Compilation-based antivirus evasion (免杀) method - Vulnerability warning - Black Bar Safety Net (黑吧安全网)

ID MYHACK58:62200610292
Type myhack58
Reporter Anonymous (佚名)
Modified 2006-07-09T00:00:00


Today I will use the well-known hacking tool Gray Pigeon (灰鸽子) VIP2005 as the example to show how to use the pseudo-SMC technique, adding a few pseudo-junk instructions (花指令), to turn your own Trojan into an AV-evading (免杀) one. "Pseudo-SMC" here means borrowing the idea of SMC (self-modifying code) to move the entry code somewhere else and add a few junk instructions (garbage code) without changing anything else (I don't know what extra function it adds).

\\Junk instructions (花指令): an anti-disassembly trick that harasses the cracker's disassembler with a pile of useless code and pointless jumps.

(If there is not enough free space you can add a section with TOP or ZeroAdd; the Gray Pigeon server has enough room, so neither tool is used here. Note that TOP cannot be used under Win2000.)

Required tools (all provided):
1. A packer \\your own choice
2. Resource Hacker \\Download: this site
3. LoadPE \\Download:
4. OllyDbg \\Download:

The Gray Pigeon VIP2005 server: the steps here are omitted. Export MAINDLL.DLL \\RCData_2.bin is the part that gets detected; after exporting, change its suffix to DLL or EXE. The rest is not detected and can be deleted. Note: from inside MAINDLL.DLL you can further export two DLLs, GETKEY.DLL and HOOK.DLL.

Note: the RCData_2.dll referred to here is MAINDLL.DLL.

Now we pack RCData_2.dll. Every program should be packed before it is modified, because once modified it can no longer be packed. The packer is your own choice; here I use the Beidou (北斗) packer, which works well.

First we test with an antivirus to see whether it is detected ~~~~ yes, it is flagged as malicious ~~~~ my PC only has Kaspersky (卡巴), but the others I tested also pass.

Now the main steps begin. ~~~~ Keep your eyes open, oh ~~~~ To save time we modify RCData_2.dll directly here (that is, MAINDLL.DLL; the small DLLs inside it use the same method). Open RCData_2.dll with LoadPE and record the entry point and the image base:
Entry point: 000DF647 \\add the image base below to get the VA
Image base: 13140000
New entry address: 13266ED0 \\the address I chose

Then open RCData_2.dll in OllyDbg, scroll down to find an empty area and pick an address there as the new entry address (write this address down; I put mine at the top ↑).

At the new address enter the following code in order:
push ebp
mov ebp,esp
inc ecx
push edx
nop
pop edx
dec ecx
pop ebp
inc ecx
loop A \\A is the blank spot that follows at the new address

A: \\13266EE4
nop
jmp j1 \\JMP means jump; j1 is another blank address

j1: jmp j2 \\at j1 enter a jump to yet another address (j2)
nop
............... \\keep jumping like this
jmp jn \\jump N times until jn
jn: jmp 1321F647 \\at jn jump back to the old entry address (entry point + image base = 1321F647)
Then select our modified code, choose Copy to executable > Selection, and in the new window save the file.

Finally, use LoadPE to set the entry point of the file just saved to the new entry we recorded: 13266ED0 minus the image base 13140000 = 126ED0. Save, click OK, and then check with the antivirus again~~~~~~~~~~

Success!! By the way, after you put the DLL back you can also modify the server .exe with the same method; I won't demonstrate it, otherwise this video would be too big!