
TwMs v226.3 CRC MSCRC

//TwMs v226.3 CRC MSCRC
//單MSCRC ,沒有BCCRC的情況下會觸發D1060104檢測到CE D1010201 BlackCipher檢測到MS內存被修改
//mscrc1,0489AB59   reg edx
//mscrc2,045C958F  reg ebx



// Cheat Engine auto-assembler directives (symbol registration and buffer
// allocation) for the routines that follow. As captured on this page the
// bracketed memory operands of several instructions are missing, so the
// script is incomplete here; comments describe only what is visible.
registersymbol(memcopy)
alloc(memcopy,256)                      // 256-byte code buffer for the copy routine below
registersymbol(mscem)
alloc(mscem,95418016)                   // 0x5AE7000 bytes (the region copied by memcopy) + 100000 bytes of slack
registersymbol(memaddr)
alloc(memaddr,4)                        // one dword: pointer to mscem (see memaddr below)
label(copyend)
label(loopcopy)
createthread(memcopy)                   // memcopy runs on a thread of its own

memaddr:
dd mscem                                // address of the mscem buffer, readable via [memaddr]

//-----------------------------------------------------------------------
// memcopy — thread entry (createthread above).
// Step 1: byte-copy the range 00401000 .. 00401000+5AE7000 to a second
//         buffer (destination operand not visible as captured).
// Step 2: at two offsets inside that buffer, write fixed byte patterns
//         unless they are already present.
// Regs:   eax = source cursor, ecx = destination cursor, ebx = scratch.
// Note:   several memory operands ([...]) are missing from this page.
//-----------------------------------------------------------------------
memcopy:
mov eax,00401000                        // eax = first source byte
lea ecx,                                // ecx = destination cursor; operand missing as captured

loopcopy:
xor ebx,ebx                             // clear ebx (movzx below already zero-extends; kept as written)
movzx ebx,byte ptr                      // bl = *eax; source operand missing as captured
mov byte ptr ,bl                        // *ecx = bl; destination operand missing as captured
inc eax
inc ecx
cmp eax,00401000+5AE7000                // loop until eax passes the end of the range (inclusive end)
jg copyend
jmp loopcopy

copyend:
// Patch site 1: ebx = (<operand> - 00401000) + 0489AB59, i.e. the position
// in the copied buffer that corresponds to address 0489AB59.
lea ebx,                                // operand missing as captured
sub ebx,00401000
add ebx,0489AB59                        // offset of hook site 1 (same bytes as the db at mscrc1end)
cmp ,5B5A0202                           // memory operand missing as captured
je +d                                   // skip the next 13 bytes (presumably both mov instructions) if already patched
mov ,5B5A0202                           // bytes 02 02 5A 5B
mov ,AAB35366                           // bytes 66 53 B3 AA


// Patch site 2: same scheme for address 045C958F (bytes match the db at mscrc2end).
lea ebx,                                // operand missing as captured
sub ebx,00401000
add ebx,045C958F                        // offset of hook site 2
cmp ,1A011B8B                           // memory operand missing as captured
je +d                                   // skip both movs if already patched
mov ,1A011B8B                           // bytes 8B 1B 01 1A
mov ,04E6819C                           // bytes 9C 81 E6 04



ret                                     // thread returns



//-----------------------------------------------------------------------
// mscrc1 — detour installed at 0489AB59 (register of interest: edx).
// If edx points inside 00401000 .. 00401000+5AE7000 it is rebased by
// (<operand> - 00401000); otherwise it is left untouched. Control then
// continues with the 8 displaced original bytes and returns to 0489AB59+8.
// Clobbers: flags (and edx when in range).
//-----------------------------------------------------------------------
registersymbol(mscrc1)
alloc(mscrc1,512)
label(mscrc1end)

mscrc1:
cmp edx,00401000
jb mscrc1end                            // below the range: pass through unchanged
cmp edx,00401000+5AE7000
ja mscrc1end                            // above the range: pass through unchanged
add edx,                                // operand missing as captured
sub edx,00401000                        // edx = <operand> + (edx - 00401000)

jmp mscrc1end                           // redundant: mscrc1end is the next label anyway

mscrc1end:
db 02 02 5A 5B 66 53 B3 AA              // the 8 original bytes displaced at 0489AB59; first two appear to decode to add al,[edx]
jmp 0489AB59+8                          // resume just past the displaced bytes

0489AB59:                               // hook site: 5-byte jmp, padded into the 8 displaced bytes
jmp mscrc1




//-----------------------------------------------------------------------
// mscrc2 — detour installed at 045C958F (register of interest: ebx).
// Same shape as mscrc1: ebx is rebased only when it lies inside
// 00401000 .. 00401000+5AE7000, then the 5 displaced original bytes run
// and control returns to 045C958F+5.
// Clobbers: flags (and ebx when in range).
//-----------------------------------------------------------------------
registersymbol(mscrc2)
alloc(mscrc2,512)
label(mscrc2end)

mscrc2:


cmp ebx,00401000
jb mscrc2end                            // below the range: pass through unchanged
cmp ebx,00401000+5AE7000
ja mscrc2end                            // above the range: pass through unchanged
add ebx,                                // operand missing as captured
sub ebx,00401000                        // ebx = <operand> + (ebx - 00401000)


jmp mscrc2end                           // redundant: mscrc2end is the next label anyway

mscrc2end:
db 8B 1B 01 1A 9C                       // the 5 original bytes displaced at 045C958F (appear to decode to mov ebx,[ebx] / add [edx],ebx / pushfd)
jmp 045C958F+5                          // resume just past the displaced bytes

045C958F:                               // hook site: exactly one 5-byte jmp
jmp mscrc2
