01|Rename a Windows user
Open Run, type cmd, Enter;
Type control userpasswords2, Enter;
Select the account, click Properties, change the user name, click OK;
Open Run, type regedit, Enter;
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList;
Select the subkey with the longest name (the subkeys are SIDs; local accounts are the S-1-5-21-... keys, so confirm the choice by checking that its ProfileImagePath points at the profile you mean rather than going by length alone), double-click ProfileImagePath on the right, change the user name after C:\Users\, click OK;
Sign out and sign back in;
Open C:\Users, delete the folder that was just created for the new name, then rename the original profile folder to the new name;
Sign out and sign back in again.
Caveat: this changes only the account name and ProfileImagePath. Application settings, scheduled tasks and shortcuts that store absolute paths still point at the old folder and have to be fixed by hand, and anything written to the temporary folder during the intermediate sign-in is lost when that folder is deleted.
02|How to get a kernel bug fix upstream
Send a patch:
- Clone the latest tree and confirm the bug is still there
- Create a local branch and make the change
- git add <changed files>, then git commit -s (-s adds your Signed-off-by line). Commit log format: a title line <subsystem>: <short description of the patch>, a blank line, then the detailed description. git format-patch -1 produces the patch file; anything that should not become part of the commit message (test notes, questions for reviewers) goes below the three dashes (---)
- Run scripts/checkpatch.pl on the patch, use scripts/get_maintainer.pl on the patch (or on the touched files) to get the maintainers and mailing lists, and send it to them and the subsystem list with git send-email
03|Building ffmpeg with cl (VS toolchain)
MSVC build:
lame: ./configure --enable-shared --prefix=/mnt/Mp3/Out/ --host=x86_64-pc-windows CC=cl.exe
ffmpeg: ./configure --prefix=Out --toolchain=msvc --enable-w32threads --enable-x86asm --disable-doc --disable-ffprobe --enable-small --disable-runtime-cpudetect --disable-network --disable-debug
Static build with x264 and lame installed under /usr/local:
x264: ./configure --enable-static --enable-shared
lame: ./configure --prefix=/usr/local --enable-static --enable-shared
ffmpeg: ./configure --prefix=Out --enable-x86asm --enable-network --enable-protocol=https --enable-optimizations --enable-gpl --enable-libx264 --enable-libmp3lame --enable-small --enable-static --disable-shared --disable-ffprobe --disable-doc --extra-cflags=-I/usr/local/include --extra-ldflags=-L/usr/local/lib
Notes: --extra-cflags and --extra-ldflags take compiler and linker flags, so the include and library directories need the -I and -L prefixes; a bare path is not a valid flag. --enable-protocol=https only takes effect if configure finds a TLS backend (OpenSSL, GnuTLS, mbedTLS, or Schannel on Windows), so check the enabled protocols in the configure summary before relying on it. --enable-gpl is required for libx264 and makes the resulting binary GPL.
04|WSA on Win10
New-NetFirewallRule -DisplayName "WSL" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow
This rule allows all inbound traffic arriving on the WSL virtual adapter, i.e. from the WSL2/WSA guest to the host, which is what lets the guest reach services running on Windows. It is broader than it needs to be: add -Protocol and -LocalPort (and -Profile) if only specific ports are required, and remove the rule once the guest is no longer used.
https://github.com/cinit/WSAPatch/
05|Docker commands on Win
www.docker.com
learn.microsoft.com/en-us/windows/wsl/wsl-config#configuration-setting-for-wslconfig
learn.microsoft.com/zh-cn/windows/wsl/wsl-config#configuration-setting-for-wslconfig
mklink /j "C:\Program Files\Docker" "K:\Vmachine\Docker"
The junction moves the Docker installation to K: while Windows still sees it under Program Files. Because the Docker service runs the binaries in that directory with elevated privileges, the target directory must keep the same restrictive ACL as Program Files (no write access for standard users); a user-writable target turns the junction into a privilege-escalation path.
wsl --export <DistroName> <file.tar>
wsl --unregister <DistroName>
wsl --import <DistroName> <InstallLocation> <file.tar> --version 2
wsl --import takes three positional arguments: the new distro name, the directory to install it into, and the exported tar.
06|CheatEngine PVZ 0cd
Auto Assembler script injected at "PVZ原版启动程序.exe"+8728C. The seven original bytes there (83 47 24 01 8B 47 24: add dword ptr [edi+24],01 / mov eax,[edi+24]) are exactly the length of a 5-byte jmp plus two NOPs, so the hook does not split an instruction. Inside the cave the counter at [edi+24] is advanced by 10000 (hexadecimal, as Cheat Engine assembles numbers) per tick instead of 1, which is what the "0cd" (zero cooldown) name refers to; disabling writes the original instructions back.
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
add dword ptr [edi+24],10000 //original instruction: add dword ptr [edi+24],01
mov eax,[edi+24]

exit:
jmp returnhere

"PVZ原版启动程序.exe"+8728C:
jmp newmem
nop 2
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"PVZ原版启动程序.exe"+8728C:
add dword ptr [edi+24],01
mov eax,[edi+24]
//Alt: db 83 47 24 01 8B 47 24
Cheat table entries:
0  "No description"  4 Bytes  1566453C
1  "0cd script"  Auto Assembler Script
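Byte-level view of what the script above makes Cheat Engine write, as an added example (not part of the notes or of Cheat Engine): the 5-byte jmp rel32 plus two NOPs that replace the seven original bytes at "PVZ原版启动程序.exe"+8728C, and the code cave holding the modified instructions followed by the jump back. The image base (0x400000) and the cave address are assumptions; Cheat Engine picks the cave address itself with alloc(newmem,2048). The same install/restore mechanics are what malware and security tools use for inline hooks, which is why the overwritten span has to end on an instruction boundary.

```python
"""Encoding of the inline hook from the Cheat Engine script (added example)."""
import struct

# original bytes at the hook site (from the script's "//Alt: db ..." comment)
ORIGINAL_BYTES = bytes.fromhex("83 47 24 01 8B 47 24")  # add dword ptr [edi+24],01 ; mov eax,[edi+24]
# cave replacement: add dword ptr [edi+24],10000 ; mov eax,[edi+24]
CAVE_BODY = bytes.fromhex("81 47 24 00 00 01 00 8B 47 24")

IMAGE_BASE = 0x00400000            # assumed 32-bit image base
HOOK_ADDR = IMAGE_BASE + 0x8728C   # "PVZ原版启动程序.exe"+8728C
CAVE_ADDR = 0x0A000000             # assumed address of alloc(newmem,2048)


def jmp_rel32(src, dst):
    """Encode `jmp rel32` (E9 disp32) placed at src; the displacement is
    relative to the end of the 5-byte instruction."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


def hook_patch(site, cave, original):
    """Bytes written over the hook site: jmp to the cave, then NOP padding up
    to the end of the last stolen instruction so nothing is cut in half."""
    patch = jmp_rel32(site, cave) + b"\x90" * (len(original) - 5)
    assert len(patch) == len(original)
    return patch


def cave_bytes(cave, site, original, body):
    """Contents of newmem: the replacement instructions, then jmp returnhere."""
    return body + jmp_rel32(cave + len(body), site + len(original))


def install(page, page_base, site, patch):
    """Apply the patch to a copy of a code page; return (patched page, saved bytes)."""
    off = site - page_base
    page = bytearray(page)
    saved = bytes(page[off:off + len(patch)])
    page[off:off + len(patch)] = patch
    return bytes(page), saved


def restore(page, page_base, site, saved):
    """Write the saved original bytes back (what [DISABLE] does)."""
    off = site - page_base
    page = bytearray(page)
    page[off:off + len(saved)] = saved
    return bytes(page)


# constructed code page: NOP filler with the real seven bytes at the hook site
PAGE_BASE = HOOK_ADDR & ~0xFFF
_page = bytearray(b"\x90" * 0x1000)
_page[HOOK_ADDR - PAGE_BASE:HOOK_ADDR - PAGE_BASE + 7] = ORIGINAL_BYTES
PAGE = bytes(_page)


def enable():
    """[ENABLE]: patch the site and build the cave; returns (page, saved, cave)."""
    patched, saved = install(PAGE, PAGE_BASE, HOOK_ADDR,
                             hook_patch(HOOK_ADDR, CAVE_ADDR, ORIGINAL_BYTES))
    return patched, saved, cave_bytes(CAVE_ADDR, HOOK_ADDR, ORIGINAL_BYTES, CAVE_BODY)


def disable(patched, saved):
    """[DISABLE]: put the original instructions back."""
    return restore(patched, PAGE_BASE, HOOK_ADDR, saved)


if __name__ == "__main__":
    page, saved, cave = enable()
    print("patch at site:", page[HOOK_ADDR - PAGE_BASE:HOOK_ADDR - PAGE_BASE + 7].hex(" "))
    print("cave:", cave.hex(" "))
    print("restored identical:", disable(page, saved) == PAGE)
```

The displacement arithmetic is the only part that changes between targets: with the assumed addresses the site becomes E9 6F 8D B7 09 90 90, and the cave's final jump goes back to site+7, the first byte after the two stolen instructions.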
07|CCL vs. antivirus detection
Illustration of how multiCCL locates signatures
by niu-cow in NE365
2996-04-22
1. Assume a fairly extreme case:
some antivirus product, for some sample,
extracted the five signature fragments a, b, c, d, e shown below,
none of which on its own forms a complete signature
(an even more extreme case: there may be two such sets),
yet the scanner recognizes the sample from any two of them (see figure 1).
In that case the original CCL can hardly locate the signature at all, and even where it can, the
procedure becomes very complicated.
(figure 1)
..............................aaaaaaaaa........................
...............................................................
.............bbbbbbb.........ccc...............................
...............................................................
...................ddddddddd...............eeeee...............
2. For this situation
one idea is to zero-fill from one end (given how important the PE header is,
multiCCL chooses to start at the tail and work forward)
until, as in figure 2, the scanner stops recognizing the sample
(one byte of fragment b has been destroyed).
That exposes the tail end of b.
(figure 2)
..............................aaaaaaaaa.........................
................................................................
.............bbbbbb000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
------------------------------------------------------------------
Next, find the head end of fragment b.
Look at figures 3, 4 and 5 and watch the single zero byte inside b move.
(figure 3)
..............................aaaaaaaaa.........................
................................................................
.............bbbb0bbb0000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
----------------------------------
(figure 4)
..............................aaaaaaaaa.........................
................................................................
.............0bbbbbb00000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
----------------------------------------------------------------------
(figure 5)
..............................aaaaaaaaa.........................
................................................................
............0bbbbbbb00000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
--------------fragments a and b are both exposed in the figure above--------------------------
In figure 5 the complete a and b fragments are exposed, so the scanner recognizes the sample again.
That pins down fragment b.
Next, cover fragment b with zeros and take the result as the new sample; scan it again. If it is still detected,
repeat the steps above to locate fragment c, as in figure 6.
(figure 6)
..............................aaaaaaaaa........................
...............................................................
.............0000000.........ccc...............................
...............................................................
...................ddddddddd...............eeeee...............
-----------------------------------------------------------------------
If it is still detected after c has been located and covered, locate fragment d,
as in figure 7.
(figure 7)
..............................aaaaaaaaa........................
...............................................................
.............0000000.........000...............................
...............................................................
...................ddddddddd...............eeeee...............
-----------------------------------------------------------------------
Keep repeating until d, e, ... have all been found and covered and the scanner no longer recognizes the sample.
-----------------------------------
Going one byte at a time is obviously far too slow, and generating
thousands of files in one go is not realistic either.
So the idea is to bisect for a coarse position first, then switch to byte-by-byte replacement once the range is small.
-----------------------------------
Counting from the tail, cover 1, 2, 4, 8, ... bytes going forward,
i.e. powers of two, 2^n
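The whole procedure (tail search in 2^n steps plus bisection, the moving zero byte for the head, then cover-and-repeat) carried through on a constructed in-memory sample, as an added example that is not code from the notes or from multiCCL. The sample bytes, the five fragment positions and the toy scanner detected() are all constructed; the scanner fires only when at least two fragments are intact, which is exactly the extreme case the notes describe. In a real run detected() is replaced by a function that writes the candidate file and asks the antivirus engine for a verdict; the search logic does not change.

```python
"""Simulation of the multiCCL locating procedure (added example, constructed data)."""
import random

SAMPLE_LEN = 320
HEADER_LEN = 64  # assumed size of the PE header region that is never overwritten

# constructed fragment layout, name -> (offset, length), in file order a, b, c, d, e
FRAGMENTS = {"a": (80, 9), "b": (120, 7), "c": (140, 3), "d": (190, 9), "e": (240, 5)}

# constructed sample; no byte is 0x00, so a zero fill always destroys a fragment
_rng = random.Random(1234)
ORIGINAL = bytes(_rng.randrange(1, 256) for _ in range(SAMPLE_LEN))


def intact(sample, name):
    off, ln = FRAGMENTS[name]
    return sample[off:off + ln] == ORIGINAL[off:off + ln]


def detected(sample):
    """Toy scanner: flags the sample when any two fragments survive."""
    return sum(intact(sample, n) for n in FRAGMENTS) >= 2


def zero_tail(sample, k):
    """Copy of sample with its last k bytes replaced by zeros."""
    return sample if k == 0 else sample[:-k] + b"\x00" * k


def poke(sample, p):
    """Copy of sample with a single zero byte at offset p."""
    return sample[:p] + b"\x00" + sample[p + 1:]


def locate_tail(sample, scanner, protect=HEADER_LEN):
    """Offset of the last byte of the fragment the scanner currently depends on.

    Zero the tail in 1, 2, 4, 8, ... byte steps (2^n, as in the notes) until the
    verdict flips, then bisect between the last detected and the first undetected
    size. Returns None if the sample is not detected, or never stops being detected.
    """
    if not scanner(sample):
        return None
    limit = len(sample) - protect
    lo, hi = 0, 1  # lo bytes zeroed: still detected
    while hi < limit and scanner(zero_tail(sample, hi)):
        lo, hi = hi, hi * 2
    hi = min(hi, limit)
    if scanner(zero_tail(sample, hi)):
        return None
    while hi - lo > 1:  # invariant: detected at lo, undetected at hi
        mid = (lo + hi) // 2
        if scanner(zero_tail(sample, mid)):
            lo = mid
        else:
            hi = mid
    return len(sample) - hi  # the byte whose destruction flipped the verdict


def locate_head(sample, scanner, tail, protect=HEADER_LEN):
    """Offset of the first byte of the fragment whose last byte is `tail`.

    Everything after `tail` stays zeroed so later fragments cannot interfere, and
    a single zero byte is moved left from `tail` (figures 3 to 5): inside the
    fragment the scanner is quiet, and the first offset where it fires again is
    the byte just before the head. Coarse 2^n jumps first, then byte by byte in
    the last window; the byte-wise pass matters because a jump that lands inside
    an earlier fragment would flip the verdict the wrong way.
    """
    base = sample[:tail + 1] + b"\x00" * (len(sample) - tail - 1)
    inside, step = tail, 1  # `inside` is known to lie within the fragment
    while True:
        p = max(tail - step, protect)
        if scanner(poke(base, p)):
            break  # p is outside the fragment: the head lies in (p, inside]
        if p == protect:
            return protect  # fragment reaches into the protected header region
        inside, step = p, step * 2
    head = inside
    while head - 1 > p and not scanner(poke(base, head - 1)):
        head -= 1
    return head


def locate_all(sample, scanner, protect=HEADER_LEN, max_rounds=32):
    """Locate fragments one at a time, covering each with zeros before the next
    round (figures 6 and 7). Returns the (head, tail) pairs and the final sample."""
    found, work = [], bytes(sample)
    for _ in range(max_rounds):
        tail = locate_tail(work, scanner, protect)
        if tail is None:
            break
        head = locate_head(work, scanner, tail, protect)
        found.append((head, tail))
        work = work[:head] + b"\x00" * (tail - head + 1) + work[tail + 1:]
    return found, work


if __name__ == "__main__":
    spans, cleaned = locate_all(ORIGINAL, detected)
    print("located fragments (head, tail):", spans)
    print("still detected after covering them:", detected(cleaned))
```

On this layout the rounds find b, c, d and e in that order and the sample is then clean; fragment a is never isolated because, once the others are covered, a alone does not trigger the scanner, which is exactly where the notes' procedure stops. Two practical caveats: the bisection assumes the verdict is monotonic in the amount zeroed, which heuristic engines do not guarantee (hence the byte-wise fallback), and the fill byte must differ from the fragment's own bytes, otherwise "covering" changes nothing and the boundary comes out wrong.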