Zprotect1.4-1.6 patch KEY shelling

ZProtect 1.4.x series software can be completely shelled with an available machine code and key. For all software with ZProtect currently (ZP1.60) shelling, you can achieve perfect shelling with an available machine code and key. Suppose there is an available machine code and KEY: machine code: AAAA-BBBB-CCCC-DDDD serial number: bda-fa844e0e9a7f32810dd67b9c4dc086eb script process: 1, look for OEP breakpoint. This principle is very simple. The so-called ESP balance law is. 2. patch the machine code. Zprotect uses the DeviceIoControl function to obtain the machine code. You only need to set a breakpoint for this function. When you are prompted to enter the first eight digits of the machine number, in this example, enter AAAABBBB, And the last eight digits are CCCCDDDD. 3. Fix IAT. In this version, you still need to manually enter the start and end parts of IAT. 4. Use loadpe and IMR to fix the issue. Script content: Invalid VARSINIT // mov EipForOep_1, eipmov EipForOep_1, [ignore] and EipForOep_1, 0 ffcmp EipForOep_1, 60jne 1_bpforoep, espjmp restart: stojmp restart: /////////////// HWID_PATCH: bphws DeviceIoControl, "x" bp DeviceIoControlbphws VirtualAlloc, "x" bp VirtualAllocesto // HWID_PATCH_CHECK_NEXT: cmp eip, Virtu AlAllocjne HWID_PATCH_2bphwcbcmov A_SIZE, [esp + 08] rtrmov A_ADDRESS, eaxbphws DeviceIoControl, "x" bp DeviceIoControlbphws VirtualAlloc, "x" bp limit: // zenghw addesto ////////////////// FIND_STRING: mov tempdata, [esp] // zenghw addcmp tempdata, 77DA9559je HWID_PATCH_CHECK_NEXT_ZHWcmp eip, DeviceIoControlje HWID_PATCH_2find A_ADDRESS, # 0FB? 542410E9 # cmp $ RESULT, 00je paia_address, $ RESULTinc A_ADDRESSmov A_ADDRESS_BAK, $ RESULTmov dll, 01add A_ADDRESS, 04gci A_ADDRESS, DESTINATIONcmp $ RESULT, 00sub A_ADDRESS, 04je FIND_STRINGmov ABC, $ RESULTcmp [ABC + 03], 1124, 02 jne FIND_STRINGadd ABC, 05cmp [ABC], E8, 01jne FIND_STRING_Bmov call, 01 // FIND_STRING_ B: gci ABC, DESTINATIONcmp $ RESULT, 00sub ABC, 05j E FIND_STRINGmov ABC, $ RESULTcmp call, 01je FIND_STRING_Ccmp [ABC], 30, 01jne FIND_STRING ////////////// // FIND_STRING_C: mov A_ADDRESS, A_ADDRESS_BAKjmp restart HWID_PATCH // HWID_PATCH_2: bphwcbccmp dll, 01jne HWID_PATCH_2_Agmemi A_ADDRESS, MEMORYBASEmov VMBASE, $ RESULTmov $ RESULT, A_ADDRESSjmp found // HWID_PATCH_2_A: mov EXTRA, [esp] gmemi EXTRA, memybas Emov EXTRA, $ RESULTrtugmemi eip, MEMORYBASEcmp EXTRA, $ RESULTjne VMgmemi eip, MEMORYBASEmov EXTRA_2, $ RESULTcmp [EXTRA_2], 5A4D, 02jne VMrtrmov baceip, eip // SELFTEST: sticmp eip, baceipje SELFTEST ///////////// // VM: gmemi eip, MEMORYBASEmov VMBASE, $ RESULT // SEARCH: find VMBASE, # 0FB? 542410E9 # cmp $ RESULT, 00jne foundfind A_ADDRESS, # 0FB? 542410E9 # cmp $ RESULT, 00je SEARCH_3 // SEARCH_2: mov A_ADDRESS, $ RESULTgmemi A_ADDRESS, MEMORYBASEmov VMBASE, $ RESULTmov $ RESULT, A_ADDRESSjmp found // SEARCH_3: finf8 # 0FB? 542410E9 #, CODESECTIONcmp $ RESULT, 00jne SEARCH_3_Apausepausepause ////// // SEARCH_3_A: mov A_ADDRESS, $ RESULTgmemi A_ADDRESS, MEMORYBASEmov VMBASE, $ RESULTmov $ RESULT, A_ADDRESSjmp foundpausepause /////// // found: mov FOUND, $ RESULTadd PLUS_1, FOUNDsub PLUS_1, VMBASEmov PLUS_1, PLUS_1log PLUS_1bp FOUNDbphws FOUND, "x" estomov ID, [esp + 10] mov ID2, [esp + 14] alloc 1000mov mem, $ RESULTm Ov baceip, eip // Ask3: ask "Enter the first 8 bytes of the available machine code, such: AAAABBBB "cmp $ RESULT, 0je Ask3cmp $ RESULT,-1je Ask3mov ID_1, $ RESULT // Ask4: ask "Enter the last 8 bytes of the available machine code, such as CCCCDDDD" cmp $ RESULT, 0je Ask4cmp $ RESULT,-1je Ask4mov ID_2, $ RESULTmov temp2, eaxmov test, # + "0000-0000-0000-0000" mov [mem], testmov eax, ID_1shr eax, 10mov I1, axmov eax, ID_1mov I2, axitoa I1, 16.mov I1, $ RESULTlen I1cmp $ R ESULT, 04je CW_GO // AB1: cmp $ RESULT, 03jne AB2eval "0 {I1}" mov I1, $ RESULTjmp CW_GO // cmp $ RESULT, 02jne AB3eval "00 {I1}" mov I1, $ RESULTjmp CW_GO // cmp $ RESULT, 01jne AB4eval "000 {I1}" mov I1, $ RESULTjmp CW_GO // cmp $ RESULT, 00jne AB5mov I1, "0000" jmp CW_GO // AB5: pausepausepause // //cw_go: Itoa I2, 16.mov I2, $ RESULTlen I2cmp $ RESULT, 04je CW_GO_2 // AB1A: cmp $ RESULT, 03jne AB2Aeval "0 {I2}" mov I2, $ RESULTjmp CW_GO_2 // cmp $ RESULT, 02jne AB3Aeval "00 {I2}" mov I2, $ RESULTjmp CW_GO_2 // cmp $ RESULT, 01jne AB4eval "000 {I2}" mov I2, $ RESULTjmp CW_GO_2 // cmp $ RESULT, 00jne AB5Amov I2, "0000" jmp CW_GO_2 ///////// ///////// AB5A: pausepausepause //////// // CW_GO_2: eval "{I1}-{I2}" mov test, ##+ $ RESULTmov [mem], testmov eax, ID_2shr eax, 10mov I3, axmov eax, ID_2mov I4, axitoa I3, 16.mov I3, $ RESULTlen I3cmp $ RESULT, 04je CW_GO_3 // AB1B: cmp $ RESULT, 03jne AB2Beval "0 {I3}" mov I3, $ RESULTjmp CW_GO_3 // cmp $ RESULT, 02jne AB3Beval "00 {I3}" mov I3, $ RESULTjmp CW_GO_3 // //// // AB3B: cmp $ RESULT, 01jne AB4Beval "000 {I3}" mov I3, $ RESULTjmp CW_GO_3 // AB4B: cmp $ RESULT, 00jne AB5Bmov I3, "0000" jmp CW_GO_3 // AB5B: pausepausepause //////////////// CW_GO_3: itoa I4, 16.mov I4, $ RESULTlen I4cmp $ RESULT, 04je CW_GO_4 // AB1C: cmp $ RESULT, 03jne AB2Ceval "0 {I4}" mov I4, $ RESULTjmp CW_GO_4 // AB2C: cmp $ RESULT, 02jne AB3Ceval "00 {I4}" mov I4, $ RESULTjmp CW_GO_4 // AB3C: cmp $ RESULT, 01jne AB4Ceval "000 {I4}" mov I4, $ RESULTjmp CW_GO_4 // AB4C: cmp $ RESULT, 00jne AB5Cmov I4, "0000" jmp CW_GO_4 // AB5C: pausepausepause // CW_GO_4: eval "{I3}-{I4}" mov test, # + $ RESULTmov [mem + 0A], test // BIG_LOOP: mov CALC, mem ///////////////// /// BIG_LOOP_2: cmp [mem], 61, 01je 20cmp [mem], 62, 01je 20cmp [mem], 63, 01je 20cmp [mem], 64, 01je 20cmp [mem], 65, 01je 20cmp [mem], 66, 01je 20 // BIG_LOOP_3: inc meminc countacmp counta, 13je FERTIGjmp BIG_LOOP_2 // 20: sub [mem], 20jmp BIG_LOOP_3 //////////////// FERTIG: mov mem, CALCmov counta, 00cmp SECOND_LOOP, 01je END_SECOND_LOOPreadstr [mem], 13mov STRING, $ RESULTstr STRINGmov STRING, STRINGmov eax, temp2fill mem, 100, 00mov temp2, eaxmov test, ##+ "0000-0000-0000-0000" mov [mem], testmov eax, [esp + 10] mov I1, axshr eax, 10mov I2, axmov eax, [esp + 14] mov I3, axshr eax, 10mov I4, axitoa I1, 16.mov I1, $ RESULTlen I1cmp $ RESULT, 04je CW_GO_5 // AB1D: cmp $ RESULT, 03jne AB2Deval "0 {I1}" mov I1, $ RESULTjmp CW_GO_5 // cmp $ RESULT, 02jne AB3Deval "00 {I1}" mov I1, $ RESULTjmp CW_GO_5 // AB3D: cmp $ RESULT, 01jne AB4Deval "000 {I4}" mov I1, $ RESULTjmp CW_GO_5 // AB4D: cmp $ RESULT, 00jne AB5Dmov I1, "0000" jmp CW_GO_5 // AB5D: pausepausepause //////////////// CW_GO_5: itoa I2, 16.mov I2, $ RESULTlen I2cmp $ RESULT, 04je CW_GO_6 // AB1E: cmp $ RESULT, 03jne AB2Eeval "0 {I2} "mov I2, $ RESULTjmp CW_GO_6 // AB2E: cmp $ RESULT, 02jne AB3Eeval "00 {I2}" mov I2, $ RESULTjmp CW_GO_6 // cmp $ RESULT, 01jne AB4Eeval "000 {I2}" mov I2, $ RESULTjmp CW_GO_6 // cmp $ RESULT, 00jne AB5Emov I2, "0000" jmp CW_GO_6 // AB5E: pausepausepause // CW_GO_6: eval "{I1}-{I2}" mov test, ##+ $ RESULTmov [mem], testito A I3, 16.mov I3, $ RESULTlen I3cmp $ RESULT, 04je CW_GO_7 // AB1F: cmp $ RESULT, 03jne AB2Feval "0 {I3}" mov I3, $ RESULTjmp CW_GO_7 // cmp $ RESULT, 02jne AB3Feval "00 {I3}" mov I3, $ RESULTjmp CW_GO_7 // cmp $ RESULT, 01jne AB4Feval "000 {I3}" mov I3, $ RESULTjmp CW_GO_7 // cmp $ RESULT, 00jne AB5Fmov I3, "0000" jmp CW_GO_7 /////////// /////// AB5F: pausepausepause ////////// // /////cw_go_7: itoa I4, 16.mov I4, $ RESULTlen I4cmp $ RESULT, 04je CW_GO_8 // AB1G: cmp $ RESULT, 03jne AB2Geval "0 {I4}" mov I4, $ RESULTjmp CW_GO_8 // cmp $ RESULT, 02jne ab1_eval "00 {I4}" mov I4, $ RESULTjmp CW_GO_8 // cmp $ RESULT, 01jne AB4Geval "000 {I4}" mov I4, $ RESULTjmp CW_GO_8 // AB4G: Cmp $ RESULT, 00jne AB5Gmov I4, "0000" jmp CW_GO_8 // AB5G: pausepausepause // CW_GO_8: eval "{I3}-{I4}" mov test, ##+ $ RESULTmov [mem + 0A], testmov SECOND_LOOP, 01jmp BIG_LOOP // END_SECOND_LOOP: readstr [mem], 13mov STRING_2, $ RESULTstr STRING_2mov STRING_2, STRING_2mov eax, temp2fill mem, 100, 00mov SECOND_LOOP, 00mov [mem], ID_1mov [mem + 04], ID_2mov [me M + 12], [mem], 2mov [mem + 10], [mem + 2], 2mov [mem + 16], [mem + 4], 2mov [mem + 14], [mem + 6], 2mov ID_1, [mem + 10] mov ID_2, [mem + 14] fill mem, 100, 00bc FOUNDbphwcreadstr [eip], 0 Amov place, $ RESULTbuf placemov test, eipadd test, 05gci test, DESTINATIONmov ort, $ RESULTeval "jmp {mem}" asm eip, $ RESULTmov [mem], #81faaaaaaaaa751a81f9aaaaaaaa7512babbbbbbbbbbb9cccccc89542410894c24149090 # cmp $ RESULT, 01jmp END_S ECOND_LOOP_2 // END_SECOND_LOOP_2: add mem, 22mov [mem], placesub mem, 22mov [mem + 02], IDmov [mem + 0A], ID2mov [mem + 11], ID_1mov [mem + 16], ID_2eval "jmp {ort}" asm mem + 27, $ RESULTadd PLUS_2, ortsub PLUS_2, VMBASEmov PLUS_2, PLUS_2readstr [mem], 028 jmp FULL_ENDestopausepause ////// // //varsinit: ///////////// zenghw add /////// var tempdata var vmaddrvar apiaddrvar IAT_Startvar Too many variables too much oepvar too tmp1var tmp2var too EXTRAvar memvar too many variable testvar STRINGvar CALCvar I1var I2var I3var I4var too many CHECKvar too CODESECTIONvar too dllvar call ////////// //////// gpa "DeviceIoControl ", "kernel32.dll" mov DeviceIoControl, $ RESULTgpa "Vir TualAlloc "," kernel32.dll "mov VirtualAlloc, $ RESULTgpa" VirtualProtect "," kernel32.dll "mov VirtualProtect, $ RESULTgpa" MapViewOfFile "," kernel32.dll "mov MapViewOfFile, $ RESULTret // FULL_END: cmp TEMP_CHECK, 0je FULL_END_2free TEMP_CHECK //////////// // FULL_END_2: // pause // ret // start: findoep: BPHWCALLBPHWS bpforoep, "r" runmov EipForOep_2, eipmov EipForOep_2, [EipForOep_2] and EipFo ROep_2, 0 ffcmp EipForOep_2, E8je findoep2stostomov oep, eippause // you can view iat start and iat end, and then modify the corresponding content msg in fixiat, you can first view the start and end addresses of IAT, and then modify the corresponding IAT_Start and IAT_Start in fixiat! After "jmp fixiatfindoep2: // msg" is fixed, search for OEP manually! "Stistostostostostomov oep, eipfixiat: mov IAT_Start, 0040306C /////////////////////////////////////// /mov IAT_End, 00403098 /////////////////////////////////////// /fix: mov eip, [IAT_Start] mov cost, eipmov cost, [EipForOep_3] and EipForOep_3, 0 ffcmp cost, 68jne 1_tmp1, eipfind eip, # 7C # cmp $ RESULT, 0je F2mov tmp2, $ RESULTmov [tmp2], # EB # mov eip, tmp1F2: Runsto www.2cto. comcmp eip, 0734700ja fix2mov failed, eipsub failed, vmaddradd failed, failed [IAT_Start], vmapiaddradd IAT_Start, 4cmp IAT_Start, disable endcmp [IAT_Start], 0je implements fixfix2: mov eip, [IAT_Start] mov EipForOep_3, eipmov EipForOep_3, [EipForOep_3] and EipForOep_3, 0 ffcmp 1_, 68jne 1_tmp1, eipfind eip, # 7C # cmp $ RESULT, 0j E F3mov tmp2, $ RESULTmov [tmp2], # EB # mov eip, tmp1F3: runstomov apiaddr, eipmov [IAT_Start], apiaddradd IAT_Start, 4cmp IAT_Start, IAT_Endja endcmp [IAT_Start], 0je skipfixjmp fixskipfix: add IAT_Start, 4cmp [IAT_Start], 0je skipfixjmp fixskipfix2: add IAT_Start, 4cmp IAT_Start, IAT_Endja endjmp fixerror: msg "Fix IAT wrong! "Retend: BPHWCALLmov eip, oepAN eipret