首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. CTF对抗
    3. 发新帖
ZProtect 1.3 1 crackme
发表于: 2008-8-25 22:37 5770

ZProtect 1.3 1 crackme

hxqlky 活跃值
2008-8-25 22:37
5770
/*
OllyDbg & Fantom
*/
var iat_st
var iat_end
var func
var chek
var chj
var oep
var jf
var pf
var iat_sz
var scopy
var ocopy
var chj
var diff
var lbase
var ch2b
var srh
var masc
var mjp

mov srh,401000
var espval
gpa  "VirtualAlloc","kernel32.dll"
bp $RESULT
mov espval,esp-4
erun
erun
bc eip
bphws espval,"r"
erun
mov oep,ebx
bphwc espval
bphws oep, "x"
erun
bphwc oep

cmt eip, "<---OEP"
MSGYN "Oep Faund! Fix Import Continue?"
cmp $RESULT,0
je quitno

Alloc 10000
Cmp $RESULT,0
Je abort
mov iat_stall ,$RESULT
mov scopy,iat_stall

mov oep,eip

mov iat_st,460814
mov ocopy,iat_st

mov iat_end,460f28
mov iat_sz,iat_end
sub iat_sz,iat_st
mov pf,[iat_st]

mov srh,401000

mov pf,00E76509
/*
00E76505    894C24 2C       MOV DWORD PTR SS:[ESP+2C],ECX <----point write edit for you
00E76509    E9 DD000000     JMP 00E765EB
00E7650E    CD 8B           INT 8B

00E50000  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ?........ < --base engine
00E50010  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ?......@.......
00E50020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00E50030  00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00  ............?..
00E50040  0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ?.???L?Th
00E50050  69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is program canno
00E50060  74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS
*/

mov [iat_stall],ecx//eax
add iat_stall,4
add iat_st,4

loop:
cmp iat_end,iat_st
je quit

cmp [iat_st],0
je nextf
mov chj,[iat_st]
cmp chj,00E5FDD0
je gmh
cmp chj,003Ac430
je gpra
and chj,FFFF0000
cmp chj,460000
je iprrep
and chj,FFFF0000
cmp chj,FA0000
je iprstels

add iat_st,4
jmp loop

iprrep:
mov masc,0
mov mjp,0
mov masc,[iat_st]
mov mjp,masc
eval "call {masc}"
mov masc,$RESULT

lr:
FINDCMD srh, masc
cmp $RESULT,0
jne rep

lrj:

eval "jmp {mjp}"
mov mjp,$RESULT
lrjn:
FINDCMD srh, mjp
cmp $RESULT,0
jne repj
ipr:
mov eip,[iat_st]
bp pf

erun

mov [iat_stall],ecx//eax
add iat_stall,4
add iat_st,4

jmp loop

nextf:
cmp [iat_st+4],0
je scz
add iat_stall,4
add iat_st,4
jmp loop
scz:
add iat_st,4
jmp nextf

gmh:
gpa  "GetModuleHandleA","kernel32.dll"
mov [iat_stall],$RESULT
add iat_stall,4
add iat_st,4
jmp loop

gpra:
gpa  "GetProcAddress","kernel32.dll"
mov [iat_stall],$RESULT
add iat_stall,4
add iat_st,4
jmp loop

quit:
pause

MEMCPY ocopy,scopy,iat_sz
mov eip,oep
ret
quitno:
ret

rep:
mov [$RESULT],#FF15#
mov [$RESULT+2],iat_st
jmp lr

iprstels:
mov masc,0
mov masc,[iat_st]
add masc,3
mov masc,[masc]

eval "push {masc}"
mov masc,$RESULT
FINDCMD 46c000, masc
cmp $RESULT,0
je ipr
mov masc,0
mov mjp,0
mov masc,$RESULT
mov mjp,masc
eval "call {masc}"
mov masc,$RESULT
jmp lr

repj:
mov [$RESULT],#FF25#
mov [$RESULT+2],iat_st
jmp lrjn

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

上传的附件:
收藏
免费 0
支持
分享
最新回复 (5)
xiaojiam
雪    币: 261
活跃值: (10)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
私信
2
LZ本人很菜没看懂这汇编是啥子意思!能多两句说明吗?
2008-8-26 09:35
0
lunglungyu
雪    币: 207
活跃值: (10)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
私信
3
不是汇編,是脱壳脚本  ?!
2008-8-26 14:01
0
foresee
雪    币: 222
活跃值: (10)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
私信
4
这个也能刷了?
2008-9-27 17:27
0
范范love
雪    币: 317
活跃值: (93)
能力值: ( LV9,RANK:140 )
在线值:
发帖
回帖
粉丝
私信
5
楼主这个脚本冒似是修复IAT的!
2008-9-28 03:15
0
蚊香
雪    币: 557
活跃值: (10)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
私信
6
ZProtect 1.3 1 crackme  ????????
2008-9-28 13:08
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//