Does anyone still work on the ZP packer these days?
This post was last edited by jlsyysj on 2024-1-19 13:57. I recently ran into some problems with the ZP packer.
ZProtect 1.6 Unpacking (full analysis of ZP 1.6)
Host system: Win11
Debug tools: Eugenio, zp fixer
Target: test_zp.exe
After loading, it stops at the following code:
0046D302 >68 0ED34600 push test_zp.0046D30E
0046D307 E9 11000000 jmp test_zp.0046D31D
0046D30C 04 34 add al,0x34
0046D30E E9 0A000000 jmp test_zp.0046D31D
0046D313 5A pop edx
0046D314 65:E1 46 loopde Xtest_zp.0046D35D
0046D317^ 7F CA jg Xtest_zp.0046D2E3
0046D319 78 6F js Xtest_zp.0046D38A
0046D31B^ 73 DE jnb Xtest_zp.0046D2FB
0046D31D 60 pushad
0046D31E 68 26D34600 push test_zp.0046D326
0046D323 C3 retn
0046D324 8DB454 E9020000 lea esi,dword ptr ss:[esp+edx*2+0x2E9]
0046D32B 0055 D7 add byte ptr ss:[ebp-0x29],dl
0046D32E 68 3AD34600 push test_zp.0046D33A
0046D333 E9 99070000 jmp test_zp.0046DAD1
0046D338 F71F neg dword ptr ds:[edi]
0046D33A E9 0A000000 jmp test_zp.0046D349
Getting to the OEP is easy; a script or the ESP trick both work.
004536D8 55 push ebp ; OEP / Near at OEP!
004536D9 8BEC mov ebp,esp
004536DB 83C4 F0 add esp,-0x10
004536DE B8 70204500 mov eax,test_zp.00452070
004536E3 E8 402DFBFF call test_zp.00406428
004536E8 A1 30594500 mov eax,dword ptr ds:[0x459530]
004536ED 8B00 mov eax,dword ptr ds:[eax]
004536EF E8 E8CEFFFF call test_zp.004505DC
004536F4 8B0D 145A4500 mov ecx,dword ptr ds:[0x455A14] ; test_zp.004595A0
004536FA A1 30594500 mov eax,dword ptr ds:[0x459530]
004536FF 8B00 mov eax,dword ptr ds:[eax]
00453701 8B15 D01E4500 mov edx,dword ptr ds:[0x451ED0] ; test_zp.00451F1C
00453707 E8 E8CEFFFF call test_zp.004505F4
0045370C A1 30594500 mov eax,dword ptr ds:[0x459530]
00453711 8B00 mov eax,dword ptr ds:[eax]
00453713 E8 5CCFFFFF call test_zp.00450674
00453718 E8 370EFBFF call test_zp.00404554
0045371D 8D40 00 lea eax,dword ptr ds:[eax]
At the OEP, dump the process, open ImpREC, enter 536d8 as the OEP, run IAT AutoSearch and Get Imports: every entry is invalid.
IAT start RVA 45A6C4
IAT end RVA 45AC68
Following the tutorial, step into the first CALL at the OEP:
004536D9 8BEC mov ebp,esp
004536DB 83C4 F0 add esp,-0x10
004536DE B8 70204500 mov eax,test_zp.00452070
004536E3 E8 402DFBFF call test_zp.00406428 //follow
004536E8 A1 30594500 mov eax,dword ptr ds:[0x459530]
004536ED 8B00 mov eax,dword ptr ds:[eax]
Arrive here:
00406428 53 push ebx
00406429 8BD8 mov ebx,eax
0040642B 33C0 xor eax,eax
0040642D A3 88474500 mov dword ptr ds:[0x454788],eax
00406432 6A 00 push 0x0
00406434 E8 2BFFFFFF call test_zp.00406364 //follow
00406439 A3 F4874500 mov dword ptr ds:[0x4587F4],eax
0040643E A1 F4874500 mov eax,dword ptr ds:[0x4587F4]
00406443 A3 94474500 mov dword ptr ds:[0x454794],eax
00406448 33C0 xor eax,eax
0040644A A3 98474500 mov dword ptr ds:[0x454798],eax
0040644F 33C0 xor eax,eax
00406451 A3 9C474500 mov dword ptr ds:[0x45479C],eax
Arrive here:
00406361 8D40 00 lea eax,dword ptr ds:[eax]
00406364 $FF25 84A74500 jmp dword ptr ds:[0x45A784] ;test_zp.0046B540 //follow
0040636A 8BC0 mov eax,eax
0040636C $FF25 80A74500 jmp dword ptr ds:[0x45A780] ;test_zp.0046B27C
00406372 8BC0 mov eax,eax
00406374 $FF25 7CA74500 jmp dword ptr ds:[0x45A77C] ;test_zp.0046BE58
0040637A 8BC0 mov eax,eax
0040637C $FF25 78A74500 jmp dword ptr ds:[0x45A778] ;test_zp.0046BC78
00406382 8BC0 mov eax,eax
00406384/$50 push eax
Arrive here:
0046B540 68 7358E708 push 0x8E75873
0046B545 E9 7A000000 jmp test_zp.0046B5C4 //follow
0046B54A CB retf
0046B54B 7E 68 jle Xtest_zp.0046B5B5
0046B54D 2157 E7 and dword ptr ds:[edi-0x19],edx
Then here:
0046B5C4- E9 EFFAFB01 jmp 0242B0B8 //follow
0046B5C9 0000 add byte ptr ds:[eax],al
0046B5CB 0000 add byte ptr ds:[eax],al
0046B5CD 0000 add byte ptr ds:[eax],al
Now we arrive here:
0242B0B8 9C pushfd
0242B0B9 60 pushad
0242B0BA FF7424 24 push dword ptr ss:[esp+0x24]
0242B0BE E8 05ECFFFF call 02429CC8
0242B0C3 61 popad
0242B0C4 9D popfd
0242B0C5 C3 retn //this 242b0c5 is the patch va
0242B0C6 A1 F4A84302 mov eax,dword ptr ds:[0x243A8F4]
Follow the call 02429cc8 above to find the zero va:
02429CC8 A1 F4A84302 mov eax,dword ptr ds:[0x243A8F4]
02429CCD 80B8 BB000000 0>cmp byte ptr ds:[eax+0xBB],0x0
02429CD4 74 57 je X02429D2D
02429CD6 FF15 F0104202 call dword ptr ds:[0x24210F0] ; kernel32.GetTickCount
02429CDC 8BC8 mov ecx,eax
02429CDE 2B0D A0A74302 sub ecx,dword ptr ds:[0x243A7A0]
02429CE4 81F9 88130000 cmp ecx,0x1388
02429CEA 76 41 jbe X02429D2D
02429CEC FF35 A4A74302 push dword ptr ds:[0x243A7A4]
02429CF2 A3 A0A74302 mov dword ptr ds:[0x243A7A0],eax
02429CF7 FF15 40104202 call dword ptr ds:[0x2421040] ; kernel32.ResumeThread
02429CFD 833D 60AF4302 0>cmp dword ptr ds:[0x243AF60],0x3 //this 0x243af60 is the zero va
02429D04 7C 08 jl X02429D0E
02429D06 6A 00 push 0x0
02429D08 FF15 00114202 call dword ptr ds:[0x2421100] ; kernel32.ExitProcess
02429D0E 803D ACA74302 0>cmp byte ptr ds:[0x243A7AC],0x0
Now open zp fixer.
Process ID: visible in LoadPE, 1a84
code start 45a6c4
code end 45ac68
patch va 242b0c5
zero va 243af60
Click Start.
It reports New Address: 2520000
Ctrl+G 2520000
Arrive at:
02520000 BE C4A64500 mov esi,0x45A6C4 //set the new EIP here
02520005 BF 68AC4500 mov edi,0x45AC68
0252000A B9 C5B04202 mov ecx,0x242B0C5
0252000F 83C1 05 add ecx,0x5
02520012 83C7 04 add edi,0x4
02520015 8B06 mov eax,dword ptr ds:[esi]
02520017 8931 mov dword ptr ds:[ecx],esi
02520019 8A10 mov dl,byte ptr ds:[eax]
0252001B 80FA 68 cmp dl,0x68
0252001E 74 02 je X02520022
02520020 EB 0A jmp X0252002C
02520022 8A50 05 mov dl,byte ptr ds:[eax+0x5]
02520025 80FA E9 cmp dl,0xE9
02520028^ 75 F6 jnz X02520020
0252002A FFD0 call eax
0252002C 83C6 04 add esi,0x4
0252002F C605 60AF4302 0>mov byte ptr ds:[0x243AF60],0x0
02520036 3BF7 cmp esi,edi
02520038 74 0B je X02520045
0252003A 8B06 mov eax,dword ptr ds:[esi]
0252003C 85C0 test eax,eax
0252003E^ 75 D5 jnz X02520015
02520040 83C6 04 add esi,0x4
02520043^ EB D0 jmp X02520015
02520045 33C0 xor eax,eax //set an F2 breakpoint here
Then F9.
It stops at the breakpoint; in the data window, Ctrl+G to 45a6c4.
The IAT now displays correctly:
0045A6C0 00000000
0045A6C4 76B3F810 oleaut32.SysFreeString
0045A6C8 76B43C20 oleaut32.SysReAllocStringLen
0045A6CC 76B405E0 oleaut32.SysAllocStringLen
0045A6D0 00000000
0045A6D4 76AAECB0 advapi32.RegQueryValueExA
0045A6D8 76AAEEA0 advapi32.RegOpenKeyExA
0045A6DC 76AAEDA0 advapi32.RegCloseKey
0045A6E0 00000000
0045A6E4 758B9D80 user32.GetKeyboardType
0045A6E8 75868390 jmp to win32u.NtUserDestroyWindow
0045A6EC 7585EB30 user32.LoadStringA
0045A6F0 758AA740 user32.MessageBoxA
0045A6F4 7585DE80 user32.CharNextA
Back in ImpREC, click Get Imports again.
There are three unresolved pointers in kernel32.dll; these are fixed with auto trace level 1.
The most critical thing, and what I actually want to ask about, is this entry above:
?FThunk:0005a78c NbFunc:A2 (decimal:162) valid:NO
Expanding it shows nothing but the following... looks like I need a screenshot.
This is where I got stuck. Is it a platform issue or something else???
Can any expert explain?
Looked further down
and found the problem:
What on earth is this 0005a9d4 ntdll.dll??
This is what the invalid entries look like.
It says these three functions are invalid; is it a platform issue?
I set up a Win7 32-bit VM and unpacked it there;
the problem above disappeared.
But after fixing the IAT it won't run. Tracing the fixed code, it crashes after a jump to an address at 0061xxxx.
Do I also need to fix the sections?
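The loop that zp fixer writes at 02520000 is the mechanism the whole post revolves around: it walks the IAT from code start to code end, skips the null separators between DLL groups, and for every slot whose target begins with push imm32 (68) followed at +5 by jmp rel32 (E9) it calls the stub so the packer's handler writes the real API address back into the slot (whose address was stored at patch va+5), zeroing the counter at zero va on every round. The Python below is an added example, not code from the post, from ZProtect or from zp fixer. It re-implements that walk over a constructed memory image: the addresses are borrowed from the post, while the stub bytes other than those at 0046B540, the API prologue bytes and the stub-to-API mapping that stands in for `call eax` are my own assumptions. It shows how an analyst can classify IAT slots as redirected or already resolved before handing a dump to ImpREC.

```python
import struct

PUSH_IMM32 = 0x68   # first byte the stub at 0252001B tests for
JMP_REL32 = 0xE9    # byte at +5 the stub at 02520025 tests for

# Constructed memory image: addresses are borrowed from the thread, the bytes
# behind them (other than the 0046B540 stub) are my own sample data.
IAT_START = 0x45A6C4            # "code start" given to zp fixer
IAT_END = 0x45A6D8              # short sample slice, not the real end 0x45AC68
STUB_A = 0x46B540               # push 0x8E75873 / jmp stub quoted in the post
STUB_B = 0x46B27C               # targets of the FF25 thunks at 0040636C/00406374
STUB_C = 0x46BE58
DIRECT_API = 0x76B43C20         # a slot that already holds a real API address


def push_jmp_stub(imm32, rel32):
    """Build the 68 <imm32> E9 <rel32> shape of a ZProtect redirect stub."""
    return (bytes([PUSH_IMM32]) + struct.pack("<I", imm32)
            + bytes([JMP_REL32]) + struct.pack("<i", rel32))


MEMORY = {
    IAT_START: struct.pack("<5I", STUB_A, DIRECT_API, STUB_B, 0, STUB_C),
    STUB_A: push_jmp_stub(0x8E75873, 0x7A),          # bytes seen at 0046B540
    STUB_B: push_jmp_stub(0x11111111, 0x10),         # constructed
    STUB_C: push_jmp_stub(0x22222222, 0x10),         # constructed
    DIRECT_API: bytes.fromhex("8BFF558BEC"),         # constructed API prologue
}

# Stand-in for what `call eax` leaves in the slot: constructed stub -> API map
# (API values taken from the post's repaired IAT dump; the pairing is assumed).
RESOLVED_BY_PACKER = {
    STUB_A: 0x76B3F810,   # oleaut32.SysFreeString
    STUB_B: 0x76B405E0,   # oleaut32.SysAllocStringLen
    STUB_C: 0x76AAECB0,   # advapi32.RegQueryValueExA
}


def read8(memory, addr):
    """Read one byte from the region of the image that contains addr."""
    for base, blob in memory.items():
        if base <= addr < base + len(blob):
            return blob[addr - base]
    raise ValueError(f"unmapped address {addr:#x}")


def read32(memory, addr):
    return struct.unpack("<I", bytes(read8(memory, addr + i) for i in range(4)))[0]


def is_redirect_stub(memory, target):
    """Same test as 02520019-02520028: byte 0 == 68 and byte 5 == E9."""
    try:
        return (read8(memory, target) == PUSH_IMM32
                and read8(memory, target + 5) == JMP_REL32)
    except ValueError:
        return False   # unmapped target: cannot be one of the packer's stubs


def walk_iat(memory, start, end, resolve):
    """Python version of the loop 02520015-02520043.

    Returns {slot: (kind, original_value, value_after_fix)}.  resolve(stub)
    plays the role of `call eax`, i.e. the packer handler that writes the
    real address back into the slot whose address was stored at patch va+5.
    """
    fixed = {}
    slot = start
    while slot != end:               # cmp esi,edi / je 02520045
        value = read32(memory, slot)
        if value == 0:               # null separator between DLL groups
            slot += 4                # (02520040: note the stub re-enters the
            continue                 #  loop here without re-checking edi)
        if is_redirect_stub(memory, value):
            fixed[slot] = ("stub", value, resolve(value))
        else:
            fixed[slot] = ("direct", value, value)
        slot += 4
    return fixed


def rebuild_sample():
    """Run the walk over the constructed image."""
    return walk_iat(MEMORY, IAT_START, IAT_END, RESOLVED_BY_PACKER.__getitem__)


if __name__ == "__main__":
    for slot, (kind, before, after) in sorted(rebuild_sample().items()):
        print(f"{slot:08X} {before:08X} -> {after:08X} ({kind})")
```

Running it prints one line per non-null slot in the sample, with the original value, the value the packer handler would write back, and whether the slot was a redirect stub or already a direct pointer. On a real dump the same classification tells you in advance which slots ImpREC will be able to resolve on its own and which still depend on the packer's stubs.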