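Liquor posted on 2013-8-20 16:00

Unpack ZProtect

This post was last edited by Liquor on 2013-8-20 16:07

[Title]: Unpack ZProtect
[Author]: Crack_Qs
[Author e-mail]: qs#ff0000.cc (replace # with @)
[Packer]: ZProtect 1.4.9.0 Preview 2
[Platform]: Win XP SP3
[Author's statement]: Written purely out of interest, with no other purpose. If I have made mistakes, I would be grateful for corrections from the experts!
--------------------------------------------------------------------------------
[Detailed procedure]
I haven't been well lately and am rarely online. Today a buddy asked me about unpacking ZProtect, so I took some time to write this up.
These are just brief notes; experts can skip them.
-------------------------------------------------------------
I won't go into how to reach the OEP in ZProtect; the ESP method is enough.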

00457D60    55               push ebp                                 ; OEP
00457D61    8BEC             mov ebp,esp
00457D63    6A FF            push -0x1
00457D65    68 F8C95400      push m3g0718.0054C9F8
00457D6A    68 F4A54500      push m3g0718.0045A5F4
00457D6F    64:A1 00000000   mov eax,dword ptr fs:[0]
00457D75    50               push eax
00457D76    64:8925 0000000> mov dword ptr fs:[0],esp
00457D7D    83EC 58          sub esp,0x58
00457D80    53               push ebx
00457D81    56               push esi
00457D82    57               push edi
00457D83    8965 E8          mov dword ptr ss:[ebp-0x18],esp
00457D86    FF15 78A14700    call dword ptr ds:[0x47A178]             ; m3g0718.0059DE94
00457D8C    33D2             xor edx,edx
00457D8E    8AD4             mov dl,ah
00457D90    8915 1CF65800    mov dword ptr ds:[0x58F61C],edx
00457D96    8BC8             mov ecx,eax
ZProtect has already been dissected by countless people before me, so I won't embarrass myself by repeating it.
Next we use ImportREC to get the pointers: 453 of them, all invalid.
Record the IAT start and the IAT end:
Start: 0047A000
End: 0047A740
Next, find the Patch VA and the Zero VA.
00457D82    57               push edi
00457D83    8965 E8          mov dword ptr ss:[ebp-0x18],esp
00457D86    FF15 78A14700    call dword ptr ds:[0x47A178]             ; first CALL; press Enter to follow it
00457D8C    33D2             xor edx,edx
00457D8E    8AD4             mov dl,ah
We arrive at the following code:
0059DE94    68 78C4A967      push 0x67A9C478
0059DE99  ^ E9 2AF9FFFF      jmp m3g0718.0059D7C8                     ; press Enter again
0059DE9E    8A4C68 A9        mov cl,byte ptr ds:[eax+ebp*2-0x57]
0059DEA2    C4A9 67E91EF9    les ebp,fword ptr ds:[ecx+0xF91EE967]
Continue:
0059D7C8  - E9 6F507500      jmp 00CF283C                             ; code like this is the last hop; press Enter again
0059D7CD    0000             add byte ptr ds:[eax],al
0059D7CF    0024A1           add byte ptr ds:[ecx],ah
0059D7D2    07               pop es
We have arrived at the Patch VA:
00CF283C    60               pushad
00CF283D    FF7424 20        push dword ptr ss:[esp+0x20]
00CF2841    E8 DCF8FFFF      call 00CF2122                            ; press Enter here to find the Zero VA address
00CF2846    61               popad
00CF2847    C3               retn                                     ; this retn is the Patch VA; record its address
00CF2848    E9 6DE90200      jmp 00D211BA
00CF284D    CC               int3

00CF2122    A1 4466CF00      mov eax,dword ptr ds:[0xCF6644]          ; after pressing Enter we land here
00CF2127    8078 34 00       cmp byte ptr ds:[eax+0x34],0x0
00CF212B    74 57            je X00CF2184
00CF212D    FF15 E810CE00    call dword ptr ds:[0xCE10E8]             ; kernel32.GetTickCount
00CF2133    8BC8             mov ecx,eax
00CF2135    2B0D 1065CF00    sub ecx,dword ptr ds:[0xCF6510]
00CF213B    81F9 88130000    cmp ecx,0x1388
00CF2141    76 41            jbe X00CF2184
00CF2143    FF35 1465CF00    push dword ptr ds:[0xCF6514]
00CF2149    A3 1065CF00      mov dword ptr ds:[0xCF6510],eax
00CF214E    FF15 5810CE00    call dword ptr ds:[0xCE1058]             ; kernel32.ResumeThread
00CF2154    833D 9C6CCF00 0> cmp dword ptr ds:[0xCF6C9C],0x3          ; 0xcf6c9c is the Zero VA
00CF215B    7C 08            jl X00CF2165
00CF215D    6A 00            push 0x0
PS: Below the ResumeThread call, the value recorded in the only nearby cmp dword ptr ds:[...],0x3 is the Zero VA.
Next, find a block of empty code space and write the following code into it.
BE ?? ?? ?? ?? BF ?? ?? ?? ?? B9 ?? ?? ?? ?? 83 C1 05 83 C7 04 8B 06 89 31 8A 10 80 FA 68 74 02
EB 0A 8A 50 05 80 FA E9 75 F6 FF D0 83 C6 04 C6 05 ?? ?? ?? ?? 00 3B F7 74 0B 8B 06 85 C0 75 D5
83 C6 04 EB D0 33 C0
After modification, the code used for this program is:
BE 00 A0 47 00 BF 40 A7 47 00 B9 47 28 CF 00 83 C1 05 83 C7 04 8B 06 89 31 8A 10 80 FA 68 74 02
EB 0A 8A 50 05 80 FA E9 75 F6 FF D0 83 C6 04 C6 05 9C 6C CF 00 00 3B F7 74 0B 8B 06 85 C0 75 D5
83 C6 04 EB D0 33 C0
//Annotated code follows
00FA0000    BE 00A04700      mov esi,0x47A000                         ; fill in the IAT start
00FA0005    BF 40A74700      mov edi,0x47A740                         ; fill in the IAT end
00FA000A    B9 4728CF00      mov ecx,0xCF2847                         ; fill in the Patch VA
00FA000F    83C1 05          add ecx,0x5
00FA0012    83C7 04          add edi,0x4
00FA0015    8B06             mov eax,dword ptr ds:[esi]
00FA0017    8931             mov dword ptr ds:[ecx],esi
00FA0019    8A10             mov dl,byte ptr ds:[eax]
00FA001B    80FA 68          cmp dl,0x68
00FA001E    74 02            je X00FA0022
00FA0020    EB 0A            jmp X00FA002C
00FA0022    8A50 05          mov dl,byte ptr ds:[eax+0x5]
00FA0025    80FA E9          cmp dl,0xE9
00FA0028  ^ 75 F6            jnz X00FA0020
00FA002A    FFD0             call eax
00FA002C    83C6 04          add esi,0x4
00FA002F    C605 9C6CCF00 0> mov byte ptr ds:[0xCF6C9C],0x0           ; fill in the Zero VA
00FA0036    3BF7             cmp esi,edi
00FA0038    74 0B            je X00FA0045
00FA003A    8B06             mov eax,dword ptr ds:[esi]
00FA003C    85C0             test eax,eax
00FA003E  ^ 75 D5            jnz X00FA0015
00FA0040    83C6 04          add esi,0x4
00FA0043  ^ EB D0            jmp X00FA0015
00FA0045    33C0             xor eax,eax

00FA0000    BE 00A04700      mov esi,0x47A000                         ; set the new EIP (new origin) here
00FA0005    BF 40A74700      mov edi,0x47A740
00FA000A    B9 4728CF00      mov ecx,0xCF2847
00FA000F    83C1 05          add ecx,0x5
00FA0012    83C7 04          add edi,0x4
00FA0015    8B06             mov eax,dword ptr ds:[esi]
00FA0017    8931             mov dword ptr ds:[ecx],esi
00FA0019    8A10             mov dl,byte ptr ds:[eax]
00FA001B    80FA 68          cmp dl,0x68
00FA001E    74 02            je X00FA0022
00FA0020    EB 0A            jmp X00FA002C
00FA0022    8A50 05          mov dl,byte ptr ds:[eax+0x5]
00FA0025    80FA E9          cmp dl,0xE9
00FA0028  ^ 75 F6            jnz X00FA0020
00FA002A    FFD0             call eax
00FA002C    83C6 04          add esi,0x4
00FA002F    C605 9C6CCF00 0> mov byte ptr ds:[0xCF6C9C],0x0
00FA0036    3BF7             cmp esi,edi
00FA0038    74 0B            je X00FA0045
00FA003A    8B06             mov eax,dword ptr ds:[esi]
00FA003C    85C0             test eax,eax
00FA003E  ^ 75 D5            jnz X00FA0015
00FA0040    83C6 04          add esi,0x4
00FA0043  ^ EB D0            jmp X00FA0015
00FA0045    33C0             xor eax,eax                              ; set a breakpoint with F2, then run with F9
Open ImportREC again; all IAT pointers are now valid.
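Unpacking is now complete.
Sample file: sample
--------------------------------------------------------------------------------
[Copyright notice]: This article is an original work by Crack_Qs. When reposting, please credit the author and keep the article intact. Thank you!
2013-07-26 17:31:43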
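
Added example, not part of the original post: a Python sketch of the test the patch stub applies to each IAT pointer (first byte 0x68, byte at +5 0xE9), run over a constructed memory image that holds the instruction bytes quoted in the listings above. The function names, the `MEMORY` layout and the address 0x10001000 are assumptions made for illustration.

```python
import struct

# Constructed memory image. The first three entries hold the instruction bytes
# quoted in the post's listings; the last is a made-up ordinary API prologue.
MEMORY = {
    0x0059DE94: bytes.fromhex("6878C4A967E92AF9FFFF"),      # push imm32 ; jmp rel32
    0x0059D7C8: bytes.fromhex("E96F507500"),                # jmp rel32
    0x00CF283C: bytes.fromhex("60FF742420E8DCF8FFFF61C3"),  # pushad ... popad ; retn
    0x10001000: bytes.fromhex("8BFF558BEC5DC3909090"),      # hypothetical direct import
}


def read(addr, size):
    """Return up to `size` bytes mapped at `addr` (empty if unmapped)."""
    for base, blob in MEMORY.items():
        if base <= addr < base + len(blob):
            return blob[addr - base:addr - base + size]
    return b""


def rel32_target(insn_addr, insn):
    """Destination of a 5-byte E8/E9 rel32 instruction located at insn_addr."""
    (disp,) = struct.unpack("<i", insn[1:5])
    return (insn_addr + 5 + disp) & 0xFFFFFFFF


def classify_slot(pointer):
    """Apply the stub test from the post: byte 0 == 0x68 and byte 5 == 0xE9."""
    head = read(pointer, 10)
    if not head:
        return {"kind": "unmapped"}
    if len(head) == 10 and head[0] == 0x68 and head[5] == 0xE9:
        (token,) = struct.unpack("<I", head[1:5])
        return {"kind": "redirected", "token": token,
                "next": rel32_target(pointer + 5, head[5:])}
    return {"kind": "direct"}


def follow_jumps(addr, limit=8):
    """Follow consecutive jmp rel32 instructions; the limit guards against loops."""
    chain = [addr]
    for _ in range(limit):
        insn = read(addr, 5)
        if len(insn) < 5 or insn[0] != 0xE9:
            break
        addr = rel32_target(addr, insn)
        chain.append(addr)
    return chain


def dispatcher_exit(addr, window=32):
    """Address of the retn in the first `popad; retn` (61 C3) pair, or None.

    A raw byte scan can match inside an operand; confirm in a disassembler.
    """
    blob = read(addr, window)
    idx = blob.find(b"\x61\xC3")
    return None if idx < 0 else addr + idx + 1


def trace_slot(pointer):
    """Classify one IAT pointer and, if redirected, resolve its dispatcher."""
    info = classify_slot(pointer)
    if info["kind"] == "redirected":
        info["chain"] = follow_jumps(info["next"])
        info["exit"] = dispatcher_exit(info["chain"][-1])
    return info


if __name__ == "__main__":
    for ptr in (0x0059DE94, 0x10001000, 0x7FFF0000):
        print(hex(ptr), trace_slot(ptr))
```

The redirected pointer resolves through the same hops the post follows by hand, ending at the `retn` the post records as the Patch VA.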

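LoongKing posted on 2013-8-20 16:07

So QS daddy changed his name; time to pay my respects!

吾爱扣扣 posted on 2013-8-20 16:14

E_eYYF posted on 2013-8-20 16:07
So QS daddy changed his name; time to pay my respects!

Oh? Really... Nice, nice! I'll study ZP.

淡然出尘 posted on 2013-8-20 16:15

"I haven't been well lately and am rarely online"
Master, take care of your health; a little indulgence lifts the mood, nothing more
O(∩_∩)O
Supporting original work

Liquor posted on 2013-8-20 16:23

淡然出尘 posted on 2013-8-20 16:15
Master, take care of your health; a little indulgence lifts the mood, nothing more
O(∩_∩)O
Supporting original work

Hello, Master 淡然. Respectfully yours, your junior qs.

逍遥枷锁 posted on 2013-8-20 16:26

ZP repair; I bow in admiration.

短发 posted on 2013-8-20 16:32

I can't understand this.

小雨细无声 posted on 2013-8-20 17:37

Thanks for sharing!

amulin posted on 2013-8-20 17:38

I was wondering:
it says original,
so why are the two names different?

restartxie posted on 2013-8-20 21:07

Hello, master. I have some questions about cracking; I have e-mailed you and also left a message on your blog. Could you take a look when you have time? Thank you.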
