
Jul 28, 2006 - 12:00 a.m.

Gray Pigeon: modifying signature bytes to evade McAfee and Norton 8.0 Enterprise Edition


Today I had a rare chance to get onto a machine in the school computer room, with Norton and McAfee installed. I had never done signature evasion against these two antivirus products, so I decided to modify the file for them.
I will skip the locating process and just give the signature locations:
Norton: starting offset 000B9A4D, offset size 00000007
McAfee: modifying 000B28B8 is enough to evade detection

First generate a server, then open it in C32ASM in hexadecimal mode and press Ctrl+G to jump to 000B9A4D. There is a large block of strings here; these should be the program's control names and property definitions, so changing their letter case does not affect the program's normal execution. Select the range 000B9A4D to 000B9A54 inclusive, right-click, choose "Modify data", then "Case inversion", and finally save the file. A scan with Norton 8.0 Corporate Edition, with the virus database updated today, passed, and the online test succeeded.

PS: judging from information online, Norton's signatures are mostly located in strings, so changing the letter case is generally enough to evade them.
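As an added example (not from the original post), the Python code below shows from the scanner's side why an exact byte signature over a string stops matching after the case inversion described above, and how a case-folded match still finds the string and flags the altered spelling. It goes beyond the ASCII case in the text by also checking UTF-16LE; the string `CtrlName`, both sample buffers and the function names are constructed for illustration.

```python
# Added example: constructed data only. "CtrlName" is a placeholder string,
# not a real signature from any antivirus product.

def exact_hits(buf: bytes, sig: bytes) -> list:
    """Offsets where the fixed byte signature appears unchanged."""
    hits, pos = [], buf.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(sig, pos + 1)
    return hits

def folded_hits(buf: bytes, text: str) -> list:
    """Case-insensitive search for `text` stored as ASCII or UTF-16LE.

    Returns (offset, encoding, case_altered) tuples; case_altered is True
    when the bytes on disk differ from the reference spelling only in
    letter case, which is worth flagging for a control or property name.
    """
    folded = buf.lower()  # bytes.lower() folds ASCII letters only
    results = []
    for enc in ("ascii", "utf-16-le"):
        ref = text.encode(enc)
        needle = ref.lower()
        pos = folded.find(needle)
        while pos != -1:
            on_disk = buf[pos:pos + len(ref)]
            results.append((pos, enc, on_disk != ref))
            pos = folded.find(needle, pos + 1)
    return sorted(results)

# Constructed sample buffers (not taken from any real file).
WIDE = "CtrlName".encode("utf-16-le")
ORIGINAL = b"\x00\x01object CtrlName: TForm\x00" + WIDE
MODIFIED = b"\x00\x01object cTRLnAME: TForm\x00" + WIDE

if __name__ == "__main__":
    for label, buf in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(label, exact_hits(buf, b"CtrlName"), folded_hits(buf, "CtrlName"))
```

The same idea is what a case-insensitive string modifier in a signature language provides; the `case_altered` flag is an extra heuristic assumed here, not something the page describes.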

Next, on the file we just modified, we also modify the McAfee signature.
Use OC to convert the file offset 000B28B8 to its memory address, 004B9CB8. Load the Gray Pigeon server in OD, press Ctrl+G to jump to 004B9CB8, and look at the content:

004B9CB8 4E dec esi

This is a subtraction (decrement). Let's look at the assembly code around it.

004B9CB0 4E dec esi
004B9CB1 004900 add byte ptr ds:[ecx],cl
004B9CB4 43 inc ebx
004B9CB5 004F00 add byte ptr ds:[edi],cl
004B9CB8 4E dec esi
004B9CB9 0000 add byte ptr ds:[eax],al

The instructions do not affect each other's registers, and there are no push or pop stack operations. What we have to do is change the assembly code at 004B9CB8, which changes the signature. The simplest method is to move the code at 004B9CB8 into the zero-filled region at the end of the program and then use a JMP instruction to complete the jump. However, there is no need to do that: just swap the code at 004B9CB5 and 004B9CB8, giving the following form:

004B9CB5 4E dec esi
004B9CB8 004F00 add byte ptr ds:[edi],cl

The code originally at 004B9CB8 has been replaced by the code from 004B9CB5, and the code at 004B9CB5 has been replaced by the code from 004B9CB8. After swapping the order, save the file. A McAfee scan passed, and the online test succeeded.

Finally, use Resource Hacker or another resource editing tool to remove the hacker resources, rename the modified server file to CServer.dat, and overwrite the copy in Gray Pigeon's Cache directory. (If you can't manage it, look for the Small 7 video.)