Modify an .exe file
Last reply: in Programming
Hello, let me explain.
A really annoying MSN virus, Fotofesta.exe, is starting to spread to everyone.
I unpacked it because it was UPX-packed, then with win32DASM I can see which DLLs it does things with, but I can't see what it does:
* Reference To: KERNEL32.WriteFile, Ord:0100h
|
:00401180 FF2580614100 Jmp dword ptr [00416180]
:00401186 8BC0 mov eax, eax
* Referenced by a CALL at Address:
|:0040495B
|
It has lines like the one above. If someone could tell me how to "decrypt" them, or give a link to a tutorial on decrypting them, that would be great.
EAX is the 32-bit accumulator register (AX is the low 16 bits of EAX, AH is the high 8 bits of AX and AL is the low 8 bits of AX).
Registers are small memory areas inside the CPU. Some are specialised, such as ESP (SP in 16-bit = Stack Pointer, which indicates the address of the instruction to execute).
Ah OK, so it's there to confuse people.
These hackers aren't stupid.
Well, I'll find a line without a jump and copy it for you ^^
OK, here, I'll copy the beginning for you:
+++++++++++++++++++ IMPORTED FUNCTIONS ++++++++++++++++++
Number of Imported Modules = 12 (decimal)
Import Module 001: KERNEL32.DLL
Import Module 002: KERNEL32.DLL
Import Module 003: KERNEL32.DLL
Import Module 004: KERNEL32.DLL
Import Module 005: advapi32.dll
Import Module 006: advapi32.dll
Import Module 007: oleaut32.dll
Import Module 008: oleaut32.dll
Import Module 009: URLMON.DLL
Import Module 010: user32.dll
Import Module 011: user32.dll
Import Module 012: wininet.dll
+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++
Import Module 001: KERNEL32.DLL
Addr:0001D007 hint(0100) Name: Sleep
Import Module 002: KERNEL32.DLL
Addr:0001D017 hint(0100) Name: WriteFile
Addr:0001D022 hint(0100) Name: WinExec
Addr:0001D02B hint(0100) Name: WaitForSingleObject
Addr:0001D040 hint(0100) Name: VirtualQuery
Addr:0001D04E hint(0100) Name: SetFilePointer
Addr:0001D05E hint(0100) Name: SetEvent
Addr:0001D068 hint(0100) Name: SetEndOfFile
Addr:0001D076 hint(0100) Name: ResetEvent
Addr:0001D082 hint(0100) Name: ReadFile
Addr:0001D08C hint(0100) Name: MoveFileA
Addr:0001D097 hint(0100) Name: LeaveCriticalSection
Addr:0001D0AD hint(0100) Name: InitializeCriticalSection
Addr:0001D0C8 hint(0100) Name: GetVersionExA
Addr:0001D0D7 hint(0100) Name: GetThreadLocale
Addr:0001D0E8 hint(0100) Name: GetSystemDirectoryA
Addr:0001D0FD hint(0100) Name: GetStringTypeExA
Addr:0001D10F hint(0100) Name: GetStdHandle
Addr:0001D11D hint(0100) Name: GetProcAddress
Addr:0001D12D hint(0100) Name: GetModuleHandleA
Addr:0001D13F hint(0100) Name: GetModuleFileNameA
Addr:0001D153 hint(0100) Name: GetLocaleInfoA
Addr:0001D163 hint(0100) Name: GetLocalTime
Addr:0001D171 hint(0100) Name: GetLastError
Addr:0001D17F hint(0100) Name: GetFullPathNameA
Addr:0001D191 hint(0100) Name: GetDiskFreeSpaceA
Addr:0001D1A4 hint(0100) Name: GetDateFormatA
Addr:0001D1B4 hint(0100) Name: GetCurrentThreadId
Addr:0001D1C8 hint(0100) Name: GetCPInfo
Addr:0001D1D3 hint(0100) Name: GetACP
Addr:0001D1DB hint(0100) Name: FormatMessageA
Addr:0001D1EB hint(0100) Name: FindNextFileA
Addr:0001D1FA hint(0100) Name: FindFirstFileA
Addr:0001D20A hint(0100) Name: FindClose
Addr:0001D215 hint(0100) Name: FileTimeToLocalFileTime
Addr:0001D22E hint(0100) Name: FileTimeToDosDateTime
Addr:0001D245 hint(0100) Name: EnumCalendarInfoA
Addr:0001D258 hint(0100) Name: EnterCriticalSection
Addr:0001D26E hint(0100) Name: DeleteFileA
Addr:0001D27B hint(0100) Name: DeleteCriticalSection
Addr:0001D292 hint(0100) Name: CreateMutexA
Addr:0001D2A0 hint(0100) Name: CreateFileA
Addr:0001D2AD hint(0100) Name: CreateEventA
Addr:0001D2BB hint(0100) Name: CompareStringA
Addr:0001D2CB hint(0100) Name: CloseHandle
Import Module 003: KERNEL32.DLL
Addr:0001D2E1 hint(0100) Name: TlsSetValue
Addr:0001D2EE hint(0100) Name: TlsGetValue
Addr:0001D2FB hint(0100) Name: LocalAlloc
Addr:0001D307 hint(0100) Name: GetModuleHandleA
Import Module 004: KERNEL32.DLL
Addr:0001D322 hint(0100) Name: DeleteCriticalSection
Addr:0001D339 hint(0100) Name: LeaveCriticalSection
Addr:0001D34F hint(0100) Name: EnterCriticalSection
Addr:0001D365 hint(0100) Name: InitializeCriticalSection
Addr:0001D380 hint(0100) Name: VirtualFree
Addr:0001D38D hint(0100) Name: VirtualAlloc
Addr:0001D39B hint(0100) Name: LocalFree
Addr:0001D3A6 hint(0100) Name: LocalAlloc
Addr:0001D3B2 hint(0100) Name: GetTickCount
Addr:0001D3C0 hint(0100) Name: QueryPerformanceCounter
Addr:0001D3D9 hint(0100) Name: GetVersion
Addr:0001D3E5 hint(0100) Name: GetCurrentThreadId
Addr:0001D3F9 hint(0100) Name: InterlockedDecrement
Addr:0001D40F hint(0100) Name: InterlockedIncrement
Addr:0001D425 hint(0100) Name: VirtualQuery
Addr:0001D433 hint(0100) Name: WideCharToMultiByte
Addr:0001D448 hint(0100) Name: MultiByteToWideChar
Addr:0001D45D hint(0100) Name: lstrlenA
Addr:0001D467 hint(0100) Name: lstrcpynA
Addr:0001D472 hint(0100) Name: LoadLibraryExA
Addr:0001D482 hint(0100) Name: GetThreadLocale
Addr:0001D493 hint(0100) Name: GetStartupInfoA
Addr:0001D4A4 hint(0100) Name: GetProcAddress
Addr:0001D4B4 hint(0100) Name: GetModuleHandleA
Addr:0001D4C6 hint(0100) Name: GetModuleFileNameA
Addr:0001D4DA hint(0100) Name: GetLocaleInfoA
Addr:0001D4EA hint(0100) Name: GetCommandLineA
Addr:0001D4FB hint(0100) Name: FreeLibrary
Addr:0001D508 hint(0100) Name: FindFirstFileA
Addr:0001D518 hint(0100) Name: FindClose
Addr:0001D523 hint(0100) Name: ExitProcess
Addr:0001D530 hint(0100) Name: WriteFile
Addr:0001D53B hint(0100) Name: UnhandledExceptionFilter
Addr:0001D555 hint(0100) Name: RtlUnwind
Addr:0001D560 hint(0100) Name: RaiseException
Addr:0001D570 hint(0100) Name: GetStdHandle
Import Module 005: advapi32.dll
Addr:0001D587 hint(0100) Name: RegSetValueExA
Addr:0001D597 hint(0100) Name: RegOpenKeyExA
Addr:0001D5A6 hint(0100) Name: RegFlushKey
Addr:0001D5B3 hint(0100) Name: RegCreateKeyExA
Addr:0001D5C4 hint(0100) Name: RegCloseKey
Import Module 006: advapi32.dll
Addr:0001D5DA hint(0100) Name: RegQueryValueExA
Addr:0001D5EC hint(0100) Name: RegOpenKeyExA
Addr:0001D5FB hint(0100) Name: RegCloseKey
Import Module 007: oleaut32.dll
Addr:0001D611 hint(0100) Name: SafeArrayPtrOfIndex
Addr:0001D626 hint(0100) Name: SafeArrayGetUBound
Addr:0001D63A hint(0100) Name: SafeArrayGetLBound
Addr:0001D64E hint(0100) Name: SafeArrayCreate
Addr:0001D65F hint(0100) Name: VariantChangeType
Addr:0001D672 hint(0100) Name: VariantCopy
Addr:0001D67F hint(0100) Name: VariantClear
Addr:0001D68D hint(0100) Name: VariantInit
Import Module 008: oleaut32.dll
Addr:0001D6A3 hint(0100) Name: SysFreeString
Addr:0001D6B2 hint(0100) Name: SysReAllocStringLen
Addr:0001D6C7 hint(0100) Name: SysAllocStringLen
Import Module 009: URLMON.DLL
Addr:0001D6E3 hint(0100) Name: URLDownloadToFileA
Import Module 010: user32.dll
Addr:0001D700 hint(0100) Name: GetKeyboardType
Addr:0001D711 hint(0100) Name: LoadStringA
Addr:0001D71E hint(0100) Name: MessageBoxA
Addr:0001D72B hint(0100) Name: CharNextA
Import Module 011: user32.dll
Addr:0001D73F hint(0100) Name: MessageBoxA
Addr:0001D74C hint(0100) Name: LoadStringA
Addr:0001D759 hint(0100) Name: GetSystemMetrics
Addr:0001D76B hint(0100) Name: CharNextA
Addr:0001D776 hint(0100) Name: CharToOemA
Import Module 012: wininet.dll
Addr:0001D78B hint(0100) Name: FindNextUrlCacheEntryA
Addr:0001D7A3 hint(0100) Name: FindFirstUrlCacheEntryA
Addr:0001D7BC hint(0100) Name: FindCloseUrlCache
Addr:0001D7CF hint(0100) Name: DeleteUrlCacheEntry
+++++++++++++++++++ EXPORTED FUNCTIONS ++++++++++++++++++
Number of Exported Functions = 0000 (decimal)
+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object BRAT0 **************
Program Entry Point = 00412C28 (FOTOFEST.exe File Offset:00012C28)
:00401000 0410 add al, 10
:00401002 40 inc eax
:00401003 000A add byte ptr [edx], cl
:00401005 06 push es
:00401006 53 push ebx
:00401007 7472 je 0040107B
:00401009 696E6758104000 imul ebp, dword ptr [esi+67], 00401058
:00401010 00000000000000000000 BYTE 10 DUP(0)
:0040101A 00000000000000000000 BYTE 10 DUP(0)
:00401024 0000000000000000 BYTE 8 DUP(0)
:0040102C 58 pop eax
:0040102D 104000 adc byte ptr [eax+00], al
:00401030 0400 add al, 00
:00401032 000000000000 BYTE 6 DUP(0)
:00401038 A4304000 DWORD 004030A4
:0040103C B0304000 DWORD 004030B0
:00401040 B4304000 DWORD 004030B4
:00401044 B8304000 DWORD 004030B8
:00401048 AC304000 DWORD 004030AC
:0040104C 302E4000 DWORD 00402E30
:00401050 4C2E4000 DWORD 00402E4C
:00401054 882E4000 DWORD 00402E88
:00401058 07 pop es
:00401059 54 push esp
:0040105A 4F dec edi
:0040105B 626A65 bound ebp, dword ptr [edx+65]
:0040105E 63746410 arpl dword ptr [esp+10], esi
:00401062 40 inc eax
:00401063 0007 add byte ptr [edi], al
:00401065 07 pop es
:00401066 54 push esp
:00401067 4F dec edi
:00401068 626A65 bound ebp, dword ptr [edx+65]
:0040106B 63745810 arpl dword ptr [eax+2*ebx+10], esi
:0040106F 40 inc eax
:00401070 00000000000000 BYTE 7 DUP(0)
:00401077 06 push es
:00401078 53 push ebx
:00401079 7973 jns 004010EE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401007(C)
|
:0040107B 7465 je 004010E2
:0040107D 6D insd
:0040107E 0000 add byte ptr [eax], al
:00401080 8410 test byte ptr [eax], dl
:00401082 40 inc eax
:00401083 000F add byte ptr [edi], cl
:00401085 0A4949 or cl, byte ptr [ecx+49]
:00401088 6E outsb
:00401089 7465 je 004010F0
:0040108B 7266 jb 004010F3
:0040108D 61 popad
:0040108E 636500 arpl dword ptr [ebp+00], esp
:00401091 000000 BYTE 3 DUP(0)
:00401094 0100 add dword ptr [eax], eax
:00401096 00000000000000 BYTE 7 DUP(0)
:0040109D C00000 rol byte ptr [eax], 00
:004010A0 00000000 BYTE 4 DUP(0)
:004010A4 46 inc esi
:004010A5 06 push es
:004010A6 53 push ebx
:004010A7 7973 jns 0040111C
:004010A9 7465 je 00401110
:004010AB 6D insd
:004010AC 0300 add eax, dword ptr [eax]
:004010AE FFFF BYTE 2 DUP(0ffh)
:004010B0 CC int 03
:004010B1 83442404F8 add dword ptr [esp+04], FFFFFFF8
:004010B6 E9B53E0000 jmp 00404F70
:004010BB 83442404F8 add dword ptr [esp+04], FFFFFFF8
:004010C0 E9D33E0000 jmp 00404F98
:004010C5 83442404F8 add dword ptr [esp+04], FFFFFFF8
:004010CA E9DD3E0000 jmp 00404FAC
:004010CF CC int 03
:004010D0 CC int 03
:004010D1 B1104000 DWORD 004010B1
:004010D5 BB104000 DWORD 004010BB
:004010D9 C5104000 DWORD 004010C5
:004010DD 0100 add dword ptr [eax], eax
:004010DF 00000000000000000000 BYTE 10 DUP(0)
:004010E9 C00000 rol byte ptr [eax], 00
:004010EC 00000000 BYTE 4 DUP(0)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401089(C)
|
:004010F0 46 inc esi
:004010F1 D110 rcl dword ptr [eax], 1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040108B(C)
|
:004010F3 40 inc eax
:004010F4 0008 add byte ptr [eax], cl
:004010F6 00000000000000 BYTE 7 DUP(0)
:004010FD 8D4000 lea eax, dword ptr [eax+00]
:00401100 4C114000 DWORD 0040114C
:00401104 DD104000 DWORD 004010DD
:00401108 00000000000000000000 BYTE 10 DUP(0)
:00401112 00000000000000000000 BYTE 10 DUP(0)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010A7(C)
|
:0040111C 00000000 BYTE 4 DUP(0)
:00401120 4C dec esp
:00401121 114000 adc dword ptr [eax+00], eax
:00401124 0C00 or al, 00
:00401126 0000 add byte ptr [eax], al
:00401128 0C104000 DWORD 0040100C
:0040112C A4304000 DWORD 004030A4
:00401130 444F4000 DWORD 00404F44
:00401134 504F4000 DWORD 00404F50
:00401138 B8304000 DWORD 004030B8
:0040113C AC304000 DWORD 004030AC
:00401140 604F4000 DWORD 00404F60
:00401144 4C2E4000 DWORD 00402E4C
:00401148 882E4000 DWORD 00402E88
:0040114C 1154496E adc dword ptr [ecx+2*ecx+6E], edx
:00401150 7465 je 004011B7
:00401152 7266 jb 004011BA
:00401154 61 popad
:00401155 636564 arpl dword ptr [ebp+64], esp
:00401158 4F dec edi
:00401159 626A65 bound ebp, dword ptr [edx+65]
:0040115C 63748BC0 arpl dword ptr [ebx+4*ecx-40], esi
* Referenced by a CALL at Addresses:
|:00403809 , :00403824
|
Otherwise, isn't there something simpler, a program that decodes all of this, like: First action: add value X to key Y ...
because this =) isn't even a tenth of the file.
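The question above asks for a tool that says what the program does, and the first post asks what the `jmp dword ptr [00416180]` lines are. Both come down to the import table: that `jmp` is a thunk through the Import Address Table, a slot the Windows loader fills with the real address of KERNEL32.WriteFile at load time, and the "IMPORTED FUNCTIONS" part of the listing is W32Dasm walking that same table. Reading it is the usual first triage step, because a downloader that also writes the registry and creates a mutex is recognisable from the names alone. The script below is an added example, not code from the thread or from the analysed file: it builds a small PE32 image inline (a constructed sample carrying a subset of the names from the listing above), walks its import directory the way the loader does, and groups the names with a triage map that is my own heuristic (the group names and the extra API names in it are assumptions, not something the thread states).

```python
import struct

# Layout constants for the constructed sample image (assumptions, not values from Fotofesta.exe)
IMAGE_BASE, SEC_RVA, SEC_RAW = 0x400000, 0x1000, 0x200

# Constructed sample: four DLLs and a subset of the names in the W32Dasm import listing above
SAMPLE = {
    "KERNEL32.DLL": ["WinExec", "CreateMutexA", "GetSystemDirectoryA", "MoveFileA",
                     "CreateFileA", "WriteFile"],
    "advapi32.dll": ["RegSetValueExA", "RegCreateKeyExA"],
    "URLMON.DLL": ["URLDownloadToFileA"],
    "wininet.dll": ["DeleteUrlCacheEntry"],
}

# Hypothetical triage map: which API names hint at which behaviour. A lead to check, not proof.
CAPABILITIES = {
    "download": {"URLDownloadToFileA", "InternetOpenUrlA", "InternetReadFile"},
    "execute": {"WinExec", "CreateProcessA", "ShellExecuteA"},
    "persistence (registry)": {"RegSetValueExA", "RegCreateKeyExA"},
    "single-instance mutex": {"CreateMutexA"},
    "drop file": {"CreateFileA", "WriteFile", "MoveFileA", "GetSystemDirectoryA"},
    "cover tracks": {"DeleteUrlCacheEntry", "DeleteFileA"},
}


def build_pe(imports):
    """Build a minimal PE32 file whose only section is an import directory (constructed sample)."""
    sec = bytearray(20 * (len(imports) + 1))       # IMAGE_IMPORT_DESCRIPTORs + zero terminator
    descs = []
    for dll, funcs in imports.items():
        names = []
        for f in funcs:                            # IMAGE_IMPORT_BY_NAME: 2-byte hint + ASCIIZ name
            names.append(SEC_RVA + len(sec))
            sec += struct.pack("<H", 0) + f.encode() + b"\0"
            sec += b"\0" * (-len(sec) % 4)
        ilt = SEC_RVA + len(sec)                   # Import Lookup Table (OriginalFirstThunk)
        sec += b"".join(struct.pack("<I", r) for r in names) + b"\0\0\0\0"
        iat = SEC_RVA + len(sec)                   # Import Address Table: same RVAs until loaded
        sec += b"".join(struct.pack("<I", r) for r in names) + b"\0\0\0\0"
        dll_rva = SEC_RVA + len(sec)
        sec += dll.encode() + b"\0"
        sec += b"\0" * (-len(sec) % 4)
        descs.append((ilt, 0, 0, dll_rva, iat))
    for i, d in enumerate(descs):
        struct.pack_into("<5I", sec, 20 * i, *d)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBB9I", 0x10B, 0, 0, 0, len(sec), 0, SEC_RVA, SEC_RVA, SEC_RVA,
                      IMAGE_BASE, 0x1000, SEC_RAW)
    opt += struct.pack("<6H4I2H4I2I", 4, 0, 0, 0, 4, 0, 0, 0x2000, SEC_RAW, 0, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (SEC_RVA, 20 * (len(imports) + 1))                     # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8s6I2HI", b".idata", len(sec), SEC_RVA, len(sec), SEC_RAW,
                       0, 0, 0, 0, 0xC0000040)
    return (dos + coff + opt + sect).ljust(SEC_RAW, b"\0") + bytes(sec)


def parse_imports(pe):
    """Walk the import directory of a PE32 file and return {dll: [function, ...]}."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    imp_rva = struct.unpack_from("<I", pe, opt + 96 + 8)[0]          # data directory entry 1
    shdr = opt + opt_size
    sections = [struct.unpack_from("<IIII", pe, shdr + 40 * i + 8) for i in range(nsec)]

    def off(rva):                                  # RVA -> file offset through the section table
        for vsize, va, rawsize, raw in sections:
            if va <= rva < va + max(vsize, rawsize):
                return raw + rva - va
        raise ValueError(f"RVA {rva:#x} is outside every section")

    def cstr(rva):
        o = off(rva)
        return pe[o:pe.index(b"\0", o)].decode("ascii")

    result = {}
    desc = off(imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<5I", pe, desc)
        if name_rva == 0:                          # an all-zero descriptor ends the list
            break
        funcs, thunk = [], off(ilt or iat)         # fall back to the IAT if the ILT was stripped
        while (entry := struct.unpack_from("<I", pe, thunk)[0]) != 0:
            if entry & 0x80000000:                 # import by ordinal
                funcs.append(f"#{entry & 0xFFFF}")
            else:                                  # import by name: skip the 2-byte hint
                funcs.append(cstr(entry + 2))
            thunk += 4
        result.setdefault(cstr(name_rva), []).extend(funcs)
        desc += 20
    return result


def triage(imports):
    """Flatten the import map and report which behaviour groups it touches."""
    seen = {f for funcs in imports.values() for f in funcs}
    return {cap: sorted(seen & apis) for cap, apis in CAPABILITIES.items() if seen & apis}


if __name__ == "__main__":
    found = parse_imports(build_pe(SAMPLE))
    for dll, funcs in found.items():
        print(dll, ", ".join(funcs))
    for cap, apis in triage(found).items():
        print(f"{cap:24} {' '.join(apis)}")
```

Run it as is and it prints the four DLLs and the groups "download", "execute", "persistence (registry)", "single-instance mutex", "drop file" and "cover tracks"; point `parse_imports` at the bytes of a real unpacked file to get the same list as W32Dasm's import section, which is also what `dumpbin /imports` prints. Two caveats for a packed sample: run it on the unpacked file, because a UPX stub imports almost nothing (the real names only appear after unpacking), and treat the groups as leads. The names tell you where to look, not what the program does; the answer to "which value goes into which key" is in the code that calls RegSetValueExA, which W32Dasm reaches from the "Referenced by a CALL at Address" lines, or in a run under a debugger or a registry/file monitor.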
That's when you'll realise that the total size of the program is roughly a million times more code.
Let me explain: when you do a jump or a call, it goes into the code that starts at the given address.
And since in computing there are functions that call functions that call functions... in total that adds up to a lot.
Also, next to the assembly code you can see the corresponding hexadecimal machine code. A program is loaded into memory. So part of that memory contains the program's bytes (for example 63 74 8B C0), which therefore mean something. Then there is all the rest of memory, which does not belong to the program, but since the disassembler ultimately doesn't distinguish between what is part of the program and what isn't, you end up with bytes of random values, for example 80 C0, which would in fact just be data but which also corresponds to an assembly instruction (MOV AX,AX).
All that to say that the MOV EAX,EAX isn't deliberate; it's just that, since it's a part that will never be executed, it may be program data that doesn't correspond to assembly code.
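On the point in the reply above that a disassembler cannot tell code from data, the listing itself is a good illustration. The bytes at 0x00401058 that W32Dasm prints as `pop es / push esp / dec edi / bound ebp, ... / arpl ...` are 07 54 4F 62 6A 65 63 74: a length byte followed by the ASCII text "TObject". The same goes for 06 "String" at 0x00401005, 06 "System" at 0x00401077 and 0x004010A5, 0A "IInterface" at 0x00401085 and 11 "TInterfacedObject" at 0x0040114C. That is the length-prefixed ShortString layout of Object Pascal, and TObject, TInterfacedObject, IInterface and System are names from the Delphi run-time library, which fits the oleaut32 Variant and SysAllocStringLen imports higher up; this is my reading of the listing, not something the thread states. The script below is an added example, not code from the thread: it carries the bytes transcribed from the hex column of the listing (0x00401000 to 0x004010AF and 0x0040114C to 0x0040115F), recovers the strings, and lists the three places that hold a pointer to 0x00401058, which is why the disassembler prints `pop eax / adc` at 0x0040102C. The address comments in the code are likewise my interpretation.

```python
# Bytes transcribed from the hex column of the W32Dasm listing above (object BRAT0).
# The comments give my reading of each field; they are not annotations from the thread.
BASE = 0x00401000
LISTING = bytes.fromhex(
    "04104000"                                   # 0x401000  pointer to 0x401004
    + "0A06537472696E6758104000"                 # 0x401004  0A, 06 "String", pointer to 0x401058
    + "00" * 28                                  # 0x401010  zeros
    + "58104000"                                 # 0x40102C  pointer to 0x401058
    + "0400000000000000"                         # 0x401030
    + "A4304000B0304000B4304000B8304000"         # 0x401038  eight pointers into the code
    + "AC304000302E40004C2E4000882E4000"
    + "07544F626A656374"                         # 0x401058  07 "TObject"
    + "64104000"                                 # 0x401060  pointer to 0x401064
    + "0707544F626A65637458104000"               # 0x401064  07, 07 "TObject", pointer to 0x401058
    + "00" * 6                                   # 0x401071
    + "0653797374656D0000"                       # 0x401077  06 "System"
    + "84104000"                                 # 0x401080  pointer to 0x401084
    + "0F0A49496E74657266616365"                 # 0x401084  0F, 0A "IInterface"
    + "00000000"                                 # 0x401090
    + "01" + "00" * 8 + "C0" + "00" * 6 + "46"   # 0x401094  01, then 00..00 C0 00..00 46
    + "0653797374656D"                           # 0x4010A5  06 "System"
    + "0300FFFF"                                 # 0x4010AC
)
LISTING2_BASE = 0x0040114C
LISTING2 = bytes.fromhex("1154496E74657266616365644F626A6563748BC0")   # 11 "TInterfacedObject" 8B C0


def short_strings(blob, base, min_len=4):
    """Object Pascal ShortString scan: a length byte followed by that many printable bytes."""
    found, i = [], 0
    while i < len(blob):
        n = blob[i]
        s = blob[i + 1:i + 1 + n]
        if n >= min_len and len(s) == n and all(0x20 <= b < 0x7F for b in s):
            found.append((base + i, s.decode("ascii")))
            i += 1 + n            # skip the string so its own bytes are not rescanned as lengths
        else:
            i += 1
    return found


def dword_refs(blob, base, target):
    """Offsets (aligned or not) holding a little-endian DWORD equal to target."""
    needle = target.to_bytes(4, "little")
    return [base + i for i in range(len(blob) - 3) if blob[i:i + 4] == needle]


if __name__ == "__main__":
    for addr, text in short_strings(LISTING, BASE) + short_strings(LISTING2, LISTING2_BASE):
        print(f"{addr:08X}  {text}")
    for addr in dword_refs(LISTING, BASE, 0x00401058):
        print(f"{addr:08X}  -> 00401058")
```

The practical consequence for this listing: the region from 0x00401000 onwards is compiler metadata for the Delphi run-time (the 8B C0 `mov eax, eax` after "TInterfacedObject" is a two-byte filler that brings the next item to a 4-byte boundary, not obfuscation), so reading the file from the top of the code object means reading the run-time library first. Start from the program entry point the listing gives (00412C28) and from the "Referenced by a CALL at Address" lines under the imports that matter (URLDownloadToFileA, WinExec, RegSetValueExA, CreateMutexA), which lead straight to the author's own code.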