11012FA2 send pre1
110306A1 w32.send
if (ecx==11012F70) on 11084310
[111A6D9C] holds the original storm address
Contents:
7C E8 12 11 FD 07 00 00 00 00 00 00 00 00 01 61 61 61 62 62 62 00 00 00 00 01 00 00 09 00 00 00
0F 00 00 00 00 FF 00 00 00 00 00 00 30 00 00 00
New code written at 111AD7E0
pushad
xor ebx,ebx
xor edi,edi
push ebx
push edi
mov ecx,0x11012F70
call ecx
add esp,8
popad
Code bytes:
111AD7E0 60 PUSHAD
111AD7E1 B9 16D81A11 MOV ECX,mhmain.111AD816
111AD7E6 890D 9C6D1A11 MOV DWORD PTR DS:[111A6D9C],ECX
111AD7EC B9 702F0111 MOV ECX,mhmain.11012F70
111AD7F1 33DB XOR EBX,EBX ; xor edi,edi;
111AD7F3 33FF XOR EDI,EDI
111AD7F5 53 PUSH EBX
111AD7F6 57 PUSH EDI
111AD7F7 FFD1 CALL ECX
111AD7F9 83C4 08 ADD ESP,8
111AD7FC 61 POPAD
111AD7FD C3 RETN
Data address: 111AD816
Code and data together at 111AD7E0
60 B9 16 D8 1A 11 89 0D 9C 6D 1A 11 B9 70 2F 01 11 33 DB 33 FF 53 57 FF D1 83 C4 08 61 C3 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 00 7C E8 12 11 FD 02 30 31 31 00 00 00 00 00 01 58 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00
0F 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00
say a:
1. 87 A5 A5 77 11
2. 7F BE D7 88 93
3. 15 FF B0 05 CF
Different every time
C8 99 29 06 2D
3C BD 06 2B 51
96 AD C9 C5 55
ba 0e 33
25 8f