
常见程序OEP处代码整理

常见程序OEP处代码整理

对于学习脱壳的朋友来说,下面这些常见编译器所生成程序在OEP(原始入口点)处的代码特征一定要熟记。

否则即使反复脱壳、找规律、看教程,也难以判断自己是否已经到达真正的OEP。

如果连这些程序的入口长什么样都不清楚,那什么都是空谈。

BY: Nisy

Borland Delphi 6.0-7.0

; Debugger listing of the entry-point stub for the sample the page labels
; Borland Delphi 6.0-7.0. Columns: address, analysis markers, raw bytes,
; disassembly (32-bit x86; immediates are hexadecimal).
; NOTE(review): the addresses and the "unpack." module prefix belong to this one
; dumped sample; only the opening instruction/byte sequence is a recognition hint.
00509CB0 >$   55              PUSH EBP                         ; save the caller's frame pointer
00509CB1  .   8BEC            MOV EBP,ESP                      ; EBP = frame base
00509CB3  .   83C4EC          ADD ESP,-14                      ; reserve 14h bytes of locals
00509CB6  .   53              PUSH EBX
00509CB7  .   56              PUSH ESI
00509CB8  .   57              PUSH EDI
00509CB9  .   33C0            XOR EAX,EAX                      ; EAX = 0
00509CBB  .   8945EC          MOV DWORD PTR SS:[EBP-14],EAX    ; clear the dword local at EBP-14
00509CBE  .   B820975000      MOV EAX,unpack.00509720          ; EAX = address 00509720 inside the module
00509CC3  .   E884CCEFFF      CALL unpack.0040694C             ; presumably the runtime start-up call taking EAX -- confirm in the sample

Microsoft Visual C++ 6.0

; Debugger listing of the entry-point stub for the page's Microsoft Visual C++ 6.0
; sample (32-bit x86; immediates are hexadecimal). After the frame set-up the stub
; pushes three values and the old FS:[0] value, then points FS:[0] at the stack;
; the debugger's own comment calls this "SE handler installation".
; NOTE(review): a trailing '>' in the byte column presumably marks bytes the tool
; truncated. Addresses and the "Screensh." prefix are specific to this sample.
00496EB8 >/$  55              PUSH EBP                         ; (initial cpu selection)
00496EB9  |.  8BEC            MOV EBP,ESP                      ; EBP = frame base
00496EBB  |.  6AFF            PUSH -1
00496EBD  |.  6840375600      PUSH Screensh.00563740
00496EC2  |.  688CC74900      PUSH Screensh.0049C78C           ; SE handler installation
00496EC7  |.  64:A10000000>   MOV EAX,DWORD PTR FS:[0]         ; EAX = current value at FS:[0]
00496ECD  |.  50              PUSH EAX                         ; keep the previous value on the stack
00496ECE  |.  64:892500000>   MOV DWORD PTR FS:[0],ESP         ; FS:[0] now points at the values just pushed
00496ED5  |.  83EC58          SUB ESP,58                       ; reserve 58h bytes of locals

Microsoft Visual C++ 6.0 [Overlay] E语言

; Debugger listing of the entry-point stub for the sample the page labels
; Microsoft Visual C++ 6.0 [Overlay] / E language (32-bit x86). The instruction
; sequence matches a frame set-up followed by what the debugger annotates as
; "SE handler installation" through FS:[0].
; NOTE(review): a trailing '>' in the byte column presumably marks bytes the tool
; truncated. Addresses and the "Nisy521." prefix are specific to this sample.
00403831 >/$  55              PUSH EBP                         ; save the caller's frame pointer
00403832  |.  8BEC            MOV EBP,ESP                      ; EBP = frame base
00403834  |.  6AFF            PUSH -1
00403836  |.  68F0624000      PUSH Nisy521.004062F0
0040383B  |.  68A44C4000      PUSH Nisy521.00404CA4            ; SE handler installation
00403840  |.  64:A10000000>   MOV EAX,DWORD PTR FS:[0]         ; EAX = current value at FS:[0]
00403846  |.  50              PUSH EAX                         ; keep the previous value on the stack
00403847  |.  64:892500000>   MOV DWORD PTR FS:[0],ESP         ; FS:[0] now points at the values just pushed

Microsoft Visual Basic 5.0 / 6.0

; Debugger listing of the entry-point stub for the page's Microsoft Visual Basic
; 5.0/6.0 sample (32-bit x86): one PUSH of an address inside the module, then a CALL.
; NOTE(review): the CALL's operand text is missing on the page; from the bytes,
; E8 with rel32 = FFFFFFEE resolves to 00401FB4, eight bytes before the entry point.
00401FBC >    68D0D44000      push dumped_.0040D4D0            ; the only value pushed before the call
00401FC1      E8EEFFFFFF      call                             ; operand text missing on the page
00401FC6      0000            add byte ptr ds:[eax],al         ; zero bytes decoded as code; presumably data -- confirm
00401FC8      0000            add byte ptr ds:[eax],al
00401FCA      0000            add byte ptr ds:[eax],al
00401FCC      3000            xor byte ptr ds:[eax],al         ; bytes 30 00
00401FCE      0000            add byte ptr ds:[eax],al

BC++

; Debugger listing of the entry-point stub for the page's BC++ sample (32-bit x86).
; The first instruction jumps over ten inline bytes that spell "fb:C++HOOK", one
; NOP, an E9 byte and a dword that the debugger resolves to ___CPPdebugHook;
; execution continues at 0040164E.
; NOTE(review): the final CALL's operand text is missing on the page; the API name
; comes from the debugger's own comment.
0040163C >$/  EB10            JMP SHORT BCLOCK.0040164E        ; skip the inline data that follows
0040163E  |   66              DB 66                            ; CHAR 'f'
0040163F  |   62              DB 62                            ; CHAR 'b'
00401640  |   3A              DB 3A                            ; CHAR ':'
00401641  |   43              DB 43                            ; CHAR 'C'
00401642  |   2B              DB 2B                            ; CHAR '+'
00401643  |   2B              DB 2B                            ; CHAR '+'
00401644  |   48              DB 48                            ; CHAR 'H'
00401645  |   4F              DB 4F                            ; CHAR 'O'
00401646  |   4F              DB 4F                            ; CHAR 'O'
00401647  |   4B              DB 4B                            ; CHAR 'K'
00401648  |   90              NOP
00401649  |   E9              DB E9
0040164A .|   98E04E00        DD OFFSET BCLOCK.___CPPdebugHook
0040164E >\   A18BE04E00      MOV EAX,DWORD PTR DS:[4EE08B]    ; jump target: load a global
00401653  .   C1E002          SHL EAX,2                        ; EAX *= 4
00401656  .   A38FE04E00      MOV DWORD PTR DS:[4EE08F],EAX    ; store the scaled value in the next global
0040165B  .   52              PUSH EDX
0040165C  .   6A00            PUSH 0                           ; /pModule = NULL
0040165E  .   E8DFBC0E00      CALL                             ; \GetModuleHandleA
00401663  .   8BD0            MOV EDX,EAX                      ; EDX = value returned by the call

Dasm:

; Debugger listing of the entry-point stub for the sample the page files under
; "Dasm:" (32-bit x86). It stores the results of two API calls in globals and then
; pushes four arguments; the call that consumes them is past the end of the listing.
; NOTE(review): both CALL operands are missing on the page; the API names come
; from the debugger's own comments.
00401000 >/$  6A00            PUSH 0                           ; /pModule = NULL
00401002  |.  E8C50A0000      CALL                             ; \GetModuleHandleA
00401007  |.  A30C354000      MOV DWORD PTR DS:[40350C],EAX    ; save the returned module handle
0040100C  |.  E8B50A0000      CALL                             ; [GetCommandLineA
00401011  |.  A310354000      MOV DWORD PTR DS:[403510],EAX    ; save the returned command-line pointer
00401016  |.  6A0A            PUSH 0A                          ; /Arg4 = 0000000A
00401018  |.  FF3510354000    PUSH DWORD PTR DS:[403510]       ; |Arg3 = 00000000
0040101E  |.  6A00            PUSH 0                           ; |Arg2 = 00000000
00401020  |.  FF350C354000    PUSH DWORD PTR DS:[40350C]       ; |Arg1 = 00000000

Borland Delphi 6.0-7.0

; Debugger listing of the entry-point stub for the sample the page labels
; Borland Delphi 6.0-7.0. Columns: address, analysis markers, raw bytes,
; disassembly (32-bit x86; immediates are hexadecimal).
; NOTE(review): the addresses and the "unpack." module prefix belong to this one
; dumped sample; only the opening instruction/byte sequence is a recognition hint.
00509CB0 >$   55              PUSH EBP                         ; save the caller's frame pointer
00509CB1  .   8BEC            MOV EBP,ESP                      ; EBP = frame base
00509CB3  .   83C4EC          ADD ESP,-14                      ; reserve 14h bytes of locals
00509CB6  .   53              PUSH EBX
00509CB7  .   56              PUSH ESI
00509CB8  .   57              PUSH EDI
00509CB9  .   33C0            XOR EAX,EAX                      ; EAX = 0
00509CBB  .   8945EC          MOV DWORD PTR SS:[EBP-14],EAX    ; clear the dword local at EBP-14
00509CBE  .   B820975000      MOV EAX,unpack.00509720          ; EAX = address 00509720 inside the module
00509CC3  .   E884CCEFFF      CALL unpack.0040694C             ; presumably the runtime start-up call taking EAX -- confirm in the sample

Microsoft Visual C++ 6.0

; Debugger listing of the entry-point stub for the page's Microsoft Visual C++ 6.0
; sample (32-bit x86; immediates are hexadecimal). The two debugger comments were
; mis-encoded on the page and are given here in English.
; After the frame set-up the stub pushes three values and the old FS:[0] value,
; then points FS:[0] at the stack.
; NOTE(review): a trailing '>' in the byte column presumably marks bytes the tool
; truncated. Addresses and the "Screensh." prefix are specific to this sample.
00496EB8 >/$  55              PUSH EBP                         ; (initial cpu selection)
00496EB9  |.  8BEC            MOV EBP,ESP                      ; EBP = frame base
00496EBB  |.  6AFF            PUSH -1
00496EBD  |.  6840375600      PUSH Screensh.00563740
00496EC2  |.  688CC74900      PUSH Screensh.0049C78C           ; SE handler installation
00496EC7  |.  64:A10000000>   MOV EAX,DWORD PTR FS:[0]         ; EAX = current value at FS:[0]
00496ECD  |.  50              PUSH EAX                         ; keep the previous value on the stack
00496ECE  |.  64:892500000>   MOV DWORD PTR FS:[0],ESP         ; FS:[0] now points at the values just pushed
00496ED5  |.  83EC58          SUB ESP,58                       ; reserve 58h bytes of locals

Microsoft Visual C++ 6.0 [Overlay] E语言

; Debugger listing of the entry-point stub for the sample the page labels
; Microsoft Visual C++ 6.0 [Overlay] / E language (32-bit x86). The debugger
; comment was mis-encoded on the page and is given here in English.
; NOTE(review): a trailing '>' in the byte column presumably marks bytes the tool
; truncated. Addresses and the "Nisy521." prefix are specific to this sample.
00403831 >/$  55              PUSH EBP                         ; save the caller's frame pointer
00403832  |.  8BEC            MOV EBP,ESP                      ; EBP = frame base
00403834  |.  6AFF            PUSH -1
00403836  |.  68F0624000      PUSH Nisy521.004062F0
0040383B  |.  68A44C4000      PUSH Nisy521.00404CA4            ; SE handler installation
00403840  |.  64:A10000000>   MOV EAX,DWORD PTR FS:[0]         ; EAX = current value at FS:[0]
00403846  |.  50              PUSH EAX                         ; keep the previous value on the stack
00403847  |.  64:892500000>   MOV DWORD PTR FS:[0],ESP         ; FS:[0] now points at the values just pushed

Microsoft Visual Basic 5.0 / 6.0

; Debugger listing of the entry-point stub for the page's Microsoft Visual Basic
; 5.0/6.0 sample (32-bit x86): one PUSH of an address inside the module, then a CALL.
; NOTE(review): the CALL's operand text is missing on the page; from the bytes,
; E8 with rel32 = FFFFFFEE resolves to 00401FB4, eight bytes before the entry point.
00401FBC >    68D0D44000      push dumped_.0040D4D0            ; the only value pushed before the call
00401FC1      E8EEFFFFFF      call                             ; operand text missing on the page
00401FC6      0000            add byte ptr ds:[eax],al         ; zero bytes decoded as code; presumably data -- confirm
00401FC8      0000            add byte ptr ds:[eax],al
00401FCA      0000            add byte ptr ds:[eax],al
00401FCC      3000            xor byte ptr ds:[eax],al         ; bytes 30 00
00401FCE      0000            add byte ptr ds:[eax],al

BC++

; Debugger listing of the entry-point stub for the page's BC++ sample (32-bit x86).
; The first instruction jumps over ten inline bytes that spell "fb:C++HOOK", one
; NOP, an E9 byte and a dword that the debugger resolves to ___CPPdebugHook;
; execution continues at 0040164E.
; NOTE(review): the final CALL's operand text is missing on the page; the API name
; comes from the debugger's own comment.
0040163C >$/  EB10            JMP SHORT BCLOCK.0040164E        ; skip the inline data that follows
0040163E  |   66              DB 66                            ; CHAR 'f'
0040163F  |   62              DB 62                            ; CHAR 'b'
00401640  |   3A              DB 3A                            ; CHAR ':'
00401641  |   43              DB 43                            ; CHAR 'C'
00401642  |   2B              DB 2B                            ; CHAR '+'
00401643  |   2B              DB 2B                            ; CHAR '+'
00401644  |   48              DB 48                            ; CHAR 'H'
00401645  |   4F              DB 4F                            ; CHAR 'O'
00401646  |   4F              DB 4F                            ; CHAR 'O'
00401647  |   4B              DB 4B                            ; CHAR 'K'
00401648  |   90              NOP
00401649  |   E9              DB E9
0040164A .|   98E04E00        DD OFFSET BCLOCK.___CPPdebugHook
0040164E >\   A18BE04E00      MOV EAX,DWORD PTR DS:[4EE08B]    ; jump target: load a global
00401653  .   C1E002          SHL EAX,2                        ; EAX *= 4
00401656  .   A38FE04E00      MOV DWORD PTR DS:[4EE08F],EAX    ; store the scaled value in the next global
0040165B  .   52              PUSH EDX
0040165C  .   6A00            PUSH 0                           ; /pModule = NULL
0040165E  .   E8DFBC0E00      CALL                             ; \GetModuleHandleA
00401663  .   8BD0            MOV EDX,EAX                      ; EDX = value returned by the call

Dasm:

; Debugger listing of the entry-point stub for the sample the page files under
; "Dasm:" (32-bit x86). It stores the results of two API calls in globals and then
; pushes four arguments; the call that consumes them is past the end of the listing.
; NOTE(review): both CALL operands are missing on the page; the API names come
; from the debugger's own comments.
00401000 >/$  6A00            PUSH 0                           ; /pModule = NULL
00401002  |.  E8C50A0000      CALL                             ; \GetModuleHandleA
00401007  |.  A30C354000      MOV DWORD PTR DS:[40350C],EAX    ; save the returned module handle
0040100C  |.  E8B50A0000      CALL                             ; [GetCommandLineA
00401011  |.  A310354000      MOV DWORD PTR DS:[403510],EAX    ; save the returned command-line pointer
00401016  |.  6A0A            PUSH 0A                          ; /Arg4 = 0000000A
00401018  |.  FF3510354000    PUSH DWORD PTR DS:[403510]       ; |Arg3 = 00000000
0040101E  |.  6A00            PUSH 0                           ; |Arg2 = 00000000
00401020  |.  FF350C354000    PUSH DWORD PTR DS:[40350C]       ; |Arg1 = 00000000

BorlandC++(EB1066623A)

; Debugger listing of the entry-point stub for the page's Borland C++ sample
; (32-bit x86), shown without data analysis: the bytes between the opening short
; jump and its target 0040164E are decoded as instructions.
; Those bytes are 66 62 3A 43 2B 2B 48 4F 4F 4B (ASCII "fb:C++HOOK"), 90, then
; E9 98 E0 4E 00. The opening JMP skips all of them, so the bound/inc/sub/dec/jmp
; lines below are presumably inline data, not executed code -- confirm in the sample.
; NOTE(review): the final CALL's operand text is missing on the page.
0040163C B>/  EB10            jmp short Borland_.0040164E      ; skip to 0040164E
0040163E   |  66623A          bound di,dword ptr ds:[edx]      ; bytes 'f' 'b' ':'
00401641   |  43              inc ebx                          ; byte 'C'
00401642   |  2B2B            sub ebp,dword ptr ds:[ebx]       ; bytes '+' '+'
00401644   |  48              dec eax                          ; byte 'H'
00401645   |  4F              dec edi                          ; byte 'O'
00401646   |  4F              dec edi                          ; byte 'O'
00401647   |  4B              dec ebx                          ; byte 'K'
00401648   |  90              nop
00401649  -|  E998E04E00      jmp SHELL32.008EF6E6             ; E9 followed by the dword 004EE098; not reached via the opening jump
0040164E   \  A18BE04E00      mov eax,dword ptr ds:[4EE08B]    ; jump target: load a global
00401653      C1E002          shl eax,2                        ; EAX *= 4
00401656      A38FE04E00      mov dword ptr ds:[4EE08F],eax    ; store the scaled value in the next global
0040165B      52              push edx
0040165C      6A00            push 0
0040165E      E8DFBC0E00      call                             ; operand text missing on the page

*******************************************************************************

Delphi(558BEC83C4F0)

; Debugger listing of the entry-point stub for the page's Delphi sample, whose
; heading gives the opening bytes 558BEC83C4F0 (32-bit x86; hex immediates).
; After the frame set-up and a first call, the code repeatedly loads the pointer
; stored at 45A158, dereferences it into EAX and calls a routine in the module.
; NOTE(review): addresses and the "Delphi." prefix are specific to this sample;
; what the called routines do cannot be told from the listing.
00458650 D>   55              push ebp                         ; save the caller's frame pointer
00458651      8BEC            mov ebp,esp                      ; EBP = frame base
00458653      83C4F0          add esp,-10                      ; reserve 10h bytes of locals
00458656      B870844500      mov eax,Delphi.00458470          ; EAX = address 00458470 inside the module
0045865B      E800D6FAFF      call Delphi.00405C60             ; presumably the runtime start-up call taking EAX -- confirm
00458660      A158A14500      mov eax,dword ptr ds:[45A158]    ; EAX = pointer stored in a global
00458665      8B00            mov eax,dword ptr ds:[eax]       ; EAX = the value it points to
00458667      E8E0E1FFFF      call Delphi.0045684C
0045866C      A158A14500      mov eax,dword ptr ds:[45A158]
00458671      8B00            mov eax,dword ptr ds:[eax]
00458673      BAB0864500      mov edx,Delphi.004586B0          ; EDX = address 004586B0 inside the module
00458678      E8DFDDFFFF      call Delphi.0045645C
0045867D      8B0D48A24500    mov ecx,dword ptr ds:[45A248]    ; Delphi.0045BC00
00458683      A158A14500      mov eax,dword ptr ds:[45A158]
00458688      8B00            mov eax,dword ptr ds:[eax]
0045868A      8B15EC7D4500    mov edx,dword ptr ds:[457DEC]    ; Delphi.00457E38
00458690      E8CFE1FFFF      call Delphi.00456864             ; called with EAX, EDX and ECX loaded above
00458695      A158A14500      mov eax,dword ptr ds:[45A158]
0045869A      8B00            mov eax,dword ptr ds:[eax]
0045869C      E843E2FFFF      call Delphi.004568E4

*******************************************************************************

VisualC++(558BEC6AFF68)

; Debugger listing of the entry-point stub for the page's Visual C++ sample, whose
; heading gives the opening bytes 558BEC6AFF68 (32-bit x86; hex immediates).
; The stub sets up a frame, pushes three values plus the old FS:[0] value and
; points FS:[0] at the stack, saves registers, then calls KERNEL32.GetVersion and
; stores two bytes of its result in globals.
; NOTE(review): addresses and the "UltraSna." prefix are specific to this sample.
0046C07B U>   55              push ebp                         ; save the caller's frame pointer
0046C07C      8BEC            mov ebp,esp                      ; EBP = frame base
0046C07E      6AFF            push -1
0046C080      6818064C00      push UltraSna.004C0618
0046C085      68F8364700      push UltraSna.004736F8
0046C08A      64:A100000000   mov eax,dword ptr fs:[0]         ; EAX = current value at FS:[0]
0046C090      50              push eax                         ; keep the previous value on the stack
0046C091      64:892500000000 mov dword ptr fs:[0],esp         ; FS:[0] now points at the values just pushed
0046C098      83EC58          sub esp,58                       ; reserve 58h bytes of locals
0046C09B      53              push ebx
0046C09C      56              push esi
0046C09D      57              push edi
0046C09E      8965E8          mov dword ptr ss:[ebp-18],esp    ; remember the stack pointer in the local at EBP-18
0046C0A1      FF1574824A00    call dword ptr ds:[<&KERNEL32.GetVersion>] ; kernel32.GetVersion -- get the Windows version
0046C0A7      33D2            xor edx,edx                      ; EDX = 0
0046C0A9      8AD4            mov dl,ah                        ; EDX = bits 8..15 of the returned value
0046C0AB      8915403F4F00    mov dword ptr ds:[4F3F40],edx    ; store that byte in a global
0046C0B1      8BC8            mov ecx,eax
0046C0B3      81E1FF000000    and ecx,0FF                      ; ECX = low byte of the returned value
0046C0B9      890D3C3F4F00    mov dword ptr ds:[4F3F3C],ecx    ; store it in the adjacent global

*******************************************************************************

汇编(6A00E8C50A0000)

; Debugger listing of the entry-point stub for the page's hand-written assembly
; sample, whose heading gives the opening bytes 6A00E8C50A0000 (32-bit x86).
; The entry code saves two call results in globals, pushes four arguments, calls
; the routine at 00401031 and passes its result to a final call; the routine's
; own prologue starts at 00401031.
; NOTE(review): three CALL operands are missing on the page, so the callees
; cannot be named from this listing. The module-name prefix is sample-specific.
00401000 >    6A00            push 0
00401002      E8C50A0000      call                             ; operand text missing on the page
00401007      A30C354000      mov dword ptr ds:[40350C],eax    ; save the first result
0040100C      E8B50A0000      call                             ; operand text missing on the page
00401011      A310354000      mov dword ptr ds:[403510],eax    ; save the second result
00401016      6A0A            push 0A                          ; fourth argument
00401018      FF3510354000    push dword ptr ds:[403510]       ; third argument: second saved result
0040101E      6A00            push 0                           ; second argument
00401020      FF350C354000    push dword ptr ds:[40350C]       ; first argument: first saved result
00401026      E806000000      call 汇编.00401031               ; the routine that starts at 00401031 below
0040102B      50              push eax                         ; its return value is the argument of the next call
0040102C      E88F0A0000      call                             ; operand text missing on the page
00401031      55              push ebp                         ; start of the called routine
00401032      8BEC            mov ebp,esp                      ; EBP = frame base
00401034      83C4B0          add esp,-50                      ; reserve 50h bytes of locals
00401037      C745D030000000  mov dword ptr ss:[ebp-30],30     ; first dword of a local block = 30h; presumably a structure size field -- confirm
0040103E      C745D40B000000  mov dword ptr ss:[ebp-2C],0B     ; next dword = 0Bh
00401045      C745D837114000  mov dword ptr ss:[ebp-28],汇编.00401137 ; next dword = address 00401137 inside the module

*******************************************************************************

VB

; Debugger listing of the entry-point stub for the page's VB sample (32-bit x86):
; one PUSH of an address inside the module, then a CALL.
; NOTE(review): the CALL's operand text is missing on the page; from the bytes,
; E8 with rel32 = FFFFFFF0 resolves to 00401166, six bytes before the entry point.
0040116C V>/$ 68147C4000      push VB.00407C14                 ; the only value pushed before the call
00401171   |. E8F0FFFFFF      call                             ; operand text missing on the page
00401176   |. 0000            add byte ptr ds:[eax],al         ; zero bytes decoded as code; presumably data -- confirm
00401178   |. 0000            add byte ptr ds:[eax],al
0040117A   |. 0000            add byte ptr ds:[eax],al
0040117C   |. 3000            xor byte ptr ds:[eax],al         ; bytes 30 00

易语言入口

; Debugger listing of the entry-point stub the page gives as the E-language entry
; (32-bit x86; hex immediates). The entry calls the routine at 0040100B and passes
; its result to a second call; that routine sets up a frame and jumps over the
; bytes that follow it.
; NOTE(review): the second CALL's operand text is missing on the page. The bytes
; after the unconditional jump (6B 72 6E 6C 6E) are ASCII "krnln", so the last two
; lines are presumably string data decoded as instructions -- confirm in the sample.
00401000 >    E806000000      call dump_.0040100B              ; call the routine that starts at 0040100B below
00401005      50              push eax                         ; its return value is the argument of the next call
00401006      E8BB010000      call                             ; operand text missing on the page
0040100B      55              push ebp                         ; start of the called routine
0040100C      8BEC            mov ebp,esp                      ; EBP = frame base
0040100E      81C4F0FEFFFF    add esp,-110                     ; reserve 110h bytes of locals
00401014      E983000000      jmp dump_.0040109C               ; unconditional jump past the bytes below
00401019      6B726E6C        imul esi,dword ptr ds:[edx+6E],6C ; bytes 'k' 'r' 'n' 'l'
0040101D      6E              outs dx,byte ptr es:[edi]        ; byte 'n'

也可能是这样的入口(558BEC6AFF68)

MicrosoftVisualC++6.0[Overlay]E语言

00403831>/$55PUSHEBP

00403832|.8BECMOVEBP,ESP

00403834|.6AFFP
