55 8B EC 81 EC 00 01 00 00 80 A5 00 FF FF FF 00
00401FDB 00 db 00
00401FDC 00 db 00
//***********************************************************************************************************************
瑞星:
pchide.sys:
[特征] 00000D56_00000001
00010D4C: 6A 3B PUSH 3B
00010D4E: 59 POP ECX
00010D4F: 33C0 XOR EAX,EAX //sub eax,eax
00010D51: 8DBD 02FEFFFF LEA EDI,[EBP-1FE]
00010D57: F3 REP STOS DWORD PTR ES:[EDI]
//---------------------------------------------------------------------------------------------------------------------
pcmain.dll:(在这一段的起始位置, 有个跳转跳到1000BB49处, 将此处上一句的xor eax, eax nop掉就ok了……)
[特征] 0000BB49_00000001 1000C749
1000BB3A: 85C0 TEST EAX,EAX
1000BB3C: 74 08 JE SHORT 1000BB46
1000BB3E: 57 PUSH EDI
1000BB3F: 56 PUSH ESI
1000BB40: 53 PUSH EBX
1000BB41: FFD0 CALL EAX
1000BB43: 8945 0C MOV [EBP+C],EAX
1000BB46: 8B45 0C MOV EAX,[EBP+C]
1000BB49: 5F POP EDI
1000BB4A: 5E POP ESI
//---------------------------------------------------------------------------------------------------------------------
pcinit.exe
[特征] 00000673_00000001 00401273
00400664: 56 PUSH ESI
00400665: 8B31 MOV ESI, [DWORD DS:ECX]
00400667: 57 PUSH EDI
00400668: 66:8B7C24 0C MOV DI, [WORD SS:ESP+C]
0040066D: 66:893C96 MOV [WORD DS:ESI+EDX*4], DI
00400671: 8B31 MOV ESI, [DWORD DS:ECX]
00400673: 0FB710 MOVZX EDX, [WORD DS:EAX] //与上一行交换位置
00400676: 66:8B7C24 10 MOV DI, [WORD SS:ESP+10]
[特征] 00000827_00000001 00401427
0040081D: FFD6 CALL NEAR ESI
0040081F: 6A 06 PUSH 6 //此处在修改卡巴时已经修改过了:原来为:push 1
00400821: 58 POP EAX
00400822: 5F POP EDI
00400823: 5E POP ESI
00400824: 5B POP EBX
00400825: C9 LEAVE
00400826: C2 0C00 RETN C
[特征] 00000D5B_00000001 0040195B
00400D30: FF15 34204000 CALL NEAR [DWORD DS:402034]
00400D36: 8BF8 MOV EDI, EAX
00400D38: 897D EC MOV [DWORD SS:EBP-14], EDI
00400D3B: FF15 38204000 CALL NEAR [DWORD DS:402038]
00400D41: 3D B7000000 CMP EAX, B7
00400D46: 0F84 E1020000 JE 0040102D
00400D4C: 68 30750000 PUSH 7530
00400D51: 57 PUSH EDI
00400D52: FF15 6C204000 CALL NEAR [DWORD DS:40206C]
00400D58: 85C0 TEST EAX, EAX //改为:and eax,eax
//***********************************************************************************************************************
金山:
pchide.sys:
[特征] 00000D3E_00000001
00010D2A: 73 00 5C 00 00 00 //data/padding bytes; the original listing was mis-synchronized here (decoded mid-data), the code resumes at 00010D30
00010D30: 55 PUSH EBP
00010D31: 8BEC MOV EBP,ESP
00010D33: 81EC 18020000 SUB ESP,218
00010D39: 56 PUSH ESI
00010D3A: 57 PUSH EDI
00010D3B: BE 020D0100 MOV ESI,10D02
00010D40: 8DBD F0FDFFFF LEA EDI,[EBP-210] //和上一行交换位置!
//---------------------------------------------------------------------------------------------------------------------
pcmain.dll:
反向:
[特征] 0000BAB4_00000001
1000BAB3: 55 PUSH EBP
1000BAB4: 8BEC MOV EBP,ESP //与下面一行互换, 然后后面的EBP+8等都再加4
1000BAB6: 53 PUSH EBX
1000BAB7: 8B5D 08 MOV EBX,[EBP+8]
1000BABA: 56 PUSH ESI
[特征] 0000BABB_00000001 //上一个已经改了, 在一起
[特征] 0000DE28_00000001 //这两处直接改大小写就ok了……(大写+20h=小写)
[特征] 0000DE79_00000001
//---------------------------------------------------------------------------------------------------------------------
pcinit.exe:
[特征] 00001238_00000001 00401E38
[特征] 00001265_00000001 00401E65
00401259: 8965 E8 MOV [EBP-18],ESP
0040125C: 33DB XOR EBX,EBX
0040125E: 895D FC MOV [EBP-4],EBX
00401261: 6A 02 PUSH 2
00401263: FF15 8C204000 CALL [40208C]
//***********************************************************************************************************************
江民:
pchide.sys:
[特征] 00000DAF_00000001
00010D96: 59 POP ECX
00010D97: 59 POP ECX
00010D98: 8D85 F0FDFFFF LEA EAX,[EBP-210]
00010D9E: 50 PUSH EAX
00010D9F: 8D45 F8 LEA EAX,[EBP-8]
00010DA2: 50 PUSH EAX
00010DA3: FF15 10030100 CALL NEAR [10310]
00010DA9: 68 200F0100 PUSH 10F20
00010DAE: 8D85 F8FEFFFF LEA EAX,[EBP-108] //将这一行与上面一行互换
00010DB4: 50 PUSH EAX
//---------------------------------------------------------------------------------------------------------------------
pcmain.dll:
[特征] 0000BB0A_00000001
1000BAF7: 90 NOP
1000BAF8: 90 NOP
1000BAF9: EB 4E JMP SHORT 1000BB49
1000BAFB: 57 PUSH EDI
1000BAFC: 56 PUSH ESI
1000BAFD: 53 PUSH EBX
1000BAFE: E8 F5F8FFFF CALL 1000B3F8
1000BB03: 83FE 01 CMP ESI,1
1000BB06: 8945 0C MOV [EBP+C],EAX //与上面一句互换位置!
1000BB09: 75 0C JNZ SHORT 1000BB17
1000BB0B: 85C0 TEST EAX,EAX
1000BB0D: 75 37 JNZ SHORT 1000BB46
//---------------------------------------------------------------------------------------------------------------------
pcinit.exe:
[特征] 000008BC_00000001 004014BC
[特征] 00000EE4_00000001 00401AE4
00400EC3: 50 PUSH EAX
00400EC4: 8D86 06080000 LEA EAX,[ESI+806]
00400ECA: 50 PUSH EAX
00400ECB: FFD3 CALL EBX
00400ECD: 8D86 06080000 LEA EAX,[ESI+806]
00400ED3: 68 78304000 PUSH 403078
00400ED8: 50 PUSH EAX
00400ED9: FFD3 CALL EBX
00400EDB: 8D8D 34FEFFFF LEA ECX,[EBP-1CC]
00400EE1: 8D86 06090000 LEA EAX,[ESI+906]
00400EE7: 51 PUSH ECX
00400EE8: 50 PUSH EAX
[特征] 000012BA_00000001 00401EBA //转移
00401EB8
……