////////
gpa”DeviceIoControl”,”kernel32.dll”
movDeviceIoControl,$RESULT
gpa”VirtualAlloc”,”kernel32.dll”
movVirtualAlloc,$RESULT
gpa”VirtualProtect”,”kernel32.dll”
movVirtualProtect,$RESULT
gpa”MapViewOfFile”,”kernel32.dll”
movMapViewOfFile,$RESULTret
////////////////////
FULL_END:
cmpTEMP_CHECK,0
jeFULL_END_2
freeTEMP_CHECK
////////////////////
FULL_END_2://pause
//ret
//start:
findoep:
BPHWCALL
BPHWSbpforoep,”r”
runmovEipForOep_2,eip
movEipForOep_2,[EipForOep_2]
andEipForOep_2,0ff
cmpEipForOep_2,E8
jefindoep2sto
sto
movoep,eip
pause//此处暂停后,可先查看IATSTART和IATEND,然后修改fixiat里面的对应内容
msg”此处暂停后,可先查看IAT的起始和终止地址,然后修改fixiat里面对应的IAT_Start和IAT_Start!”
jmpfixiatfindoep2:
//msg”修复后,请手动查找OEP!”
sti
sto
sto
sto
sto
sto
movoep,eipfixiat:
movIAT_Start,0040306C////////////////////////////////////////
movIAT_End,00403098////////////////////////////////////////fix:
moveip,[IAT_Start]movEipForOep_3,eip
movEipForOep_3,[EipForOep_3]
andEipForOep_3,0ff
cmpEipForOep_3,68
jneskipfix2sto
sto
sto
sto
sto
stimovtmp1,eip
findeip,#7C#
cmp$RESULT,0
jeF2
movtmp2,$RESULT
mov[tmp2],#EB#
moveip,tmp1F2:
run
stocmpeip,07000000
jafix2movvmapiaddr,eip
subvmapiaddr,vmaddr
addvmapiaddr,kernel32base
mov[IAT_Start],vmapiaddr
addIAT_Start,4
cmpIAT_Start,IAT_End
jaend
cmp[IAT_Start],0
jeskipfix
jmpfixfix2:
moveip,[IAT_Start]movEipForOep_3,eip
movEipForOep_3,[EipForOep_3]
andEipForOep_3,0ff
cmpEipForOep_3,68
jneskipfix2sto
sto
sto
sto
sto
stimovtmp1,eip
findeip,#7C#
cmp$RESULT,0
jeF3
movtmp2,$RESULT
mov[tmp2],#EB#
moveip,tmp1F3:
run
sto
movapiaddr,eip
mov[IAT_Start],apiaddr
addIAT_Start,4
cmpIAT_Start,IAT_End
jaend
cmp[IAT_Start],0
jeskipfix
jmpfixskipfix:
addIAT_Start,4
cmp[IAT_Start],0
jeskipfix
jmpfixskipfix2:
addIAT_Start,4
cmpIAT_Start,IAT_End
jaend
jmpfixerror:
msg”FixIATwrong!”
retend:
BPHWCALL
moveip,oep
ANeip
ret
