
用卡巴做免杀（修改壳入口几条指令以绕过卡巴斯基的特征码匹配；原标题"卡吧"为"卡巴"之误）

发表于:2008年1月13日 18时27分41秒阅读(2)评论(0)本文链接:http://user.qzone.qq.com/543002966/blog/1200220061
 

    一、首先对NSPACK3.6的测试

    用OD载入被加过NSPACK壳的DT,复制出入口处前十几行,如下。原文用蓝色加粗标出要修改的位置,纯文本中颜色已丢失:要改的是 004CF308、004CF32E、004CF33A 三行。注意:这份"修改前"列表里这三行的机器码列(83C5 F9、1195、1116)其实已经是修改后指令的编码——sub ebp,7 的编码应为 83ED 07,add dword ptr [ebp-130],edx 应为 0195 D0FEFFFF,add dword ptr [esi],edx 应为 0116——说明列表是在打补丁之后复制的,对照时请以助记符列为准。
    004CF302     E8 00000000      call 复件_(2).004CF307
    004CF307     5D               pop ebp
    004CF308     83C5 F9          sub ebp,7
    004CF30B     8D85 0CFFFFFF    lea eax,dword ptr ss:[ebp-F4]
    004CF311     8338 01          cmp dword ptr ds:[eax],1
    004CF314     0F84 47020000    je 复件_(2).004CF561
    004CF31A     C700 01000000    mov dword ptr ds:[eax],1
    004CF320     8BD5             mov edx,ebp
    004CF322     2B95 A0FEFFFF    sub edx,dword ptr ss:[ebp-160]
    004CF328     8995 A0FEFFFF    mov dword ptr ss:[ebp-160],edx
    004CF32E     1195 D0FEFFFF    add dword ptr ss:[ebp-130],edx
    004CF334     8DB5 14FFFFFF    lea esi,dword ptr ss:[ebp-EC]
    004CF33A     1116             add dword ptr ds:[esi],edx

     修改成如下(原文红色部分即 004CF308 的 sub→add,-7,以及 004CF32E、004CF33A 的 add→adc)。这三处改动并不都是语义等价的:sub ebp,7 换成 add ebp,-7 结果相同,只是 CF/AF/OF 不同,这里之所以安全,是因为下一条读标志位的指令是 cmp,会把标志位覆盖;而 add→adc 会额外加上 CF,此处 CF 来自 004CF322 的 sub edx,[ebp-160](中间的 mov 不改标志位),只有当该减法不借位、且第一条 adc 自身不产生进位时,两条 adc 才与原来的 add 结果一致,否则解压后的地址会差 1,程序会崩溃或行为异常。改完务必实际运行验证,而不只是看扫描结果。
    004CF302     E8 00000000      call 复件_(2).004CF307
    004CF307     5D               pop ebp
    004CF308     83C5 F9          add ebp,-7
    004CF30B     8D85 0CFFFFFF    lea eax,dword ptr ss:[ebp-F4]
    004CF311     8338 01          cmp dword ptr ds:[eax],1
    004CF314     0F84 47020000    je 复件_(2).004CF561
    004CF31A     C700 01000000    mov dword ptr ds:[eax],1
    004CF320     8BD5             mov edx,ebp
    004CF322     2B95 A0FEFFFF    sub edx,dword ptr ss:[ebp-160]
    004CF328     8995 A0FEFFFF    mov dword ptr ss:[ebp-160],edx
    004CF32E     1195 D0FEFFFF    adc dword ptr ss:[ebp-130],edx
    004CF334     8DB5 14FFFFFF    lea esi,dword ptr ss:[ebp-EC]
    004CF33A     1116             adc dword ptr ds:[esi],edx
    之后保存文件,用卡巴扫描,不再报毒。说明:这只说明当时(2008 年)卡巴对 NSPACK 3.6 壳入口的这一条静态特征码不再命中,并不代表其他引擎、启发式/仿真扫描或该厂商后续更新的特征也绕过;这类只改一两个字节的免杀很容易被重新取特征,而且"壳入口被手工改动"本身就是启发式引擎常用的可疑指标。

    二、FSG2.0的测试
    OD载入被FSG2.0加了壳的DT

    复制出入口处前十几行,如下(要改的是 00400162 和 00400168 两处条件跳转)。同上一节一样,这份"修改前"列表的机器码列已是修改后的编码:77 是 ja/jnbe short,jnb short 应为 73。另外 0040015D 那行的 movs 操作数被 OD 的列宽截断,完整应为 movs byte ptr es:[edi],byte ptr ds:[esi]。
    00400154 f>  8725 2C115300    xchg dword ptr ds:[53112C],esp
    0040015A     61               popad
    0040015B     94               xchg eax,esp
    0040015C     55               push ebp
    0040015D     A4               movs byte ptr es:[edi],byte ptr ds:>
    0040015E     B6 80            mov dh,80
    00400160     FF13             call dword ptr ds:[ebx]
    00400162   ^ 77 F9            jnb short fsg2_0.0040015D
    00400164     33C9             xor ecx,ecx
    00400166     FF13             call dword ptr ds:[ebx]
    00400168     77 16            jnb short fsg2_0.00400180
    0040016A     33C0             xor eax,eax

    修改后如下(两处 jnb 改为 ja)。注意这不是等价替换:jnb 在 CF=0 时跳转,ja 要求 CF=0 且 ZF=0,两者在 call dword ptr [ebx] 返回后 CF=0、ZF=1 的情况下行为不同;这里的 call [ebx] 是壳的解压子程序,其返回时 ZF 是否总为 0 无法从本文判断,改完必须实际运行确认解压正常。原文对 FSG 这一节没有给出扫描结果,不要默认它与 NSPACK 一节一样生效。
    00400154 f>  8725 2C115300    xchg dword ptr ds:[53112C],esp
    0040015A     61               popad
    0040015B     94               xchg eax,esp
    0040015C     55               push ebp
    0040015D     A4               movs byte ptr es:[edi],byte ptr ds:>
    0040015E     B6 80            mov dh,80
    00400160     FF13             call dword ptr ds:[ebx]
    00400162   ^ 77 F9            ja short fsg2_0.0040015D
    00400164     33C9             xor ecx,ecx
    00400166     FF13             call dword ptr ds:[ebx]
    00400168     77 16            ja short fsg2_0.00400180
    0040016A     33C0             xor eax,eax
