Home > Cloud Computing > Cloud Security

Shell removal method for Bjfnt v1.3

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

I have seen some people asking me how to remove the bjfnt 1.2 shell over the past few days. So I wrote this article because the latest version is version 1.3, so I will only talk about the 1.3 shell here, I think 1.2 is simpler than 1.3. of course there are countless experts here, but they don't have time to write something out, so I just have to do it.

There are countless instructions. My total experience is to keep F8 until I can see that a loop cannot go through, and then stop and analyze it. There is a large loop in the end, I transferred it in for 10 minutes, Khan ..., I would like to remind you again that we should never use F10 here, because it's all instructions, and it just jumps out in a twinkling of an eye. I'm dizzy ~~~~~~~

In this example, notepad.exe with shell is used.

Program: http://flyfancy.my.west163.com/n.exe

Let's start with the following:

0187: 0040D07D 75EA JNZ 0040D069 (JUMP) // g 0040D07F

0187: 0040D07F EB02 jmp short 0040D083

0187: 0040D081 CD20 INT 20

0187: 0040D083 D9E0 FCHS

0187: 0040D085 6E OUTSB

... (Representing a long F8)

0187: 0040D15E 75E8 JNZ 0040D148 (JUMP) // g 0040D160

0187: 0040D160 EB03 jmp short 0040D165

0187: 0040D162 CD20 INT 20

0187: 0040D164 ebeb jmp short 0040D151

0187: 0040D166 01EB add ebx, EBP

0187: 0040D168 53 PUSH EBX

0187: 0040D169 8B6047 mov esp, [EAX + 47]

0187: 0040D16C 47 INC EDI

0187: 0040D16D 674C DEC ESP

......

0187: 0040D1F1 E2D6 LOOP 0040D1C9 // g 0040D1F3

0187: 0040D1F3 EB03 jmp short 0040D1F8

......

0187: 0040D2DE 75DC JNZ 0040D2BC (JUMP) // g 0040D2E0

0187: 0040D2E0 EB02 jmp short 0040D2E4

0187: 0040D2E2 CD20 INT 20

......

0187: 0040D41B 0F852D040000 jnz near 0040D84E (no jump) // g 0040D84E

0187: 0040D421 EB04 jmp short 0040D427

0187: 0040D423 CD20 INT 20

0187: 0040D425 EB02 jmp short 0040D429

0187: 0040D427 EB02 jmp short 0040D42B

0187: 0040D429 CD20 INT 20

......

0187: 0040D888 754F JNZ 0040D8D9 (no jump) // Haha, I got used to it. I jumped out of the g 0040D8D9 result. Do not be misled!

0187: 0040D88A EB02 jmp short 0040D88E

......

0187: 0040D8B8 E2FB LOOP 0040D8B5 // g 0040D8BA

0187: 0040D8BA EB04 jmp short 0040D8C0

0187: 0040D8BC CD20 INT 20

......

0187: 0040D99B E2F1 LOOP 0040D98E // g 0040D99D

0187: 0040D99D EB02 jmp short 0040D9A1

......

0187: 0040D9FD 75EA JNZ 0040D9E9 (JUMP) // g 0040D9FF

0187: 0040D9FF EB02 jmp short 0040DA03

......

0187: 0040DA30 75F0 JNZ 0040DA22 (JUMP) // 0040DA32

0187: 0040DA32 EB02 jmp short 0040DA36

0187: 0040DA34 c785e8030020.72 + mov dword [EBP + 03E8], 04EB7200

0187: 0040DA3E 58 POP EAX

......

0187: 0040DA47 EB03 jmp short 0040DA4C

0187: 0040DA49 CD20 INT 20

0187: 0040DA4B C7 DB C7

0187: 0040DA4C 9D POPF

0187: 0040DA4D EB03 & nb

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
spyware removal for android another name for method best spyware removal for android virus removal for android apk rules for writing main method return type for method missing best attack method for ddos
Related Article
How does personal cloud security guarantee data security?
Model-driven cloud security-automating cloud security with cl...
Cloud security to achieve effective prevention of the future ...
Focus on three major cloud security areas, you know?
Decrypting Cisco type 5 password hashes
Using redis to write webshell

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More