How to Use the Reverse-Thinking Approach of CCL to Locate Composite Signatures

Source: Internet
Author: User

The logic of the reverse operation is as follows:

Preparations: unpacking, etc.
0. a. Preparation steps: determine whether the file is a PE file. When the sample is copied, change the two bytes at the entry point to EB FE (an endless loop) so that accidentally running a generated file does not cause system problems.
If the file is not a PE file, the memory-location option is disabled; in that case the manual file-location method used by CCL28 is recommended.
b. Check that the available disk space is at least 30 times the sample size and greater than 30 MB. This keeps enough margin on the disk and minimizes the chance of errors when generating files.

1. a. Zero-filling, as in step 0. First calculate the size of the range to be located (call it Tsize) and set the file pointer to offset Kpoint in the sample file (starting from the end of the file). Then, starting at Kpoint, zero 2^N bytes in turn (Ksize = 1, 2, 4, 8, ...; a custom location range may also be used) and test each result with the anti-virus scanner to see whether it is still detected. Find the smallest Ksize at which the file is no longer detected and call it KsizeMIN. If every file is still detected, the signature lies further forward: move Kpoint forward (toward the start of the file) by Ksize, set Tsize = Tsize - Ksize, and return to step a.
Principle: if the file (or memory image) is not detected, it no longer contains a complete signature, and the zeroed range is reduced. Once it is detected again, a complete set of signatures has been exposed.
c. Examine the value of KsizeMIN. If KsizeMIN = 2, the byte just before Kpoint is the exposed tail of the signature (KpointTAIL = Kpoint - 1); if KsizeMIN = 1, Kpoint itself is the tail (KpointTAIL = Kpoint). Record KpointTAIL, end step 1 and go to step 2. If KsizeMIN is greater than 2, continue with the following step.
d. Take the last point at which the file was still detected as the new Kpoint, and the zeroed size at which it was still detected as the new Tsize: that is, move Kpoint forward by KsizeMIN/2 and set Tsize = Tsize - KsizeMIN/2. Set all bytes after Kpoint to zero to form the new sample, then return to step a and continue.
▲ Note: when locating within a PE file there should be a check box for "include file header" (some anti-virus products, such as Kaspersky, do not recognize files with a damaged header); the box is grayed out when locating a non-PE file, which gives better compatibility.
For memory location, first check whether the file is a PE file. The file header cannot be included and the entry point must be handled specially, so the file signatures must be eliminated first to avoid operation errors.
For every zero-fill, check that the range to be located is not exceeded. (The location must not go beyond the file range; for memory location it must not reach the file header or the zeroed entry point. Otherwise errors or inaccurate positioning will occur.)

2. The KpointTAIL obtained in step 1 is the tail of a signature. Next, locate the head of the signature.
Take the original sample with everything after KpointTAIL zeroed (KpointTAIL itself unchanged) as the new sample. Now apply the single-byte forward zeroing method: for each N in the range 1 to 20, take the byte N positions before KpointTAIL as Kpoint and overwrite that one byte with zero. This generates 20 files, named H_Kpoint_KpointTAIL_0 plus the file extension.
Scan them with the anti-virus software. If none of the files is detected, extend the N range by 20 (the second round covers 20 + 1 to 20 + 20) until some file is detected. At that point, sorting the files in sequence makes it easy to find the smallest Kpoint whose file is not detected. That Kpoint is KpointHEAD.
The range from KpointHEAD to KpointTAIL is one complete composite signature; record it. A signature fragment is generally at most 64 bytes; even at 100 bytes, this step needs only five rounds.
▲ Note: in this step only 20 files are generated at a time, both to save disk space and to save memory during memory location. The range must be checked each time a file is generated in this step; it is enough to check the maximum value of N.


3. After one signature is located, zero it out to form a new sample and test whether the anti-virus software still detects it. If it does, other signature combinations remain: repeat step 1 on this modified file to start a new round of location.
4. Repeat steps 1 to 3 in this way until the anti-virus software no longer detects the file.

(This covers both file location and memory location. Should the file signatures be handled first? Should they be removed before locating in memory?)

In this way only one thread is needed (at most two, with the response interface checked to see whether the operation should be aborted), at most 21 files are generated at a time, and at most 21 files are loaded for memory location. This is because the binary method is used: the worst case is a signature group located at the very beginning (1 KB), and for a 1 MB (2^20 bytes) file one round takes at most 20 passes (20 + 5 - X, assuming the tail of a signature group lies 2^X from the start of the location range). Efficiency should be good.
With this corrected scheme the algorithm is also very concise, and it is several times more efficient than the initial scheme.

▲▲ Notes:
a. Scan each generated file with the anti-virus software (for memory location, after all files are fully loaded) to make sure its verdict is correct. A single misjudged step makes the positioning of the whole round inaccurate.
b. When moving forward, check that the range to be located is not exceeded. (The location must not go beyond the file range; for memory location it must not reach the file header or the zeroed entry point. Otherwise errors or inaccurate positioning will occur.)
c. To prevent system problems caused by accidentally running a generated file, change the two bytes at the entry point to EB FE after each zeroed PE file is built, forming an endless loop. If one is run by mistake, kill it and load it again for memory location.

This can be seen as an integration of CCL and MyCCL; the operation is more convenient and concise than MyCCL.
In this way, no matter how many composite signatures the other side uses, or where they are located, the key points can be located.
This method is semi-automatic positioning and can be used as an extension of CCL.
