PC Share特征码公布及更改办法

[摘要]. 57 push edi55 8B EC 81 EC 00 01 00 00 80 A5 00 FF FF FF 0000401FDB 00...

. 57 push edi

55 8B EC 81 EC 00 01 00 00 80 A5 00 FF FF FF 00

00401FDB 00 db 00

00401FDC 00 db 00

//***********************************************************************************************************************

瑞星：

pchide.sys：

[特征] 00000D56_00000001

00010D4C: 6A 3B PUSH 3B

00010D4E: 59 POP ECX

00010D4F: 33C0 XOR EAX,EAX //sub eax,eax

00010D51: 8DBD 02FEFFFF LEA EDI,[EBP-1FE]

00010D57: F3 REP STOS DWORD PTR ES:[EDI]

//---------------------------------------------------------------------------------------------------------------------

pcmain.dll：(在这一段的起始位置，有个跳转跳到1000BB49处，将此处上一句的xor eax， eax nop掉就ok了……)

[特征] 0000BB49_00000001 1000C749

1000BB3A: 85C0 TEST EAX,EAX

1000BB3C: 74 08 JE SHORT 1000BB46

1000BB3E: 57 PUSH EDI

1000BB3F: 56 PUSH ESI

1000BB40: 53 PUSH EBX

1000BB41: FFD0 CALL EAX

1000BB43: 8945 0C MOV [EBP+C],EAX

1000BB46: 8B45 0C MOV EAX,[EBP+C]

1000BB49: 5F POP EDI

1000BB4A: 5E POP ESI

//---------------------------------------------------------------------------------------------------------------------

pcinit.exe

[特征] 00000673_00000001 00401273

00400664: 56 PUSH ESI

00400665: 8B31 MOV ESI, [DWORD DS:ECX]

00400667: 57 PUSH EDI

00400668: 66:8B7C24 0C MOV DI, [WORD SS:ESP+C]

0040066D: 66:893C96 MOV [WORD DS:ESI+EDX*4], DI

00400671: 8B31 MOV ESI, [DWORD DS:ECX]

00400673: 0FB710 MOVZX EDX, [WORD DS:EAX] //与上一行交换位置

00400676: 66:8B7C24 10 MOV DI, [WORD SS:ESP+10]

[特征] 00000827_00000001 00401427

0040081D: FFD6 CALL NEAR ESI

0040081F: 6A 06 PUSH 6 //此处在修改卡巴时已经修改过了：原来为：push 1

00400821: 58 POP EAX

00400822: 5F POP EDI

00400823: 5E POP ESI

00400824: 5B POP EBX

00400825: C9 LEAVE

00400826: C2 0C00 RETN C

[特征] 00000D5B_00000001 0040195B

00400D30: FF15 34204000 CALL NEAR [DWORD DS:402034]

00400D36: 8BF8 MOV EDI, EAX

00400D38: 897D EC MOV [DWORD SS:EBP-14], EDI

00400D3B: FF15 38204000 CALL NEAR [DWORD DS:402038]

00400D41: 3D B7000000 CMP EAX, B7

00400D46: 0F84 E1020000 JE 0040102D

00400D4C: 68 30750000 PUSH 7530

00400D51: 57 PUSH EDI

00400D52: FF15 6C204000 CALL NEAR [DWORD DS:40206C]

00400D58: 85C0 TEST EAX, EAX //改为：and eax,eax

//***********************************************************************************************************************

金山：

pchide.sys：

[特征] 00000D3E_00000001

00010D2A: 73 00 JNB SHORT 00010D2C

00010D2C: 5C POP ESP

00010D2D: 0000 ADD [EAX],AL

00010D2F: 0055 8B ADD [EBP-75],DL

00010D32: EC IN AL,DX

00010D33: 81EC 18020000 SUB ESP,218

00010D39: 56 PUSH ESI

00010D3A: 57 PUSH EDI

00010D3B: BE 020D0100 MOV ESI,10D02

00010D40: 8DBD F0FDFFFF LEA EDI,[EBP-210] //和上一行交换位置！

//---------------------------------------------------------------------------------------------------------------------

pcmain.dll：

反向：

[特征] 0000BAB4_00000001

1000BAB3: 55 PUSH EBP

1000BAB4: 8BEC MOV EBP,ESP //与下面一行互换，然后后面的EBP+8等都再加4

1000BAB6: 53 PUSH EBX

1000BAB7: 8B5D 08 MOV EBX,[EBP+8]

1000BABA: 56 PUSH ESI

[特征] 0000BABB_00000001 //上一个已经改了，在一起

[特征] 0000DE28_00000001 //这两处直接改大小写就ok了……（大写+20h=小写）

[特征] 0000DE79_00000001

//---------------------------------------------------------------------------------------------------------------------

pcinit.exe：

[特征] 00001238_00000001 00401E38

[特征] 00001265_00000001 00401E65

00401259: 8965 E8 MOV [EBP-18],ESP

0040125C: 33DB XOR EBX,EBX

0040125E: 895D FC MOV [EBP-4],EBX

00401261: 6A 02 PUSH 2

00401263: FF15 8C204000 CALL [40208C]

//***********************************************************************************************************************

江民：

pchide.sys：

[特征] 00000DAF_00000001

00010D96: 59 POP ECX

00010D97: 59 POP ECX

00010D98: 8D85 F0FDFFFF LEA EAX,[EBP-210]

00010D9E: 50 PUSH EAX

00010D9F: 8D45 F8 LEA EAX,[EBP-8]

00010DA2: 50 PUSH EAX

00010DA3: FF15 10030100 CALL NEAR [10310]

00010DA9: 68 200F0100 PUSH 10F20

00010DAE: 8D85 F8FEFFFF LEA EAX,[EBP-108] //将这一行与上面一行互换

00010DB4: 50 PUSH EAX

//---------------------------------------------------------------------------------------------------------------------

pcmain.dll：

[特征] 0000BB0A_00000001

1000BAF7: 90 NOP

1000BAF8: 90 NOP

1000BAF9: EB 4E JMP SHORT 1000BB49

1000BAFB: 57 PUSH EDI

1000BAFC: 56 PUSH ESI

1000BAFD: 53 PUSH EBX

1000BAFE: E8 F5F8FFFF CALL 1000B3F8

1000BB03: 83FE 01 CMP ESI,1

1000BB06: 8945 0C MOV [EBP+C],EAX //与上面一句互换位置！

1000BB09: 75 0C JNZ SHORT 1000BB17

1000BB0B: 85C0 TEST EAX,EAX

1000BB0D: 75 37 JNZ SHORT 1000BB46

//---------------------------------------------------------------------------------------------------------------------

pcinit.exe：

[特征] 000008BC_00000001 004014BC

[特征] 00000EE4_00000001 00401AE4

00400EC3: 50 PUSH EAX

00400EC4: 8D86 06080000 LEA EAX,[ESI+806]

00400ECA: 50 PUSH EAX

00400ECB: FFD3 CALL EBX

00400ECD: 8D86 06080000 LEA EAX,[ESI+806]

00400ED3: 68 78304000 PUSH 403078

00400ED8: 50 PUSH EAX

00400ED9: FFD3 CALL EBX

00400EDB: 8D8D 34FEFFFF LEA ECX,[EBP-1CC]

00400EE1: 8D86 06090000 LEA EAX,[ESI+906]

00400EE7: 51 PUSH ECX

00400EE8: 50 PUSH EAX

[特征] 000012BA_00000001 00401EBA //转移

00401EB8

关键词： PC Share特征码公布及更改办法