
PC Share特征码公布及更改办法

.  57                    push    edi

55 8B EC 81 EC 00 01 00 00 80 A5 00 FF FF FF 00

00401FDB      00                    db      00

00401FDC      00                    db      00

//***********************************************************************************************************************

瑞星:

pchide.sys:

[特征] 00000D56_00000001

00010D4C:  6A 3B                      PUSH 3B

00010D4E:  59                         POP ECX

00010D4F:  33C0                       XOR EAX,EAX          //sub eax,eax

00010D51:  8DBD 02FEFFFF              LEA EDI,[EBP-1FE]

00010D57:  F3                         REP STOS DWORD PTR ES:[EDI]

//---------------------------------------------------------------------------------------------------------------------

pcmain.dll:(在这一段的起始位置, 有个跳转跳到1000BB49处, 将此处上一句的xor eax, eax nop掉就ok了……)

[特征] 0000BB49_00000001              1000C749

1000BB3A:  85C0                       TEST EAX,EAX

1000BB3C:  74 08                      JE SHORT 1000BB46

1000BB3E:  57                         PUSH EDI

1000BB3F:  56                         PUSH ESI

1000BB40:  53                         PUSH EBX

1000BB41:  FFD0                       CALL EAX

1000BB43:  8945 0C                    MOV [EBP+C],EAX

1000BB46:  8B45 0C                    MOV EAX,[EBP+C]

1000BB49:  5F                         POP EDI

1000BB4A:  5E                         POP ESI

//---------------------------------------------------------------------------------------------------------------------

pcinit.exe

[特征] 00000673_00000001  00401273

00400664:  56                         PUSH ESI

00400665:  8B31                       MOV ESI, [DWORD DS:ECX]

00400667:  57                         PUSH EDI

00400668:  66:8B7C24 0C               MOV DI, [WORD SS:ESP+C]

0040066D:  66:893C96                  MOV [WORD DS:ESI+EDX*4], DI

00400671:  8B31                       MOV ESI, [DWORD DS:ECX]

00400673:  0FB710                     MOVZX EDX, [WORD DS:EAX]       //与上一行交换位置

00400676:  66:8B7C24 10               MOV DI, [WORD SS:ESP+10]

[特征] 00000827_00000001  00401427

0040081D:  FFD6                       CALL NEAR ESI

0040081F:  6A 06                      PUSH 6                   //此处在修改卡巴时已经修改过了:原来为:push 1

00400821:  58                         POP EAX

00400822:  5F                         POP EDI

00400823:  5E                         POP ESI

00400824:  5B                         POP EBX

00400825:  C9                         LEAVE

00400826:  C2 0C00                    RETN C

[特征] 00000D5B_00000001  0040195B

00400D30:  FF15 34204000              CALL NEAR [DWORD DS:402034]

00400D36:  8BF8                       MOV EDI, EAX

00400D38:  897D EC                    MOV [DWORD SS:EBP-14], EDI

00400D3B:  FF15 38204000              CALL NEAR [DWORD DS:402038]

00400D41:  3D B7000000                CMP EAX, B7

00400D46:  0F84 E1020000              JE 0040102D

00400D4C:  68 30750000                PUSH 7530

00400D51:  57                         PUSH EDI

00400D52:  FF15 6C204000              CALL NEAR [DWORD DS:40206C]

00400D58:  85C0                       TEST EAX, EAX              //改为:and  eax,eax

//***********************************************************************************************************************

金山:

pchide.sys:

[特征] 00000D3E_00000001

00010D2A:  73 00                      JNB     SHORT 00010D2C

00010D2C:  5C                         POP     ESP

00010D2D:  0000                       ADD     [EAX],AL

00010D2F:  0055 8B                    ADD     [EBP-75],DL

00010D32:  EC                         IN      AL,DX

00010D33:  81EC 18020000              SUB     ESP,218

00010D39:  56                         PUSH    ESI

00010D3A:  57                         PUSH    EDI

00010D3B:  BE 020D0100                MOV     ESI,10D02

00010D40:  8DBD F0FDFFFF              LEA     EDI,[EBP-210]   //和上一行交换位置!

//---------------------------------------------------------------------------------------------------------------------

pcmain.dll:

反向:

[特征] 0000BAB4_00000001

1000BAB3:  55                         PUSH EBP

1000BAB4:  8BEC                       MOV EBP,ESP  //与下面一行互换, 然后后面的EBP+8等都再加4

1000BAB6:  53                         PUSH EBX

1000BAB7:  8B5D 08                    MOV EBX,[EBP+8]

1000BABA:  56                         PUSH ESI

[特征] 0000BABB_00000001           //上一个已经改了, 在一起

[特征] 0000DE28_00000001              //这两处直接改大小写就ok了……(大写+20h=小写)

[特征] 0000DE79_00000001

//---------------------------------------------------------------------------------------------------------------------

pcinit.exe:

[特征] 00001238_00000001  00401E38

[特征] 00001265_00000001  00401E65

00401259:  8965 E8                    MOV [EBP-18],ESP

0040125C:  33DB                       XOR EBX,EBX

0040125E:  895D FC                    MOV [EBP-4],EBX

00401261:  6A 02                      PUSH 2

00401263:  FF15 8C204000              CALL [40208C]

//***********************************************************************************************************************

江民:

pchide.sys:

[特征] 00000DAF_00000001

00010D96:  59                         POP     ECX

00010D97:  59                         POP     ECX

00010D98:  8D85 F0FDFFFF              LEA     EAX,[EBP-210]

00010D9E:  50                         PUSH    EAX

00010D9F:  8D45 F8                    LEA     EAX,[EBP-8]

00010DA2:  50                         PUSH    EAX

00010DA3:  FF15 10030100              CALL    NEAR [10310]

00010DA9:  68 200F0100                PUSH    10F20

00010DAE:  8D85 F8FEFFFF              LEA     EAX,[EBP-108]     //将这一行与上面一行互换

00010DB4:  50                         PUSH    EAX

//---------------------------------------------------------------------------------------------------------------------

pcmain.dll:

[特征] 0000BB0A_00000001

1000BAF7:  90                         NOP

1000BAF8:  90                         NOP

1000BAF9:  EB 4E                      JMP SHORT 1000BB49

1000BAFB:  57                         PUSH EDI

1000BAFC:  56                         PUSH ESI

1000BAFD:  53                         PUSH EBX

1000BAFE:  E8 F5F8FFFF                CALL 1000B3F8

1000BB03:  83FE 01                    CMP ESI,1

1000BB06:  8945 0C                    MOV [EBP+C],EAX          //与上面一句互换位置!

1000BB09:  75 0C                      JNZ SHORT 1000BB17

1000BB0B:  85C0                       TEST EAX,EAX

1000BB0D:  75 37                      JNZ SHORT 1000BB46

//---------------------------------------------------------------------------------------------------------------------

pcinit.exe:

[特征] 000008BC_00000001  004014BC

[特征] 00000EE4_00000001  00401AE4

00400EC3:  50                         PUSH EAX

00400EC4:  8D86 06080000              LEA EAX,[ESI+806]

00400ECA:  50                         PUSH EAX

00400ECB:  FFD3                       CALL EBX

00400ECD:  8D86 06080000              LEA EAX,[ESI+806]

00400ED3:  68 78304000                PUSH 403078

00400ED8:  50                         PUSH EAX

00400ED9:  FFD3                       CALL EBX

00400EDB:  8D8D 34FEFFFF              LEA ECX,[EBP-1CC]

00400EE1:  8D86 06090000              LEA EAX,[ESI+906]

00400EE7:  51                         PUSH ECX

00400EE8:  50                         PUSH EAX

[特征] 000012BA_00000001  00401EBA         //转移

00401EB8

