花指令编写手册-最新和一批花指令.doc

花指令合集(0608)【深层】->IanLuck汇编代码:============================伪装代码部分:============================moveax,0040E000push004153F3pushdwordptrfs:[0]movdwordptrfs:[0],esppushfwpushadpusheaxxorebx,ebxpopeaxpopadpopfwpopdwordptrfs:[0]popeaxjmpXXXXXXXX'执行到程序的原有OEP============================【深层】伪装WCRTLibrary(VisualC++)DLLMethod1->Jibz二进制代码+汇编代码:============================伪装代码部分:============================使用二进制粘贴以下代码:558BEC837D0C017541A1C030001085C0740AFFD085C075046AFEEB17680C3000106808300010E88900000085C0595974086AFDFF150820001068043000106800300010E8520000005959粘贴完毕后,再添加2行汇编语句:jmpXXXXXXXX'执行到程序的原有OEPretn0C1。伪装vcVC++程序的入口代码:PUSHEBPMOVEBP,ESPPUSH-1push415448-\___PUSH4021A8-/在这段代码中类似这样的操作数可以乱填MOVEAX,DWORDPTRFS:[0]PUSHEAXMOVDWORDPTRFS:[0],ESPADDESP,-6CPUSHEBXPUSHESIPUSHEDIADDBYTEPTRDS:[EAX],AL/这条指令可以不要!jmp跳转到程序原来的入口点******************************************************************************************2。跳转somewhere:nop/"胡乱"跳转的开始...jmp下一个jmp的地址/在附近随意跳jmp.../...jmp原入口的地址/跳到原始oep<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<新入口:pushebpmovebp,espincecxpushedxnoppopedxdececxpopebpincecxloopsomewhere/跳转到上面那段代码地址去!-1push111111push222222moveax,fs:[0]pusheaxmovfs:[0],esppopeaxmovfs:[0],eaxpopeaxpopeaxpopeaxpopeaxmovebp,++pushebpmovebp,esppush-1push111111push222222moveax,fs:[0]pusheaxmovfs:[0],esppopeaxmovfs:[0],eaxpopeaxpopeaxpopeaxpopeaxmovebp,++-1PUSH0PUSH0MOVEAX,DWORDPTRFS:[0]PUSHEAXMOVDWORDPTRFS:[0],ESPSUBESP,68PUSHEBXPUSHESIPOPEAXPOPEAXPOPEAXADDESP,68POPEAXMOVDWORDPTRFS:[0],EAXPOPEAXPOPEAXPOPEAXPOPEAXMOVEBP,,eax后面加上PUSHEAXPOPEAX7:防杀精灵一号防杀代码:pushebpmovebp,esppush-1push666666push888888moveax,dwordptrfs:[0]pusheaxmovdwordptrfs:[0],esppopeaxmovdwordptrfs:[0],eaxpopeaxpopeaxpopeaxpopeaxmovebp,eaxjmp入口8:防杀精灵二号防杀代码:pushebpmovebp,esppush-1push0push0moveax,dwordptrfs:[0]pusheaxmovdwordptrfs:[0],espsubesp,68pushebxpushesipushedipopeaxpopeaxpopeaxADDesp,68popeaxmovdwordptrfs:[0],eaxpopeaxpopeaxpope