Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
myhack58佚名MYHACK58:62200610292
HistoryJul 09, 2006 - 12:00 a.m.

Compilation escape the antivirus production methods-vulnerability warning-the black bar safety net

2006-07-0900:00:00
佚名
www.myhack58.com
14
JSON

Today I to famous hacking software dove gray VIP2005, for example, said the following What about the use of pseudo-SMC in the art to add a little pseudo-flower instructions to transform your ownfree killTrojan! It says here that the pseudo-SMC mean the use of SMC principles of the transfer code plus a little pseudo-spend instruction(that is, the garbage code), not make any changes(I don’t know what to increase the What function).
\\Spend instruction:an anti-decompilation tricks(with a bunch of nothing with the code and the boring jump harassment Cracker of disassembly)
(If place is not enough you can use the TOP or ZeroAdd add segments,the Dove of the service end is the place to be, it does not say that the two software were used,the TOP can not in WIN2000 under the use of Oh)
Required tools(http://geren.3322.org 都 有 提供): the
1, the shell tool \\please choose
2, resource hacker \\Download: Station download
3, the loadPE \\download: http://geren.3322.org/down_view.asp?id=53
4, the ollydbg \\download: http://geren.3322.org/down_view.asp?id=55
Mr. dove gray VIP2005 services end here omitted
导出 MAINDLL.DLL \\RCData_2. bin is killed, after the export to modify the suffix of DLL or EXE, the other is not modified can be deleted(not killed)
Note: You can from the MAINDLL. DLL inside and then export the two DLL GETKEY.DLL 与 HOOK.DLL)

Description: 这里的RCData_2.dll就是MAINDLL.DLL that

Then we start to RCData_2. dll plus the shell all of the program recommended to the packers after the modifications, since the modified can not be re-applied shell, shell tool can be your own choice
Below we start the packers,I have chosen to use the big Dipper plus the housing program made of the good stuff)

We first use the antivirus to test whether killedvomitingtoxic is my PC only the card bar, the other I test also can by

The following is the main step to begin.~~~~ open your eyes, Oh~
为了 节省 时间 我们 这里 直接 修改 RCData_2.dll(就是 MAINDLL.DLL,inside the small DLL is also using the same method)
With loadpe open our RCData_4. dll record entry point and base address for RVA
Entry point: 000DF647 +the following base address for RVA,=
The base RVA of: 1 3 1 4 0 0 0 0
The new entrance address: 13266ED0 \\I selected here

然后 用 Ollydbg 打开 RCData_2.dll
Keep down to find a blank place to select an address for the new entry address(please record this address, I put him at the top↑)

Sequentially input the following code:
push ebp
mov ebp,esp
inc ecx
push edx
nop
pop edx
dec ecx
pop ebp
inc ecx
the loop space of a at the new address

To the A: \\13266EE4
nop
jmp j1 \\JMP is the jump mean, the J1 is another blank address

j1: jmp j2 \\jump to the J1 input to jump to another address(J2)
nop

This time, I jump~~
jmp jn \\jump N times to JN
jn: jmp to old entry address(entry point+base RVA)1321F647 \\JN at the jump, of course, is to put him to jump back.
Then select our modified code,copy to executable section, select the section, and then save the file

Finally with loadpe modify just saved the file the new entry is the recording of the new entrance 13266ED0 - (base address RVA)1 3 1 4 0 0 0 0 =126ED0 save OK after OK
We then antivirus look at~~~~~~~~~~

Success!!
Finally the way, you turned back to the DLL after you can also use this method to modify 服务 端 程序 .exe
I’m not a demo, otherwise this video would be too big!

JSON