常见程序OEP处代码整理Word下载.docx
; Tail of an entry stub: a new exception-registration record is linked into
; the chain whose head is FS:[0], then 58h bytes of stack are reserved.
; The start of the stub (everything before 00496EC7) is not on the page.
; A '>' at the end of the hex column is the debugger's truncation mark.
00496EC7  |.  64:A10000000>     MOV EAX,DWORD PTR FS:[0]       ; EAX = current head of the handler chain
00496ECD  |.  50                PUSH EAX                       ; stored as the new record's "previous" link
00496ECE  |.  64:892500000>     MOV DWORD PTR FS:[0],ESP       ; the record just built on the stack becomes the head
00496ED5  |.  83EC58            SUB ESP,58                     ; stack space for locals
Microsoft Visual C++ 6.0 [Overlay] E语言
; Entry stub of the sample "Nisy521": frame setup, then PUSH -1 and two
; addresses inside the module, followed by the FS:[0] sequence.
; The two pushed addresses belong to this binary only (the other Visual C++
; listing on the page pushes different ones), so only the opcode bytes
; 55 8B EC 6A FF 68 are usable as a pattern.
00403831 >/$  55                PUSH EBP
00403832  |.  8BEC              MOV EBP,ESP
00403834  |.  6AFF              PUSH -1
00403836  |.  68F0624000        PUSH Nisy521.004062F0
0040383B  |.  68A44C4000        PUSH Nisy521.00404CA4          ; debugger comment text is missing on the page
; The next line is cut on the page. It occupies 6 bytes (00403840..00403845),
; which fits 64:A1 00000000 = MOV EAX,DWORD PTR FS:[0] -- unconfirmed.
00403840  |.  64:
00403846  |.  50                PUSH EAX
; Cut on the page as well; presumably the MOV DWORD PTR FS:[0],ESP that the
; fragment at 00496ECE shows -- unconfirmed.
00403847  |.  64:
Microsoft Visual Basic 5.0/6.0
; Visual Basic 5.0/6.0 entry: push one address inside the module, then call
; ThunRTMain in msvbvm60 through an import thunk.
; NOTE(review): the bytes after the call (00 00 ... 30 00) are probably data
; that the debugger decoded linearly as ADD/XOR -- confirm before using them
; as part of a byte pattern.
00401FBC >    68D0D44000        push dumped_.0040D4D0
00401FC1      E8EEFFFFFF        call <jmp.&msvbvm60.ThunRTMain>
00401FC6      0000              add byte ptr ds:[eax],al
; From here on the operand text is missing on the page; the bytes 00 00 and
; 30 00 encode ADD / XOR byte ptr [eax],al.
00401FC8      0000              add byte ptr ds:
00401FCA      0000              add byte ptr ds:
00401FCC      3000              xor byte ptr ds:
00401FCE      0000              add byte ptr ds:
BC++
; Borland C++ entry of the sample "BCLOCK". The short jump (EB 10) skips
; sixteen bytes that are data, not code: ten bytes of ASCII "fb:C++HOOK",
; a NOP, an E9 byte and a dword pointing at ___CPPdebugHook.
; Execution continues at 0040164E.
0040163C > $ /EB10              JMP SHORT BCLOCK.0040164E
0040163E     |66                DB 66                          ; CHAR 'f'
0040163F     |62                DB 62                          ; CHAR 'b'
00401640     |3A                DB 3A                          ; CHAR ':'
00401641     |43                DB 43                          ; CHAR 'C'
00401642     |2B                DB 2B                          ; CHAR '+'
00401643     |2B                DB 2B                          ; CHAR '+'
00401644     |48                DB 48                          ; CHAR 'H'
00401645     |4F                DB 4F                          ; CHAR 'O'
00401646     |4F                DB 4F                          ; CHAR 'O'
00401647     |4B                DB 4B                          ; CHAR 'K'
00401648     |90                NOP
00401649     |E9                DB E9
0040164A   . |98E04E00          DD OFFSET BCLOCK.___CPPdebugHook
; Jump target: load a global, multiply it by 4 (SHL 2), store the result in
; a second global, then fetch the handle of the main module.
0040164E   > \A18BE04E00        MOV EAX,DWORD PTR DS:[4EE08B]
00401653   .  C1E002            SHL EAX,2
00401656   .  A38FE04E00        MOV DWORD PTR DS:[4EE08F],EAX
0040165B   .  52                PUSH EDX
0040165C   .  6A00              PUSH 0                         ; /pModule = NULL
0040165E   .  E8DFBC0E00        CALL <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
00401663   .  8BD0              MOV EDX,EAX                    ; keep the returned handle in EDX
Dasm:
; Entry of a program written directly in assembler: the results of two API
; calls are stored in the globals [40350C] and [403510], then four arguments
; are pushed for a call that lies past the end of this excerpt.
; The Arg values in the comments are the debugger's static view (globals
; still zero), not run-time values.
00401000 >/$  6A00              PUSH 0                         ; argument comment is missing on the page
; Call target is missing on the page. Presumably GetModuleHandleA, as in the
; BC++ listing above -- unconfirmed.
00401002  |.  E8C50A0000        CALL <
00401007  |.  A30C354000        MOV DWORD PTR DS:[40350C],EAX
0040100C  |.  E8B50A0000        CALL <KERNEL32.GetCommandLineA> ; [GetCommandLineA
00401011  |.  A310354000        MOV DWORD PTR DS:[403510],EAX
00401016  |.  6A0A              PUSH 0A                        ; /Arg4 = 0000000A
00401018  |.  FF3510354000      PUSH DWORD PTR DS:[403510]     ; |Arg3 = 00000000
0040101E  |.  6A00              PUSH 0                         ; |Arg2 = 00000000
00401020  |.  FF350C354000      PUSH DWORD PTR DS:[40350C]     ; |Arg1 = 00000000
Borland Delphi 6.0-7.0
(初始cpu选择)
SE处理程序安装
Microsoft Visual C++ 6.0 [Overlay] E语言
Borland C++ (EB1066623A)
; Borland C++ entry again, this time with the skipped data decoded as if it
; were code. Bytes 66 62 3A 43 2B 2B 48 4F 4F 4B are ASCII "fb:C++HOOK", so
; the BOUND / INC / SUB / DEC lines are artefacts of linear disassembly.
; "jmp SHELL32.008EF6E6" is likewise E9 followed by the dword 004EE098 read
; as a relative target (0040164E + 004EE098 = 008EF6E6).
; When comparing entry points, match on the bytes, not on these mnemonics.
0040163C B>  /EB10              jmp short Borland_.0040164E
0040163E     |66623A            bound di,dword ptr ds:[edx]
00401641     |43                inc ebx
00401642     |2B2B              sub ebp,dword ptr ds:[ebx]
00401644     |48                dec eax
00401645     |4F                dec edi
00401646     |4F                dec edi
00401647     |4B                dec ebx
00401648     |90                nop
00401649   - |E998E04E00        jmp SHELL32.008EF6E6
; Real code resumes here (target of the short jump).
0040164E     \A18BE04E00        mov eax,dword ptr ds:          ; operand text missing on the page; the bytes encode [4EE08B]
00401653      C1E002            shl eax,2
00401656      A38FE04E00        mov dword ptr ds:[4EE08F],eax
0040165B      52                push edx
0040165C      6A00              push 0
0040165E      E8DFBC0E00        call <                         ; call target missing on the page
*******************************************************************************
Delphi(558BEC83C4F0)
; Delphi entry (heading pattern 55 8B EC 83 C4 F0): frame setup and
; ADD ESP,-10, then EAX is loaded with an address inside the module and a
; run of calls into the module follows.
; Where nothing follows "ds:", the operand text is missing on the page; the
; hex column still gives it (A1 58A14500 -> [45A158], 8B 00 -> [eax]).
; The sequence "mov eax,[45A158] / mov eax,[eax]" repeats before every call
; from 00458667 on, i.e. each call receives the same dereferenced global in EAX.
00458650 D>   55                push ebp
00458651      8BEC              mov ebp,esp
00458653      83C4F0            add esp,-10
00458656      B870844500        mov eax,Delphi.00458470
0045865B      E800D6FAFF        call Delphi.00405C60
00458660      A158A14500        mov eax,dword ptr ds:[45A158]
00458665      8B00              mov eax,dword ptr ds:[eax]
00458667      E8E0E1FFFF        call Delphi.0045684C
0045866C      A158A14500        mov eax,dword ptr ds:
00458671      8B00              mov eax,dword ptr ds:
00458673      BAB0864500        mov edx,Delphi.004586B0
00458678      E8DFDDFFFF        call Delphi.0045645C
0045867D      8B0D48A24500      mov ecx,dword ptr ds:[45A248]  ; Delphi.0045BC00
00458683      A158A14500        mov eax,dword ptr ds:
00458688      8B00              mov eax,dword ptr ds:
0045868A      8B15EC7D4500      mov edx,dword ptr ds:[457DEC]  ; Delphi.00457E38
00458690      E8CFE1FFFF        call Delphi.00456864
00458695      A158A14500        mov eax,dword ptr ds:
0045869A      8B00              mov eax,dword ptr ds:
0045869C      E843E2FFFF        call Delphi.004568E4
Visual C++ (558BEC6AFF68)
; Visual C++ entry (heading pattern 55 8B EC 6A FF 68) of the sample
; "UltraSna": frame setup, an exception record linked at FS:[0], registers
; saved, then GetVersion is called and its result split into two globals.
; NOTE(review): a byte pattern at the entry point is only a hint about the
; compiler; the immediates after each 68 opcode differ per binary, and the
; same opening bytes can appear in code that is not a compiler start-up stub.
; The first line has lost its instruction text on the page; the heading's
; pattern starts with 55, which is PUSH EBP.
0046C07B U>
0046C07C      8BEC              mov ebp,esp
0046C07E      6AFF              push -1
0046C080      6818064C00        push UltraSna.004C0618
0046C085      68F8364700        push UltraSna.004736F8
0046C08A      64:A100000000     mov eax,dword ptr fs:          ; operand text missing on the page; 64:A1 00000000 addresses fs:[0]
0046C090      50                push eax
0046C091      64:892500000000   mov dword ptr fs:[0],esp
0046C098      83EC58            sub esp,58
0046C09B      53                push ebx
0046C09C      56                push esi
0046C09D      57                push edi
0046C09E      8965E8            mov dword ptr ss:[ebp-18],esp  ; remember ESP after the register saves
0046C0A1      FF1574824A00      call dword ptr ds:[<KERNEL32.GetVersion>] ; kernel32.GetVersion - get the Windows version
0046C0A7      33D2              xor edx,edx
0046C0A9      8AD4              mov dl,ah                      ; second byte of the result (minor version)
0046C0AB      8915403F4F00      mov dword ptr ds:[4F3F40],edx
0046C0B1      8BC8              mov ecx,eax
0046C0B3      81E1FF000000      and ecx,0FF                    ; low byte of the result (major version)
0046C0B9      890D3C3F4F00      mov dword ptr ds:[4F3F3C],ecx
汇编(6A00E8C50A0000)
; Program written directly in assembler (heading pattern 6A 00 E8 C5 0A 00 00).
; 00401000-00401030: store two call results in [40350C] and [403510], call
; the routine at 00401031 with four arguments, and hand its return value to
; ExitProcess. 00401031 onward is the start of that routine.
; The first line has lost its address column on the page; the following line
; is 00401002 and the instruction is two bytes, so it sits at 00401000.
              6A00              push 0
00401002      E8C50A0000        call <                         ; call target missing on the page
00401007      A30C354000        mov dword ptr ds:[40350C],eax
0040100C      E8B50A0000        call <                         ; call target missing on the page
00401011      A310354000        mov dword ptr ds:[403510],eax
00401016      6A0A              push 0A
00401018      FF3510354000      push dword ptr ds:[403510]
0040101E      6A00              push 0
00401020      FF350C354000      push dword ptr ds:[40350C]
00401026      E806000000        call 汇编.00401031
0040102B      50                push eax                       ; return value becomes the exit code
0040102C      E88F0A0000        call <KERNEL32.ExitProcess>
; Routine called from 00401026.
; NOTE(review): the stores below fill consecutive dwords starting at
; [ebp-30], the first being 30h -- this looks like a structure whose first
; field is its own size (possibly a window-class record); unconfirmed.
00401031      55                push ebp
00401032      8BEC              mov ebp,esp
00401034      83C4B0            add esp,-50
00401037      C745D030000000    mov dword ptr ss:[ebp-30],30
0040103E      C745D40B000000    mov dword ptr ss:[ebp-2C],0B
00401045      C745D837114000    mov dword ptr ss:[ebp-28],汇编.00401137
VB
; Visual Basic entry of the sample "VB": push one address inside the module,
; then call MSVBVM60 export #100 (imported by ordinal). The VB 5.0/6.0
; listing earlier on the page shows the same push/call shape with the target
; resolved by name as ThunRTMain.
; Operand text after "ds:" is missing on the page; 00 00 and 30 00 encode
; ADD / XOR byte ptr [eax],al, and are probably data decoded as code.
0040116C V>/$ 68147C4000        push VB.00407C14
00401171  |.  E8F0FFFFFF        call <MSVBVM60.#100>
00401176  |.  0000              add byte ptr ds:
00401178  |.  0000              add byte ptr ds:
0040117A  |.  0000              add byte ptr ds:
0040117C  |.  3000              xor byte ptr ds:
易语言入口
; E-language (易语言) entry of the sample "dump_": call the routine at
; 0040100B, push its result and make a second call; the routine sets up a
; frame, reserves 110h bytes and jumps on to 0040109C.
; The first line has lost its address column on the page; it is five bytes
; long and the next line is 00401005, so it sits at 00401000.
              E806000000        call dump_.0040100B
00401005      50                push eax
00401006      E8BB010000        call <                         ; call target missing on the page
0040100B      55                push ebp
0040100C      8BEC              mov ebp,esp
0040100E      81C4F0FEFFFF      add esp,-110
00401014      E983000000        jmp dump_.0040109C
; The jump above is unconditional, so nothing falls through to 00401019.
; Bytes 6B 72 6E 6C 6E are ASCII "krnln": string data that the debugger
; decoded as IMUL / OUTS. Presumably a runtime library name -- unconfirmed.
00401019      6B726E6C          imul esi,dword ptr ds:[edx+6E],6C
0040101D      6E                outs dx,byte ptr es:[edi]
也可能是这样的入口(558BEC6AFF68)
00403834|.6AFFP