The ultimate guide to building hacking tools that antivirus can't kill - Vulnerability warning - Black Bar Security Net

2006-09-25T00:00:00
ID MYHACK58:62200611935
Type myhack58
Reporter Anonymous
Modified 2006-09-25T00:00:00

Description

Antivirus software really is getting more and more powerful these days. Sometimes a backdoor that you went to great trouble to upload to a compromised host (a "broiler") dies an untimely death before it even gets to run, and the more famous a backdoor is, the more likely it is to become the first thing the antivirus blocks. So what do we do, just sit back and do nothing? The answer, of course, is no! Below we talk about how to build, in a short time, a super hacking tool that antivirus does not kill.

First, a look at our test subject: the Dell version of the Ren Wo Xing (任我行) remote control tool. It lets you control someone else's computer as if it were your own, so naturally antivirus kills this kind of thing without discussion (see Figure 1).

Figure 1

Now let's play a little trick to fool Uncle Kaspersky!

One: Unpacking

Our goal is to find the signature in the controlled end (the server file) of Ren Wo Xing and modify it. Everything is hard at the start, so we begin by unpacking it. Many people are defeated before they even set out because they do not unpack, or are afraid to. In fact unpacking is not as hard as you imagine; follow my line of thought and you will believe what I say.

Step one: get the tools ready. We need the packer identifier PEiD, the debugger OllyDbg, and the import table repair tool Import REConstructor. First open the controlled-end file with PEiD; it reports that the file is packed with ASPack 2.12 (see Figure 2).

Figure 2

The second step is critical: look up information on ASPack 2.12 online. In the active community, stars like my idol fly publish all kinds of unpacking articles, and data on every packer is abundant, so we may as well first understand the opponent's characteristics and then prescribe the right medicine; we may even find a ready-made unpacker. The information shows that ASPack 2.12 is a weak packer: the import table is not encrypted, there is no stolen code and no anti-debugging, so it is easy to remove. Now that we have that in mind, let's get our hands dirty.

The first method: use an unpacker. I used AspackDie 1.41 and successfully removed the packer from the controlled end (see Figure 3). One caveat: some unpackers run the target program during unpacking, so it is recommended that everyone unpack inside a virtual machine (virtual machines are covered in a later chapter). Still, for such a simple case, why not unpack by hand and improve your own skill!

Figure 3

The second method: manual unpacking. Open the packed file with OllyDbg and choose NO when the "automatic analysis" window pops up; the packer's junk instructions confuse the analysis, so it is useless here. We are now stopped at the file's entry point.

004FE001 R> 60             pushad
004FE002    E8 03000000    call RUNDLLL.004FE00A
004FE007  - E9 EB045D45    jmp 45ACE4F7
004FE00C    55             push ebp
004FE00D    C3             retn
004FE00E    E8 01000000    call RUNDLLL.004FE014

Remember that first instruction, "pushad". The characteristic of ASPack 2.12 is that not far from the packer's exit there is a matching "popad" instruction; once we see it, we know the exit is close. If you like, you can trace all the way through with F7 and F8 (preferably inside a virtual machine), but since we already know this characteristic we can set a breakpoint directly on the "popad". So we drag the scrollbar down and find the following code:
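The identification PEiD performs in step one, and the entry-point stub listed above, can be reproduced with a small scanner. The following Python is an added example for this article, not the article's own code and not PEiD's database: it parses a PE32 header to find the file offset of the entry point, then compares the bytes there against PEiD-style signatures with "??" wildcards. The ASPack signature is the 18 bytes of the entry-point listing above; the second signature and the sample PE images are constructed here for illustration.

```python
"""
PEiD-style packer identification, as an added example for the article
(not the article's code and not PEiD's own database): find the PE32 entry
point, then compare the bytes there with byte signatures that allow "??"
wildcards. The sample PE images are constructed in memory so the script
runs offline.
"""
import struct

# Byte signatures applied at the entry point. "??" matches any single byte.
SIGNATURES = {
    # The 18 bytes the article lists at 004FE001 of the ASPack 2.12 packed file:
    # pushad; call $+8; jmp ...; push ebp; retn; call $+6
    "ASPack 2.12 entry stub (from the article's listing)":
        "60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00",
    # Constructed signature showing wildcards for instruction immediates
    # (pushad; mov esi,imm32; lea edi,[esi+imm32]; push edi; or ebp,-1).
    # Illustrative only, not an entry from a real signature database.
    "Constructed stub with wildcarded immediates":
        "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF",
}


def parse_signature(text):
    """'60 E8 ?? 00' -> [0x60, 0xE8, None, 0x00]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def matches_at(data, offset, pattern):
    """True if every non-wildcard byte of pattern equals data at offset."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def entry_point_file_offset(image):
    """Return (entry_rva, file_offset, section_name) for an in-memory PE32 file."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24                                          # optional header
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    for i in range(num_sections):                          # section table
        s = opt + opt_size + 40 * i
        name = image[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, s + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            return entry_rva, raw_ptr + (entry_rva - vaddr), name
    raise ValueError("entry point lies outside every section")


def identify_packer(image):
    """Return (matched signature name or None, section holding the entry point)."""
    _, file_off, section = entry_point_file_offset(image)
    for name, sig in SIGNATURES.items():
        if matches_at(image, file_off, parse_signature(sig)):
            return name, section
    return None, section


def build_sample_image(entry_code, packed):
    """Constructed minimal PE32 (image base 0x400000) with .text and .aspack
    sections; the entry point is placed in .aspack at RVA 0xFE001 (as in the
    article) when packed, else at the start of .text."""
    image = bytearray(0x600)
    image[0:2] = b"MZ"
    pe = 0x80
    struct.pack_into("<I", image, 0x3C, pe)
    image[pe:pe + 4] = b"PE\0\0"
    # COFF header: i386, 2 sections, no symbols, 0xE0-byte optional header, EXE|32-bit
    struct.pack_into("<HHIIIHH", image, pe + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = pe + 24
    struct.pack_into("<H", image, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", image, opt + 16, 0xFE001 if packed else 0x1000)
    struct.pack_into("<I", image, opt + 28, 0x400000)      # ImageBase
    sections = [(b".text", 0x1000, 0x1000, 0x200, 0x200),
                (b".aspack", 0x2000, 0xFE000, 0x200, 0x400)]
    for i, (name, vsize, vaddr, raw_size, raw_ptr) in enumerate(sections):
        s = opt + 0xE0 + 40 * i
        image[s:s + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", image, s + 8, vsize, vaddr, raw_size, raw_ptr)
    code_off = 0x401 if packed else 0x200
    image[code_off:code_off + len(entry_code)] = entry_code
    return bytes(image)


ASPACK_STUB = bytes.fromhex("60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00")
PLAIN_PROLOGUE = bytes.fromhex("55 8B EC")                 # push ebp; mov ebp,esp

if __name__ == "__main__":
    for label, img in (("packed", build_sample_image(ASPACK_STUB, True)),
                       ("unpacked", build_sample_image(PLAIN_PROLOGUE, False))):
        rva, off, sect = entry_point_file_offset(img)
        print(f"{label}: entry RVA {rva:#x} at file offset {off:#x} in {sect}: "
              f"{identify_packer(img)[0] or 'no signature match'}")
```

Matching at the entry point only, rather than anywhere in the file, is what keeps this kind of scan fast and is also why the section that holds the entry point is reported alongside the match: a real program whose entry point sits in a section added at the end of the file (here named .aspack) is a strong hint of packing even when no signature fires.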

004FE3AF    61             popad
004FE3B0    75 08          jnz short RUNDLLL.004FE3BA
004FE3B2    B8 01000000    mov eax,1
004FE3B7    C2 0C00        retn 0C
004FE3BA    68 00000000    push 0
004FE3BF    C3             retn

Double-click the popad line to set a breakpoint, then press F9 to let the program run. It very quickly stops at the breakpoint, and the second-to-last line has changed:

004FE3AF    61             popad
004FE3B0    75 08          jnz short RUNDLLL.004FE3BA
004FE3B2    B8 01000000    mov eax,1
004FE3B7    C2 0C00        retn 0C
004FE3BA    68 BC4D4A00    push RUNDLLL.004A4DBC
004FE3BF    C3             retn