This time for everyone to do a variety of antivirus software[free to kill]()tutorial. This tutorial is mainly to dove gray VIP2006 service terminal, for example! Now online a lot of[free to kill]()tutorial, and I've seen a lot, but the[free to kill]()the effect is not very good, with not a few days will be killed, so the real[free kill]()pigeons, or modify the antivirus signatures. Such[free kill]()the effect is better, can achieve long-term[free kill](a). Today this lesson is mainly to tell you over the card bar memory[free kill]()and appearance of[free to kill](), to achieve the overall[free kill](), as long as you learned this method, after do it yourself your own DIY free kill pigeons can be! Okay nonsense not say more, everyone just take a good look at my operation! This is I have to generate a good VIP2006 service end, below we begin the service side need to do[free kill]()the DLL to export to! 这就是鸽子 VIP2006 服务端程序 .exe→MAINDLL.dll→GETKEY.dll everyone saw it, 2 0 0 6 one less hook. the dll file. Previous VIP2005 with HOOK. DLL file, now 2 0 0 6 There are no pull! Do it[free to kill]()it is convenient for some! We first put the card bar virus database upgrade to the latest, and then in the Kabbah check we need to do[free kill]()this 3 files. As you can see, are listed as blacklist. Introduce the card bar the power bar, card bar my personal feeling is now antivirus the most cattle. Oh not to advertise. We do first GETKEY in. DLL is a Keylogger hook. Below to see my action bar, first to a larger location, the first time the first positioning 5 seconds 1 0 0 0 Byte right, as long as it is newspaper toxic, we choose. Then the 2nd location, 5 seconds 3, 2-byte, promising my operation Oh, don't forget to delete the last location. Better to save the result, and then to a detailed 8-byte locator, which can improve[free kill]()efficiency. OK positioned to engage the top of it, then we go with the C32 tool to modify the characteristics of the code can be used in case the modification method, you can also use the jump method, specifically with what we're going to look at it. As you can see, there are letters, then we use the UE to the upper and lower case letters, we here to kill the poison bar, the file is not reported to poison, take a look at the memory of it, with OLB loaded into memory. Killed, illustrate the positioning or not enough accurate, so in time more accurate 4-byte positioning, Oh, it seems there is a to continue. OK last detail of the positioning results out of it, we go to save it. Let's analyze the results of it, the first size 6 0 now, the following are the same right, then we'll choose the first one, to modify the characteristics of the code, use the jump method, see my action bar, use the C32 tool, find 0000B1CA is probably here to pull, if you don't know 1 6-ary words, you can get UE to see Oh, to continue, we put this section of the NOP out, then go below to find the program is void, that is 0 0 0 0 district: 0000B1CB: 6 8 E4BE4000 PUSH 40BEE4 0000B1D0: E8 A7FBFFFF CALL 0000AD7C \--------------------------------------------------0000B1D5 The new entry point JMP 0000B916 that is, returns above the mean? Oh I'm sorry here because of the JMP 0000B1D5 OK to save it, we have to check the poison bar, the file does not Alarm pull, our memory killing, because the Find we just save the DLL, the OK memory has[free to kill](), we now take a look at the guide back to the service end can on-line. The backup of the deleted you can. now we pass to the space up, then use the virtual IE running, we changed keymiansha. exe is transmitted to the space bar, open the virtual host, uploaded it, wait a minute Oh, and the virtual machine to start slow you can fast forward a bit to watch. Open dove VIP2006 waiting on the line, just on the line of these not Oh, I'm a dedicated packet pull, wait a minute, Oh, the first Cup of coffee now, huh. Good pull, we go in, download the just uploaded KEY free to kill the service end of the bar. Because the last time to do the experiment right, also forgot to uninstall optimistic about the pull, I put him removed. OK, ha ha on the line to pull, we look at the function. The function can be, okay, we remove it.

Query Builder