Hi Christal,

I think I have located the code that modifies the PE header. Here is how I did it.

According to the file's import table, there is no API that would let it do that, so it must be calling GetProcAddress itself to find the function addresses. So: breakpoint on the return from GetProcAddress. A little above it there is a push eax that points to the function name string:

--------------------------------------------------byte--------------PROT---(0)--
0167:0043C038 57 72 69 74 65 50 72 6F-63 65 73 73 4D 65 6D 6F WriteProcessMemo
0167:0043C048 72 79 00 43 72 65 61 74-65 46 69 6C 65 41 00 5C ry.CreateFileA.\
0167:0043C058 5C 2E 5C 53 49 43 45 00-5C 5C 2E 5C 54 52 57 2E \.\SICE.\\.\TRW.
0167:0043C068 56 58 44 00 4D 4D 4D 4D-4D 4D 4D 4D 4D 4D 4D 4D VXD.MMMMMMMMMMMM
0167:0043C078 4D 4D 4D 4D 4D 4D 4D 4D-4D 4D 4D 4D 00 43 72 65 MMMMMMMMMMMM.Cre
0167:0043C088 61 74 65 54 68 72 65 61-64 00 00 00 00 00 61 B3 ateThread.....a.
0167:0043C098 43 00 45 78 69 74 54 68-72 65 61 64 00 00 00 00 C.ExitThread....
0167:0043C0A8 00 00 00 00 00 59 EB 01-EA 8B BD 96 10 00 00 EB .....Y..........
0167:0043C0B8 01 B8 89 8D 96 10 00 00-EB 01 E9 51 EB 01 C7 2B ...........Q...+
-------------------------------------------------------------------------PROT32-
015F:0043C0E5 200453         AND [EDX*2+EBX],AL
015F:0043C0E8 50             PUSH EAX <---------------
015F:0043C0E9 EB01           JMP 0043C0EC

Looking at which functions they were, I saw WriteProcessMemory :-))) Very interesting!! Then it stores the address in its code:

015F:0043C118 FFFF           INVALID
015F:0043C11A 8901           MOV [ECX],EAX <--------
015F:0043C11C EB01           JMP 0043C11F

Just put a bpm R at that spot (0043C181) and it breaks here:

EAX=BFF949D5 EBX=0078FC1C ECX=00000000 EDX=81621BE0 ESI=0043C00B
EDI=0078FF9C EBP=0043B000 ESP=0078FC08 EIP=0043B849 o d I S z A P c
CS=015F DS=0167 SS=0167 ES=0167 FS=3B3F GS=0000
--------------------------------------------------byte--------------PROT---(0)--
0167:00400000 4D 5A 90 00 03 00 00 00-04 00 00 00 FF FF 00 00 MZ..............
0167:00400010 B8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
0167:00400020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0167:00400030 00 00 00 00 00 00 00 00-00 00 00 00 D8 00 00 00 ................
0167:00400040 0E 1F BA 0E 00 B4 09 CD-21 B8 01 4C CD 21 54 68 ........!..L.!Th
0167:00400050 69 73 20 70 72 6F 67 72-61 6D 20 63 61 6E 6E 6F is program canno
0167:00400060 74 20 62 65 20 72 75 6E-20 69 6E 20 44 4F 53 20 t be run in DOS 
0167:00400070 6D 6F 64 65 2E 0D 0D 0A-24 00 00 00 00 00 00 00 mode....$.......
0167:00400080 D6 08 55 C1 92 69 3B 92-92 69 3B 92 92 69 3B 92 ..U..i;..i;..i;.
0167:00400090 7A 76 31 92 BF 69 3B 92-11 75 35 92 9E 69 3B 92 zv1..i;..u5..i;.
0167:004000A0 92 69 3B 92 91 69 3B 92-F0 76 28 92 99 69 3B 92 .i;..i;..v(..i;.
0167:004000B0 92 69 3A 92 DC 69 3B 92-7A 76 30 92 9A 69 3B 92 .i:..i;.zv0..i;.
0167:004000C0 2A 6F 3D 92 93 69 3B 92-52 69 63 68 92 69 3B 92 *o=..i;.Rich.i;.
0167:004000D0 00 00 00 00 00 00 00 00-50 45 00 00 4C 01 03 00 ........PE..L...
0167:004000E0 00 00 03 38 90 90 90 90-00 00 00 00 E0 00 0F 01 ...8............
0167:004000F0 0B 01 06 00 00 70 00 00-00 60 01 00 00 00 00 00 .....p...`......
0167:00400100 00 B0 03 00 00 10 00 00-00 80 00 00 00 00 40 00 ..............@.
0167:00400110 00 10 00 00 00 02 00 00-04 00 00 00 00 00 00 00 ................
0167:00400120 04 00 00 00 00 00 00 00-00 E0 03 00 00 04 00 00 ................
0167:00400130 2A 84 00 00 02 00 00 00-00 00 10 00 00 10 00 00 *...............
0167:00400140 00 00 10 00 00 10 00 00-00 00 00 00 10 00 00 00 ................
0167:00400150 00 00 00 00 00 00 00 00-40 C2 03 00 28 00 00 00 ........@...(...
0167:00400160 00 D0 01 00 A8 04 00 00-00 00 00 00 00 00 00 00 ................
0167:00400170 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0167:00400180 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0167:00400190 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0167:004001A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0167:004001B0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0167:004001C0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0167:004001D0 50 45 53 48 69 45 4C 44-00 C0 01 00 00 10 00 00 PESHiELD........
0167:004001E0 00 56 00 00 00 04 00 00-00 00 00 00 00 00 00 00 .V..............
0167:004001F0 00 00 00 00 40 00 00 C0-50 45 53 48 69 45 4C 44 ....@...PESHiELD
0167:00400200 00 E0 01 00 00 D0 01 00-00 08 00 00 00 5A 00 00 .............Z..
0167:00400210 00 00 00 00 00 00 00 00-00 00 00 00 40 00 00 C0 ............@...
0167:00400220 41 4E 41 4B 49 4E 39 38-00 30 00 00 00 B0 03 00 ANAKIN98.0......
0167:00400230 00 14 00 00 00 62 00 00-00 00 00 00 00 00 00 00 .....b..........
0167:00400240 00 00 00 00 40 00 00 C0-00 00 00 00 00 00 00 00 ....@...........
0167:00400250 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0167:00400260 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
-------------------------------------------------------------------------PROT32-
015F:0043B830 53             PUSH EBX
015F:0043B831 FFB5C9110000   PUSH DWORD PTR [EBP+000011C9]
015F:0043B837 8B857D110000   MOV EAX,[EBP+0000117D]
015F:0043B83D E89F040000     CALL 0043BCE1
015F:0043B842 50             PUSH EAX
015F:0043B843 8B8581110000   MOV EAX,[EBP+00001181] <- writeprocessmemory
015F:0043B849 E893040000     CALL 0043BCE1
015F:0043B84E 81C460030000   ADD ESP,00000360
015F:0043B854 80BD3B11000001 CMP BYTE PTR [EBP+0000113B],01
015F:0043B85B 751C           JNZ 0043B879

and after the call:

EAX=00000001 EBX=0078FC1C ECX=CCFA4490 EDX=BFFC9490 ESI=0043C00B
EDI=0078FF9C EBP=0043B000 ESP=0078FC1C EIP=0043B84E o d I s z A p C
CS=015F DS=0167 SS=0167 ES=0167 FS=3B3F GS=0000
--------------------------------------------------byte--------------PROT---(0)--
0167:00400000 4D 5A 00 00 01 00 00 00-02 00 00 00 03 00 00 00 MZ..............
0167:00400010 04 00 00 00 05 00 00 00-06 00 00 00 07 00 00 00 ................
0167:00400020 08 00 00 00 09 00 00 00-0A 00 00 00 0B 00 00 00 ................
0167:00400030 0C 00 00 00 0D 00 00 00-0E 00 00 00 C0 D8 FF FF ................
0167:00400040 01 00 00 00 02 00 00 00-03 00 00 00 04 00 00 00 ................
0167:00400050 05 00 00 00 06 00 00 00-07 00 00 00 08 00 00 00 ................
0167:00400060 09 00 00 00 0A 00 00 00-0B 00 00 00 0C 00 00 00 ................
0167:00400070 0D 00 00 00 0E 00 00 00-0F 00 00 00 10 00 00 00 ................
0167:00400080 11 00 00 00 12 00 00 00-13 00 00 00 14 00 00 00 ................
0167:00400090 15 00 00 00 16 00 00 00-17 00 00 00 18 00 00 00 ................
0167:004000A0 19 00 00 00 1A 00 00 00-1B 00 00 00 1C 00 00 00 ................
0167:004000B0 1D 00 00 00 1E 00 00 00-1F 00 00 00 20 00 00 00 ............ ...
0167:004000C0 21 00 00 00 22 00 00 00-23 00 00 00 24 00 00 00 !..."...#...$...
0167:004000D0 25 00 00 00 26 00 00 00-27 00 00 00 28 00 00 00 %...&...'...(...
0167:004000E0 29 00 00 00 2A 00 00 00-2B 00 00 00 2C 00 00 00 )...*...+...,...
0167:004000F0 2D 00 00 00 2E 00 00 00-2F 00 00 00 30 00 00 00 -......./...0...
0167:00400100 31 00 00 00 32 00 00 00-33 00 00 00 34 00 00 00 1...2...3...4...
0167:00400110 35 00 00 00 36 00 00 00-37 00 00 00 38 00 00 00 5...6...7...8...
0167:00400120 39 00 00 00 3A 00 00 00-3B 00 00 00 3C 00 00 00 9...:...;...<...
0167:00400130 3D 00 00 00 3E 00 00 00-3F 00 00 00 40 00 00 00 =...>...?...@...
0167:00400140 41 00 00 00 42 00 00 00-43 00 00 00 44 00 00 00 A...B...C...D...
0167:00400150 45 00 00 00 46 00 00 00-47 00 00 00 48 00 00 00 E...F...G...H...
0167:00400160 49 00 00 00 4A 00 00 00-4B 00 00 00 4C 00 00 00 I...J...K...L...
0167:00400170 4D 00 00 00 4E 00 00 00-4F 00 00 00 50 00 00 00 M...N...O...P...
0167:00400180 51 00 00 00 52 00 00 00-53 00 00 00 54 00 00 00 Q...R...S...T...
0167:00400190 55 00 00 00 56 00 00 00-57 00 00 00 58 00 00 00 U...V...W...X...
0167:004001A0 59 00 00 00 5A 00 00 00-5B 00 00 00 5C 00 00 00 Y...Z...[...\...
0167:004001B0 5D 00 00 00 5E 00 00 00-5F 00 00 00 60 00 00 00 ]...^..._...`...
0167:004001C0 61 00 00 00 62 00 00 00-63 00 00 00 64 00 00 00 a...b...c...d...
0167:004001D0 65 00 00 00 66 00 00 00-67 00 00 00 68 00 00 00 e...f...g...h...
0167:004001E0 69 00 00 00 6A 00 00 00-6B 00 00 00 6C 00 00 00 i...j...k...l...
0167:004001F0 6D 00 00 00 6E 00 00 00-6F 00 00 00 70 00 00 00 m...n...o...p...
0167:00400200 71 00 00 00 72 00 00 00-73 00 00 00 74 00 00 00 q...r...s...t...
0167:00400210 75 00 00 00 76 00 00 00-77 00 00 00 78 00 00 00 u...v...w...x...
0167:00400220 79 00 00 00 7A 00 00 00-7B 00 00 00 7C 00 00 00 y...z...{...|...
0167:00400230 7D 00 00 00 7E 00 00 00-7F 00 00 00 80 00 00 00 }...~..........
0167:00400240 81 00 00 00 82 00 00 00-83 00 00 00 84 00 00 00 ................
0167:00400250 85 00 00 00 86 00 00 00-87 00 00 00 88 00 00 00 ................
0167:00400260 89 00 00 00 8A 00 00 00-8B 00 00 00 8C 00 00 00 ................
-------------------------------------------------------------------------PROT32-
015F:0043B830 53             PUSH EBX
015F:0043B831 FFB5C9110000   PUSH DWORD PTR [EBP+000011C9]
015F:0043B837 8B857D110000   MOV EAX,[EBP+0000117D]
015F:0043B83D E89F040000     CALL 0043BCE1
015F:0043B842 50             PUSH EAX
015F:0043B843 8B8581110000   MOV EAX,[EBP+00001181]
015F:0043B849 E893040000     CALL 0043BCE1 <----------------- :-((
015F:0043B84E 81C460030000   ADD ESP,00000360

It has wrecked the whole PE header, hehehe. There you go, I think this should help you.

See you soon,

PS: I did this following DeCSS.

SV
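Added example (not from the message above, nor from PESHiELD or DeCSS): a small Python checker that parses the IMAGE_DOS_HEADER, the PE signature and the IMAGE_FILE_HEADER of an in-memory image and reports why a copy whose header looks like the second dump cannot be loaded or rebuilt from the header alone. The bytes of the intact header are transcribed from the first dump at 0x400000; the wiped header is constructed to follow the second dump (MZ, then DWORDs counting up, with C0 D8 FF FF at e_lfanew). Reading that fill as a counter and treating the e_lfanew value as deliberate is my interpretation of the dump, not something the message states.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
DOS_HEADER_SIZE = 0x40
FILE_HEADER_SIZE = 20

# Offsets 0x00-0x3F of the image at 0x400000, transcribed from the first dump in the message.
DOS_HEADER = bytes.fromhex(
    "4D5A90000300000004000000FFFF0000"
    "B8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "000000000000000000000000D8000000"
)
# PE signature + IMAGE_FILE_HEADER as dumped at 0x4000D8-0x4000EF, followed by the
# first two bytes of the optional header (Magic = 0x10B) dumped at 0x4000F0.
NT_HEADERS_START = bytes.fromhex("504500004C0103000000033890909090" "00000000E0000F01" "0B01")
# Constructed: the remaining 0xDE bytes of the 0xE0-byte optional header are zero-filled,
# since the checks below do not need them.
ORIGINAL_HEADER = DOS_HEADER + bytes(0xD8 - DOS_HEADER_SIZE) + NT_HEADERS_START + bytes(0xE0 - 2)


def wiped_header_like_post(size=0x200):
    """Constructed to follow the second dump: 'MZ', DWORDs counting 1, 2, 3, ...
    with C0 D8 FF FF at e_lfanew (0x3C) and the counter restarting at 0x40."""
    buf = bytearray(b"MZ\x00\x00")
    for n in range(1, 15):                  # fills 0x04..0x3B
        buf += struct.pack("<I", n)
    buf += struct.pack("<I", 0xFFFFD8C0)    # e_lfanew as seen in the dump
    n = 1
    while len(buf) < size:
        buf += struct.pack("<I", n)
        n += 1
    return bytes(buf)


def parse_file_header(image, e_lfanew):
    """IMAGE_FILE_HEADER fields, starting 4 bytes after the PE signature."""
    fields = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    names = ("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
             "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics")
    return dict(zip(names, fields))


def check_pe_header(image):
    """Return a list of findings; an empty list means the header parses as a PE32 image."""
    findings = []
    if len(image) < DOS_HEADER_SIZE:
        return ["image shorter than IMAGE_DOS_HEADER"]
    e_magic, = struct.unpack_from("<H", image, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        findings.append("e_magic is not 'MZ'")
    # e_lfanew is a LONG: a negative value is as unusable as one past the end of the image.
    e_lfanew, = struct.unpack_from("<i", image, 0x3C)
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + 4 + FILE_HEADER_SIZE > len(image):
        findings.append("e_lfanew 0x%08X points outside the image" % (e_lfanew & 0xFFFFFFFF))
        return findings
    signature, = struct.unpack_from("<I", image, e_lfanew)
    if signature != IMAGE_NT_SIGNATURE:
        findings.append("no 'PE\\0\\0' signature at e_lfanew")
        return findings
    fh = parse_file_header(image, e_lfanew)
    if fh["Machine"] != IMAGE_FILE_MACHINE_I386:
        findings.append("unexpected Machine 0x%04X" % fh["Machine"])
    if not 1 <= fh["NumberOfSections"] <= 96:
        findings.append("implausible NumberOfSections %d" % fh["NumberOfSections"])
    opt_off = e_lfanew + 4 + FILE_HEADER_SIZE
    if fh["SizeOfOptionalHeader"] < 2 or opt_off + fh["SizeOfOptionalHeader"] > len(image):
        findings.append("optional header runs past the end of the image")
        return findings
    magic, = struct.unpack_from("<H", image, opt_off)
    if magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        findings.append("optional header Magic 0x%04X is not PE32" % magic)
    return findings


def looks_like_counter_fill(image, start=4, count=8):
    """True when `count` consecutive DWORDs from `start` step by exactly 1,
    the fill pattern visible after the WriteProcessMemory call in the message."""
    values = struct.unpack_from("<%dI" % count, image, start)
    return all(b - a == 1 for a, b in zip(values, values[1:]))


if __name__ == "__main__":
    for name, img in (("original", ORIGINAL_HEADER), ("wiped", wiped_header_like_post())):
        print(name, check_pe_header(img) or "header OK", "| counter fill:", looks_like_counter_fill(img))
```

The point of the two checks is that a process dump taken after the call in the message keeps only the two bytes "MZ": e_lfanew, the section table (PESHiELD, ANAKIN98) and the optional header are gone, so anyone rebuilding the image has to take those from the file on disk or from the dump taken before the call, as the message does.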