[Author mailbox]: a474528738@163.com
[Software name]: XXX email promotion
[Tools]: OD, ExeinfoPE
[Operating platform]: XP SP3
[Author's statement]: I did this purely out of interest and for no other purpose. Please point out any errors!
--------------------------------------------------------------------------------
[Detailed process]
There are relatively few ZProtect unpacking write-ups on our forum. I found a ZProtect-packed program on my computer, so I unpacked it and wrote it up here. This is the first write-up I have written, so mistakes and omissions are inevitable! Thank you.
Load the file in OD and single-step with F7; you arrive at:
009C89DC 60 PUSHAD
009C89DD ^ E9 F7FCFFFF JMP 009C86D9 <--- after stepping over PUSHAD, at this instruction set a hardware breakpoint on the stack: hr esp
With the breakpoint set, run with F9. The registration dialog appears; click Trial, the breakpoint hits, and one more F7 single-step lands on the OEP:
0084F914 55 push ebp <------ OEP
0084F915 8BEC mov ebp, esp
0084F917 83C4 F0 add esp, -10
0084F91A B8 9CEA8400 mov eax, 0084EA9C
0084F91F E8 8489BBFF call 004082A8 <----
0084F924 A1 0C738600 mov eax, dword ptr ds:[86730C]
0084F929 8B00 mov eax, dword ptr ds:[eax]
0084F92B E8 48CAC5FF call 004AC378
0084F930 A1 0C738600 mov eax, dword ptr ds:[86730C]
Follow CALL 004082A8, then step into the first call inside it; you land in the import thunk table:
004081CC - FF25 B0138700 jmp dword ptr ds:[8713B0]; 201772.009cae9c
004081D2 8BC0 mov eax, eax
004081D4 - FF25 AC138700 jmp dword ptr ds:[8713AC]
004081DA 8BC0 mov eax, eax
004081DC - FF25 A8138700 jmp dword ptr ds:[8713A8]; 41072.009c9ef4
004081E2 8BC0 mov eax, eax
004081E4 - FF25 A4138700 jmp dword ptr ds:[8713A4]
The IAT has been encrypted: none of these thunks point at a system DLL. Follow the thunk address in the dump window (Follow in Dump -> Memory address) and you see:
008713B0 009CAE9C 201772.009cae9c <-------- type 1 encryption
008713B4 00000000
008713B8 009CA578 201772.009ca578
008713BC 009CAAAC 201772.009caaac
008713C0 01AF0196 <---------- type 2 encryption
008713C4 01AF01A4
008713C8 01AF01B2
Scrolling to the end of the IAT:
00871CA8 01B001F8 <-------- type 3 encryption
00871CAC 01B00206
00871CB0 01B00214
00871CB4 01B00222
00871CB8 00000000
00871CBC 009CAB48 41072.009cab48
00871CC0 01B00230
So there are three kinds of encrypted entries, distinguishable by the pointer value alone:
Type 1: 009CXXXX (points into the shell's own code section; zero entries are DLL separators)
Type 2: 01AXXXXX
Type 3: 01BXXXXX
Set a new origin (New EIP) at the type-1 pointer from 008713B0, i.e. 009CAE9C (201772.009cae9c). Note: do not delete the hardware breakpoint that was used earlier to reach the OEP! Then step with F8 and you arrive at:
018673DD C3 RETN
At this RETN the decrypted API address is on top of the stack:
0012FFC0 7C80B741 kernel32.GetModuleHandleA
018673DD is the RETN that jumps to the real API once decryption is finished, and every type-1 entry returns through it, so 018673DD is the key address for the type-1 encryption.
Set a new origin at a type-2 or type-3 pointer and follow it; both have the same shape:
PUSH EAX
PUSHAD
PUSH XXXXXXXX
CALL 018A43A0
POPAD
RETN
When the RETN is reached, the real address has likewise been decrypted onto the top of the stack (the PUSH EAX slot is overwritten by CALL 018A43A0). CALL 018A43A0 is therefore the key point for analysing types 2 and 3, and the RETN sits at a fixed offset (+0D) from the start of the stub.
Now the IAT is easy to fix. Here is the OllyScript I wrote, for reference:
var cur_addr
var old_esp
var old_eip
var end_addr
var bp_addr

mov old_esp, esp          ; save esp and eip so they can be restored when the script ends
mov old_eip, eip
bphwc                     ; clear all hardware and software breakpoints
bc

ask "Enter IAT start address - 4"
cmp $RESULT, 0
je exit
mov cur_addr, $RESULT     ; IAT start - 4 (the loop adds 4 before touching the first entry)
ask "Enter IAT end address + 4"
cmp $RESULT, 0
je exit
mov end_addr, $RESULT

mainloop:
bphwc
bc
mov esp, old_esp          ; reset the stack every round so the decryptor always runs on a clean esp
add cur_addr, 4
cmp cur_addr, end_addr    ; current address reached IAT end + 4: every entry has been repaired
jae exit
cmp [cur_addr], 0         ; zero entry marks the end of one DLL's thunks, nothing to decrypt
je mainloop
cmp [cur_addr], 00A00000
jb loop1                  ; pointer below 00A00000 (009Cxxxx): type-1 encryption
jmp loop2                 ; 01Axxxxx / 01Bxxxxx: type-2 and type-3 stubs

loop:
mov eip, [cur_addr]       ; new origin at the encrypted pointer
esto                      ; run until the hardware breakpoint on the RETN hits
mov [cur_addr], [esp]     ; the real API address is now at the top of the stack; write it back into the IAT
jmp mainloop

loop1:                    ; type-1: every entry returns through the same RETN at 018673DD
bphws 018673DD, "x"
jmp loop

loop2:                    ; type-2/3: PUSH EAX, PUSHAD, PUSH imm32, CALL 018A43A0, POPAD, RETN
mov bp_addr, [cur_addr]
add bp_addr, 0D           ; +0D = the RETN at the end of the 14-byte stub
bphws bp_addr, "x"
jmp loop

exit:
mov eip, old_eip          ; restore the original eip and esp
mov esp, old_esp
bc
bphwc
ret
Values entered for this target:
IAT start - 4 = 008712A4
IAT end + 4 = 00871D78
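The OllyScript above trusts the pointer ranges and the +0D offset blindly; if a stub does not have the expected shape, `esto` simply runs away. The following Python helper is an added example (not the author's script or any ZProtect code) that does the same classification offline on a dumped IAT and memory image: it sorts entries into the three types by the same 00A00000 / 01Axxxxx / 01Bxxxxx rule, verifies that a type-2/3 pointer really lands on a `50 60 68 imm32 E8 rel32 61 C3` stub whose CALL resolves to 018A43A0, and reports the address where the hardware breakpoint must go (018673DD for type 1, stub + 0D otherwise). The IAT bytes and stub bytes below are constructed for the demo; the fixed addresses come from the write-up.

```python
"""Plan ZProtect IAT repair breakpoints from a dumped IAT and memory image.

Added example, not the author's OllyScript. Constants 018673DD, 018A43A0 and
the 00A00000 threshold are taken from the write-up; everything else (the
sparse memory image, the IAT contents, the immediates) is constructed here.
"""
import struct

TYPE1_RETN   = 0x018673DD   # common RETN of the type-1 decryptor
TYPE1_LIMIT  = 0x00A00000   # pointers below this are type 1 (009Cxxxx)
DECRYPT_CALL = 0x018A43A0   # CALL target inside every type-2/3 stub
RETN_OFFSET  = 0x0D         # 50 60 68 imm32 E8 rel32 61 C3 -> RETN at +0D

# Stub bytes that must match; None marks the imm32 / rel32 wildcards.
STUB_MASK = [0x50, 0x60, 0x68, None, None, None, None,
             0xE8, None, None, None, None, 0x61, 0xC3]


class Memory:
    """Sparse memory image: {base_address: bytes}. Constructed for the demo."""

    def __init__(self, blocks):
        self.blocks = dict(blocks)

    def read(self, addr, size):
        for base, data in self.blocks.items():
            if base <= addr and addr + size <= base + len(data):
                off = addr - base
                return data[off:off + size]
        raise ValueError(f"unmapped read at {addr:08X}")


def make_stub(at, imm):
    """Build a 14-byte type-2/3 stub at address `at` whose CALL hits DECRYPT_CALL."""
    rel = DECRYPT_CALL - (at + 12)          # CALL rel32 is relative to the next insn
    return (b"\x50\x60\x68" + struct.pack("<I", imm)
            + b"\xE8" + struct.pack("<i", rel) + b"\x61\xC3")


def pack_iat(pointers):
    """Serialise a list of 32-bit IAT entries little-endian, as they sit in memory."""
    return b"".join(struct.pack("<I", p) for p in pointers)


def classify(ptr):
    """0 = DLL separator, 1 = 009Cxxxx, 2 = 01Axxxxx, 3 = 01Bxxxxx."""
    if ptr == 0:
        return 0
    if ptr < TYPE1_LIMIT:
        return 1
    if (ptr >> 20) == 0x01A:
        return 2
    if (ptr >> 20) == 0x01B:
        return 3
    raise ValueError(f"pointer {ptr:08X} matches none of the known encryptions")


def parse_stub(mem, ptr):
    """Verify the stub at `ptr`; return (pushed imm32, resolved CALL target)."""
    raw = mem.read(ptr, len(STUB_MASK))
    for got, want in zip(raw, STUB_MASK):
        if want is not None and got != want:
            raise ValueError(f"no PUSH/PUSHAD/PUSH/CALL/POPAD/RETN stub at {ptr:08X}")
    imm = struct.unpack_from("<I", raw, 3)[0]
    rel = struct.unpack_from("<i", raw, 8)[0]
    target = (ptr + 12 + rel) & 0xFFFFFFFF
    if target != DECRYPT_CALL:
        raise ValueError(f"stub at {ptr:08X} calls {target:08X}, not {DECRYPT_CALL:08X}")
    return imm, target


def plan(mem, iat_base, iat_bytes):
    """Return [(slot, encrypted_ptr, type, breakpoint_addr)] for each non-zero entry."""
    out = []
    for off in range(0, len(iat_bytes), 4):
        slot = iat_base + off
        ptr = struct.unpack_from("<I", iat_bytes, off)[0]
        kind = classify(ptr)
        if kind == 0:
            continue                        # end of one DLL's thunks
        if kind == 1:
            out.append((slot, ptr, kind, TYPE1_RETN))
        else:
            parse_stub(mem, ptr)            # refuse to plan a breakpoint on a bad stub
            out.append((slot, ptr, kind, ptr + RETN_OFFSET))
    return out


# Constructed sample: two stubs in memory and a six-entry IAT starting at 008713B0.
SAMPLE_MEM = Memory({
    0x01AF0196: make_stub(0x01AF0196, 0x11111111),
    0x01B001F8: make_stub(0x01B001F8, 0x22222222),
})
SAMPLE_IAT_BASE = 0x008713B0
SAMPLE_IAT = pack_iat([0x009CAE9C, 0, 0x009CA578, 0x01AF0196, 0x01B001F8, 0])

if __name__ == "__main__":
    for slot, ptr, kind, bp in plan(SAMPLE_MEM, SAMPLE_IAT_BASE, SAMPLE_IAT):
        print(f"{slot:08X}: {ptr:08X} type {kind} -> bphws {bp:08X}, \"x\"")
```

Feeding the real dump through `plan()` before running the OllyScript tells you which slots the script will touch and flags any entry whose stub has a different shape, which is exactly the case where the script's fixed +0D breakpoint would never be hit.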
The script has been tested and works. ZProtect makes large changes to the PE header, so take care when dumping: in LordPE, untick "Paste PE header from disk file", then dump and fix the IAT. Success! Why?
With that option ticked, the dump takes its PE header from the file on disk, i.e. the packed file, whose resource table has been modified by the shell, and a dump built on that header does not run.