DNF检测基址特征码加最全的检测基址
02FD7F9A 59 pop ecx02FD7F9B C3 retn
02FD7F9C 90 nop
02FD7F9D 90 nop
02FD7F9E 90 nop
02FD7F9F 90 nop
02FD7FA0 33C9 xor ecx,ecx
02FD7FA2 33C0 xor eax,eax
02FD7FA4 890D CD6B1503 mov dword ptr ds:,ecx
02FD7FAA A2 CC6B1503 mov byte ptr ds:,al
02FD7FAF A3 C86B1503 mov dword ptr ds:,eax
02FD7FB4 890D D16B1503 mov dword ptr ds:,ecx
02FD7FBA A3 D86B1503 mov dword ptr ds:,eax
02FD7FBF C3 retn
02FD7FC0 E8 0B000000 call 02FD7FD0
02FD7FC5 E9 A6010000 jmp 02FD8170
02FD7FCA 90 nop
02FD7FCB 90 nop
02FD7FCC 90 nop
02FD7FCD 90 nop
02FD7FCE 90 nop
02FD7FCF 90 nop
02FD7FD0 81EC 04010000 sub esp,0x104
02FD7FD6 53 push ebx
02FD7FD7 55 push ebp
02FD7FD8 56 push esi
02FD7FD9 57 push edi
02FD7FDA 68 9CD21203 push 0x312D29C ; ASCII "TerSafe.dll"
02FD7FDF 50 push eax
02FD7FE0 E8 E6783200 call 032FF8CB
02FD7FE5 8B35 58501103 mov esi,dword ptr ds:
02FD7FEB 8B2D 78521103 mov ebp,dword ptr ds:
02FD7FF1 33DB xor ebx,ebx
02FD7FF3 3BC3 cmp eax,ebx
02FD7FF5 75 61 jnz short 02FD8058
02FD7FF7 B9 40000000 mov ecx,0x40
02FD7FFC 33C0 xor eax,eax
02FD7FFE 8D7C24 11 lea edi,dword ptr ss:
02FD8002 885C24 10 mov byte ptr ss:,bl
02FD8006 F3:AB rep stos dword ptr es:
02FD8008 66:AB stos word ptr es:
02FD800A AA stos byte ptr es:
02FD800B 8D4424 10 lea eax,dword ptr ss:
02FD800F 68 04010000 push 0x104
02FD8014 50 push eax
02FD8015 53 push ebx
02FD8016 FFD6 call esi
02FD8018 8D4C24 10 lea ecx,dword ptr ss:
02FD801C 6A 5C push 0x5C
02FD801E 51 push ecx
02FD801F FFD5 call ebp
02FD8021 8858 01 mov byte ptr ds:,bl
02FD8024 8D7C24 18 lea edi,dword ptr ss:
02FD8028 83C9 FF or ecx,-0x1
02FD802B 33C0 xor eax,eax
02FD802D F2:AE repne scas byte ptr es:
02FD802F F7D1 not ecx
02FD8031 49 dec ecx
02FD8032 BA 03010000 mov edx,0x103
02FD8037 2BD1 sub edx,ecx
02FD8039 8D4424 18 lea eax,dword ptr ss:
02FD803D 52 push edx
02FD803E 68 9CD21203 push 0x312D29C ; ASCII "TerSafe.dll"
02FD8043 50 push eax
02FD8044 56 push esi
02FD8045 E8 E5BD3000 call 032E3E2F
02FD804A 83C4 14 add esp,0x14
02FD804D 8D4C24 10 lea ecx,dword ptr ss:
02FD8051 51 push ecx
02FD8052 55 push ebp
02FD8053 E8 61AB3900 call 03372BB9
02FD8058 68 90D21203 push 0x312D290 ; ASCII "CreateObj"
02FD805D 50 push eax
02FD805E 55 push ebp
02FD805F E8 1D7D4800 call 0345FD81
02FD8064 6A 09 push 0x9
02FD8066 FFD0 call eax
02FD8068 83C4 04 add esp,0x4
02FD806B A3 386C1503 mov dword ptr ds:,eax
02FD8070 8B10 mov edx,dword ptr ds:
02FD8072 8BC8 mov ecx,eax
02FD8074 68 2D6C1503 push 0x3156C2D
02FD8079 FF12 call dword ptr ds:
02FD807B 8B0D 386C1503 mov ecx,dword ptr ds:
02FD8081 8B01 mov eax,dword ptr ds:
02FD8083 FF50 04 call dword ptr ds:
02FD8086 8B0D 386C1503 mov ecx,dword ptr ds:
02FD808C A2 2C6C1503 mov byte ptr ds:,al
02FD8091 3BCB cmp ecx,ebx
02FD8093 891D 286C1503 mov dword ptr ds:,ebx
02FD8099 0F85 A9000000 jnz 02FD8148
02FD809F 68 9CD21203 push 0x312D29C ; ASCII "TerSafe.dll"
02FD80A4 52 push edx
02FD80A5 E8 DD7F4500 call 03430087
02FD80AA 3BC3 cmp eax,ebx
02FD80AC 75 61 jnz short 02FD810F
02FD80AE B9 40000000 mov ecx,0x40
02FD80B3 33C0 xor eax,eax 你确定这是检测特征:sleepy: 是用什么检查的
页:
[1]