Virus program source code instance analysis-example code of CIH virus [2] can be referred to push eax; block table size
Push edx; edx is the offset of the virus code block table
Push esi; buffer address
The total size of the merged virus code block and virus code block tables must be smaller than or equal to the unused space size.
Inc ecx
Push ecx; Save NumberOfSections + 1
Shl ecx, 03 h; multiply by
push EAX; block table size
push edx; edx is the offset of the Virus code block table
push esi; buffer address
Combined virus code block and Virus code block table must be less than or equal to the amount of space not used
Inc ECX
push ecx; Save numberofsections+1
SHL ecx, 03h; multiply 8
push ecx; reserved virus block table space
Add ecx, eax
add ecx, edx
address for all 6F statements ). This CALL is called not only when the money and wood population changes, but even when the Organization is created or destroyed. All we need here is to HOOK the call to the change of money and wood. After all, other abnormal functions have already been written by our predecessors and there is no need to repeat the wheel. (If you are interested, you can analyze it yourself)
You only need to determine the value of edx
compiler used to compile. cpp.We are talking about C + + negotiation folding, so the source file if the. cpp can. (The const constant of C is the last word)
The results of the above program run at least two points:(1) I and J address the same, point to the same piece of space, I though is a collapsible constant, but I do have their own space(2) I and J point to the same piece of memory, but *J = 1 after the memory modification, according to rea
the contents of RAM inside pull. You can go to "see the snow" to learn a simple assembler command.
004f3b9c/$ PUSH EBX
004f3b9d |. 83C4 F8 ADD esp,-8
004f3ba0 |. 8BDA MOV Ebx,edx; Data Destination address after decryption
004f3ba2 |. 8bd4 MOV Edx,esp; Data Delivery Destination Address
004f3ba4 |. B9 04000000 MOV ecx,4; The number of passes is 4
004f3ba9 |. E8 12eef8ff call client.004829c0; Pass the 4 valu
The annual "big project" for reinstallation of the system has been under construction.
Sort out the tools and materials of last year. Today, we start to give our customers a bit of gameplay assistance. (The customer will not mind if it has been more than a year)
Today is the first article.
Analysis notes of long Xiang mi Chuan
Blame
Breakthrough:
Ce searches for the change value and does not stop selecting the blame. Locate the following:Code:
00413b5e-89 be B0 00 00-mov [ESI +
follows:Figure 1 shell check for pandatvIt can be seen that this program is not shelled, so it does not involve shelling, and it is written by Borland Delphi 6.0-7.0. The Code Compiled by Delphi is different from the code written by VC ++. The two most obvious differences are as follows:1. When a function is called, parameters are not transferred completely using stacks, but mainly using registers. That is, the Delphi compiler transfers function parameters using register by default. This is tot
, the MOV instruction has a data format and two operands, so the general form is [Movx s D]. where x is the data format, S is the source operand and D is the purpose operand.Here's a simple example, such as we have an instruction for MOVL%edx%eax. The execution process is as shown.As you can see, the contents of the%edx register are copied to the%EAX register after the instruction is executed. It is necessa
that some characters have been entered in the "Serial Number" column. Leave it empty, enter 123456789 in the "Registration Code" column, and then press the "register" button.ProgramInterrupt at 0x004f0b60, trace and find that the input length is required, re-enter 1234567890 abcdef in the "Registration Code" column, and then press the "register" button. After the interruption, the following code will be tracked:
Code: 004f0bbb mov eax, [EBP + var_10]; [eax] = "1234567890 abcdef"Code: 004f0bbe
will still be stored in the memory; this reference will be reused by firefox in several functions, as shown below:
// In "js::GCMarker::processMarkStackTop()" / mozjs.dll [...] 0x00C07AC3 mov ecx, [edi+14h]// retrieve the ref to the freed object [...] 0x00C07AD8 mov ecx, [ecx]// read into the freed object [...] 0x00C07ADF mov edx, ecx 0x00C07AE1 shr edx, 3 0x00C07AE4 mov [esp+44h+obj], ecx 0x00C07AE8 and
model. Of course, this security model consists of multiple periods.
Sometimes user-State jobs cannot be completed without the core-level functions, which is why native APIs are introduced. Native APIs are non-documented internal function sets and run in kernel mode. Native APIS exist to provide some ways to securely call kernel-mode services in user mode.
A user application can call the native API exported by NTDLL. dll. A large number of functions exported by NTDLL. dll are used to en
\x7a\x1c\ X01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74 "" \x65\x01\x68\x6b\x65\x6e\x42\x68\x40\x42\x72\x6f\x89\xe1\xfe " "\x49\x0b\x31\xc0\x51\x50\xff\xd7" ; int Main (int argc, char **ARGV) {int (*f) (); f = (int (*) ()) Shellcode; (int) (*f) (); After running, a window pops up:The first reaction is the use of the MessageBox, with WinDbg hang a bit, incredibly several versions of the MessageBox have not broken down, carefully think about, this console program does not load User32.
It turns out that there have been checksum-related cracking on the internet. I will interview the checksum compilation code and the vb version for cracking.Currently, I am using the checksum code of vb.Assembly Code of checksum:GOOGLECHECK proc nearVar_8 = dword ptr-8Var_4 = dword ptr-4Url_offset = dword ptr 8Url_length = dword ptr 0ChMagic_dword = dword ptr 10 hPush ebpMov ebp, espPush ecxPush ecxMov eax, [ebp + url_length]Cmp eax, 0ChPush ebxPush esiMov esi, [ebp + magic_dword]; = 0xE6359A60Pu
, that is, taking the pixel (x, y) as the center, to (x-radius, Y) and (x + radius, Y) after the pixels are multiplied by weights, the new pixels are obtained and written to the corresponding points on the target image.
The process ends.
Since the above processing process only performs a "Ten" operation on each pixel of the image, the operation on each pixel point is greatly reduced, and the greater the fuzzy length, the more reduced. As mentioned above, the Q = 3 and r = 5 Fuzzy Operations only
constraint to directly specify the register name.
A % eax
B % ebx
C % ecx
D % edx
S % esi
D % edi
Memory operand constraints (m)
When the operands are in the memory, any operation performed on them will occur directly in the memory location, which is the opposite of the register constraint, the latter stores the value in the register to be modified, and then writes it back to the memory location. But register constraints are generally used
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.