花指令编写手册最新和一批花指令.docx
《花指令编写手册最新和一批花指令.docx》由会员分享,可在线阅读,更多相关《花指令编写手册最新和一批花指令.docx(16页珍藏版)》请在冰豆网上搜索。
花指令编写手册最新和一批花指令
花指令合集(0608)
【深层】伪装PEtite2.2->IanLuck汇编代码:
============================
伪装代码部分:
============================
moveax,0040E000
push004153F3
pushdwordptrfs:
[0]
movdwordptrfs:
[0],esp
pushfw
pushad
pusheax
xorebx,ebx
popeax
popad
popfw
popdwordptrfs:
[0]
popeax
jmpXXXXXXXX'执行到程序的原有OEP
============================
【深层】伪装WCRTLibrary(VisualC++)DLLMethod1->Jibz二进制代码+汇编代码:
============================
伪装代码部分:
============================
使用二进制粘贴以下代码:
558BEC837D0C017541A1C030001085C0740AFFD085C075046AFEEB17680C3000106808300010E88900000085C0595974086AFDFF150820001068043000106800300010E8520000005959
粘贴完毕后,再添加2行汇编语句:
jmpXXXXXXXX'执行到程序的原有OEP
retn0C
1。
伪装vc
VC++程序的入口代码:
PUSHEBP
MOVEBP,ESP
PUSH-1
push415448-\___
PUSH4021A8-/在这段代码中类似这样的操作数可以乱填
MOVEAX,DWORDPTRFS:
[0]
PUSHEAX
MOVDWORDPTRFS:
[0],ESP
ADDESP,-6C
PUSHEBX
PUSHESI
PUSHEDI
ADDBYTEPTRDS:
[EAX],AL/这条指令可以不要!
jmp跳转到程序原来的入口点
******************************************************************************************
2。
跳转
somewhere:
nop/"胡乱"跳转的开始...
jmp下一个jmp的地址/在附近随意跳
jmp.../...
jmp原入口的地址/跳到原始oep
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
新入口:
pushebp
movebp,esp
incecx
pushedx
nop
popedx
dececx
popebp
incecx
loopsomewhere/跳转到上面那段代码地址去!
3.伪装C
融合
把A的代码换成B的
pushebp
movebp,esp
push-1
push111111
push222222
moveax,fs:
[0]
pusheax
movfs:
[0],esp
popeax
movfs:
[0],eax
popeax
popeax
popeax
popeax
movebp,eax
jmp老入口
4.c++
pushebp
movebp,esp
push-1
push111111
push222222
moveax,fs:
[0]
pusheax
movfs:
[0],esp
popeax
movfs:
[0],eax
popeax
popeax
popeax
popeax
movebp,eax
5.MicrosoftVisualC++6.0
PUSH-1
PUSH0
PUSH0
MOVEAX,DWORDPTRFS:
[0]
PUSHEAX
MOVDWORDPTRFS:
[0],ESP
SUBESP,68
PUSHEBX
PUSHESI
PUSHEDI
POPEAX
POPEAX
POPEAX
ADDESP,68
POPEAX
MOVDWORDPTRFS:
[0],EAX
POPEAX
POPEAX
POPEAX
POPEAX
MOVEBP,EAX
JMP原入口
6.
在movebp,eax
后面加上
PUSHEAX
POPEAX
7:
防杀精灵一号防杀代码:
pushebp
movebp,esp
push-1
push666666
push888888
moveax,dwordptrfs:
[0]
pusheax
movdwordptrfs:
[0],esp
popeax
movdwordptrfs:
[0],eax
popeax
popeax
popeax
popeax
movebp,eax
jmp入口
8:
防杀精灵二号防杀代码:
pushebp
movebp,esp
push-1
push0
push0
moveax,dwordptrfs:
[0]
pusheax
movdwordptrfs:
[0],esp
subesp,68
pushebx
pushesi
pushedi
popeax
popeax
popeax
addesp,68
popeax
movdwordptrfs:
[0],eax
popeax
popeax
popeax
popeax
movebp,eax
jmp入口
9.
防杀精灵终极防杀代码
pushebp
movebp,esp
addesp,-0C
addesp,0C
pusheax
jmp入口
10:
木马彩衣(金色鱼锦衣)花代码
pushebp
movebp,esp
addesp,-0C
addesp,0C
moveax,原入口
pusheax
retn
11:
木马彩衣(虾米披风)花代码
pushebp
nop
nop
movebp,esp
incecx
nop
pushedx
nop
nop
popedx
nop
popebp
incecx
loopd/跳转到下面那段代码地址去!
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
nop/"胡乱"跳转的开始...
jmp下一个jmp的地址/在附近随意跳
jmp.../...
jmp原入口的地址/跳到原始oep
12.
VC++5.0代码(木马彩衣无限复活袍):
PUSHEBP
MOVEBP,ESP
PUSH-1
push415448-\___
PUSH4021A8-/在这段代码中类似这样的操作数可以乱填
MOVEAX,DWORDPTRFS:
[0]
PUSHEAX
MOVDWORDPTRFS:
[0],ESP
ADDESP,-6C
PUSHEBX
PUSHESI
PUSHEDI
ADDBYTEPTRDS:
[EAX],AL/这条指令可以不要!
jo00401000/原入口
jno00401000/原入口
db0e8h/花代码
xxxxxx:
nop\
/|\POPEAX|看了,其实这两部分就是花指令
|POPEAX|
|POPEAX/
|JMPyyyyyy(跳回旧入口点:
00100016DB)
|
|
|pushebp<-新入口点:
|movebp,esp
|incecx
|pushedx
|nop
|popedx
|dececx
|popebp
|incecx
|MOVDWORDPTRFS:
[0],EAX\
|POPEAX|
|POPEAX\
|MOVDWORDPTRFS:
[0],EAX|(注意了。
。
花指令)
|POPEAX/
|POPEAX|
|MOVDWORDPTRFS:
[0],EAX/
|loopxxxxxx(这里我向上跳~地址也是自己选的~~)
|_________________++++++(转到地址:
100036c3往回跳)
--------------------------------------------------------------
代码如下:
神话
nop
nop
nop
movebp,esp
push-1
push111111
push222222
moveax,dwordptrfs:
[0]
pusheax
movdwordptrfs:
[0],esp
popeax
movdwordptrfs:
[0],eax
popeax
popeax
popeax
popeax
movebp,eax
moveax,原入口
pusheax
retn
代码如下:
无极
nop
movebp,esp
push-1
push0A2C2A
push0D9038
moveax,fs:
[0]
pusheax
movfs:
[0],esp
popeax
movfs:
[0],eax
popeax
popeax
popeax
popeax
movebp,eax
moveax,原入口
jmpeax
代码如下:
金刚
nop
nop
movebp,esp
push-1
push415448
push4021A8
moveax,fs:
[0]
pusheax
movfs:
[0],esp
addesp,-6C
pushebx
pushesi
pushedi
add[eax],al
moveax,原入口
jmpeax
代码如下:
杀破浪
nop
movebp,esp
push-1
push0
push0
moveax,fs:
[0]
pusheax
movfs:
[0],esp
subesp,68
pushebx
pushesi
pushedi
popeax
popeax
popeax
addesp,68
popeax
movfs:
[0],eax
popeax
popeax
popeax
popeax
movebp,eax
moveax,原入口
jmpeax
代码如下:
痴情大圣
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
pushebp
movebp,esp
addesp,-0C
addesp,0C
moveax,原入口
pusheax
retn
代码如下:
如果*爱
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
pushebp
movebp,esp
incecx
pushedx
nop
popedx
dececx
popebp
incecx
moveax,原入口
jmpeax
--------------------------------------------------------
灰鸽子万能文件捆绑器VIP2005->葛军*
pushebp
movebp,esp
addesp,-124
pushebx
pushesi
pushedi
xoreax,eax
movdwordptrss:
[ebp-124],eax
jmp入口
----------------------------------------------------------
PUSHEBP
MOVEBP,ESP
MOVEAX,0
PUSHEAX
CALL下个指令↓
POPEAX
SUBEAX,0
MOVECX,0
MOVEDX,0
MOVESI,0
MOVEDI,0
MOVEBP,0
ADDEBP,EAX
POPEAX
POPEAX
POPEAX
POPEAX
POPEBP
PUSH入口点
RETN
----------------------------------------------------------------
//BorlandDelphi6.0-7.0
PUSHEBP
MOVEBP,ESP
MOVECX,6
PUSH0下面那个跳到这里
PUSH0
DECECX
JNZ往回跳
PUSHEBX
PUSHESI
PUSHEDI
POPEDI
POPESI
POPEBX
JMP入口点
-----------------------------------------------------------------
pushebp
movebp,esp
incedx
nop
popedx
dececx
popebp
incecx
jmp入口点
-----------------------------------------------------------------
pushebp
movebp,esp
pushebx
movebx,dwordptrss:
[ebp+8]
pushesi
movesi,dwordptrss:
[ebp+C]
pushedi
movedi,dwordptrss:
[ebp+10]
testesi,esi
jmp入口
-----------------------------------------------------------------
0046D4BApopeax
0046D4BBsubeax,7D
0046D4C0pusheax
0046D4C1C3retn
0046D4C2call0046D4BA
-------------------------------------------------------------------
伪装VC7。
0花
最近抓的伪装VC7。
0的花,很短
//---------------------------------
push70
push123456(数字随便)
callA(A为地址)
xorebx,ebx
A地址:
retn
升级会员 