The fragrance of the encrypted Trojan client is finally broken at 22:24, August 4, 2004, and a brother of a black customer has gone through the final password after thinking about three days. I have been lucky. Our prize users. Subsequently, several readers once again broke the leaving inventory, and found a photo of the snow ...
In this issue, in order to meet the wishes of many readers of the black, we specially prepared 20 photos of the Snowbead, and sent it to friends who can challenge this hacker. In the readers in guess, we will take a grand prize, give you, well, after reading the legend of the black book, come to meet the challenge of the new hacker battle!
Primer
I stared at the snowy photo, my lover loving people. Just a day ago, I thought about this, although there were some sloppy, but there were my love and dreams of love ... and today's total staying inn suffering from the strongest and most ferocious attacks of the black. I can't face the snow in the photo, she makes me feel that my love seems to be an extra heavy burden in her whole life ...
Trojan in the husk
Listening to the rain and put down the snow, a blank in the brain, not only because of his and snow, but also because he knew that the Xiangxiang Inn was likely to have an unprecedented rivers and lakes in the rivers and lakes. However, he did not think that the little sister's deer cited the Skirle computer system in this moment. Listening to the rain has not yet closed three nights. He invaded the UNIX service of "Miss" in accordance with the big sister. Sleep is very luxurious when he is working. The phone suddenly shaken like dancing on the table, listening to the brain nerve of the rain, the big brain, the big sister is reminded? After picking up the phone, the phone is listening to the most familiar sound.
"what are you doing?"
"The servers of the horses."
"Why is it not in qq to rsille me!", The voice of the other side seems to be anger.
"..." I was busy at the time, "I can't find a more appropriate reason or excuse.
"Give me a QQ chat discipline viewer!"
"What do you want to do?"
"Look at a person's chat history."
"who?"
"Through the inventory, snow!"
"What! Are you black? Why?"
"What are you nervous ?! Why are you nervous? What do you know? What do you know will always love me, but you give me love is a lie, a cruel blood shower! My fate, I am in my life The most important start has been destroyed in your hand, I will never let it end so easily, so easy to wave, listen to the rain ... You owe me! I owe me forever! "
"I want ...", the phone hangs up, listening to the rain, some numbers seem to have let him fall into a illusion, his mind is chaotic recalls the call, thinking in my mind, this is from the beginning Should not happen ...
Before listening to the fridge, I took out a pot of ice cubes from the freezer, grogly walked into the toilet, he poured the ice in the pool of the water, and tied the head into this basin. Ice water mixed pool. The cold-born water stimulates every cell on his head. He recalls the phone of Lujingwei, recalling every detail of the first Deer, and recalls to learn to change the Trojan with the big sister with the big sister.
Two years ago, black camp ...
Big sister is still slightly tender and the rain and deer wicked: "You will use Trojans now, but why you can't succeed when you attack others, do you succeed until the reason? In fact, the reason is very simple, you use Trojan Can be killed by anti-virus software, such Trojans will naturally be discovered, your success rate is of course very low. And the way to improve the success rate is only one, escaping the virus firewall chasing, let them unable to detect you Trojan. "Lu Caiwei seems to be very interested in this part," Big sister, teach us this part, I always failed when I implanted Trojans, I have no confidence now. "The big sister is then told that time. Trojan step. Description of the tools used:
Resource Hacker
Tools with Exescope, but I feel that primary users will use it more convenient. He modified software resources to be more foolified.
PE-SCAN
For the view of the outer casing, it can take a shell for some housings.
Upxshell
UpxShell is an EXE compression software. It has a very good compression ratio, which is also excellent across platform performance. Since UPXSHELL is still an Exe executable file, many hackers use it does not change the property only to change the size of the size to compress the virus and hacker software, which of course also include our famous glacial. And it will add a layer of shell to the compressed software, which avoids a lot of anti-virus software to kill it, better confused victims.
Aspack
Aspack is very similar to UPX, but also compression software. Early Ice Clients are compressed with this software, so they want some version of the ice river to be compressed. Software After compression over Aspack, we can use unaspack to decompress accordingly so that we can see the effect before compression. The compression principle of Aspack is the same as UPX.
EXESCOPE
Exescope is the most commonly used tool for modifying the software resources. It is powerful to enable Exescope to analyze and display different file information and content without resource files, and it can override executable files, which in which Includes menus, dialogs, string tables, and more.
W32DASM
Ding Ding's W32DASM can make an anti-assembly operation, and there is a good support for WinAPI, and the reconciliation of the comparable code is very strong. He can record the static code of the program and is the best complement to Softice.
OLLYDBG: OLLYDBG is an intuitive analysis debugger for 32-bit assets. It is especially useful when the source code is not available, or it is especially useful when you encounter problems with the compiler, it is a very good dynamic tracking debugging tool.
HEX WORKSHOP
A very professional hex editor, powerful development tool, can easily perform hex, insert, fill, delete, cut, copy, and paste operation, match, replace, comparison, and calculations The commands such as checksum make the work more quickly. Fast speed, accurate algorithm, and with calculator and converter tool.
Nowadays, many black camps are in the cover of the housing, and even some newers say that they can successfully escape any anti-virus software in the rivers and lakes. He is only halfway, because when there is no shell, there is very little have the anti-virus software can find Trojans, but once the hip hippike is executed, complete the shelling process, then tracking the anti-virus software will Soon discovered that the Trojans in the memory are running, and finally kill. In fact, in accordance with the many people of the black guidelines, the big sister has no meaning for many people who have become masters, but Lu Caiwei does not think so, in her opinion, the means of the shell is different. Can still be effectively escaping the anti-virus software.
The principle of Trojans is very simple. Many of the Trojans provided in the black cabinet are treated, and these treatment is the so-called housing. Big sister said that when an Exe procedure is generated, it is easy to make modifications to it, but if the programmer adds a shell to the Exe program, then at least this plus the shell EXE The program is not so modified, and if you want to modify, you must first take it. Listening to the rain, Dulan, Deer, clearly, clearly, the shell of each Trojan, the ice river with Aspack, while the gray pigeon is the UPX shell for casing. Listening to the rain, I remember that Lu Caiwei once had a proud of his proudly and hid the anti-virus software, and the deer cracked by using PE-SCAN to see the housing. This gray pigeon is using UpxShell. Make the shell. So at this time, the UPXunpack program with UPX can take the hippi process to shell the trees generated by the gray pigeon. After the shell, the gray pigeons have suddenly been more than 300 K to increase to more than 900 K, then she knows that she has already The shell is successful. Lu Caiwei then revealed the rain with Exescope to modify the icon of the gray gray client after shell.
Lu Caiwei told to listen to the rain, and her own way to explore the shell and modify the tippiece of the icon. However, when the UPXSHELL is compressed and the shell is different, she is not like a big sister. She directly handles the shells, but in advance in the advanced in the UPXSHELL, I will perform Scrambler encryption, and then click Encrypt to complete the encryption process, and then use Aspack to add the EXE file that has been added to the case. Lu Caiwei said that the anti-virus software could not kill this time.
Listening is clear, Lu Caiwei, this step is just a thinking. In fact, it is very flexible, which is dual-handed housing for Trojans with two different case tools, which is equal to compressing Trojans. Naturally, it will escape the first layer of the anti-virus software firewall. However, more shells are added, and the procedure is pressed, and the final procedure is still to be separated. How to make the decompressed Trojan really escape anti-virus software this is a key step.
Changed Trojan
Listening to rain is very understanding how anti-virus software tracks Trojans and viruses. Most anti-virus software will pick a few spectrums in Trojans and virus programs, and then when these programs are running in the system, anti-virus software checks these loading into memory. Program, check if there is a signature in the program that meets your own killing requirements.
He believes that his intuition, Lu Caiwei must learn how to modify the key technology of Trojan, if Lu Jingwei really masters this method, then Lu Jingwei's Trojan wants to bypass a few zero zero zero The dispersed anti-virus software is not under words. Listening to the rain, I can't believe that Lu Caiwei learned to modify the technology of Trojan, because he believes that this is a relatively high difficulty for deer. And the live children who modify the code must master some techniques for assembly language. Listening to the rain, I can't understand, is there someone guidance? No, Lu Caiwei is not the kind of girl who controls others. It seems that in addition to being awe. In addition to the big sister, he didn't see that she had anyone, and the Cai Wei is a very persistent girl. But listening to the rain, it is often able to drive an amazing explosive force for a woman who is angered by an emotional woman.
Cai Wei is in front of the computer, this is already the 20th modification of the 20th modification of the Trojan code. The result is not the result of modification. It is still killed by anti-virus software. The modification of the signature is too difficult for her, which needs to master the superb assembly language, and Lu Caiwei will not pass this. All she owns is only a thin, only 5 A4 paper tutorials who have printed her printed. When the tutorial starts directly into the topic, talk about how the program in the horspogram, but Deer Caiwei tried to find Ollydbg to find program Trojan's program entrance, after three, she understood, this Trojan must take away Program analysis can be performed after shell. Shell is not in the words for Deer, because she is too familiar with Tools such as PE-Scan and Wollf. After a simple analysis and shelling Trojan, Deer Caiwei can finally use OLLYDBG to debug the Trojan source program. According to the big sister's tutorial, when using ollydbg to analyze the program, the first line of the open analyzing interface should be the entry of the program, 004bdf68, the virtual address symbol of the memory is analyzed by the entrance of the program. Lu Caiwei According to the instructions of the big sister, use the Lordpe Deluxe tool to open the shelled Trojan, and then use the "PE Editor" to calculate the relative offset address "000 dBF68" of the program file in the file address calculator. Lu Caiwei decided to step by step according to the big sister.
The relative offset address of the program is calculated. Here, the following is to open the shell-shelling Trojan using Hex Workshop, and Lu Caiwei saw a string of characters. At this time she already foggy, but she can feel that she has to succeed. Click on the right button to find the sixteen offset address head, here is the key, Lu Caiwei, one line of writing, wrote the annotation of this big sister. In the annotation, there is definitely a signature of the anti-virus software in about 150 blocks, and you need to do a step by step by step, you can choose 150 or 100 pieces, then these Field rules, after saving the program, using anti-virus software for killing, of course, the number of segments selected, the smaller the chance can be found, and the smaller the chance. However, it is eventually to determine the field of the program to the most accurate location, which is repeatedly tested, and the scope of the block is reduced.
After 30 minutes, Lu Caiwei broke the field range to block DB367 according to the annotation of the big sister, which should be the signature analyzed by anti-virus software. Lu Caiwei kept this code firmly, in accordance with the next step, open the anti-assessment tool W32DASM to make a disassembly operation on Trojan, by finding the field of DB367, Lu Caiwei's anti-assessment of W32DASM is also Zhao to the corresponding code. Field:
Mov DWORD PTR [EBP-18], EAX
MOV DWORD PTR [EBP-14], EAX
At this time, I met Lu Jingwei's most headache. She must understand the meaning of this disassembler to modify the program, otherwise the error modification is likely to cause the program to run normally. The tutorial did not explain the meaning of these disassembled fields. Fortunately, the Internet is developed today, there is nothing to find, search!
Lu Caiwei started a section of the search for every code, and translated the relevant documentation for marking. After understanding the program is probably here, she began to try to modify the transform program code, after replacing, did not succeed to the expected, the program can even be opened, it is the most critical place here. Everything in front is not looking for a map of treasure, but it is the key to the key to understand the map and find the burial position of the treasure.
Where do you go? In the case of this anti-assembly manual, Lu Caiwei started a step in step ...
end
I'm looking for abnormal sadness and fear, he always treated the Cai Wei as a sister, but did not expect that he would choose a lover or a relatives today ... he didn't know how to see any kindness, more kindness Blood, is there a hacker really to conquer the bad luck in the face? Listening to the rain blind looks in front ... But he only saw the beginning of the story, but he never guess the end ...
Strictly declare that due to the high danger of this article, the editor and author will hereby will this paper use a lot of literary treatment. I hope everyone is only as a knowledge point, and do not imitate!
