Zprotect1.4-1.6patch KEY shelling 01/29 Update SLTechnology News&Howtos

Zprotect1.4-1.6patch KEY shelling

2025-01-29 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Internet Technology >

Shulou(Shulou.com)06/03 Report--

For the ZProtect 1.4.x series of software, as long as it has an available machine code and key, it can be perfectly shelled.

For all the software that has been shelled in the current version of ZProtect (ZP1.60), it can be perfectly shelled as long as there is one available machine code and key.

Suppose you already have a machine code and KEY available:

Machine code: AAAA-BBBB-CCCC-DDDD

Serial number: B131FA844E0E9A7F32810DD67B9C4DC086EB

Script flow:

1. Look for the OEP breakpoint. This principle is very simple, the so-called ESP equilibrium law is.

2, patch the machine code. Zprotect uses the DeviceIoControl function to get the machine code correlation, as long as the breakpoint is set on the function. When prompted to enter the first eight digits of the machine number, in this case, enter AAAABBBB, and the last eight digits are CCCCDDDD.

3. Repair IAT. The beginning and end of IAT in this release still need to be filled in manually.

4. Repair it with loadpe and IMR.

Content of the script:

BPMC

BPHWC

Call VARSINIT

/ / pause

Sti

FIND_OEP:

Mov EipForOep_1, eip

Mov EipForOep_1, [EipForOep_1]

And EipForOep_1, 0ff

Cmp EipForOep_1, 60

Jne OEP_NEXT

Sti

Mov bpforoep, esp

Jmp HWIDPatchStart

OEP_NEXT:

Sto

Jmp FIND_OEP

HWIDPatchStart:

HWID_PATCH:

Bphws DeviceIoControl, "x"

Bp DeviceIoControl

Bphws VirtualAlloc, "x"

Bp VirtualAlloc

Esto

HWID_PATCH_CHECK_NEXT:

Cmp eip, VirtualAlloc

Jne HWID_PATCH_2

Bphwc

Mov A_SIZE, [esp+08]

Rtr

Mov A_ADDRESS, eax

Bphws DeviceIoControl, "x"

Bp DeviceIoControl

Bphws VirtualAlloc, "x"

Bp VirtualAlloc

HWID_PATCH_CHECK_NEXT_ZHW: / / zenghw add

Esto

FIND_STRING:

Mov tempdata, [esp] / / zenghw add

Cmp tempdata,77DA9559

Je HWID_PATCH_CHECK_NEXT_ZHW

Cmp eip, DeviceIoControl

Je HWID_PATCH_2

Find A_ADDRESS, # 0FB?542410E9#

Cmp $RESULT, 00

Je HWID_PATCH_CHECK_NEXT

Mov A_ADDRESS, $RESULT

Inc A_ADDRESS

Mov A_ADDRESS_BAK, $RESULT

Mov dll, 01

Add A_ADDRESS, 04

Gci A_ADDRESS, DESTINATION

Cmp $RESULT, 00

Sub A_ADDRESS, 04

Je FIND_STRING

Mov ABC, $RESULT

Cmp [ABC+03], 1124, 02

Jne FIND_STRING

Add ABC, 05

Cmp [ABC], E8, 01

Jne FIND_STRING_B

Mov call, 01

FIND_STRING_B:

Gci ABC, DESTINATION

Cmp $RESULT, 00

Sub ABC, 05

Je FIND_STRING

Mov ABC, $RESULT

Cmp call, 01

Je FIND_STRING_C

Cmp [ABC], 30, 01

Jne FIND_STRING

FIND_STRING_C:

Mov A_ADDRESS, A_ADDRESS_BAK

Jmp HWID_PATCH_2

Jmp HWID_PATCH

HWID_PATCH_2:

Bphwc

Cmp dll, 01

Jne HWID_PATCH_2_A

Gmemi A_ADDRESS, MEMORYBASE

Mov VMBASE, $RESULT

Mov $RESULT, A_ADDRESS

Jmp found

HWID_PATCH_2_A:

Mov EXTRA, [esp]

Gmemi EXTRA, MEMORYBASE

Mov EXTRA, $RESULT

Rtu

Gmemi eip, MEMORYBASE

Cmp EXTRA, $RESULT

Jne VM

Gmemi eip, MEMORYBASE

Mov EXTRA_2, $RESULT

Cmp [EXTRA_2], 5A4D, 02

Jne VM

Rtr

Mov baceip, eip

SELFTEST:

Sti

Cmp eip, baceip

Je SELFTEST

VM:

Gmemi eip, MEMORYBASE

Mov VMBASE, $RESULT

SEARCH:

Find VMBASE, # 0FB?542410E9#

Cmp $RESULT, 00

Jne found

Find A_ADDRESS, # 0FB?542410E9#

Cmp $RESULT, 00

Je SEARCH_3

SEARCH_2:

Mov A_ADDRESS, $RESULT

Gmemi A_ADDRESS, MEMORYBASE

Mov VMBASE, $RESULT

Mov $RESULT, A_ADDRESS

Jmp found

SEARCH_3:

Findmem # 0FB?542410E9#, CODESECTION

Cmp $RESULT, 00

Jne SEARCH_3_A

Pause

SEARCH_3_A:

Mov A_ADDRESS, $RESULT

Gmemi A_ADDRESS, MEMORYBASE

Mov VMBASE, $RESULT

Mov $RESULT, A_ADDRESS

Jmp found

Pause

Found:

Mov FOUND, $RESULT

Add PLUS_1, FOUND

Sub PLUS_1, VMBASE

Mov PLUS_1, PLUS_1

Log PLUS_1

Bp FOUND

Bphws FOUND, "x"

Esto

Mov ID, [esp+10]

Mov ID2, [esp+14]

Alloc 1000

Mov mem, $RESULT

Mov baceip, eip

Ask3:

Ask "enter the first 8 bytes of available machine code, such as: AAAABBBB"

Cmp $RESULT,0

Je Ask3

Cmp $RESULT,-1

Je Ask3

Mov ID_1, $RESULT

Ask4:

Ask "enter the last 8 bytes of available machine code, such as: CCCCDDDD"

Cmp $RESULT,0

Je Ask4

Cmp $RESULT,-1

Je Ask4

Mov ID_2, $RESULT

Mov temp2,eax

Mov test, # + "0000-0000-0000-0000"

Mov [mem], test

Mov eax, ID_1

Shr eax, 10

Mov I1, ax

Mov eax, ID_1

Mov I2, ax

Itoa I1, 16.

Mov I1, $RESULT

Len I1

Cmp $RESULT, 04

Je CW_GO

AB1:

Cmp $RESULT, 03

Jne AB2

Eval "0 {I1}"

Mov I1, $RESULT

Jmp CW_GO

AB2:

Cmp $RESULT, 02

Jne AB3

Eval "00 {I1}"

Mov I1, $RESULT

Jmp CW_GO

AB3:

Cmp $RESULT, 01

Jne AB4

Eval "000 {I1}"

Mov I1, $RESULT

Jmp CW_GO

AB4:

Cmp $RESULT, 00

Jne AB5

Mov I1, "0000"

Jmp CW_GO

AB5:

Pause

CW_GO:

Itoa I2, 16.

Mov I2, $RESULT

Len I2

Cmp $RESULT, 04

Je CW_GO_2

AB1A:

Cmp $RESULT, 03

Jne AB2A

Eval "0 {I2}"

Mov I2, $RESULT

Jmp CW_GO_2

AB2A:

Cmp $RESULT, 02

Jne AB3A

Eval "00 {I2}"

Mov I2, $RESULT

Jmp CW_GO_2

AB3A:

Cmp $RESULT, 01

Jne AB4

Eval "000 {I2}"

Mov I2, $RESULT

Jmp CW_GO_2

AB4A:

Cmp $RESULT, 00

Jne AB5A

Mov I2, "0000"

Jmp CW_GO_2

AB5A:

Pause

CW_GO_2:

Eval "{I1}-{I2}"

Mov test, # # + $RESULT

Mov [mem], test

Mov eax, ID_2

Shr eax, 10

Mov I3, ax

Mov eax, ID_2

Mov I4, ax

Itoa I3, 16.

Mov i3, $RESULT

Len I3

Cmp $RESULT, 04

Je CW_GO_3

AB1B:

Cmp $RESULT, 03

Jne AB2B

Eval "0 {I3}"

Mov i3, $RESULT

Jmp CW_GO_3

AB2B:

Cmp $RESULT, 02

Jne AB3B

Eval "00 {I3}"

Mov i3, $RESULT

Jmp CW_GO_3

AB3B:

Cmp $RESULT, 01

Jne AB4B

Eval "000 {I3}"

Mov i3, $RESULT

Jmp CW_GO_3

AB4B:

Cmp $RESULT, 00

Jne AB5B

Mov I3, "0000"

Jmp CW_GO_3

AB5B:

Pause

CW_GO_3:

Itoa I4, 16.

Mov I4, $RESULT

Len I4

Cmp $RESULT, 04

Je CW_GO_4

AB1C:

Cmp $RESULT, 03

Jne AB2C

Eval "0 {I4}"

Mov I4, $RESULT

Jmp CW_GO_4

AB2C:

Cmp $RESULT, 02

Jne AB3C

Eval "00 {I4}"

Mov I4, $RESULT

Jmp CW_GO_4

AB3C:

Cmp $RESULT, 01

Jne AB4C

Eval "000 {I4}"

Mov I4, $RESULT

Jmp CW_GO_4

AB4C:

Cmp $RESULT, 00

Jne AB5C

Mov I4, "0000"

Jmp CW_GO_4

AB5C:

Pause

CW_GO_4:

Eval "{I3}-{I4}"

Mov test, # # + $RESULT

Mov [mem+0A], test

BIG_LOOP:

Mov CALC, mem

BIG_LOOP_2:

Cmp [mem], 61, 01

Je 20

Cmp [mem], 62, 01

Je 20

Cmp [mem], 63, 01

Je 20

Cmp [mem], 64, 01

Je 20

Cmp [mem], 65, 01

Je 20

Cmp [mem], 66, 01

Je 20

BIG_LOOP_3:

Inc mem

Inc counta

Cmp counta, 13

Je FERTIG

Jmp BIG_LOOP_2

20:

Sub [mem], 20

Jmp BIG_LOOP_3

FERTIG:

Mov mem, CALC

Mov counta, 00

Cmp SECOND_LOOP, 01

Je END_SECOND_LOOP

Readstr [mem], 13

Mov STRING, $RESULT

Str STRING

Mov STRING, STRING

Mov eax, temp2

Fill mem, 100, 00

Mov temp2, eax

Mov test, # + "0000-0000-0000-0000"

Mov [mem], test

Mov eax, [esp+10]

Mov I1, ax

Shr eax, 10

Mov I2, ax

Mov eax, [esp+14]

Mov I3, ax

Shr eax, 10

Mov I4, ax

Itoa I1, 16.

Mov I1, $RESULT

Len I1

Cmp $RESULT, 04

Je CW_GO_5

AB1D:

Cmp $RESULT, 03

Jne AB2D

Eval "0 {I1}"

Mov I1, $RESULT

Jmp CW_GO_5

AB2D:

Cmp $RESULT, 02

Jne AB3D

Eval "00 {I1}"

Mov I1, $RESULT

Jmp CW_GO_5

AB3D:

Cmp $RESULT, 01

Jne AB4D

Eval "000 {I4}"

Mov I1, $RESULT

Jmp CW_GO_5

AB4D:

Cmp $RESULT, 00

Jne AB5D

Mov I1, "0000"

Jmp CW_GO_5

AB5D:

Pause

CW_GO_5:

Itoa I2, 16.

Mov I2, $RESULT

Len I2

Cmp $RESULT, 04

Je CW_GO_6

AB1E:

Cmp $RESULT, 03

Jne AB2E

Eval "0 {I2}"

Mov I2, $RESULT

Jmp CW_GO_6

AB2E:

Cmp $RESULT, 02

Jne AB3E

Eval "00 {I2}"

Mov I2, $RESULT

Jmp CW_GO_6

AB3E:

Cmp $RESULT, 01

Jne AB4E

Eval "000 {I2}"

Mov I2, $RESULT

Jmp CW_GO_6

AB4E:

Cmp $RESULT, 00

Jne AB5E

Mov I2, "0000"

Jmp CW_GO_6

AB5E:

Pause

CW_GO_6:

Eval "{I1}-{I2}"

Mov test, # # + $RESULT

Mov [mem], test

Itoa I3, 16.

Mov i3, $RESULT

Len I3

Cmp $RESULT, 04

Je CW_GO_7

AB1F:

Cmp $RESULT, 03

Jne AB2F

Eval "0 {I3}"

Mov i3, $RESULT

Jmp CW_GO_7

AB2F:

Cmp $RESULT, 02

Jne AB3F

Eval "00 {I3}"

Mov i3, $RESULT

Jmp CW_GO_7

AB3F:

Cmp $RESULT, 01

Jne AB4F

Eval "000 {I3}"

Mov i3, $RESULT

Jmp CW_GO_7

AB4F:

Cmp $RESULT, 00

Jne AB5F

Mov I3, "0000"

Jmp CW_GO_7

AB5F:

Pause

CW_GO_7:

Itoa I4, 16.

Mov I4, $RESULT

Len I4

Cmp $RESULT, 04

Je CW_GO_8

AB1G:

Cmp $RESULT, 03

Jne AB2G

Eval "0 {I4}"

Mov I4, $RESULT

Jmp CW_GO_8

AB2G:

Cmp $RESULT, 02

Jne AB3G

Eval "00 {I4}"

Mov I4, $RESULT

Jmp CW_GO_8

AB3G:

Cmp $RESULT, 01

Jne AB4G

Eval "000 {I4}"

Mov I4, $RESULT

Jmp CW_GO_8

AB4G:

Cmp $RESULT, 00

Jne AB5G

Mov I4, "0000"

Jmp CW_GO_8

AB5G:

Pause

CW_GO_8:

Eval "{I3}-{I4}"

Mov test, # # + $RESULT

Mov [mem+0A], test

Mov SECOND_LOOP, 01

Jmp BIG_LOOP

END_SECOND_LOOP:

Readstr [mem], 13

Mov STRING_2, $RESULT

Str STRING_2

Mov STRING_2, STRING_2

Mov eax, temp2

Fill mem, 100, 00

Mov SECOND_LOOP, 00

Mov [mem], ID_1

Mov [mem+04], ID_2

Mov [mem+12], [mem], 2

Mov [mem+10], [mem+2], 2

Mov [mem+16], [mem+4], 2

Mov [mem+14], [mem+6], 2

Mov ID_1, [mem+10]

Mov ID_2, [mem+14]

Fill mem, 100, 00

Bc FOUND

Bphwc

Readstr [eip], 0A

Mov place, $RESULT

Buf place

Mov test,eip

Add test, 05

Gci test, DESTINATION

Mov ort, $RESULT

Eval "jmp {mem}"

Asm eip, $RESULT

Mov [mem], # 81FAAAAAAAAA751A81F9AAAAAAAA7512BABBBBBBBBB9CCCCCCCC89542410894C24149090#

Cmp $RESULT, 01

Jmp END_SECOND_LOOP_2

END_SECOND_LOOP_2:

Add mem, 22

Mov [mem], place

Sub mem, 22

Mov [mem+02], ID

Mov [mem+0A], ID2

Mov [mem+11], ID_1

Mov [mem+16], ID_2

Eval "jmp {ort}"

Asm mem+27, $RESULT

Add PLUS_2, ort

Sub PLUS_2, VMBASE

Mov PLUS_2, PLUS_2

Readstr [mem], 028

Jmp FULL_END

Esto

Pause

VARSINIT:

/ ZENGHW ADD /

Var tempdata

Var vmaddr

Var apiaddr

Var IAT_Start

Var IAT_End

Var vmapiaddr

Var EipForOep_1

Var EipForOep_2

Var EipForOep_3

Var oep

Var bpforoep

Var tmp1

Var tmp2

Var EXTRA_2

Var EXTRA

Var mem

Var SECOND_LOOP

Var STRING_2

Var counta

Var test

Var STRING

Var CALC

Var I1

Var I2

Var I3

Var I4

Var PLUS_1

Var PLUS_2

Var CHECK

Var TEMP_CHECK

Var CODESECTION

Var CODESECTION_SIZE

Var dll

Var call

Gpa "DeviceIoControl", "kernel32.dll"

Mov DeviceIoControl, $RESULT

Gpa "VirtualAlloc", "kernel32.dll"

Mov VirtualAlloc, $RESULT

Gpa "VirtualProtect", "kernel32.dll"

Mov VirtualProtect, $RESULT

Gpa "MapViewOfFile", "kernel32.dll"

Mov MapViewOfFile, $RESULT

Ret

FULL_END:

Cmp TEMP_CHECK, 0

Je FULL_END_2

Free TEMP_CHECK

FULL_END_2:

/ / pause

/ / ret

/ / start:

Findoep:

BPHWCALL

BPHWS bpforoep, "r"

Run

Mov EipForOep_2, eip

Mov EipForOep_2, [EipForOep_2]

And EipForOep_2, 0ff

Cmp EipForOep_2, E8

Je findoep2

Sto

Mov oep, eip

Pause / / after pausing here, you can check IAT START and IAT END first, and then modify the corresponding content in fixiat.

Msg "after pausing here, you can first check the start and end addresses of the IAT, and then modify the corresponding IAT_Start and IAT_Start in the fixiat!"

Jmp fixiat

Findoep2:

/ / msg "after repair, please look for OEP manually!"

Sti

Sto

Mov oep, eip

Fixiat:

Mov IAT_Start, 0040306C / /

Mov IAT_End, 00403098 / /

Fix:

Mov eip, [IAT_Start]

Mov EipForOep_3, eip

Mov EipForOep_3, [EipForOep_3]

And EipForOep_3, 0ff

Cmp EipForOep_3, 68

Jne skipfix2

Sto

Sti

Mov tmp1, eip

Find eip, # 7C#

Cmp $RESULT, 0

Je F2

Mov tmp2, $RESULT

Mov [tmp2], # EB#

Mov eip, tmp1

F2:

Run

Sto

Cmp eip, 07000000

Ja fix2

Mov vmapiaddr, eip

Sub vmapiaddr, vmaddr

Add vmapiaddr, kernel32base

Mov [IAT_Start], vmapiaddr

Add IAT_Start,4

Cmp IAT_Start, IAT_End

Ja end

Cmp [IAT_Start], 0

Je skipfix

Jmp fix

Fix2:

Mov eip, [IAT_Start]

Mov EipForOep_3, eip

Mov EipForOep_3, [EipForOep_3]

And EipForOep_3, 0ff

Cmp EipForOep_3, 68

Jne skipfix2

Sto

Sti

Mov tmp1, eip

Find eip, # 7C#

Cmp $RESULT, 0

Je F3

Mov tmp2, $RESULT

Mov [tmp2], # EB#

Mov eip, tmp1

F3:

Run

Sto

Mov apiaddr, eip

Mov [IAT_Start], apiaddr

Add IAT_Start,4

Cmp IAT_Start, IAT_End

Ja end

Cmp [IAT_Start], 0

Je skipfix

Jmp fix

Skipfix:

Add IAT_Start,4

Cmp [IAT_Start], 0

Je skipfix

Jmp fix

Skipfix2:

Add IAT_Start,4

Cmp IAT_Start, IAT_End

Ja end

Jmp fix

Error:

Msg "Fix IAT wrong!"

Ret

End:

BPHWCALL

Mov eip, oep

AN eip

Ret

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.