ZProtect IAT Repair Analysis
Title: [Original] ZProtect IAT Repair Analysis ~ Author: hyperchem
Time: 2009-02-23, 21:43
Link: http://bbs.pediy.com/showthread.php?t=82665
Now that I have a legitimate copy of ZProtect too, I packed a few samples to play with and worked out some small tricks, which I'm sharing here.
The purpose of this post is to discuss how to remove ZP protection from a program (without the SDK), and mainly how to repair the IAT.
The first sample is a VB program with the import table protected under the default settings.
ZP protects the import table in three ways:
1. Encryption level 1
2. Encryption level 2
3. Emulation
There is one more import protection, Anti-Hook; repairing that one is not discussed here.
Under the default settings, part of the IAT functions use level 1 and the rest use level 2. Emulation seems to be chosen passively in ZP 1.44 and is only used for the single function GetModuleHandleA; once you know that, repairing that function is no trouble.
Enough chatter. Load the target in OD and set up StrongOD so the program can run inside OD; that saves us a lot of trouble.
Single-step a few instructions with F7 to explore the packer's code.
After walking for a while, the nature of ZP's code mutation engine becomes clear:
ZP splits the program's code up instruction by instruction and links the pieces with jmp.
Of course, if that were all it would not be nearly hard enough to trace, so the jmp itself is mutated too.
Here is an example:
006E1ACF E8 02000000    call Farsight.006E1AD6
006E1AD4 6C             ins byte ptr es:[edi],dx   ; --- these two bytes are junk
006E1AD5 19                                        ; ---
006E1AD6 872C24         xchg dword ptr ss:[esp],ebp
006E1AD9 8DAD B0F9FFFF  lea ebp,dword ptr ss:[ebp-650]
006E1ADF 872C24         xchg dword ptr ss:[esp],ebp
006E1AE2 C3             retn
The code above is equivalent to jmp 006E1A6F.
It works like this:
After call Farsight.006E1AD6 executes, the address of the instruction following it is pushed on the stack, so [esp] is now 006E1AD4.
Then xchg dword ptr ss:[esp],ebp moves 006E1AD4 into ebp.
Next, lea ebp,dword ptr ss:[ebp-650] computes ebp-650=006E1A6F,
the second xchg puts that value back at [esp], and finally retn returns to 006E1A6F.
The binary of this code is E8 02 00 00 00 27 EB 87 0C 24 8D 89 63 01 00 00 87 0C 24 C3:
E8 02 00 00 00 is the call; 87 0C 24 8D 89 63 01 00 00 87 0C 24 C3 is the rest of the stub.
27 EB are junk bytes; how many there are varies, usually 0-2.
In 87 0C 24, the 0C selects which register is used.
In 8D 89 63 01 00 00, the 89 encodes the register and the four bytes after it are the corresponding displacement.
Anyone with some programming ability should be able to write a tool that strips this code mutation.
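The stub format just described can be decoded mechanically. The Python below is an added illustration for this post (not ZProtect's code and not a tool from the post): it parses one stub from its bytes, computes the effective jmp target the way the retn would, and rewrites each stub found in a blob as a plain jmp rel32 with NOP padding so nothing after it moves. The test vectors are the stub at 01526466 from the trace further down and the byte string quoted above; the address 00401000 assumed for the latter is made up, since the post gives none.

```python
# Decoder for ZProtect's mutated jmp stub:
#   call +N ; junk ; xchg [esp],reg ; lea reg,[reg+disp32] ; xchg [esp],reg ; retn
# Added illustration for this post; not ZProtect's code and not a tool from the post.
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


class NotAStub(ValueError):
    """The bytes at the given offset do not form a ZP jmp stub."""


def decode_zp_stub(code, base, off=0):
    """Decode one stub at code[off:], whose virtual address is base+off.

    Returns (target, reg_name, stub_len).  target is where the final retn
    goes: the return address pushed by the call plus the lea displacement.
    """
    def need(cond, what):
        if not cond:
            raise NotAStub(what)

    need(off + 5 <= len(code) and code[off] == 0xE8, "no E8 call")
    rel = struct.unpack_from("<i", code, off + 1)[0]
    ret_addr = base + off + 5            # value the call pushes on the stack
    p = off + 5 + rel                    # where the call lands; the junk bytes are skipped
    need(0 <= rel <= 8 and p + 13 <= len(code), "unexpected call distance")

    # xchg dword ptr [esp],reg -> 87 /r with modrm mod=00 rm=100 (SIB) and SIB=24
    need(code[p] == 0x87 and (code[p + 1] & 0xC7) == 0x04 and code[p + 2] == 0x24,
         "first xchg missing")
    modrm = code[p + 1]
    reg = (modrm >> 3) & 7               # e.g. 0C -> ecx, 14 -> edx, 2C -> ebp
    need(reg != 4, "esp is never the scratch register")
    p += 3

    # lea reg,[reg+disp32] -> 8D, modrm mod=10 reg=reg rm=reg, then disp32
    need(code[p] == 0x8D and code[p + 1] == (0x80 | reg << 3 | reg), "lea missing")
    disp = struct.unpack_from("<i", code, p + 2)[0]
    p += 6

    # the second xchg restores reg and leaves the new address at [esp]
    need(code[p] == 0x87 and code[p + 1] == modrm and code[p + 2] == 0x24,
         "second xchg missing")
    p += 3
    need(code[p] == 0xC3, "retn missing")
    p += 1
    return (ret_addr + disp) & 0xFFFFFFFF, REGS[reg], p - off


def flatten_all(code, base):
    """Scan a code blob, rewrite every stub as the plain `jmp rel32` it stands
    for (NOP-padded so nothing after it moves) and return (new_blob, found)
    with found = [(stub_address, target)].  The byte-by-byte scan could in
    principle match data that happens to look like a stub, so inspect found."""
    out = bytearray(code)
    found = []
    off = 0
    while off < len(out):
        try:
            target, _, n = decode_zp_stub(out, base, off)
        except NotAStub:
            off += 1
            continue
        rel = (target - (base + off + 5)) & 0xFFFFFFFF
        out[off:off + n] = b"\xE9" + struct.pack("<I", rel) + b"\x90" * (n - 5)
        found.append((base + off, target))
        off += n
    return bytes(out), found


# Test vectors.  The first is the stub at 01526466 in the trace (bytes read off
# the listing); the second is the byte string quoted in the post, placed at the
# assumed address 00401000 because the post gives no address for it.
STUB_01526466 = bytes.fromhex("E801000000" "97" "871424" "8D923AD3FFFF" "871424" "C3")
STUB_FROM_POST = bytes.fromhex("E802000000" "27EB" "870C24" "8D8963010000" "870C24" "C3")

if __name__ == "__main__":
    for blob, addr in ((STUB_01526466, 0x01526466), (STUB_FROM_POST, 0x00401000)):
        target, reg, n = decode_zp_stub(blob, addr)
        print(f"{addr:08X}: {n}-byte stub via {reg} == jmp {target:08X}")
    flat, found = flatten_all(b"\x55\x8B\xEC" + STUB_01526466 + b"\xC3", 0x01526463)
    print(found, flat.hex())
```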
Once you understand how the mutation works, there is no point wandering around in the code any longer; it is really painful. Here is a general way to reach the OEP:
Reload the program, step with F7 until you see the pushad instruction, step past it, apply the ESP trick, run, and once it breaks a few more steps bring you to the OEP!
This method works for programs protected by 1.3x-1.4x; I have not verified other versions... Judging by this, technically ZP still only counts as a compression packer...
OK, we are at the OEP; now let's repair the IAT.
00412940- E9 DBB73300 jmp manager.0074E120
00412945 90 nop
00412946- E9 11BB3300 jmp manager.0074E45C
0041294B 90 nop
0041294C- E9 FFBD3300 jmp manager.0074E750
00412951 90 nop
00412952- E9 65B83300 jmp manager.0074E1BC
00412957 90 nop
00412958- E9 7FB93300 jmp manager.0074E2DC
0041295D 90 nop
0041295E- E9 D9B63300 jmp manager.0074E03C
00412963 90 nop
00412964- E9 27B73300 jmp manager.0074E090
00412F0A- E9 F5B83300 jmp manager.0074E804
00412F0F 90 nop
00412F10 68 7C5B4100 push manager.00415B7C ; <--- OEP
00412F15 E8 F0FFFFFF call manager.00412F0A ; in a VB program this call should be jmp.&msvbvm60.ThunRTMain
So this IAT call, 00412F0A- E9 F5B83300 jmp manager.0074E804, should be jumping to ThunRTMain.
Let's trace into it carefully; below is the code with the jmps and the mutation removed:
0074E804 68 14E693AD push AD93E614 ; <--- note this value: it is the first instruction executed after the IAT call's jmp
01504660 68 F9E1932D push 2D93E1F9
01526465 9C pushfd
01526466 E8 01000000 call 0152646C
0152646B 97 xchg eax,edi
0152646C 871424 xchg dword ptr ss:[esp],edx
0152646F 8D92 3AD3FFFF lea edx,dword ptr ds:[edx-2CC6] ; === jmp 015237A5
01526475 871424 xchg dword ptr ss:[esp],edx
01526478 C3 retn
015237A5 83EC 3E sub esp,3E
0151D99C 896424 2C mov dword ptr ss:[esp+2C],esp
01521064 894424 28 mov dword ptr ss:[esp+28],eax
0151BDBC 8B4424 42 mov eax,dword ptr ss:[esp+42]
0151CBF6 894424 36 mov dword ptr ss:[esp+36],eax
015212DE 8B4424 3E mov eax,dword ptr ss:[esp+3E]
015298E8 894424 1C mov dword ptr ss:[esp+1C],eax
0151F090 894C24 18 mov dword ptr ss:[esp+18],ecx
jmp 1524BD1
01524BD1 895424 24 mov dword ptr ss:[esp+24],edx
0151BFC3 891C24 mov dword ptr ss:[esp],ebx
jmp 151EAF8
0151EAF8 896C24 0C mov dword ptr ss:[esp+C],ebp
01526611 897424 14 mov dword ptr ss:[esp+14],esi
015202C0 897C24 04 mov dword ptr ss:[esp+4],edi
jmp 151B386
0151B386 834424 2C 46 add dword ptr ss:[esp+2C],46
01522D55 54 push esp
jmp 151F0FB
0151F0FB 55 push ebp
0152390F 8BEC mov ebp,esp
0152765C 83E4 F8 and esp,FFFFFFF8
0151DA6C 83EC 0C sub esp,0C
015233A9 53 push ebx
0152823D 56 push esi
0151D68B 57 push edi
0151EBE7 68 BC945101 push 15194BC
01522654 FF15 98C65001 call dword ptr ds:[150C698] ; ntdll.RtlEnterCriticalSection
01528791 8B0D F89A5101 mov ecx,dword ptr ds:[1519AF8]
015215F5 33F6 xor esi,esi
0152661B 90 nop
jmp 15283A9
015283A9 85C9 test ecx,ecx
015223B6 0F84 C8510000 je 01527584
0151D8A3 A1 FC9A5101 mov eax,dword ptr ds:[1519AFC]
0151ECC7 2BC1 sub eax,ecx
jmp 15265EF
015265EF C1F8 03 sar eax,3
0152221A 3BF0 cmp esi,eax
jmp 152905C
0152905C 0F83 22E5FFFF jnb 01527584
0152065A 833CF1 00 cmp dword ptr ds:[ecx+esi*8],0
015244E0 8D3CF1 lea edi,dword ptr ds:[ecx+esi*8]
0152397C 0F84 A8530000 je 01528D2A
01520E01 83C6 01 add esi,1
jmp 1525545
01525545 E9 5F2E0000 jmp 015283A9
015283A9 85C9 test ecx,ecx
015223B6 0F84 C8510000 je 01527584
0151D8A3 A1 FC9A5101 mov eax,dword ptr ds:[1519AFC]
0151ECC7 2BC1 sub eax,ecx
jmp 15265EF
015265EF C1F8 03 sar eax,3
0152221A 3BF0 cmp esi,eax
jmp 152905C
0152905C 0F83 22E5FFFF jnb 01527584
01528D2A 68 BC945101 push 15194BC
0151DEDE C707 01000000 mov dword ptr ds:[edi],1
015205CE FF15 9CC65001 call dword ptr ds:[150C69C] ; ntdll.RtlLeaveCriticalSection
jmp 151C4C0
0151C4C0 8B75 08 mov esi,dword ptr ss:[ebp+8]
015243C9 897E 08 mov dword ptr ds:[esi+8],edi
jmp 151FCEC
0151FCEC 8B47 04 mov eax,dword ptr ds:[edi+4]
jmp 1524B35
01524B35 05 C0FF0000 add eax,0FFC0
jmp 152969B
0152969B 8BF8 mov edi,eax
01525B49 B9 0F000000 mov ecx,0F
0152341D F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
0152995A 8D48 FC lea ecx,dword ptr ds:[eax-4]
jmp 151B4B6
0151B4B6 66:A5 movs word ptr es:[edi],word ptr ds:[esi]
jmp 151BCC5
0151BCC5 51 push ecx
jmp 15263C2
015263C2 8901 mov dword ptr ds:[ecx],eax
jmp 151E667
0151E667 8B6424 04 mov esp,dword ptr ss:[esp+4]
jmp 1521F66
01521F66 56 push esi
jmp 1524140
01524140 8B7424 08 mov esi,dword ptr ss:[esp+8]
jmp 151F723
0151F723 8B46 36 mov eax,dword ptr ds:[esi+36]
0151FD49 50 push eax
01527C5C C646 34 00 mov byte ptr ds:[esi+34],0
jmp 1524DA1
01524DA1 FF15 80935101 call dword ptr ds:[1519380]
01528833 A9 00000040 test eax,40000000
01527ED8 8946 36 mov dword ptr ds:[esi+36],eax
0151C911 0F84 D0A20000 je 01526BE7
01521FF8 8B0D A4945101 mov ecx,dword ptr ds:[15194A4]
0151D3FA 25 FFFFFFBF and eax,BFFFFFFF
jmp 1523987
01523987 894E 10 mov dword ptr ds:[esi+10],ecx
0152797F 8946 36 mov dword ptr ds:[esi+36],eax
0152248E 8B46 36 mov eax,dword ptr ds:[esi+36]
0152851F 85C0 test eax,eax
0151B213 0F88 26E50000 js 0152973F
01524E11 8B0D F4945101 mov ecx,dword ptr ds:[15194F4]
01528329 03C1 add eax,ecx
015218C8 56 push esi
01527F32 8946 3A mov dword ptr ds:[esi+3A],eax
0152018A FF15 B8945101 call dword ptr ds:[15194B8]
015290DA 8B46 30 mov eax,dword ptr ds:[esi+30]
0151B904 A9 00000040 test eax,40000000
jmp 15299BF
015299BF 0F84 9BF8FFFF je 01529260
0152939E 25 FFFFFFBF and eax,BFFFFFFF
015273FC 8946 30 mov dword ptr ds:[esi+30],eax
jmp 1529260
01529260 807E 34 01 cmp byte ptr ds:[esi+34],1
01521A36 0F84 5B7A0000 je 01529497
015298A8 8B46 30 mov eax,dword ptr ds:[esi+30]
0151F0A9 85C0 test eax,eax
015208DF 0F88 5A8E0000 js 0152973F
jmp 1524E11
01526BE7 8B15 A0945101 mov edx,dword ptr ds:[15194A0]
jmp 151DB50
0151DB50 8956 10 mov dword ptr ds:[esi+10],edx ; manager.00400000
0152248E 8B46 36 mov eax,dword ptr ds:[esi+36]
0152851F 85C0 test eax,eax
0151B213 0F88 26E50000 js 0152973F
jmp 1524E11
0152973F 8B0D 80965101 mov ecx,dword ptr ds:[1519680]
01523F52 8D9408 00000080 lea edx,dword ptr ds:[eax+ecx+80000000]
jmp 151DA83
0151DA83 8956 20 mov dword ptr ds:[esi+20],edx
01529497 8BC6 mov eax,esi
01527A24 5E pop esi ; 0013FFB0
01527C3D C2 0400 retn 4
01527B37 8368 2C 08 sub dword ptr ds:[eax+2C],8
01522518 8B48 2C mov ecx,dword ptr ds:[eax+2C]
0151C41E FF70 20 push dword ptr ds:[eax+20]
015201B8 8F41 04 pop dword ptr ds:[ecx+4] ; 01591D91
01523E41 FF70 1C push dword ptr ds:[eax+1C]
0152155E 8F01 pop dword ptr ds:[ecx]
0151D6FA FF70 2C push dword ptr ds:[eax+2C]
0151F312 FF70 04 push dword ptr ds:[eax+4] ; ntdll.7C92E900
0151F327 FF70 14 push dword ptr ds:[eax+14] ; ntdll.7C930208
01522D3E FF70 0C push dword ptr ds:[eax+C]
01521BC9 FF30 push dword ptr ds:[eax]
015223EF FF70 24 push dword ptr ds:[eax+24] ; ntdll.KiFastSystemCallRet
015231E4 FF70 18 push dword ptr ds:[eax+18]
0151BD79 FF70 28 push dword ptr ds:[eax+28]
0152655A 8B48 08 mov ecx,dword ptr ds:[eax+8]
01524545 C701 00000000 mov dword ptr ds:[ecx],0
01527B4F 58 pop eax
0151E226 59 pop ecx ; 0013FFB0
0151D283 5A pop edx ; ntdll.KiFastSystemCallRet
01520D75 5B pop ebx ; 7FFDA000
0151DB08 5D pop ebp ; 0013FFF0
0152917B 5E pop esi ; ntdll.7C930208
01526BD1 5F pop edi ; ntdll.7C92E900
01528C39 5C pop esp ; 0013FFB0
015279F7 9D popfd
0151E549 C3 retn
01591D91 60 pushad
015900D8 FF7424 20 push dword ptr ss:[esp+20]
015268F9 A1 B0945101 mov eax,dword ptr ds:[15194B0]
01525C36 80B8 E4000000 00 cmp byte ptr ds:[eax+E4],0
01522CB7 0F84 64270000 je 01525421
01526102 FF15 14C75001 call dword ptr ds:[150C714] ; kernel32.GetTickCount
0151D494 8BC8 mov ecx,eax
015286D0 2B0D 68935101 sub ecx,dword ptr ds:[1519368] ; manager.00707416
01524042 81F9 88130000 cmp ecx,1388
0151FA0B 0F86 105A0000 jbe 01525421
0151E6F2 8B15 6C935101 mov edx,dword ptr ds:[151936C]
01528235 52 push edx
015286B8 A3 68935101 mov dword ptr ds:[1519368],eax
015209E5 FF15 84C65001 call dword ptr ds:[150C684] ; kernel32.ResumeThread
015215BA 833D 289B5101 03 cmp dword ptr ds:[1519B28],3
01524837 0F8C 8FF3FFFF jl 01523BCC
01523BCC 803D D8945101 00 cmp byte ptr ds:[15194D8],0
0151FEAF B8 01000000 mov eax,1
0151D3C1 0F84 FA900000 je 015264C1
015264C1 C705 289B5101 00000000 mov dword ptr ds:[1519B28],0
0151CB28 A2 D8945101 mov byte ptr ds:[15194D8],al
01525421 8B4424 04 mov eax,dword ptr ss:[esp+4] ; the value that was loaded into eax at the very start
01524649 56 push esi ; ntdll.7C930208
0151CCB3 50 push eax
0151BD6C FF15 84935101 call dword ptr ds:[1519384] ; this call obtains the function index
0151C582 8B0D C09A5101 mov ecx,dword ptr ds:[1519AC0] ; the IAT base address is loaded here
01525B6E 85C9 test ecx,ecx
0151BCA0 8BF0 mov esi,eax ; eax holds the function index
015291A2 0F84 CA46FFFF je 0151D872
015220CC A1 C49A5101 mov eax,dword ptr ds:[1519AC4] ; holds the end address of the IAT group
0151DE9D 2BC1 sub eax,ecx
01527AAC C1F8 02 sar eax,2
01520AEA 3BF0 cmp esi,eax ; check whether the function index is out of range
0152076C 0F82 5FEFFFFF jb 0151F6D1
0151F6D1 8B0CB1 mov ecx,dword ptr ds:[ecx+esi*4] ; msvbvm60.ThunRTMain ; the function address is fetched here
Follow what 1519AC0 points to and have a look:
01810054 73480836 msvbvm60._adj_fpatan --- this stretch of the IAT is a repeated copy
018101D4 73480836 msvbvm60._adj_fpatan --- this is the first IAT group
01810528 73470BB0 msvbvm60.__vbaBoolVar --- this is the second IAT group
Through this address we can see the real location of the IAT, and we have also found the IAT encryption method:
ZP splits the functions into several groups, and each group is handled differently. These IAT groups are spaced apart in memory. Generally there are two groups, and within a group the addresses are contiguous, so the call form ZP uses is "group start address + index".
When handling the IAT, the packer also repeats part of it several times (see the repeated section above), laid out in the same memory region, but only two groups are actually in use; generally the last one and the second to last.
Some of you may have guessed already: the two live IAT groups correspond exactly to the two IAT encryption levels.
Debugging shows that the decode call for the two encryption levels is in fact the same one; only the code in front of it differs, and the result of that code is to put the start address of a different group into 1519AC0.
0151BD6C FF15 84935101 call dword ptr ds:[1519384] ; this call obtains the function index
0151C582 8B0D C09A5101 mov ecx,dword ptr ds:[1519AC0] ; the IAT base address is loaded here
The repair method is as follows:
The IAT calls are contiguous, so just loop from the starting position.
Take the first one, 00412940- E9 DBB73300 jmp manager.0074E120 *
Step 1: read the dword ptr ds:[...] value to get the function-index key.
Step 2: determine whether it belongs to the first group or the second.
Step 3: call the packer's subroutine to obtain the function index.
Step 4: get the start address of the IAT group.
Step 5: from those two values obtain the real function address, then patch the location marked *.
Step 6: loop to the next one.
Anyone interested could write a script for fun.
Having dealt with this program, let's look at a Delphi program.
Reach the OEP the same way and pick any IAT call.
It has been modified by the packer as well, in the same form.
00407CDC- E9 9FA42D00 jmp Farsight.006E2180
00407CE1 90 nop
00407CE2 8BC0 mov eax,eax
00407CE4- E9 13B02D00 jmp Farsight.006E2CFC
00407CE9 90 nop
00407CEA 8BC0 mov eax,eax
Tracing shows the IAT handling is exactly the same. The following piece of code in particular is almost a signature.
01526102 FF15 14C75001 call dword ptr ds:[150C714] ; kernel32.GetTickCount
0151D494 8BC8 mov ecx,eax
015286D0 2B0D 68935101 sub ecx,dword ptr ds:[1519368] ; manager.00707416
01524042 81F9 88130000 cmp ecx,1388
0151FA0B 0F86 105A0000 jbe 01525421
0151E6F2 8B15 6C935101 mov edx,dword ptr ds:[151936C]
01528235 52 push edx
015286B8 A3 68935101 mov dword ptr ds:[1519368],eax
015209E5 FF15 84C65001 call dword ptr ds:[150C684] ; kernel32.ResumeThread
015215BA 833D 289B5101 03 cmp dword ptr ds:[1519B28],3
01524837 0F8C 8FF3FFFF jl 01523BCC
01523BCC 803D D8945101 00 cmp byte ptr ds:[15194D8],0
0151FEAF B8 01000000 mov eax,1
0151D3C1 0F84 FA900000 je 015264C1
015264C1 C705 289B5101 00000000 mov dword ptr ds:[1519B28],0
This program's IAT calls are of the FF25 type; to repair them, fix the FF25 first, then find a blank area and write the IAT addresses into it.
FF15-type programs are also easy to recognise: when the packer modifies a call it rewrites it into the E9 XXXXXXXX form, which is one byte shorter than the FF15 XXXXXXXX call form, so after packing there is a nop right after the IAT call's jmp.
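To make that 6-byte relationship concrete, here is an added Python illustration (not code from the post, and not ZProtect's) that finds each `E9 rel32 ; nop` redirection, lays out a new IAT in a chosen blank area and rewrites every stub as `FF 25 [slot]` (or `FF 15 [slot]` at call-form sites), which covers the last two steps of the repair procedure above. The three stubs are the first thunks of the VB table listed earlier; the resolved API addresses and the IAT location 00418000 are constructed placeholders, since the real values come out of the packer's index call.

```python
# Puts ZProtect's `E9 rel32 ; nop` import redirections back into the 6-byte
# `FF 25 [slot]` / `FF 15 [slot]` forms over a freshly built IAT.
# Added illustration for this post, not code from it or from ZProtect.
import struct


def find_iat_stubs(code, base):
    """Return [(stub_addr, redirect_target)] for each `E9 rel32` followed by
    the 90 the packer left behind when it shrank a 6-byte FF15/FF25 into a
    5-byte jmp.  Plain E9 jmps without the trailing nop are not reported."""
    stubs = []
    off = 0
    while off + 6 <= len(code):
        if code[off] == 0xE9 and code[off + 5] == 0x90:
            rel = struct.unpack_from("<i", code, off + 1)[0]
            stubs.append((base + off, (base + off + 5 + rel) & 0xFFFFFFFF))
            off += 6
        else:
            off += 1
    return stubs


def rebuild_iat(code, base, resolved, iat_addr, call_form=False):
    """resolved maps each redirect target to the real API address, i.e. the
    output of steps 1-5 of the procedure above.  A new IAT is laid out at
    iat_addr, one dword per stub, and every stub becomes `FF 25 slot` (or
    `FF 15 slot` at call sites).  Returns (patched_code, iat_bytes,
    {stub_addr: slot_addr}).  Stubs whose target is not in resolved are
    left exactly as they are."""
    out = bytearray(code)
    iat = bytearray()
    slots = {}
    opcode = b"\xFF\x15" if call_form else b"\xFF\x25"
    for stub_addr, target in find_iat_stubs(code, base):
        if target not in resolved:
            continue
        slot = iat_addr + len(iat)
        iat += struct.pack("<I", resolved[target])
        off = stub_addr - base
        out[off:off + 6] = opcode + struct.pack("<I", slot)   # exactly 6 bytes again
        slots[stub_addr] = slot
    return bytes(out), bytes(iat), slots


# Constructed input: the first three thunks of the VB table listed above
# (00412940 / 00412946 / 0041294C, bytes as shown), base address 00412940.
THUNKS = bytes.fromhex("E9DBB7330090" "E911BB330090" "E9FFBD330090")
THUNK_BASE = 0x00412940
# Placeholder values standing in for what the packer's index call would
# resolve each redirect to; the real addresses are not derivable offline.
RESOLVED = {0x0074E120: 0x73400010, 0x0074E45C: 0x73400020, 0x0074E750: 0x73400030}
NEW_IAT = 0x00418000   # assumed blank area in the dump

if __name__ == "__main__":
    patched, iat, slots = rebuild_iat(THUNKS, THUNK_BASE, RESOLVED, NEW_IAT)
    for addr, slot in slots.items():
        o = addr - THUNK_BASE
        print(f"{addr:08X}: {patched[o:o + 6].hex()}  -> [{slot:08X}]")
    print("IAT:", iat.hex())
```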
That is the method for repairing the IAT of a ZProtect-packed program. I am not attaching a script or repair tool; my programming really isn't up to it. Interested experts could write a universal script or tool, and I will certainly cheer it on.
Finally, about getting past ZP's registration dialog: y3's dll can get past ZP programs that have no trial dialog; it seems to hook DialogBoxIndirectParam, and I hope y3 will publish the method. (With a trial dialog there is no need to skip it: just use the trial, then unpack...)
A newbie's notes; criticism welcome!
HyperChem
02/23/2009

I heard the repair is pretty hard, haha...
Moved over here again... HyperChem, this should be moved out of the cracking section.
Not bad, very detailed.
I heard this ZProtect IAT repair is very hard; I stared at it for most of the day and still didn't understand.