Beidou 4.1 shell and shell modification command

From: jgaoabc Space

In connection with "modifying Beidou 4.1 shell with equivalent replacement code method", we continue to kill it. This is the Add flower command. The flower command we want to add is not common in the world, the flower instruction we added has the actual operation function and simulates some actions of the shell software. The main purpose is to make the soft killer confused. First, look for an empty area. After adding the Beidou shell, there are very few blank areas of the program. Let's change it. You can change it to a version and a map segment in the empty area, these two paragraphs are at the beginning of the program. After modification, the program running is not affected. Modify the version. Use C32ASM to open the compressed file. At the beginning, the next point is the version position. It is a character followed by a 00 structure. Select a period of padding 00, then add the following code:

0043A1A6> 60 pushad current entry point
0043A1A7 E8 00000000 call Server_0.0043A1AC
0043A1AC 5D pop ebp
0043A1AD 83C5 10 add ebp, 10
0043A1B0 3E: 8D45 56 lea eax, dword ptr ds: [ebp + 56]
0043A1B4 8B8D 5C030000 mov ecx, dword ptr ss: [ebp + 35C]
0043A1BA 36: 8B18 mov ebx, dword ptr ss: [eax]
0043A1BD 53 push ebx
0043A1BE 51 push ecx
0043A1BF 6A 01 push 1
0043A1C1 899D 5C030000 mov dword ptr ss: [ebp + 35C], ebx
0043A1C7 8B8D 6C050000 mov ecx, dword ptr ss: [ebp + 56C]
0043A1CD 51 push ecx
0043A1CE 03D8 add ebx, eax
0043A1D0 3E: 895D 56 mov dword ptr ds: [ebp + 56], ebx
0043A1D4 8A5D E9 mov bl, byte ptr ss: [ebp-17]
0043A1D7 80FB 00 cmp bl, 0
0043A1DA ^ 75 E1 jnz short Server_0.0043A1BD
0043A1DC 8D4D 40 lea ecx, dword ptr ss: [ebp + 40]
0043A1DF 58 pop eax
0043A1E0 8985 6C050000 mov dword ptr ss: [ebp + 56C], eax
0043A1E6 5B pop ebx
0043A1E7 03D8 add ebx, eax
0043A1E9 59 pop ecx
0043A1EA 898D 5C030000 mov dword ptr ss: [ebp + 35C], ecx
0043A1F0 58 pop eax
0043A1F1 3E: 8945 56 mov dword ptr ds: [ebp + 56], eax
0043A1F5 8A5D E8 mov bl, byte ptr ss: [ebp-18]
0043A1F8 80FB 00 cmp bl, 0
0043A1FB 61 popad
0043A1FC 0F84 18080000 je Server_0.0043AA1A original entry point

Paste the binary code directly. The binary code is:

60 E8 00 00 00 00 5D 83 C5 10 3E 8D 45 56 8B 8D 5C 03 00 00 36 8B 18 53 51 6A 01 89 9D 5C 03 00 00 8B 8D 6C 05 00 51 03 D8 3E 89 5D 56 8A 5D E9 80 FB 00 75 E1 8D 4D 40 58 89 85 6C 05 00 5B 03 D8 59 89 8D 5C 03 00 00 58 3E 89 45 56 8A 5D E8 80 FB 00 61 0F 84 18 08 00 00

Note that the last sentence should be changed to the original entry point of the program, and then the entry point of the program will be changed to the new entry point by using LOADPE, so that it is OK. You can also add any code after the last sentence, which will not be executed, mainly for anti-virus software. You can also place the commands that jump to the entry point in the middle of the waste code, which is more confusing.

As for the meaning of the flower command, you can understand it by yourself. It is mainly to change some software values through register storage, and then change them back through register storage. (Ebp-17) and (ebp-18) are the top two of the program entry point, to ensure that it is 00.

Example of version segments: