edi x12

still no effect. I am very disappointed to read articles on the Internet to play. Inadvertently saw an article of Lao Luo, where he wrote a special note grateful to a person who helped him in the technology, pointed out that XXX should clear 0. It seems that he has encountered this problem, I add his code to my program, the miracle found that can be normal infection. I later looked up a lot of information and didn't find out what the structure was, only that it was the 11th member of the Image_

): Access violation - code c0000005 (!!! second chance !!!)*** ERROR: Symbol file could not be found. Defaulted to export symbols for F:\Program Files (x86)\Amazon\Kindle\Kindle.exe - eax=000000dd ebx=000004e4 ecx=00000000 edx=0022ed44 esi=0022ed68 edi=000000ddeip=0197383f esp=0022ed14 ebp=05920448 iopl=0 nv up ei pl nz na po nccs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202Kindle!std::_Init_locks::operator=+0x13

(SAVE) 00400476 33DB xor ebx, ebx00400478 EB jmp short 00400 47e0040047a 83c0 add eax, 0x40040047d, Inc ebx0040047e 8B0C24 mov ECX, DWORD ptr [ESP]; ECX = = Kernel32_imageBase00400481 8B10 mov edx, DWORD ptr [EAX]; API offset00400483 03d1 add edx, ecx; edx = = API Addr00400485 8BFA mov edi, edx; Sava Api Addr00400487 33c9 xor ecx, ecx00400489 push EAX ; Kernel32_exprottable_addrofnames (Sa

This article explains the use of assembly language to find the maximum value of a set of numbers, mainly related to the knowledge points have data segments, loops and so on.# Purpose: Find the largest number in the program # # Variable: The purpose of the Register # %edi-Save the data item index being checked # %EBX-the largest item currently found # %EAX-Current Data # # Use the following memory location: # Data_ Items-Contain

closehandle, hfilePop eax. ElseMoV eax, offset g_szfileopenerror. EndifRETGetpefilesize endp Ispefilemap proc pmapping: DWORDIf d_useseh EQ 1Local seh: sehEndif; d_useseh MoV g_dwvalidpe, falseMoV EDI, pmapping If d_useseh EQ 1Assume FS: NothingPush FS: [0]Pop Seh. prevlinkMoV Seh. currenthandler, offset sehhandlerMoV Seh. safeoffset, offset finalexitLea eax, sehMoV FS: [0], eaxMoV Seh. prevesp, ESPMoV Seh. prevebp, EBPEndif; d_useseh Assume

OnlySetInfectedMark 　　 ; Read all virus block tables Mov eax, ebp; read function number Call edi; read the block table to esi (@ 9) 　　 The following is a complete modification to handle the Winzip self-extracting file error. when you open the self-extracting file, The virus will not be infected. First, the virus obtains the ToRawData pointer of the 2nd block tables, Read the data and determine whether the data contains the "WinZip (R )" 　　 Xchg eax,

Here the "string" is not a single string, including all consecutive data (such as arrays); the string command is only used for memory operations. Move string commands: movsb, movsw, and movsd; from ESI-> EDI; after execution, the ESI and EDI address move the corresponding unit comparison string commands: cmpsb, cmpsw, cmpsd; compare ESI and EDI. After exe

functions during memory construction and analysis? Copy to clipboardprint? 74: manager m; 00401268 lea ecx, [ebp-4] 0040126B call @ ILT + 60 (manager: manager) (00401041) 75 :} 00401270 lea ecx, [ebp-4] 00401273 call @ ILT + 0 (manager ::~ Manager) (00401005) 00401278 pop edi 00401279 pop esi 004020.a pop ebx 004010000b add esp, 44 h 0040da-e cmp ebp, esp 00401280 call _ chkesp (00408760) 00401285 mov esp, ebp 00401287 pop ebp 74: manager m; 004012

Linux-0.11 Memory Management module is the source of the more difficult to understand the part, now the author's personal understanding publishedFirst hair Linux-0.11 kernel memory management get_free_page () function analysisHave time to write other functions or files:)/* *author:davidlin *date:2014-11-11pm *email: [email protected] or [email protected] *world:the City of SZ , in China *ver:000.000.001 *history:editor time do 1) Linpeng 2014-11-11 Created this file! 2) */Here is the source code

] SHL ECx, 3 XOR edX, EDX Lea EDI, [ECx + ESI + 78 H] Movzx eax, word PTR [ESI + 6 H] Imul eax, eax, 28 h Add EDI, eax; locate to the end of the last section ; Start filling in the new section struct This code is easy to locate at the end of the last section after the section table. You may use sizeofheader plus numberofsection * section size 28 h, but I still compare the method I am using. The reason is th

infection was like this, but one day, I found that the Notepad program that was infected with the virus could not be used. I always prompted "invalid Win32 program" that I wrote the virus again, I changed the code but it still didn't work. I am very disappointed to read articles online. I accidentally saw an article by Lao Luo. In one of the articles, he wrote a special comment. I am grateful to someone who helped him with the technology and pointed out that 0 should be cleared at XX. It seems

# generated by the protocol buffer compiler. Do not edit! From GOOGLE.PROTOBUF import descriptor to google.protobuf Import from Google.protobuf import reflection from Goo GLE.PROTOBUF Import DESCRIPTOR_PB2 # @ @protoc_insertion_point (Imports) descriptor = Descriptor. FileDescriptor (name= ' Datum.proto ', package= ' feat_extract ', serialized_pb= ' \n\x0b\x64\x61tum.proto\x12\x0c\x66\ ') X65\x61t_extract\ "i\n\x05\x44\x61tum\

It's free. Let's take a look.ODLoad directly as follows: 00414000> $ E8 00000000 call 0041400500414005 $ 5B pop ebx // locate the code00414006.81EB05024000 sub ebx, 00400205 // The code segment length, followed by a variable0041400C. 64: 8B3D 30000000 mov edi, dword ptr fs: [30] // FS [30]-> PEB, locate kernel32.dll00414013. 8B7F 0C mov edi, dword ptr [edi + C] /

EAX register to the memory location specified by value. Use the memory location of the variable address. as follows, multi-memory specifies multiple values in one command:values:. int 10,20,30,40,50,60,70this creates a series of data values that are contiguous in memory (similar to an array of high-level languages). When referencing data in an array, you must use the system to determine which memory location you want to access. The memory location is determined by the following expression:base_

If you returned a struct object, what would the return statement do? Here is the test code #include using namespace Std;struct BIG{Char buf[100];int i;Long D;}B,B2;Big Bigfun (Big B){b.i=100;return b;}int main (){B2=bigfun (B);return 0;}To set a breakpoint at the beginning and end of main8:int Main ()19: {004012A0 Push EBP004012A1 mov Ebp,esp004012a3 Sub esp,118hPuzzled at first, and analyzed for a long timeThe original (118h-40h) remaining memory block holds two big variablesLow address put bi

push EAX; block table size push edx; edx is the offset of the Virus code block table push esi; buffer address 　　 Combined virus code block and Virus code block table must be less than or equal to the amount of space not used Inc ECX push ecx; Save numberofsections+1 　　 SHL ecx, 03h; multiply 8 push ecx; reserved virus block table space 　　 Add ecx, eax add ecx, edx; offset of the body of the ecx+ file 　　 Sub ecx, (sizeofheaders-@9) [esi] Not ECX Inc ECX; ecx for file header size-offset of

Stack006af03c | ff95 4d0f0000 call dword ptr ss: [EBP + F4D]; kernel32.getmodulehandlea006af042 | 8985 26040000 mov dword ptr ss: [EBP + 426], eax; the handle of kernel32.dll is stored in EBP + 426006af048 8bf8 mov EDI, eax; kernel32.77e40000006af04a 8d5d 5E Lea EBX, dword ptr ss: [EBP + 5E]; "virtualalloc"006af04d 53 push EBX006af04e 50 push eax; kernel32.dll handle006af04f ff95 490f0000 call dword ptr ss: [EBP + f49]; getprocaddress006af055 8985 4d

operation adds ESP to 8, indicating that the stack growth direction is from high address to low address. 00c93a03 mov dword ptr [Sum], eax # function return value stored in eax in the sum variable # function call field int pushparametersorderapp (INT param1, int param2) {00e41f80 push EBP # Save the previous EBP pointer, esp + = 400e41f81 mov EBP, esp # assign the new ESP to EBP and direct it to 00e41f83 sub ESP at the bottom of the current function stack, 0d8h # reserve 216 (0d8) bytes for the

Static _ always_inline void * _ memcpy (void * To, const void * From, size_t N) {int D0, D1, D2; ASM volatile ("rep; movsl \ n \ t "" movl % 4, % ECx \ n \ t "" andl $3, % ECx \ n \ t "" JZ 1f \ n \ t "" rep; movsb \ n \ t "" 1: ":" = C "(D0 ), "= D" (D1), "= S" (D2): "0" (N/4), "G" (N ), "1" (long) to), "2" (long) from): "Memory"); return to;}/** this looks uugly, but the compiler can optimize it totally, * as the Count is const Ant. */static _ always_inline void * _ constant_memcpy (void *

/**author:davidlin*date:2014-11-11pm*email: [email protected] or [email protected]*world:the City of SZ, in China*ver:000.000.001*history:editor time do1) Linpeng 2014-11-11 created this file!2)*/Linux-0.11 Memory Management module is more difficult to understand in the source code part, now the author's personal understanding publishedFirst hair Linux-0.11 kernel memory management get_free_page () function analysisHave time to write other functions or files:)/** Get Physical Address of first (a