Manual ZP unpacking: illustrated tutorial
A friend asked me today to help crack a program. When I opened it, I saw it was packed with ZP, so I made a tutorial for him. I use the system's built-in Notepad as the packed example: we pack Notepad with the Zprotect packer, then check it with a packer-identification tool. After packing, running it asks us to register before the software will run. So what do we do? The first thing that comes to mind is to pay the owner to register; if you don't want to pay, the only way is to crack the registration mechanism. Since it is packed with Zprotect, as soon as we strip the Zprotect shell its registration mechanism is automatically defeated.

Load it in OD:

01015CC2 > E8 01000000   call NOTEPAD_.01015CC8   <-- OD entry point
01015CC7 ^ EB 87         jmp short NOTEPAD_.01015C50
01015CC9   04 24         add al,0x24
01015CCB   8D80 88F5FFFF lea eax,dword ptr ds:
01015CD1   870424        xchg dword ptr ss:,eax
01015CD4 ^ E9 76F5FFFF   jmp NOTEPAD_.0101524F
01015CD9   A2 37A658E9   mov byte ptr ds:,al
01015CDE   BD F9FFFFB0   mov ebp,0xB0FFFFF9
01015CE3   2967 83       sub dword ptr ds:,esp
01015CE6   65:FC         cld
01015CE8   00E9          add cl,ch
01015CEA ^ 7F F9         jg short NOTEPAD_.01015CE5

Press F9 to run the program directly, then F12 to pause, then click the K button in OD's toolbar, which shows:

77D56D7D > 8BFF          mov edi,edi   <-- we land here; set a breakpoint with F2
77D56D7F   55            push ebp
77D56D80   8BEC          mov ebp,esp
77D56D82   6A 02         push 0x2
77D56D84   FF75 18       push dword ptr ss:
77D56D87   FF75 14       push dword ptr ss:
77D56D8A   FF75 10       push dword ptr ss:
77D56D8D   FF75 0C       push dword ptr ss:
77D56D90   FF75 08       push dword ptr ss:
77D56D93   E8 38DCFCFF   call user32.DialogBoxIndirectParamAorW
77D56D98   5D            pop ebp   ; user32.77D19418
77D56D99   C2 1400       retn 0x14

Reload the program and run:

01015CC2 > E8 01000000   call NOTEPAD_.01015CC8   <-- F7 step into
01015CC7 ^ EB 87         jmp short NOTEPAD_.01015C50
01015CC9   04 24         add al,0x24
01015CCB   8D80 88F5FFFF lea eax,dword ptr ds:
01015CD1   870424        xchg dword ptr ss:,eax
01015CD4 ^ E9 76F5FFFF   jmp NOTEPAD_.0101524F

01015CC8   870424        xchg dword ptr ss:,eax   <-- we arrive here; continue with F8 single-step
01015CCB   8D80 88F5FFFF lea eax,dword ptr ds:
01015CD1   870424        xchg dword ptr ss:,eax
01015CD4 ^ E9 76F5FFFF   jmp NOTEPAD_.0101524F
01015CD9   A2 37A658E9   mov byte ptr ds:,al
01015CDE   BD F9FFFFB0   mov ebp,0xB0FFFFF9
01015CE3   2967 83       sub dword ptr ds:,esp

0101524F   60            pushad   <-- keep stepping with F8
01015250   E9 B6060000   jmp NOTEPAD_.0101590B   <-- here we apply the ESP trick
01015255   8361 93 89    and dword ptr ds:,-0x77
01015259   45            inc ebp

F9 to run:

0087C7E8 ^\E9 84A0FFFF   jmp 00876871   <-- F8 single-step
0087C7ED   AF            scas dword ptr es:
0087C7EE   3AB3 7053E802 cmp dh,byte ptr ds:

00876871   C3            retn   <-- one F8 step here returns to the program's OEP
00876872   E9 03670000   jmp 0087CF7A
00876877   8122 FFFFFF9F and dword ptr ds:,0x9FFFFFFF
0100739D   6A   db 6A   ; CHAR 'j'
0100739E   70   db 70   ; CHAR 'p'
0100739F   68   db 68   ; CHAR 'h'
010073A0   98   db 98
010073A1   18   db 18
010073A2   00   db 00
010073A3   01   db 01
010073A4   E8   db E8
010073A5   BF   db BF
010073A6   01   db 01
010073A7   00   db 00
010073A8   00   db 00
010073A9   33   db 33   ; CHAR '3'
010073AA   DB   db DB

If this is what you see, right-click in OD, then Analysis, then Remove analysis from module.

0100739D   6A 70         push 0x70   <-- this is the program's OEP (note this address, it is needed later)
0100739F   68 98180001   push NOTEPAD_.01001898
010073A4   E8 BF010000   call NOTEPAD_.01007568
010073A9   33DB          xor ebx,ebx
010073AB   53            push ebx
010073AC   8B3D CC100001 mov edi,dword ptr ds:   ; NOTEPAD_.01014240
010073B2   FFD7          call edi
010073B4   66:8138 4D5A  cmp word ptr ds:,0x5A4D
010073B9   75 1F         jnz short NOTEPAD_.010073DA

OEP address: 0100739D

The Zprotect shell encrypts the IAT, so now we need to find the start and end of the IAT. Press Ctrl+B and do a binary search for FF15 or FF25; that gives us the IAT addresses.
IAT start address: 01001000
IAT end address: 01001344
Then search:

0100739D   6A 70           push 0x70
0100739F   68 98180001     push NOTEPAD_.01001898
010073A4   E8 BF010000     call NOTEPAD_.01007568
010073A9   33DB            xor ebx,ebx
010073AB   53              push ebx
010073AC   8B3D CC100001   mov edi,dword ptr ds:   ; NOTEPAD_.01014240
010073B2   FFD7            call edi
010073B4   66:8138 4D5A    cmp word ptr ds:,0x5A4D
010073B9   75 1F           jnz short NOTEPAD_.010073DA
010073BB   8B48 3C         mov ecx,dword ptr ds:
010073BE   03C8            add ecx,eax
010073C0   8139 50450000   cmp dword ptr ds:,0x4550
010073C6   75 12           jnz short NOTEPAD_.010073DA
010073C8   0FB741 18       movzx eax,word ptr ds:
010073CC   3D 0B010000     cmp eax,0x10B
010073D1   74 1F           je short NOTEPAD_.010073F2
010073D3   3D 0B020000     cmp eax,0x20B
010073D8   74 05           je short NOTEPAD_.010073DF
010073DA   895D E4         mov dword ptr ss:,ebx
010073DD   EB 27           jmp short NOTEPAD_.01007406
010073DF   83B9 84000000 0> cmp dword ptr ds:,0xE
010073E6 ^ 76 F2           jbe short NOTEPAD_.010073DA
010073E8   33C0            xor eax,eax
010073EA   3999 F8000000   cmp dword ptr ds:,ebx
010073F0   EB 0E           jmp short NOTEPAD_.01007400
010073F2   8379 74 0E      cmp dword ptr ds:,0xE
010073F6 ^ 76 E2           jbe short NOTEPAD_.010073DA
010073F8   33C0            xor eax,eax
010073FA   3999 E8000000   cmp dword ptr ds:,ebx
01007400   0F95C0          setne al
01007403   8945 E4         mov dword ptr ss:,eax
01007406   895D FC         mov dword ptr ss:,ebx
01007409   6A 02           push 0x2
0100740B   FF15 38130001   call dword ptr ds:   <-- right-click here and Follow

010140B4   68 22DD9028     push 0x2890DD22
010140B9   E9 86060000     jmp NOTEPAD_.01014744   <-- right-click here and Follow
010140BE   A8 2C           test al,0x2C

01014744 - E9 F3E083FF     jmp 0085283C   <-- right-click here and Follow
01014749   1000            adc byte ptr ds:,al
0101474B   0063 00         add byte ptr ds:,ah

0085283C   60              pushad
0085283D   FF7424 20       push dword ptr ss:   ; kernel32.7C839AB0
00852841   E8 DCF8FFFF     call 00852122   <-- right-click here and Follow
00852846   61              popad
00852847   C3              retn

00852122   A1 44668500     mov eax,dword ptr ds:
00852127   8078 34 00      cmp byte ptr ds:,0x0
0085212B   74 57           je short 00852184
0085212D   FF15 E8108400   call dword ptr ds:   ; kernel32.GetTickCount
00852133   8BC8            mov ecx,eax
00852135   2B0D 10658500   sub ecx,dword ptr ds:
0085213B   81F9 88130000   cmp ecx,0x1388
00852141   76 41           jbe short 00852184
00852143   FF35 14658500   push dword ptr ds:
00852149   A3 10658500     mov dword ptr ds:,eax
0085214E   FF15 58108400   call dword ptr ds:   ; kernel32.ResumeThread
00852154   833D 9C6C8500 0> cmp dword ptr ds:,0x3
0085215B   7C 08           jl short 00852165
0085215D   6A 00           push 0x0
0085215F   FF15 EC108400   call dword ptr ds:   ; kernel32.ExitProcess
00852165   803D 90668500 0> cmp byte ptr ds:,0x0
0085216C   74 08           je short 00852176
0085216E   FF05 9C6C8500   inc dword ptr ds:
00852174   EB 07           jmp short 0085217D
00852176   8325 9C6C8500 0> and dword ptr ds:,0x0
0085217D   C605 90668500 0> mov byte ptr ds:,0x1
00852184   56              push esi
00852185   FF7424 08       push dword ptr ss:
00852189   FF15 2C658500   call dword ptr ds:   <-- note down this address
0085218F   8BF0            mov esi,eax
00852191   A1 646C8500     mov eax,dword ptr ds:
00852196   2B05 606C8500   sub eax,dword ptr ds:
0085219C   C1F8 02         sar eax,0x2

call dword ptr ds:
Binary-paste the following code:

B8 00 30 47 00 8B 18 83 FB 00 74 36 80 3B 68 75 40 8B 4B 01 50 51 FF 15 2C 65 B4 00 8B F0 A1 64 6C B4 00 2B 05 60 6C B4 00 C1 F8 02 3B F0 72 05 E8 E9 6A 8E FF A1 60 6C B4 00 8B 04 B0 5F 57 89 07 58 83 C0 04 3D F4 36 47 00 72 B9 E9 74 39 49 FF 66 81 3B 50 60 75 EA 80 7B 02 68 75 E4 8B 4B 03 EB B1

After modification it looks like this:

01007604   B8 00100001     mov eax,NOTEPAD_.01001000   <-- change the IAT start address here, and set the new origin (EIP) here
01007609   8B18            mov ebx,dword ptr ds:
0100760B   83FB 00         cmp ebx,0x0
0100760E   74 36           je short NOTEPAD_.01007646
01007610   803B 68         cmp byte ptr ds:,0x68
01007613   75 40           jnz short NOTEPAD_.01007655
01007615   8B4B 01         mov ecx,dword ptr ds:
01007618   50              push eax
01007619   51              push ecx
0100761A   FF15 2C658500   call dword ptr ds:   <-- change the CALL's value here
01007620   8BF0            mov esi,eax
01007622   A1 646C8500     mov eax,dword ptr ds:   <-- change the value here
01007627   2B05 606C8500   sub eax,dword ptr ds:   <-- change the value here
0100762D   C1F8 02         sar eax,0x2
01007630   3BF0            cmp esi,eax
01007632   72 05           jb short NOTEPAD_.01007639
01007634   E8 E96A8EFF     call 008EE122
01007639   A1 606C8500     mov eax,dword ptr ds:   <-- change the value here
0100763E   8B04B0          mov eax,dword ptr ds:
01007641   5F              pop edi   ; kernel32.7C81776F
01007642   57              push edi
01007643   8907            mov dword ptr ds:,eax
01007645   58              pop eax   ; kernel32.7C81776F
01007646   83C0 04         add eax,0x4
01007649   3D 44130001     cmp eax,NOTEPAD_.01001344   <-- change the IAT end address here
0100764E ^ 72 B9           jb short NOTEPAD_.01007609
01007650 ^ E9 48FDFFFF     jmp NOTEPAD_.010073   <-- change the OEP address here and set an F2 breakpoint
01007655   66:813B 5060    cmp word ptr ds:,0x6050
0100765A ^ 75 EA           jnz short NOTEPAD_.01007646
0100765C   807B 02 68      cmp byte ptr ds:,0x68
01007660 ^ 75 E4           jnz short NOTEPAD_.01007646
01007662   8B4B 03         mov ecx,dword ptr ds:
01007665 ^ EB B1           jmp short NOTEPAD_.01007618

Note: for the CALL addresses only the first two digits of the value are replaced, for example:
0100761A   FF15 2C65B400   call dword ptr ds:
is replaced with:
0100761A   FF15 2C658500   call dword ptr ds:

Once everything is modified, delete all breakpoints except the one at 01007650 and press F9:

01007650 ^ E9 48FDFFFF     jmp NOTEPAD_.010073   <-- it breaks here; then single-step to the OEP
0100739D   6A 70           push 0x70   <-- this is the OEP with everything decrypted
0100739F   68 98180001     push NOTEPAD_.01001898
010073A4   E8 BF010000     call NOTEPAD_.01007568
010073A9   33DB            xor ebx,ebx   ; NOTEPAD_.010143B4
010073AB   53              push ebx   ; NOTEPAD_.010143B4
010073AC   8B3D CC100001   mov edi,dword ptr ds:   ; kernel32.GetModuleHandleA
010073B2   FFD7            call edi   ; NOTEPAD_.01001340
010073B4   66:8138 4D5A    cmp word ptr ds:,0x5A4D
010073B9   75 1F           jnz short NOTEPAD_.010073DA

Then dump the process, run the program, and you find the registration dialog no longer appears. At this point the ZP shell is completely removed.

Everyone is welcome to follow my WeChat public account, so we can learn and exchange ideas there. WeChat public account: XKLW8071

liuxingyuu posted on 2015-10-24 14:08
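The Ctrl+B step above (search the code for FF15/FF25 and read off the IAT range) is what an analyst triaging a packed sample does to judge whether the imports are intact. The following is an added Python example, not code from the original post: it sweeps a byte string for the FF 15 (call [disp32]) and FF 25 (jmp [disp32]) patterns, clusters the pointer-slot addresses to estimate the IAT range, and flags hits outside that cluster, since a byte sweep is not a disassembly and can land inside an immediate. The code blob, its load address 0x01007000 and the slot addresses are constructed for the example; they happen to use the same 01001000-01001344 range the post reports.

```python
import struct
from typing import List, NamedTuple, Tuple


class IndirectSite(NamedTuple):
    va: int        # virtual address of the FF-prefixed instruction
    mnemonic: str  # "call" or "jmp"
    slot: int      # absolute address of the pointer slot, i.e. the [disp32]


# ModRM byte after FF: 0x15 = call [disp32], 0x25 = jmp [disp32] (32-bit x86, no RIP-relative)
_MODRM_TO_MNEMONIC = {0x15: "call", 0x25: "jmp"}


def find_indirect_sites(code: bytes, code_va: int) -> List[IndirectSite]:
    """Linear byte sweep for FF15/FF25, the same patterns the post searches with Ctrl+B.
    This is not a disassembler: a hit may fall inside an immediate, which is why the
    results are filtered by estimate_iat_range()/outliers() below."""
    sites = []
    for off in range(len(code) - 5):          # need 2 opcode bytes + 4 displacement bytes
        if code[off] != 0xFF:
            continue
        mnemonic = _MODRM_TO_MNEMONIC.get(code[off + 1])
        if mnemonic is None:
            continue
        slot = struct.unpack_from("<I", code, off + 2)[0]   # little-endian disp32
        sites.append(IndirectSite(code_va + off, mnemonic, slot))
    return sites


def estimate_iat_range(sites: List[IndirectSite], slot_size: int = 4,
                       max_gap: int = 0x1000) -> Tuple[int, int]:
    """Sort the unique slot addresses, split them into clusters wherever two neighbours
    are more than max_gap apart, and take the most populated cluster as the IAT.
    Returns [start, end), in the form the post records as 01001000 / 01001344."""
    slots = sorted({s.slot for s in sites})
    if not slots:
        raise ValueError("no indirect call/jmp sites found")
    clusters = [[slots[0]]]
    for prev, cur in zip(slots, slots[1:]):
        if cur - prev > max_gap:
            clusters.append([cur])
        else:
            clusters[-1].append(cur)
    best = max(clusters, key=len)
    return best[0], best[-1] + slot_size


def outliers(sites: List[IndirectSite], iat_range: Tuple[int, int]) -> List[IndirectSite]:
    """Hits whose slot lies outside the estimated IAT: false positives from the byte
    sweep, or genuinely redirected imports; either way they need a manual look."""
    start, end = iat_range
    return [s for s in sites if not (start <= s.slot < end)]


# Constructed sample (not from the post): three real indirect sites plus a
# "push 0x123415FF" whose immediate contains the bytes FF 15, to provoke a false hit.
SAMPLE_CODE_VA = 0x01007000   # assumed load address of the blob
SAMPLE_CODE = bytes.fromhex(
    "ff1500100001"   # call dword ptr [01001000]
    "8bf0"           # mov esi,eax
    "ff1508100001"   # call dword ptr [01001008]
    "68ff153412"     # push 0x123415FF   (false FF 15 hit inside the immediate)
    "ff2540130001"   # jmp dword ptr [01001340]
    "c3"             # retn
)


def analyse(code: bytes = SAMPLE_CODE, code_va: int = SAMPLE_CODE_VA):
    sites = find_indirect_sites(code, code_va)
    rng = estimate_iat_range(sites)
    return sites, rng, outliers(sites, rng)


if __name__ == "__main__":
    sites, (start, end), bad = analyse()
    for s in sites:
        print(f"{s.va:08X}  {s.mnemonic:<4} [{s.slot:08X}]")
    print(f"estimated IAT: {start:08X} - {end:08X}")
    for s in bad:
        print(f"outlier at {s.va:08X} -> {s.slot:08X} (review manually)")
```

The clustering threshold of one page (0x1000) reflects that an IAT normally sits in one contiguous block of the data section; a sample whose slots scatter across several regions, or whose sites resolve to addresses in a foreign module, is the IAT-redirection case the post's repair loop is written for.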
There's no script; how about I send you a video instead?
A video would work too; mainly I want to learn how to unpack this ZP shell.

OP, where does that repair code come from? I'm a newbie; following your tutorial I've reached the OEP but just can't do the repair. Is it that not every ZP can use that code?
Great, great, great; important things get said three times.

OP, could you post a tutorial for unpacking this shell with a script? I can't follow the manual unpacking.

There's no script; how about I send you a video instead?

I'd like a video too.

Bypassing ZP is easy; manual unpacking, though, makes my head spin right now.
Expert. Bump.

OP is awesome. As a ZP newbie I only know how to run scripts, and in most cases they can't handle it. Respect to the master.

The video tutorial has been uploaded: http://www.52pojie.cn/thread-424874-1-1.html

OP, aren't you going to give a link to the software? It would make learning easier. Please add one.