本帖最后由 Liquor 于 2013-8-20 16:07 编辑
【文章标题】: Unpack ZProtect
【文章作者】: Crack_Qs[FF0000 TeAm]
【作者邮箱】: qs#ff0000.cc(#换@)
【加壳方式】: ZProtect 1.4.9.0 Preview 2
【操作平台】: Win xp Sp3
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
——————————————————————————–
【详细过程】
最近身体不好,很少上,今天基友找我问下ZProtect的脱壳,我抽时间写了下。
只是简单记录,大牛飞过。
————————————————————-
ZProtect如何到达oep我就不想写了,esp即可。
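; Code at the original entry point (OEP) of the packed sample, read from the debugger.
; Lines 00457D63-00457D76 push -1 and two module addresses, then link a new record
; at fs:[0]; this looks like a compiler-generated SEH frame setup (confirm against the build).
00457D60 55 push ebp ; oep
00457D61 8BEC mov ebp,esp
00457D63 6A FF push -0x1
00457D65 68 F8C95400 push m3g0718.0054C9F8
00457D6A 68 F4A54500 push m3g0718.0045A5F4
00457D6F 64:A1 00000000 mov eax,dword ptr fs:[0] ; eax = previous record at fs:[0]
00457D75 50 push eax
00457D76 64:8925 0000000>mov dword ptr fs:[0],esp ; fs:[0] now points at the record just built on the stack
00457D7D 83EC 58 sub esp,0x58
00457D80 53 push ebx
00457D81 56 push esi
00457D82 57 push edi
00457D83 8965 E8 mov dword ptr ss:[ebp-0x18],esp
00457D86 FF15 78A14700 call dword ptr ds:[0x47A178] ; m3g0718.0059DE94 - the import slot points back into the module itself, i.e. it is redirected; the repaired table on this page lists this slot as kernel32.GetVersion
00457D8C 33D2 xor edx,edx
00457D8E 8AD4 mov dl,ah ; edx = bits 8..15 of the call's return value
00457D90 8915 1CF65800 mov dword ptr ds:[0x58F61C],edx
00457D96 8BC8 mov ecx,eax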
ZProtect已经被很多前人剖析过了,多不胜数,我也就不献丑了。
我们接下来用ImportREC来获取指针,453个,全部无效。
记录IAT起始和IAT的结束
起始:0047A000
结束:0047A740
接下来要寻找Patch VA和Zero VA
; Tail of the OEP listing again; the indirect call through import slot 0x47A178 is the one traced next.
00457D82 57 push edi
00457D83 8965 E8 mov dword ptr ss:[ebp-0x18],esp
00457D86 FF15 78A14700 call dword ptr ds:[0x47A178] ; first CALL; press Enter in the debugger to follow its target
00457D8C 33D2 xor edx,edx
00457D8E 8AD4 mov dl,ah
来到下面这段代码
; Target of the redirected import slot: a 5-byte push of a constant followed by a 5-byte jmp.
0059DE94 68 78C4A967 push 0x67A9C478
0059DE99 ^ E9 2AF9FFFF jmp m3g0718.0059D7C8 ; keep following (Enter)
; NOTE(review): the two lines below are probably a mis-aligned decode rather than real
; instructions. The bytes 68 A9 C4 A9 67 E9 1E F9 starting at 0059DEA0 have the same
; push/jmp shape, and that jmp would also resolve to 0059D7C8 - confirm in the debugger.
0059DE9E 8A4C68 A9 mov cl,byte ptr ds:[eax+ebp*2-0x57]
0059DEA2 C4A9 67E91EF9 les ebp,fword ptr ds:[ecx+0xF91EE967]
继续
; Common landing point of the push/jmp stub: a single jmp to 00CF283C, an address the
; debugger shows without the m3g0718 module prefix (presumably memory set up by the protector).
0059D7C8 – E9 6F507500 jmp 00CF283C ; a jump of this kind is the last hop; follow it (Enter)
; NOTE(review): the bytes after the jmp are likely data decoded as instructions.
0059D7CD 0000 add byte ptr ds:[eax],al
0059D7CF 0024A1 add byte ptr ds:[ecx],ah
0059D7D2 07 pop es
来到了Patch VA
; Thunk reached from the redirected import: saves registers, calls 00CF2122, restores, returns.
00CF283C 60 pushad ; saves the eight general registers (0x20 bytes)
00CF283D FF7424 20 push dword ptr ss:[esp+0x20] ; re-push the dword that was on top of the stack before pushad, i.e. the constant pushed by the stub
00CF2841 E8 DCF8FFFF call 00CF2122 ; follow this call (Enter) to find the "Zero VA" address
00CF2846 61 popad
00CF2847 C3 retn ; this retn is the "Patch VA"; write down its address
; NOTE(review): presumably the callee rewrites the saved stack slot so that retn lands on the
; resolved API; that part is not shown on this page.
00CF2848 E9 6DE90200 jmp 00D211BA
00CF284D CC int3
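; Start of the routine called from 00CF2841. The visible part is a timing check: when more
; than 0x1388 (5000) ticks have passed since the stored tick value, it resumes a thread and
; then compares the dword at 0xCF6C9C with 3. The listing is cut off after 00CF215D.
00CF2122 A1 4466CF00 mov eax,dword ptr ds:[0xCF6644] ; landing point after following the call
00CF2127 8078 34 00 cmp byte ptr ds:[eax+0x34],0x0 ; flag byte at offset 0x34 of the structure pointed to by [0xCF6644]
00CF212B 74 57 je X00CF2184 ; flag clear: skip the timing check
00CF212D FF15 E810CE00 call dword ptr ds:[0xCE10E8] ; kernel32.GetTickCount
00CF2133 8BC8 mov ecx,eax
00CF2135 2B0D 1065CF00 sub ecx,dword ptr ds:[0xCF6510] ; ecx = ticks elapsed since the value stored at 0xCF6510
00CF213B 81F9 88130000 cmp ecx,0x1388 ; 0x1388 = 5000 (milliseconds, as returned by GetTickCount)
00CF2141 76 41 jbe X00CF2184 ; not more than 5000 ms elapsed: skip
00CF2143 FF35 1465CF00 push dword ptr ds:[0xCF6514] ; argument for ResumeThread, presumably a thread handle
00CF2149 A3 1065CF00 mov dword ptr ds:[0xCF6510],eax ; remember the current tick count
00CF214E FF15 5810CE00 call dword ptr ds:[0xCE1058] ; kernel32.ResumeThread
00CF2154 833D 9C6CCF00 0>cmp dword ptr ds:[0xCF6C9C],0x3 ; 0xCF6C9C is the "Zero VA"
00CF215B 7C 08 jl X00CF2165 ; signed compare: value below 3 skips the code that follows
00CF215D 6A 00 push 0x0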
Ps:ResumeThread函数下面,附近唯一一处 cmp dword ptr ds:[xxxxxx],0x3,记录[xxxxxx]的值,此为Zero VA.
接下来找段空代码写入以下代码。
BE ?? ?? ?? ?? BF ?? ?? ?? ?? B9 ?? ?? ?? ?? 83 C1 05 83 C7 04 8B 06 89 31 8A 10 80 FA 68 74 02
EB 0A 8A 50 05 80 FA E9 75 F6 FF D0 83 C6 04 C6 05 ?? ?? ?? ?? 00 3B F7 74 0B 8B 06 85 C0 75 D5
83 C6 04 EB D0 33 C0
经过修改后用于此程序代码为:
BE 00 A0 47 00 BF 40 A7 47 00 B9 47 28 CF 00 83 C1 05 83 C7 04 8B 06 89 31 8A 10 80 FA 68 74 02
EB 0A 8A 50 05 80 FA E9 75 F6 FF D0 83 C6 04 C6 05 9C 6C CF 00 00 3B F7 74 0B 8B 06 85 C0 75 D5
83 C6 04 EB D0 33 C0
//此下为代码注释
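; Annotated copy of the article's loop over the import address table (IAT).
; Register roles as the code uses them:
;   esi = address of the IAT slot being processed     edi = loop end (one slot past the last entry)
;   eax = value read from the slot                    ecx = fixed address that receives esi each pass
;   dl  = scratch byte used for the two opcode checks
; NOTE(review): the code at Patch VA that consumes the value written through ecx is not shown
; on this page, so how the resolved address gets back into the slot cannot be confirmed from here.
; NOTE(review): after the zero-entry skip at 00FA0040 the loop re-enters at 00FA0015 without
; re-testing for zero or for the end address; two consecutive zero slots would make
; 00FA0019 read from address 0.
00FA0000 BE 00A04700 mov esi,0x47A000 ; IAT start goes here
00FA0005 BF 40A74700 mov edi,0x47A740 ; IAT end goes here (address of the last slot)
00FA000A B9 4728CF00 mov ecx,0xCF2847 ; Patch VA goes here
00FA000F 83C1 05 add ecx,0x5 ; ecx = Patch VA + 5
00FA0012 83C7 04 add edi,0x4 ; edi = end + 4, so the last slot is still processed
00FA0015 8B06 mov eax,dword ptr ds:[esi] ; eax = value currently stored in the slot
00FA0017 8931 mov dword ptr ds:[ecx],esi ; store the slot's address at Patch VA + 5
00FA0019 8A10 mov dl,byte ptr ds:[eax] ; first byte at the address the slot points to
00FA001B 80FA 68 cmp dl,0x68 ; 0x68 = opcode of push imm32
00FA001E 74 02 je X00FA0022
00FA0020 EB 0A jmp X00FA002C ; not the push/jmp stub shape: leave this slot alone
00FA0022 8A50 05 mov dl,byte ptr ds:[eax+0x5] ; byte right after the 5-byte push
00FA0025 80FA E9 cmp dl,0xE9 ; 0xE9 = opcode of jmp rel32
00FA0028 ^ 75 F6 jnz X00FA0020
00FA002A FFD0 call eax ; slot points at a push/jmp stub: execute it
00FA002C 83C6 04 add esi,0x4 ; advance to the next slot
00FA002F C605 9C6CCF00 0>mov byte ptr ds:[0xCF6C9C],0x0 ; Zero VA goes here; clears the low byte of the dword that 00CF2154 compares with 3
00FA0036 3BF7 cmp esi,edi
00FA0038 74 0B je X00FA0045 ; reached the end of the table
00FA003A 8B06 mov eax,dword ptr ds:[esi]
00FA003C 85C0 test eax,eax
00FA003E ^ 75 D5 jnz X00FA0015 ; non-zero slot: process it
00FA0040 83C6 04 add esi,0x4 ; zero slot (the table uses them between DLL groups): skip it
00FA0043 ^ EB D0 jmp X00FA0015
00FA0045 33C0 xor eax,eax ; loop exit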
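; The same IAT loop as assembled at 00FA0000 for this sample (IAT 0x47A000-0x47A740,
; Patch VA 0xCF2847, Zero VA 0xCF6C9C), shown with the debugger steps used to run it.
00FA0000 BE 00A04700 mov esi,0x47A000 ; set the new EIP (origin) here
00FA0005 BF 40A74700 mov edi,0x47A740
00FA000A B9 4728CF00 mov ecx,0xCF2847
00FA000F 83C1 05 add ecx,0x5
00FA0012 83C7 04 add edi,0x4
00FA0015 8B06 mov eax,dword ptr ds:[esi] ; loop head: read the current slot
00FA0017 8931 mov dword ptr ds:[ecx],esi
00FA0019 8A10 mov dl,byte ptr ds:[eax]
00FA001B 80FA 68 cmp dl,0x68 ; push imm32 opcode?
00FA001E 74 02 je X00FA0022
00FA0020 EB 0A jmp X00FA002C
00FA0022 8A50 05 mov dl,byte ptr ds:[eax+0x5]
00FA0025 80FA E9 cmp dl,0xE9 ; jmp rel32 opcode?
00FA0028 ^ 75 F6 jnz X00FA0020
00FA002A FFD0 call eax
00FA002C 83C6 04 add esi,0x4 ; next slot
00FA002F C605 9C6CCF00 0>mov byte ptr ds:[0xCF6C9C],0x0
00FA0036 3BF7 cmp esi,edi
00FA0038 74 0B je X00FA0045
00FA003A 8B06 mov eax,dword ptr ds:[esi]
00FA003C 85C0 test eax,eax
00FA003E ^ 75 D5 jnz X00FA0015
00FA0040 83C6 04 add esi,0x4 ; skip a zero slot
00FA0043 ^ EB D0 jmp X00FA0015
00FA0045 33C0 xor eax,eax ; set a breakpoint here (F2), then run (F9)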
再次打开ImportREC,IAT指针全部有效。
0047A000 77DA7842 advapi32.RegOpenKeyExA
0047A004 77DAEAD7 advapi32.RegSetValueExA
0047A008 77DCBB5D advapi32.RegQueryValueA
0047A00C 77DAE9E4 advapi32.RegCreateKeyExA
0047A010 77DA6C17 advapi32.RegCloseKey
0047A014 00000000
0047A018 5D1765CF comctl32.InitCommonControls
0047A01C 5D1803D8 comctl32.ImageList_Destroy
0047A020 00000000
0047A024 77F06F5A gdi32.Escape
0047A028 77EFD3FA gdi32.ExtTextOutA
0047A02C 77EFBA4F gdi32.TextOutA
0047A030 77EF821B gdi32.RectVisible
0047A034 77F26807 gdi32.PtVisible
0047A038 77EF7CF1 gdi32.GetViewportExtEx
0047A03C 77EF7874 gdi32.ExtSelectClipRgn
0047A040 77EF869B gdi32.PatBlt
0047A044 77EFE01B gdi32.FillRgn
0047A048 77EF7786 gdi32.CreateRectRgn
0047A04C 77EF95E7 gdi32.CombineRgn
0047A050 77EF61A5 gdi32.CreateSolidBrush
0047A054 77EF61C1 gdi32.GetStockObject
0047A058 77EFECCE gdi32.CreateFontIndirectA
0047A05C 77F0DC61 gdi32.EndPage
0047A060 77F0DEF1 gdi32.EndDoc
0047A064 77EF6E5F gdi32.DeleteDC
0047A068 77F25E79 gdi32.StartDocA
0047A06C 77F0F49E gdi32.StartPage
0047A070 77EF6F79 gdi32.BitBlt
0047A074 77EF5FE0 gdi32.CreateCompatibleDC
0047A078 77EFE9BE gdi32.Rectangle
0047A07C 77EFD4C7 gdi32.LPtoDP
0047A080 77EFE611 gdi32.DPtoLP
0047A084 77EF833D gdi32.GetCurrentObject
0047A088 77F1C632 gdi32.RoundRect
0047A08C 77EFEF1C gdi32.GetTextExtentPoint32A
0047A090 77EF5A71 gdi32.GetDeviceCaps
0047A094 77EFD997 gdi32.LineTo
0047A098 77EFA21A gdi32.MoveToEx
0047A09C 77EF90EC gdi32.ExcludeClipRect
0047A0A0 77EF6AA1 gdi32.GetClipBox
0047A0A4 77EFDF45 gdi32.GetTextMetricsA
0047A0A8 77EF8EEC gdi32.GetMapMode
0047A0AC 77EFA155 gdi32.CreatePen
0047A0B0 77EF8D25 gdi32.GetObjectA
0047A0B4 77EF5B70 gdi32.SelectObject
0047A0B8 77EF61EF gdi32.CreateBitmap
0047A0BC 77EFB7D2 gdi32.CreateDCA
0047A0C0 77EF700A gdi32.CreateCompatibleBitmap
0047A0C4 77F03672 gdi32.GetPolyFillMode
0047A0C8 77F23BAE gdi32.GetStretchBltMode
0047A0CC 77EFEC02 gdi32.GetROP2
0047A0D0 77EF8F5B gdi32.GetBkColor
0047A0D4 77F03605 gdi32.GetBkMode
0047A0D8 77EF8FAF gdi32.GetTextColor
0047A0DC 77EFBFF5 gdi32.CreateRoundRectRgn
0047A0E0 77F24A0A gdi32.CreateEllipticRgn
0047A0E4 77F26228 gdi32.PathToRegion
0047A0E8 77F0D530 gdi32.EndPath
0047A0EC 77F0D4B0 gdi32.BeginPath
0047A0F0 77EFDA1E gdi32.GetWindowOrgEx
0047A0F4 77EF7C01 gdi32.GetViewportOrgEx
0047A0F8 77EF7C79 gdi32.GetWindowExtEx
0047A0FC 77EF9FA5 gdi32.GetDIBits
0047A100 77EFEA5B gdi32.RealizePalette
0047A104 77F1D6AE gdi32.ScaleWindowExtEx
0047A108 77F072D4 gdi32.SetWindowExtEx
0047A10C 77EF8E14 gdi32.SetWindowOrgEx
0047A110 77F1D5CD gdi32.ScaleViewportExtEx
0047A114 77F0737D gdi32.SetViewportExtEx
0047A118 77EFC016 gdi32.OffsetViewportOrgEx
0047A11C 77EF7B4C gdi32.SetViewportOrgEx
0047A120 77EF8632 gdi32.SelectPalette
0047A124 77EFB6D0 gdi32.StretchBlt
0047A128 77EFB5EA gdi32.CreatePalette
0047A12C 77EFBA9E gdi32.GetSystemPaletteEntries
0047A130 77EFAD23 gdi32.CreateDIBitmap
0047A134 77EF6BFA gdi32.DeleteObject
0047A138 77EF7AA0 gdi32.SelectClipRgn
0047A13C 77EFA8BA gdi32.CreatePolygonRgn
0047A140 77EF6AD6 gdi32.GetClipRgn
0047A144 77EF8597 gdi32.SetStretchBltMode
0047A148 77EF827C gdi32.CreateRectRgnIndirect
0047A14C 77EF5E29 gdi32.SetBkColor
0047A150 77F0C567 gdi32.Ellipse
0047A154 77EF941F gdi32.SetMapMode
0047A158 77EF5D77 gdi32.SetTextColor
0047A15C 77EFD8D0 gdi32.SetROP2
0047A160 77F00817 gdi32.SetPolyFillMode
0047A164 77EF5EDB gdi32.SetBkMode
0047A168 77EF8B28 gdi32.RestoreDC
0047A16C 77EF8BEE gdi32.SaveDC
0047A170 00000000
0047A174 7C81419F kernel32.GetTimeZoneInformation
0047A178 7C811752 kernel32.GetVersion
0047A17C 7C812F81 kernel32.RaiseException
0047A180 7C80A874 kernel32.GetLocalTime
0047A184 7C80176F kernel32.GetSystemTime
0047A188 7C94AA79 ntdll.RtlUnwind
0047A18C 7C801EF2 kernel32.GetStartupInfoA
0047A190 7C812D1F kernel32.GetOEMCP
0047A194 7C810BC6 kernel32.GetCPInfo
0047A198 7C80ACAF kernel32.SetErrorMode
0047A19C 7C83677A kernel32.GlobalFlags
0047A1A0 7C80998B kernel32.GetCurrentThread
0047A1A4 7C83261D kernel32.GetFileTime
0047A1A8 7C8097E0 kernel32.TlsGetValue
0047A1AC 7C8133E0 kernel32.LocalReAlloc
0047A1B0 7C809C65 kernel32.TlsSetValue
0047A1B4 7C81F62B kernel32.TlsFree
0047A1B8 7C813D9D kernel32.GlobalHandle
0047A1BC 7C810AEF kernel32.TlsAlloc
0047A1C0 7C809A2D kernel32.LocalAlloc
0047A1C4 7C81382C kernel32.lstrcmpA
0047A1C8 7C85C2DB kernel32.GlobalGetAtomNameA
0047A1CC 7C8360B1 kernel32.GlobalAddAtomA
0047A1D0 7C8360CB kernel32.GlobalFindAtomA
0047A1D4 7C813673 kernel32.GlobalDeleteAtom
0047A1D8 7C80BB41 kernel32.lstrcmpiA
0047A1DC 7C80A4B5 kernel32.GetThreadLocale
0047A1E0 7C832A46 kernel32.SetEndOfFile
0047A1E4 7C832CBC kernel32.UnlockFile
0047A1E8 7C832D61 kernel32.LockFile
0047A1EC 7C812BB9 kernel32.FlushFileBuffers
0047A1F0 7C80DE9E kernel32.DuplicateHandle
0047A1F4 7C8101E1 kernel32.lstrcpynA
0047A1F8 7C80E906 kernel32.FileTimeToLocalFileTime
0047A1FC 7C80E88C kernel32.FileTimeToSystemTime
0047A200 7C830EC4 kernel32.FormatMessageA
0047A204 7C8099CF kernel32.LocalFree
0047A208 7C80A174 kernel32.WideCharToMultiByte
0047A20C 7C80981A kernel32.InterlockedDecrement
0047A210 7C809806 kernel32.InterlockedIncrement
0047A214 7C92FE30 ntdll.RtlSetLastWin32Error
0047A218 7C809C98 kernel32.MultiByteToWideChar
0047A21C 7C801E1A kernel32.TerminateProcess
0047A220 7C80DE95 kernel32.GetCurrentProcess
0047A224 7C810FEF kernel32.GetFileSize
0047A228 7C811106 kernel32.SetFilePointer
0047A22C 7C810B6D kernel32.CreateSemaphoreA
0047A230 7C8332F7 kernel32.ResumeThread
0047A234 7C80C04D kernel32.ReleaseSemaphore
0047A238 7C921000 ntdll.RtlEnterCriticalSection
0047A23C 7C9210E0 ntdll.RtlLeaveCriticalSection
0047A240 7C822BBD kernel32.GetProfileStringA
0047A244 7C8112FF kernel32.WriteFile
0047A248 7C801812 kernel32.ReadFile
0047A24C 7C92FE21 ntdll.RtlGetLastWin32Error
0047A250 7C80A0FD kernel32.WaitForMultipleObjects
0047A254 7C801A28 kernel32.CreateFileA
0047A258 7C80A0B7 kernel32.SetEvent
0047A25C 7C80BF29 kernel32.FindResourceA
0047A260 7C80A055 kernel32.LoadResource
0047A264 7C80CD37 kernel32.SetHandleCount
0047A268 7C80B56F kernel32.GetModuleFileNameA
0047A26C 7C8097D0 kernel32.GetCurrentThreadId
0047A270 7C81D20A kernel32.ExitProcess
0047A274 7C813E81 kernel32.GlobalSize
0047A278 7C80FCFF kernel32.GlobalFree
0047A27C 7C93137A ntdll.RtlDeleteCriticalSection
0047A280 7C809F91 kernel32.InitializeCriticalSection
0047A284 7C813E21 kernel32.lstrcatA
0047A288 7C862585 kernel32.WinExec
0047A28C 7C80BEA1 kernel32.lstrcpyA
0047A290 7C813F91 kernel32.FindNextFileA
0047A294 7C80982E kernel32.InterlockedExchange
0047A298 7C812931 kernel32.GlobalReAlloc
0047A29C 7C92FF2D ntdll.RtlFreeHeap
0047A2A0 7C938477 ntdll.RtlReAllocateHeap
0047A2A4 7C80AC61 kernel32.GetProcessHeap
0047A2A8 7C9300C4 ntdll.RtlAllocateHeap
0047A2AC 7C81F854 kernel32.GetFullPathNameA
0047A2B0 7C80AC7E kernel32.FreeLibrary
0047A2B4 7C801D7B kernel32.LoadLibraryA
0047A2B8 7C80BE56 kernel32.lstrlenA
0047A2BC 7C810830 kernel32.GetVersionExA
0047A2C0 7C835D5C kernel32.WritePrivateProfileStringA
0047A2C4 7C810707 kernel32.CreateThread
0047A2C8 7C813366 kernel32.CreateEventA
0047A2CC 7C802446 kernel32.Sleep
0047A2D0 7C80FDFD kernel32.GlobalAlloc
0047A2D4 7C80FFE9 kernel32.GlobalLock
0047A2D8 7C80FF52 kernel32.GlobalUnlock
0047A2DC 7C81F731 kernel32.FindFirstFileA
0047A2E0 7C80EE9C kernel32.FindClose
0047A2E4 7C812CFA kernel32.SetFileAttributesA
0047A2E8 7C811AB4 kernel32.GetFileAttributesA
0047A2EC 7C8360E5 kernel32.SetCurrentDirectoryA
0047A2F0 7C8232CD kernel32.GetVolumeInformationA
0047A2F4 7C80B741 kernel32.GetModuleHandleA
0047A2F8 7C80AE40 kernel32.GetProcAddress
0047A2FC 7C809866 kernel32.MulDiv
0047A300 7C810C6D kernel32.GetCommandLineA
0047A304 7C80934A kernel32.GetTickCount
0047A308 7C802530 kernel32.WaitForSingleObject
0047A30C 7C809BE7 kernel32.CloseHandle
0047A310 7C9304DD ntdll.RtlSizeHeap
0047A314 7C8099B5 kernel32.GetACP
0047A318 7C864042 kernel32.UnhandledExceptionFilter
0047A31C 7C81DDE7 kernel32.FreeEnvironmentStringsA
0047A320 7C81583F kernel32.FreeEnvironmentStringsW
0047A324 7C81D38B kernel32.GetEnvironmentStringsA
0047A328 7C810C58 kernel32.GetEnvironmentStringsW
0047A32C 7C80CD37 kernel32.SetHandleCount
0047A330 7C810C89 kernel32.GetStdHandle
0047A334 7C8113C9 kernel32.GetFileType
0047A338 7C81584A kernel32.GetEnvironmentVariableA
0047A33C 7C811470 kernel32.HeapDestroy
0047A340 7C810908 kernel32.HeapCreate
0047A344 7C809B84 kernel32.VirtualFree
0047A348 7C833E78 kernel32.SetEnvironmentVariableA
0047A34C 7C838DF0 kernel32.LCMapStringA
0047A350 7C80CD48 kernel32.LCMapStringW
0047A354 7C809AF1 kernel32.VirtualAlloc
0047A358 7C809F19 kernel32.IsBadWritePtr
0047A35C 7C8449CD kernel32.SetUnhandledExceptionFilter
0047A360 7C838A14 kernel32.GetStringTypeA
0047A364 7C80A530 kernel32.GetStringTypeW
0047A368 7C80D117 kernel32.CompareStringA
0047A36C 7C80A3FE kernel32.CompareStringW
0047A370 7C809EA1 kernel32.IsBadReadPtr
0047A374 7C80BD6F kernel32.IsBadCodePtr
0047A378 7C81DA73 kernel32.SetStdHandle
0047A37C 7C810975 kernel32.GetProcessVersion
0047A380 00000000
0047A384 770F6C03 oleaut32.VariantChangeType
0047A388 770F4D6F oleaut32.VariantCopy
0047A38C 770F4920 oleaut32.VariantClear
0047A390 770F51CC oleaut32.SafeArrayGetUBound
0047A394 77113395 oleaut32.VariantTimeToSystemTime
0047A398 770F4C7E oleaut32.SysStringLen
0047A39C 770F4BA7 oleaut32.SysAllocStringLen
0047A3A0 770F4C98 oleaut32.SysAllocStringByteLen
0047A3A4 770F4E76 oleaut32.SafeArrayGetElemsize
0047A3A8 770F4FFF oleaut32.SafeArrayGetDim
0047A3AC 770F51BC oleaut32.SafeArrayUnaccessData
0047A3B0 770F518D oleaut32.SafeArrayAccessData
0047A3B4 770F5218 oleaut32.SafeArrayGetLBound
0047A3B8 770F4880 oleaut32.SysFreeString
0047A3BC 77114B04 oleaut32.OleCreateFontIndirect
0047A3C0 770F7A30 oleaut32.LoadTypeLib
0047A3C4 770FCCFD oleaut32.RegisterTypeLib
0047A3C8 7715DB75 oleaut32.UnRegisterTypeLib
0047A3CC 770FAA79 oleaut32.SafeArrayCreate
0047A3D0 770F4C05 oleaut32.SysAllocString
0047A3D4 00000000
0047A3D8 7D5F8C76 shell32.Shell_NotifyIconA
0047A3DC 7D611200 shell32.ShellExecuteA
0047A3E0 00000000
0047A3E4 77D2A340 user32.PeekMessageA
0047A3E8 77D4F3F6 user32.SetMenu
0047A3EC 77D314BA user32.GetMenu
0047A3F0 77D2C17E user32.DefWindowProcA
0047A3F4 77D3EBFF user32.GetClassInfoA
0047A3F8 77D2CED3 user32.DeleteMenu
0047A3FC 77D2B222 user32.GetSystemMenu
0047A400 77D29C8A user32.IsZoomed
0047A404 77D2CA5A user32.PostQuitMessage
0047A408 77D56C91 user32.CopyAcceleratorTableA
0047A40C 77D29ED9 user32.GetKeyState
0047A410 77D2FAC4 user32.TranslateAcceleratorA
0047A414 77D2977A user32.IsWindowEnabled
0047A418 77D2AF56 user32.ShowWindow
0047A41C 77D27C08 user32.LoadImageA
0047A420 77D23A67 user32.EnumDisplaySettingsA
0047A424 77D29B60 user32.ClientToScreen
0047A428 77D2D2C4 user32.EnableMenuItem
0047A42C 77D2D896 user32.GetSubMenu
0047A430 77D2AF1B user32.GetDlgCtrlID
0047A434 77D53497 user32.CreateAcceleratorTableA
0047A438 77D297FF user32.IsIconic
0047A43C 77D2B112 user32.SetFocus
0047A440 77D2C2E8 user32.GetActiveWindow
0047A444 77D29655 user32.GetWindow
0047A448 77D3FE8D user32.DestroyAcceleratorTable
0047A44C 77D2E528 user32.SetWindowRgn
0047A450 77D2996C user32.GetMessagePos
0047A454 77D297A0 user32.ScreenToClient
0047A458 77D2200B user32.ChildWindowFromPointEx
0047A45C 77D2A042 user32.CopyRect
0047A460 77D2473C user32.LoadBitmapA
0047A464 77D2F306 user32.CreateMenu
0047A468 77D18C42 user32.KillTimer
0047A46C 77D18C2E user32.SetTimer
0047A470 77D2C37A user32.ReleaseCapture
0047A474 77D194DA user32.GetCapture
0047A478 77D2C35E user32.SetCapture
0047A47C 77D2F787 user32.GetScrollRange
0047A480 77D2F99B user32.SetScrollRange
0047A484 77D2F750 user32.SetScrollPos
0047A488 77D298D5 user32.InflateRect
0047A48C 77D28FA6 user32.SetRect
0047A490 77D28F1F user32.IntersectRect
0047A494 77D2D312 user32.DestroyIcon
0047A498 77D277C5 user32.PostThreadMessageA
0047A49C 77D5BF27 user32.GetNextDlgGroupItem
0047A4A0 77D18EAB user32.GetSysColorBrush
0047A4A4 77D29719 user32.PtInRect
0047A4A8 77D29011 user32.OffsetRect
0047A4AC 77D29E3D user32.IsWindowVisible
0047A4B0 77D29849 user32.EnableWindow
0047A4B4 77D29944 user32.RedrawWindow
0047A4B8 77D1945D user32.GetWindowLongA
0047A4BC 77D2C29D user32.SetWindowLongA
0047A4C0 77D18E78 user32.GetSysColor
0047A4C4 77D27822 user32.SetActiveWindow
0047A4C8 77D561B3 user32.SetCursorPos
0047A4CC 77D2D33E user32.LoadCursorA
0047A4D0 77D29930 user32.SetCursor
0047A4D4 77D186C7 user32.GetDC
0047A4D8 77D29C2F user32.FillRect
0047A4DC 77D298FE user32.IsRectEmpty
0047A4E0 77D1869D user32.ReleaseDC
0047A4E4 77D1970E user32.IsChild
0047A4E8 77D2D39D user32.DestroyMenu
0047A4EC 77D242ED user32.SetForegroundWindow
0047A4F0 77D290B4 user32.GetWindowRect
0047A4F4 77D29E81 user32.EqualRect
0047A4F8 77D2AEAB user32.UpdateWindow
0047A4FC 77D2FBBD user32.ValidateRect
0047A500 77D28FD5 user32.InvalidateRect
0047A504 77D2908E user32.GetClientRect
0047A508 77D298C8 user32.GetFocus
0047A50C 77D2910F user32.GetParent
0047A510 77D2F25B user32.GetTopWindow
0047A514 77D2AAFD user32.PostMessageA
0047A518 77D29313 user32.IsWindow
0047A51C 77D2C7F9 user32.SetParent
0047A520 77D2D312 user32.DestroyIcon
0047A524 77D2F3C2 user32.SendMessageA
0047A528 77D299F3 user32.SetWindowPos
0047A52C 77D31F7B user32.MessageBeep
0047A530 77D507EA user32.MessageBoxA
0047A534 77D2974E user32.GetCursorPos
0047A538 77D18F9C user32.GetSystemMetrics
0047A53C 77D30D96 user32.EmptyClipboard
0047A540 77D30F9E user32.SetClipboardData
0047A544 77D30277 user32.OpenClipboard
0047A548 77D30DBA user32.GetClipboardData
0047A54C 77D30265 user32.CloseClipboard
0047A550 77D1A8AD user32.wsprintfA
0047A554 77D4F20B user32.ModifyMenuA
0047A558 77D31B0E user32.AppendMenuA
0047A55C 77D1F601 user32.CreatePopupMenu
0047A560 77D2CB84 user32.DrawIconEx
0047A564 77D57134 user32.CreateIconFromResource
0047A568 77D1D354 user32.CreateIconFromResourceEx
0047A56C 77D18E28 user32.RegisterWindowMessageA
0047A570 77D29CBA user32.SetRectEmpty
0047A574 77D196B8 user32.DispatchMessageA
0047A578 77D2772B user32.GetMessageA
0047A57C 77D29766 user32.WindowFromPoint
0047A580 77D2F94F user32.DrawFocusRect
0047A584 77D3E940 user32.DrawFrameControl
0047A588 77D2E8F6 user32.LoadIconA
0047A58C 77D18BF6 user32.TranslateMessage
0047A590 77D2DEB2 user32.SystemParametersInfoA
0047A594 77D2D1D2 user32.GetDesktopWindow
0047A598 77D2F45F user32.GetClassNameA
0047A59C 77D2436E user32.GetDlgItem
0047A5A0 77D3214A user32.FindWindowExA
0047A5A4 77D289A3 user32.UnregisterClassA
0047A5A8 77D3216B user32.GetWindowTextA
0047A5AC 77D3EE5D user32.WinHelpA
0047A5B0 77D2FBF6 user32.DrawEdge
0047A5B4 77D4F18B user32.GetWindowTextLengthA
0047A5B8 77D18D2B user32.CharUpperA
0047A5BC 77D19021 user32.GetWindowDC
0047A5C0 77D28FE9 user32.BeginPaint
0047A5C4 77D28FFD user32.EndPaint
0047A5C8 77D5A5E5 user32.TabbedTextOutA
0047A5CC 77D3C702 user32.DrawTextA
0047A5D0 77D55B05 user32.GrayStringA
0047A5D4 77D2B19C user32.DestroyWindow
0047A5D8 77D39B28 user32.CreateDialogIndirectParamA
0047A5DC 77D24A4E user32.EndDialog
0047A5E0 77D237C3 user32.GetNextDlgTabItem
0047A5E4 77D303C7 user32.GetWindowPlacement
0047A5E8 77D18E28 user32.RegisterWindowMessageA
0047A5EC 77D29823 user32.GetForegroundWindow
0047A5F0 77D3157A user32.GetLastActivePopup
0047A5F4 77D29DE0 user32.GetMessageTime
0047A5F8 77D30094 user32.RemovePropA
0047A5FC 77D2A97D user32.CallWindowProcA
0047A600 77D30042 user32.GetPropA
0047A604 77D2D5F3 user32.UnhookWindowsHookEx
0047A608 77D30000 user32.SetPropA
0047A60C 77D2F4F1 user32.GetClassLongA
0047A610 77D2B3C6 user32.CallNextHookEx
0047A614 77D31211 user32.SetWindowsHookExA
0047A618 77D2E4A9 user32.CreateWindowExA
0047A61C 77D4F1C8 user32.GetMenuItemID
0047A620 77D2EF1C user32.GetMenuItemCount
0047A624 77D2EA5E user32.RegisterClassA
0047A628 77D2F704 user32.GetScrollPos
0047A62C 77D2E7EA user32.AdjustWindowRectEx
0047A630 77D29507 user32.MapWindowPoints
0047A634 77D3C2E7 user32.SendDlgItemMessageA
0047A638 77D30187 user32.ScrollWindowEx
0047A63C 77D3C689 user32.IsDialogMessageA
0047A640 77D2F56B user32.SetWindowTextA
0047A644 77D2B29E user32.MoveWindow
0047A648 77D31ABD user32.CheckMenuItem
0047A64C 77D4FAB2 user32.SetMenuItemBitmaps
0047A650 77D1F967 user32.GetMenuState
0047A654 77D502F9 user32.GetMenuCheckMarkDimensions
0047A658 77D2C8B0 user32.CharNextA
0047A65C 77D3FDD9 user32.SetWindowContextHelpId
0047A660 77D5BE4C user32.MapDialogRect
0047A664 77D2C908 user32.LoadStringA
0047A668 00000000
0047A66C 76B2A4EE winmm.midiStreamOut
0047A670 76B28DC5 winmm.midiOutPrepareHeader
0047A674 76B2A33D winmm.midiStreamProperty
0047A678 76B15FB6 winmm.waveOutGetNumDevs
0047A67C 76B15201 winmm.waveOutOpen
0047A680 76B28FBA winmm.midiOutUnprepareHeader
0047A684 76B2BBF3 winmm.waveOutReset
0047A688 76B2BB77 winmm.waveOutPause
0047A68C 76B15A4A winmm.waveOutWrite
0047A690 76B159D9 winmm.waveOutPrepareHeader
0047A694 76B157C8 winmm.waveOutUnprepareHeader
0047A698 76B15726 winmm.waveOutClose
0047A69C 76B2A3F9 winmm.midiStreamStop
0047A6A0 76B2925A winmm.midiOutReset
0047A6A4 76B2A2AB winmm.midiStreamClose
0047A6A8 76B2A457 winmm.midiStreamRestart
0047A6AC 76B29F78 winmm.midiStreamOpen
0047A6B0 00000000
0047A6B4 72F74D40 winspool.ClosePrinter
0047A6B8 72F83757 winspool.OpenPrinterA
0047A6BC 72F8665F winspool.DocumentPropertiesA
0047A6C0 00000000
0047A6C4 71A30991 ws2_32.WSAAsyncSelect
0047A6C8 71A23E2B ws2_32.closesocket
0047A6CC 71A23FED ws2_32.WSACleanup
0047A6D0 71A22FF7 ws2_32.recvfrom
0047A6D4 71A23F50 ws2_32.ioctlsocket
0047A6D8 71A2676F ws2_32.recv
0047A6DC 71A245C1 ws2_32.inet_ntoa
0047A6E0 71A30B68 ws2_32.getpeername
0047A6E4 71A31040 ws2_32.accept
0047A6E8 00000000
0047A6EC 7632EE36 comdlg32.ChooseColorA
0047A6F0 7632309F comdlg32.GetOpenFileNameA
0047A6F4 76337C10 comdlg32.GetSaveFileNameA
0047A6F8 76322563 comdlg32.GetFileTitleA
0047A6FC 00000000
0047A700 769F579C ole32.StgCreateDocfileOnILockBytes
0047A704 769F566C ole32.CreateILockBytesOnHGlobal
0047A708 769DFBB1 ole32.CoFreeUnusedLibraries
0047A70C 76A05F7F ole32.CoRegisterMessageFilter
0047A710 769D9E58 ole32.CoRevokeClassObject
0047A714 76A2ADC9 ole32.OleFlushClipboard
0047A718 76A2AC17 ole32.OleIsCurrentClipboard
0047A71C 76A8CA62 ole32.StgOpenStorageOnILockBytes
0047A720 769ACFFC ole32.CoTaskMemFree
0047A724 769AD018 ole32.CoTaskMemAlloc
0047A728 769C8332 ole32.CLSIDFromProgID
0047A72C 769E0925 ole32.CLSIDFromString
0047A730 769E322F ole32.OleUninitialize
0047A734 769B1BF2 ole32.OleInitialize
0047A738 769C5205 ole32.CoGetClassObject
0047A73C 00000000
0047A740 74CA096A oledlg.OleUIBusyA
至此脱壳完毕。
样本文件:样本
——————————————————————————–
【版权声明】: 本文原创于Crack_Qs, 转载请注明作者并保持文章的完整, 谢谢!
2013年07月26日 17:31:43