About flower instructions, flower instruction generator for flower instructions

It is true that the flowering instruction does not change the position of the feature code, but it changes the order of program execution, and some can also change the file structure. When the antivirus software scans, it jumps to the flower command, that is, it is judged that there is no virus. Normally, when the file is not killed, adding the flower instruction is the simplest and most effective method, and it can generally kill a lot of antivirus software, so the general file free killing is a common method, provided that your flower instruction is not commonly used, and it is best to make your own personal flower instruction, which will be very effective.

1. Necessary knowledge of writing flower instruction generators.

1. The principle of flower instructions.

Flower instructions are useless in the program**, the program has no effect on it, and it can run normally without it. After adding the flower instruction, when the antivirus software disassembles the Trojan statically, the Trojan's ** will not be displayed normally, which increases the difficulty of the antivirus software.

2. How to write flower instructions.

Let's take a look at a flower instruction and analyze and understand its principle:

push ebp

mov ebp,esp

push edx

pop edx

inc ecx

dec ecx

add esp,21

add esp,-21

add esp,10

sub esp,10

JMP origin entry point.

There are generally three parts to the flower instruction, which start with push ebp and mov ebp, and the two sentences esp can often be seen at the beginning of most programs. Push EBP is to press EBP into the stack, MOV EBP, ESP is to assign the value of ESP to EBP, it doesn't matter if you don't understand, as long as you know Push EBP and MOV EBP, ESP These two sentences often appear at the beginning of the file, just use ollydbg to open an unpacked file and often stop at push ebp mov ebp, esp after loading.

The next thing is to spend the instruction, push edx is to press the general register edx into the stack, pop edx is to pop the general register edx out of the stack, and the sum of these two sentences is equivalent to doing nothing. The next inc ecx, ecx is used to hold the count value, which is also a register, inc is plus 1; The dec in dec ecx below is minus 1, plus 1 minus 1 to cancel out, and nothing is done. add esp,21 this is the register esp plus 21,add is to add,the following sentence add esp,-21 is the register esp plus 21,elementary school knowledge,+21+(-21)=0,still nothing is done。

Then down add esp, 10 register esp plus 21, sub esp, 10 register esp minus 10, sub is subtracted. A +10 and a -10 cancel each other out.

3. How to write flower instructions.

Let's take a look at the general steps of the flowering instruction:

1. Prepare the flower instructions to be added;

2. Prepare unpacked hacking software;

3. Open the hacking software with ollydbg and write down the memory address of the entry point;

4. Find the zero address, write the flower instruction sentence by sentence, and then use JMP to jump back to the program entry point; (If you can't find a blank address,We can use zeroadd to add a section,English software,I'm good at Chinese,It's easy to operate, and it's not demonstrated.。 ）

5. After saving, use peditor to modify the file entry point to the address of the start flower writing instruction. In this way, the program will run the flower instruction first, and then jump back to the original beginning of the program to execute the program;

6. Check whether the program is operating normally and the non-killing effect.