Is it better to add flowers or shells to do no kill?

It depends on the actual situation. Isn't there a saying that "whether it's a black cat or a white cat, it's a good cat that can catch mice".

Flower is to transfer to other blank places at the feature code. Then add the jump command to the feature code just now. Jump to that empty space where you are transferred.

In fact, it's just jumping around. I guess flower means fancy here. in a rage.

But be careful not to disrupt the balance of the stack

Packing refers to "actually using a special algorithm to compress and encrypt the resources in the exe and dll files." Similar to the effect of winzip, except that this compressed file can be run independently, and the decompression process is completely hidden, all completed in memory. They are attached to the original program and loaded into memory through the windows loader, executed before the original program, get control, decrypt and restore the original program during the execution process, and then return the control to the original program after the restoration is completed, and execute the original ** part.

After adding the shell, the original program ** generally exists in the encrypted form in the disk file, and is only restored in memory when executed, so that it can effectively prevent the cracker from illegally modifying the program file, and at the same time, it can also prevent the program from being statically decompiled"=

All belong to packing.

Distinguish. The shell of the protection type is a change in the directive. At the beginning of the program, it will be changed back by an inverse algorithm.

The compression class has the same meaning as winrar, and it needs to be decompressed when it is run (the shell decompresses itself, and it can't be seen).

You have a lot of questions. Just 5 points. It's really picky.。。

The case is hypothetical, I wrote a program myself. There's some core in it that you don't want others to see.

If you don't want others to decompile and crack the registration mechanism part of the software), then use a protective shell to encrypt the core.

Example: VMPotect is a new generation of software protection system that puts the protected ** into a virtual machine, which will make it extremely difficult to analyze the decompiled ** and crack it. Using a map file or the built-in decompilation engine, you can quickly select which ones you need to protect.

At the moment it is more difficult to break the shell).

In this way, the antivirus software cannot be detected

Kill-free, as the name suggests, means to avoid being killed by anti-virus software! There are also many ways to avoid killing, and we use different methods for different situations. File no-kill:

Flower Modify the feature code of the file Packing Modify the packed file. Memory no-kill: modifies the feature code.

Acts are exempt from killing. Now I'm going to unravel the mystery of no-kill. (I don't do an in-depth discussion of no-kill here, only analyze the principle, after all, this is not a hacker tutorial) Add flowers Add flowers is a common means of virus free killing, and the principle of adding flowers is to add flower instructions (some garbage instructions, useless statements such as adding 1 minus 1) so that the antivirus software can not detect the feature code.

Flowering can be divided into adding flowers in the area and adding flowers to the head. (only to understand, not to explain) Feature code modification Some antivirus software will not be recognized after adding flowers, but some stronger antivirus software, such as Kaspersky, may still be killed, at this time, it is necessary to locate the feature code modification, to modify the feature code, it is necessary to locate the feature code located by the virus database of the antivirus software, which has a certain degree of difficulty, especially the positioning of the composite feature code, but although the composite feature code increases the difficulty of locating the feature code, the composite feature code also has its weaknesses, Because defining a composite signature requires several times the virus database of a single signature code, which is inconvenient for users to upgrade the virus database, antivirus software vendors do not make too many composite signatures except for particularly popular viruses. After locating the feature code, it is time to modify the feature code, and there are two main methods:

Direct modification method, jump modification method. The direct modification method uses the replacement of equivalent instructions, or the change of the order of instructions does not affect the effect of execution. Another is that if the feature code is an ascll code, you can directly modify the case, replace the lowercase with the upper case, and replace the lowercase with the upper case.

The main principle is to remove the nop with the feature code, and then write the statement of the nop into the blank 0000 area, and then connect it through the jmp jump, so that the antivirus software can not find the feature code, so as to achieve the purpose of avoiding killing. The principle of packing is to add a protection program to the original program, which has the function of protection and encryption, and the files after running the packing first run the shell and then run the real file, so as to play a protective role. Of course, unshelling is to remove the protection program, if you want to achieve the effect of no-kill after packing, then you have to add the latest no-kill shell!

Don't use anti-kill software, just write a virus by hand. That's what I wrote last time: Pure handwriting is hung by behavior defense k, and what kind of non-killing software is used to scan the file k.

Changing the feature code is the most common!

Viruses want to run,Or in memory,Packing is just a way to avoid killing files,Even if the file can't pass the memory,Besides, now the major antivirus software has taken the characteristic codes of various common shells as virus signature codes,If you really want to kill through packing,You should also add an unpopular shell,Or simply write a shell yourself,I've read the article of a senior on Security Focus before,The idea of distortion and transformation encryption he proposed is still very good。

It's not that shelling is useless.

Let's put it this way:1Killing soft has the ability to shed its shell.

2.The feature code of the shell is included in the killing soft.

You can add two shells. Or after shelling.

Do something tricky.

Packing no-kill is the technology before 05 years, and later Kaba pioneered the virtual machine shelling technology, as well as the emergence of memory monitoring technology, which makes the packing completely meaningless in no-killing.

The current antivirus software can kill the packed, and there are special effects for dealing with bare metal.

This is done by operating the computer with a keyboard.

In the past, the packing, but now the killing soft has been updated with new functions The general packing can't be overkill, even if it can be passed, it can only pass one or a few scattered killing soft, and the non-killing time will not be too long. It is recommended to learn the no-kill if the feature code is modified, or the no-kill if there is no feature code. You have to understand that simple shelling can't just kill the soft.

It is okay to kill the domestic soft of the 360 class,,, but it is just a shelling. You can't pass the card, Norton, and Nod

These three methods are combined together It is best to modify the feature code and the command to add it doesn't matter if you add it or not, I don't like to add and then add the shell, now many shells are killed, and the shell is changed after the shell.