What does feature code (antivirus signature) positioning mean, and how do you locate feature codes?

Updated on 2024-03-31
4 answers
  1. Anonymous user, 2024-02-07

    What is a feature code?

    1. What it means: a feature string of no more than 64 bytes that can identify a program as a virus.

    2. To reduce the false positive rate, antivirus software extracts multiple feature strings, and in that case we can often achieve the no-kill (evasion) effect by changing just one place. Of course, some antivirus software requires several places to be changed at the same time to avoid detection. (These methods are described in more detail later.)

    3. The following is a schematic diagram illustrating the concept of a feature code.

    Locating feature codes, and the principle behind it.

    1. How to find the feature code: the feature code in the file is replaced by data we fill in (such as 0); the location where the antivirus software then no longer raises an alarm is the location of the feature code.

    2. Working principle of the feature code locator: some bytes in the original file are replaced with 0 and a new file is generated; the antivirus software then scans these files, and the detection results determine the location of the signature.

    Tools for locating and modifying feature codes:

    Feature code locator.

    Feature code modifier.

    A gadget for converting a file offset to a memory address.

    A hex editor for manually locating or modifying feature codes precisely.

    How to modify the feature code.

    Feature code modification includes file feature code modification and memory feature code modification; because these two kinds of modification share common methods, we give a general overview of the currently popular feature code modification methods.

    Method 1: directly modify the hex bytes of the feature code.

    1. Modification method: change the hex value corresponding to the feature code to a value that differs by 1, or is otherwise close to it.

    2. Scope of application: you must accurately locate the hex bytes corresponding to the feature code, and you must test after modification whether the program still runs normally.

    Method 2: change the case of a string.

    1. Modification method: when the content corresponding to the feature code is a string, simply swap the case of its letters.

    2. Scope of application: the content corresponding to the feature code must be a string, otherwise it will not work.

    Method 3: equivalent substitution.

    1. Modification method: replace the assembly instruction corresponding to the feature code with an instruction of equivalent function.

    2. Scope of application: the feature code must contain an assembly instruction that can be replaced, for example jn or jne to jmp, etc.

    If, like me, you don't understand assembly, you can consult the 8080 assembly manual.

    Method 4: instruction order reversal.

    1. Modification method: swap the order of the ** at the feature code.

    2. Scope of application: it has certain limitations; the swap must not affect the normal execution of the program.

    Method 5: general jump method.

    1. Modification method: move the feature code to a zero region (the gap between **), then use a JMP to jump there and jump back to continue execution.

    Details:

  2. Anonymous user, 2024-02-06

    The feature code is used to determine which category a piece of data belongs to; 40 characters in total.

    It is no longer enough to simply take out one segment of **; instead it is split into segments, and arbitrary content may appear in between (that is, some "mask bytes" that do not take part in the comparison are added, and wherever a "mask byte" appears, nothing at that position takes part in the comparison). This is the concept of the broad-spectrum feature code that has been proposed.

  3. Anonymous user, 2024-02-05

    Recommended software: MyCCL. It comes with instructions on the principle and on how to use it. Roughly: split the file into n segments, scan them one by one with the antivirus software, find the part that triggers, then split and locate again and recheck (a bit like a dichotomy). For the memory part (some antivirus software also does memory scanning), I had to do my own assembly.
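    The locating procedure from the first answer (zero-fill a region, rescan, see whether the alarm goes away) and the split-and-recheck loop attributed to MyCCL in the third answer, written out as an added example. This is not code from the page, from MyCCL, or from any antivirus product: the "scanner" is a constructed toy that matches a few byte patterns, with '?' mask bytes as described in the second answer, and the 128-byte "program" is constructed filler, not a real executable. The signature names and byte patterns are assumptions for illustration only. The locator goes beyond the single-signature case in the text: it starts from a fully zeroed file and restores pieces one at a time, so it finds one hit per signature when the scanner has several.

```python
from typing import Callable, List, Tuple

Range = Tuple[int, int]            # half-open byte range [start, end)
Scanner = Callable[[bytes], bool]  # True means "alarm"

# Constructed toy signature database (assumed patterns, not real AV signatures).
# In the mask, 'x' means the byte must match and '?' is a mask byte that does not
# take part in the comparison, i.e. the broad-spectrum idea from the second answer.
TOY_SIGNATURES = [
    ("cmd_string", b"cmd.exe /c ", "xxxxxxxxxxx"),
    # call rel32 (operand masked) followed by add esp, 4
    ("call_add_esp4", b"\xe8\x00\x00\x00\x00\x83\xc4\x04", "x????xxx"),
]


def match_masked(data: bytes, pattern: bytes, mask: str) -> int:
    """Return the offset of the first masked match of pattern in data, or -1."""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(m == "?" or data[i + j] == pattern[j] for j, m in enumerate(mask)):
            return i
    return -1


def toy_scanner(data: bytes) -> bool:
    """Alarm if any toy signature matches anywhere in the file."""
    return any(match_masked(data, p, m) != -1 for _, p, m in TOY_SIGNATURES)


def zero_ranges(data: bytes, ranges: List[Range]) -> bytes:
    """The locator's basic move: overwrite the given ranges with 0 bytes."""
    buf = bytearray(data)
    for s, e in ranges:
        buf[s:e] = b"\x00" * (e - s)
    return bytes(buf)


def locate_feature_codes(data: bytes, scanner: Scanner, segments: int = 8) -> List[Range]:
    """Find byte ranges whose zeroing silences the scanner.

    Start from a fully zeroed file (which must be clean). Repeatedly split every
    still-zeroed range into `segments` pieces and restore each piece in turn; a piece
    whose restoration brings the alarm back holds signature bytes and stays zeroed.
    Each pass narrows the kept pieces by a factor of `segments` (the "a bit like a
    dichotomy" recheck), and one range survives per independent signature.
    """
    n = len(data)
    if not scanner(data):
        return []  # nothing to locate
    if scanner(zero_ranges(data, [(0, n)])):
        raise ValueError("scanner alarms on an all-zero file; zero-filling cannot locate it")
    zeroed: List[Range] = [(0, n)]
    while any(e - s > 1 for s, e in zeroed):
        refined: List[Range] = []
        for idx, (s, e) in enumerate(zeroed):
            if e - s == 1:
                refined.append((s, e))
                continue
            step = -(-(e - s) // segments)  # ceiling division
            pieces = [(p, min(p + step, e)) for p in range(s, e, step)]
            keep: List[Range] = []
            for i, piece in enumerate(pieces):
                # Restore `piece`; everything not yet cleared stays zeroed.
                trial = refined + keep + pieces[i + 1:] + zeroed[idx + 1:]
                if scanner(zero_ranges(data, trial)):
                    keep.append(piece)
            refined.extend(keep)
        zeroed = refined
    return zeroed


def patch_plus_one(data: bytes, ranges: List[Range]) -> bytes:
    """Method 1 from the first answer: bump each located byte by one.

    This only defeats the toy scanner. In a real binary the byte may belong to an
    instruction or string the program needs, so the result must be tested afterwards.
    """
    buf = bytearray(data)
    for s, e in ranges:
        for i in range(s, e):
            buf[i] = (buf[i] + 1) & 0xFF
    return bytes(buf)


def build_sample() -> bytes:
    """Constructed 128-byte stand-in for a flagged program; not a real executable."""
    buf = bytearray(b"\x90" * 128)
    buf[0:2] = b"MZ"
    buf[40:51] = b"cmd.exe /c "                       # hits cmd_string
    buf[80:88] = b"\xe8\x11\x22\x33\x44\x83\xc4\x04"  # hits call_add_esp4 via the mask
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    hits = locate_feature_codes(sample, toy_scanner)
    print("located:", hits)  # one single-byte range per signature
    print("still flagged after patch?", toy_scanner(patch_plus_one(sample, hits)))
```

    On the constructed sample the locator returns one byte inside each of the two signatures; zeroing or bumping just those two bytes silences the toy scanner, which is the "change one place per signature" situation the first answer describes. A real engine that also scans memory, or that uses more than byte patterns, will not be located this way, which is the point of the fourth answer.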

  4. Anonymous user, 2024-02-04

    ...There are so many online tutorials, but they don't seem to be of much use now. Because while you are locating, others are locating at the same time; it works at the moment, but within a month it will be invalid. Antivirus software is not stupid. Better to learn some comprehensive no-kill techniques.
