UPX 文件头前=NOP
-----------------------------------------------------------------
somewhere:
nop /"胡乱"跳转的开始...
jmp 下一个jmp的地址 /在附近随意跳 这里可以直接跳到程序的OEP
jmp ... /...
jmp 原入口的地址 /跳到原始oep
---
push ebp
mov ebp,esp
push -1
push 111111
push 222222
mov eax,dword ptr fs:[0]
push eax
mov dword ptr fs:[0],esp
add esp,-6C
push ebx
push esi
push edi
push ebp
mov ebp,esp
inc ecx
push edx
nop
pop edx
dec ecx
pop ebp
inc ecx
loop 往上跳
nop
jmp 入口点
新入口点加1 vmprotect转存 北斗2.3加壳
-----------------------------------------------------------------
eb 01 3次
nop
jmp 入口
3 nop
C4
PUSH EBP
MOV EBP,ESP
PUSH -1
PUSH 416698 0
PUSH 413D3C 0
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
SUB ESP,68
PUSH EBX
PUSH ESI
PUSH EDI
XOR EBX,EBX
PUSH 2
ADD ESP,0C
POP EBX
ADD ESP,68
POP DWORD PTR FS:[0]
ADD ESP,0C
POP EBP
JMP 入口
PUSH EBP
MOV EBP,ESP
PUSH -1
PUSH 414895 0
PUSH 403678 0
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
ADD ESP,-6C
PUSH EBX
PUSH ESI
PUSH EDI
ADD BYTE PTR DS:[EAX],AL
JO SHORT 入口
JNO SHORT 入口
CALL 0045687D
B1 01 mov cl,1
2C 90 sub al,90
95 xchg eax,ebp
4D dec ebp
65:42 inc edx
40 inc eax
20C4 and ah,al
8350 06 6E adc dword ptr ds:[eax+6],6E
226A E4 and ch,byte ptr ds:[edx-1C]
E8 B15FBC5B call 入口点
55 push ebp
8BEC mov ebp,esp
51 push ecx
53 push ebx
8BD8 mov ebx,eax
8BC3 mov eax,ebx
04 9F add al,9F
2C 1A sub al,1A
73 03 jnb 入口点
ADD BYTE PTR DS:[EAX],AL
push ebp
mov ebp,esp
inc ecx
push edx
nop
pop edx
dec ecx
pop ebp
inc ecx
call 原入口点
call 原入口点
retn
NOP
PUSH EDX
MOV EDX,ESP
POP EDX
ADD EDI,90
NOP
JMP ‘下一个地址,即 ADD EDI,-90’
ADD EDI,-90
NOP
PUSHAD
NOP
POPAD
NOP
LOOPD ‘PUSHAD的上一个地址,即NOP’
NOP
jmp 入口
NOP
(对吧?)
push ebp
pop ebp
mov cl, 1
sub al, 90
xchg eax, ebp
dec ebp
inc edx
inc eax
and ah, al
adc dword ptr [eax+6], 6E
and ch, [edx-1C]
nop
nop
nop
nop
call 004A1E48
nop
nop
nop
nop
push ebp
nop
nop
pop ebp
inc ecx
nop
mov dword ptr fs:[0],esp
nop
push edx
nop
pop edx
inc ecx
nop
add esp,-0C
nop
add esp,0C
nop
mov dword ptr fs:[0],esp
sub esp, 68
push ebx
push esi
push edi
pop eax
pop eax
pop eax
add esp, 68
mov eax, 原入口
push eax
retn
新花指令收集
00881000 > 50 PUSH EAX
00881001 58 POP EAX
00881002 90 NOP
00881003 8BEC MOV EBP,ESP
00881005 6A FF PUSH -1
00881007 68 11111100 PUSH 111111
0088100C 68 22222200 PUSH 222222
00881011 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00881017 50 PUSH EAX
00881018 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
0088101F 58 POP EAX
00881020 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
00881026 58 POP EAX
00881027 58 POP EAX
00881028 58 POP EAX
00881029 58 POP EAX
0088102A 8BE8 MOV EBP,EAX
0088102C B8 34A64000 MOV EAX,40A634
00881031 50 PUSH EAX
00881032 C3 RETN
00881033 90 NOP
50 58 90 8B EC 6A FF 68 11 11 11 00 68 22 22 22 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 B8 34 A6 40 00 50 C3 90
00881000 > 93 XCHG EAX,EBX ; getkey.<模块入口点>
00881001 8BEC MOV EBP,ESP
00881003 6A FF PUSH -1
00881005 68 2A2C0A00 PUSH 0A2C2A
0088100A 68 38900D00 PUSH 0D9038
0088100F 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00881015 50 PUSH EAX
00881016 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
0088101D 58 POP EAX
0088101E 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
00881024 58 POP EAX
00881025 58 POP EAX
00881026 58 POP EAX
00881027 58 POP EAX
00881028 8BE8 MOV EBP,EAX
0088102A B8 34A64000 MOV EAX,40A634
0088102F FFE0 JMP EAX
00881031 90 NOP
93 8B EC 6A FF 68 2A 2C 0A 00 68 38 90 0D 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 B8 34 A6 40 00 FF E0 90
00881000 > 50 PUSH EAX
00881001 58 POP EAX
00881002 8BEC MOV EBP,ESP
00881004 6A FF PUSH -1
00881006 68 48544100 PUSH 415448
0088100B 68 A8214000 PUSH 4021A8
00881010 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00881016 50 PUSH EAX
00881017 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
0088101E 83C4 94 ADD ESP,-6C
00881021 53 PUSH EBX
00881022 56 PUSH ESI
00881023 57 PUSH EDI
00881024 0000 ADD BYTE PTR DS:[EAX],AL
00881026 B8 34A64000 MOV EAX,40A634
0088102B FFE0 JMP EAX
0088102D 90 NOP
50 58 8B EC 6A FF 68 48 54 41 00 68 A8 21 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 C4 94 53 56 57 00 00 B8 34 A6 40 00 FF E0 90
00881000 > 93 XCHG EAX,EBX ; getkey.<模块入口点>
00881001 8BEC MOV EBP,ESP
00881003 6A FF PUSH -1
00881005 68 00000000 PUSH 0
0088100A 68 00000000 PUSH 0
0088100F 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00881015 50 PUSH EAX
00881016 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
0088101D 83EC 68 SUB ESP,68
00881020 53 PUSH EBX
00881021 56 PUSH ESI
00881022 57 PUSH EDI
00881023 58 POP EAX
00881024 58 POP EAX
00881025 58 POP EAX
00881026 83C4 68 ADD ESP,68
00881029 58 POP EAX
0088102A 67:64:A3 0000 MOV DWORD PTR FS:[0],EAX
0088102F 58 POP EAX
00881030 58 POP EAX
00881031 58 POP EAX
00881032 58 POP EAX
00881033 8BE8 MOV EBP,EAX
00881035 B8 34A64000 MOV EAX,40A634
0088103A FFE0 JMP EAX
0088103C 90 NOP
93 8B EC 6A FF 68 00 00 00 00 68 00 00 00 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 58 58 58 83 C4 68 58 67 64 A3 00 00 58 58 58 58 8B E8 B8 34 A6 40 00 FF E0 90
00881000 > 90 NOP
00881001 93 XCHG EAX,EBX
00881002 90 NOP
00881003 93 XCHG EAX,EBX
00881004 90 NOP
00881005 90 NOP
00881006 90 NOP
00881007 50 PUSH EAX
00881008 90 NOP
00881009 58 POP EAX
0088100A 90 NOP
0088100B 90 NOP
0088100C 90 NOP
0088100D 90 NOP
0088100E 90 NOP
0088100F 90 NOP
00881010 55 PUSH EBP
00881011 8BEC MOV EBP,ESP
00881013 83C4 F4 ADD ESP,-0C
00881016 83C4 0C ADD ESP,0C
00881019 B8 34A64000 MOV EAX,40A634
0088101E 50 PUSH EAX
0088101F C3 RETN
90 93 90 93 90 90 90 50 90 58 90 90 90 90 90 90 55 8B EC 83 C4 F4 83 C4 0C B8 34 A6 40 00 50 C3
00881000 > 90 NOP
00881001 90 NOP
00881002 50 PUSH EAX
00881003 90 NOP
00881004 58 POP EAX
00881005 90 NOP
00881006 90 NOP
00881007 93 XCHG EAX,EBX
00881008 90 NOP
00881009 90 NOP
0088100A 93 XCHG EAX,EBX
0088100B 90 NOP
0088100C 90 NOP
0088100D 90 NOP
0088100E 90 NOP
0088100F 90 NOP
00881010 55 PUSH EBP
00881011 8BEC MOV EBP,ESP
00881013 41 INC ECX
00881014 52 PUSH EDX
00881015 90 NOP
00881016 5A POP EDX
00881017 49 DEC ECX
00881018 5D POP EBP
00881019 41 INC ECX
0088101A B8 34A64000 MOV EAX,40A634
0088101F FFE0 JMP EAX
00881021 90 NOP
00881022 90 NOP
90 90 50 90 58 90 90 93 90 90 93 90 90 90 90 90 55 8B EC 41 52 90 5A 49 5D 41 B8 34 A6 40 00 FF E0 90 90
somewhere:
nop /"胡乱"跳转的开始...
jmp 下一个jmp的地址 /在附近随意跳 这里可以直接跳到程序的OEP
jmp ... /...
jmp 原入口的地址 /跳到原始oep
---
push ebp
mov ebp,esp
push -1
push 111111
push 222222
mov eax,dword ptr fs:[0]
push eax
mov dword ptr fs:[0],esp
add esp,-6C
push ebx
push esi
push edi
push ebp
mov ebp,esp
inc ecx
push edx
nop
pop edx
dec ecx
pop ebp
inc ecx
loop 往上跳
转储加北斗
PUSHAD
ADD EAX,EAX
ADD EAX,EAX
PUSH ECX
PUSH ECX
PUSH EDX
PUSH EAX
PUSH ECX
PUSH EBX
PUSH ECX
PUSH EDX
PUSH EDX
AND EAX,EAX
POP EBX
POP EAX
POP EDX
ADD EAX,EAX
POP ECX
POP EAX
POP EDX
POP EBX
POP EAX
POP EDX
POPAD
CALL 004C4000
RETN
00 00 00 00 00 00 60 03 C0 03 C0 90 03 C0 90 51 51 52 50 51 53 51 52 52 21 C0 5B 58 5A 03 C0 59
58 5A 5B 58 5A 61 E8 4F F7 FF FF C3 00 00 00 00 00 00 00 00 00 00 00 00
************************************************************************
1.伪装vc++5.0代码:
PUSH EBP
MOV EBP,ESP
PUSH -1
push 415448 -\___
PUSH 4021A8 -/ 在这段代码中类似这样的操作数可以乱填
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
ADD ESP,-6C
PUSH EBX
PUSH ESI
PUSH EDI
ADD BYTE PTR DS:[EAX],AL /这条指令可以不要!
jmp 原入口地址
************************************************************************
2.胡乱跳转代码:
nop
push ebp
mov ebp,esp
inc ecx
push edx
nop
pop edx
dec ecx
pop ebp
inc ecx
loop somewhere /跳转到上面那段代码地址去!
somewhere:
nop /"胡乱"跳转的开始...
jmp 下一个jmp的地址 /在附近随意跳
jmp ... /...
jmp 原入口地址 /跳到原始oep
90 55 8B EC 41 52 90 5A 49 5D 41
转储免杀
************************************************************************
3.伪装c++代码:
push ebp
mov ebp,esp
push -1
push 111111
push 222222
mov eax,fs:[0]
push eax
mov fs:[0],esp
pop eax
mov fs:[0],eax
pop eax
pop eax
pop eax
pop eax
mov ebp,eax
jmp 原入口地址
************************************************************************
4.伪装Microsoft Visual C++ 6.0代码:
PUSH -1
PUSH 0
PUSH 0
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
SUB ESP,68
PUSH EBX
PUSH ESI
PUSH EDI
POP EAX
POP EAX
POP EAX
ADD ESP,68
POP EAX
MOV DWORD PTR FS:[0],EAX
POP EAX
POP EAX
POP EAX
POP EAX
MOV EBP,EAX
JMP 原入口地址
push ebp
mov ebp,esp
jmp
************************************************************************
5.伪装防杀精灵一号防杀代码:
push ebp
mov ebp,esp
push -1
push 666666
push 888888
mov eax,dword ptr fs:[0]
push eax
mov dword ptr fs:[0],esp
pop eax
mov dword ptr fs:[0],eax
pop eax
pop eax
pop eax
pop eax
mov ebp,eax
jmp 原入口地址
************************************************************************
6.伪装防杀精灵二号防杀代码:
push ebp
mov ebp,esp
push -1
push 0
push 0
mov eax,dword ptr fs:[0]
push eax
mov dword ptr fs:[0],esp
sub esp,68
push ebx
push esi
push edi
pop eax
pop eax
pop eax
add esp,68
pop eax
mov dword ptr fs:[0],eax
pop eax
pop eax
pop eax
pop eax
mov ebp,eax
jmp 原入口地址
************************************************************************
7.伪装木马彩衣(无限复活袍)代码:
PUSH EBP
MOV EBP,ESP
PUSH -1
push 415448 -\___
PUSH 4021A8 -/ 在这段代码中类似这样的操作数可以乱填
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
ADD ESP,-6C
PUSH EBX
PUSH ESI
PUSH EDI
ADD BYTE PTR DS:[EAX],AL /这条指令可以不要!
jo 原入口地址
jno 原入口地址
call 下一地址
************************************************************************
8.伪装木马彩衣(虾米披风)代码:
push ebp
nop
nop
mov ebp,esp
inc ecx
nop
push edx
nop
nop
pop edx
nop
pop ebp
inc ecx
loop somewhere /跳转到下面那段代码地址去!
someshere:
nop /"胡乱"跳转的开始...
jmp 下一个jmp的地址 /在附近随意跳
jmp ... /...
jmp 原入口的地址 /跳到原始oep
************************************************************************
9.伪装花花添加器(神话)代码:-----------根据C++改
nop
nop
nop
mov ebp,esp
push -1
push 111111
push 222222
mov eax,dword ptr fs:[0]
push eax
mov dword ptr fs:[0],esp
pop eax
mov dword ptr fs:[0],eax
pop eax
pop eax
pop eax
pop eax
mov ebp,eax
mov eax,原入口地址
push eax
retn
有机会加我QQ吧,小伙子!327721467
nop是空字节,相当于空格
jmp 标号or指针,是跳转,转去执行标号或指针处指令
pop 寄存器,是出栈,从栈中弹出字节到寄存器
你先把王爽的那本16位汇编看了,20天就可以看完了,先把汇编入门再说
你那个最佳答案关键跳随便改有时候会把程序改乱的,还是先读懂程序的意思再改吧。
搞定了汇编在考虑你的免杀,破解,逆向工程吧,别还不会走呢就想跑了。
给我分吧~我教你汇编~~