How to locate the file feature code, how to locate the file feature code and how to modify the memor

Method 1: Directly modify the hexadecimal method of the feature code.

1.Modification method: Change the hexadecimal system corresponding to the feature code to the hexadecimal system with a numerical difference of 1 or about the same.

2.Scope of application: Be sure to accurately locate the hexadecimal system corresponding to the feature code, and be sure to test it after modification.

No, normal use.

Method 2: Change the case of the string.

1.Modification method: The content corresponding to the feature code is a string, as long as the size of the word is swapped.

2.Scope of application: The content corresponding to the feature code must be a string, otherwise it will not succeed.

Method 3: Equivalent substitution method.

1.Modification method: Replace the assembly command command corresponding to the feature code with the function class instruction.

2.Scope of application: There must be an assembly instruction that can be replaced in the feature code. For example, jn, jne to jmp, etc.

If you don't understand compilation like me, you can check the 8080 compilation manual.

Method 4: Instruction order reversal method.

1.Modification method: Swap the order of ** with feature codes.

2.Scope of application: It has certain limitations, and it cannot affect the normal implementation of the program after the exchange.

Method 5: General jump method.

1.How to change it: Move the feature code to the zero region (the gap between **) and then jump back to execute a JMP.

。First of all, it is necessary to locate the feature code, use software to cut a virus file into n blocks, and then use antivirus software to check and kill them, and the alarm part is the part with the feature code, and finally refine it step by step. Know to target the shortest feature code.

The process is clear, and it is more difficult to change the features with CCL and WinHEX, because it is necessary to ensure that it can still run after the change, and the common method is to change the case of the feature code, or the instruction jump.

It can also be modified with winhex with od. ，

Recommended software myccl,There are instructions on the principle of how to use it, probably to split the file into n segments,Kill them one by one with antivirus software,Find out the feature part,Then locate and split,Lingzhou recheck (a bit like a dichotomy) ruler cherry cover,Memory part (some antivirus software can do memory scanning Songzhen),I had to do my own compilation。

...There are so many online tutorials, but it doesn't feel much use when the age is set to the silver position. Because you are positioning and others are positioning at the same time, but it works at the time.

It won't be out for a month, and it will be invalid. Antivirus software is not stupid. Let's learn some comprehensive no-kill techniques.

First of all, the killing software should be stopped, and then the generated client is opened with myccl, the number of blocks generated for the first time is best between 10-50, and then the generated directory is killed with the killing software, and then the second generation is completed after completion, continue to check and kill the directory until the location can not be found, and then the location of the kill will be recorded in the feature interval, double-click one of the feature positions, delete the directory on the desktop, and then write 100 points in the number of blocks to generate, repeat the first step. Until all the feature codes are located, the mantissa is 2, and it is basically determined. Look at it yourself and do it yourself!

I don't want to say too much about it, and I can't say it clearly. Now if you want to learn to avoid killing, you have to spend money, or you have to study it yourself. Brother go see the tutorial! You've also seen it, knowing that no one has your problem if you don't score it! .

Hehe! This requires professional knowledge! It's not an ordinary rookie who can settle down!

You first load the file you want to locate--- click on the directory [save the file that changed the file division to that directory] -- click OK--- set the number of blocks to about 100-200, which is the number of generated--- click to generate--- and then you use your antivirus software to check and kill the generated directory--- after killing and reading, click [Secondary Processing]-- Knowing that the antivirus software can't kill the virus--- then you check the feature interval --- there is a feature code displayed on it--- right-click to locate it--- next step is the same as the previous step, until it can't kill the virus. The final thing to get is the feature code. There are many types of positioning feature codes, such as file feature codes, memory feature codes, active positioning, etc.

The default MYCCL positioning padding is OO. The segment is also very regular, and the killing soft now has anti-positioning technology, which will not report the virus, or report the virus all, interfering with your positioning, and the accuracy is 2The algorithms for the two positioning are also different.

By default, the multiccl positioning and filling is random, and the segments are randomly named. The accuracy is 1.

The most important thing is that the thickness and width of the lump are not the same as the two positioning algorithms.