OEP code reference for common program types
This post is part of the series "Cracking basics for beginners -- compiled by Nisy". For anyone learning to unpack, the OEP signatures of these programs must be committed to memory. Otherwise you will unpack over and over, hunt for patterns and watch tutorials; if you cannot even recognise the entry point of these kinds of programs, everything else is empty talk. BY: Nisy
Borland Delphi 6.0 - 7.0
00509CB0 > $55 PUSH EBP
00509CB1 .8BEC MOV EBP,ESP
00509CB3 .83C4 EC ADD ESP,-14
00509CB6 .53 PUSH EBX
00509CB7 .56 PUSH ESI
00509CB8 .57 PUSH EDI
00509CB9 .33C0 XOR EAX,EAX
00509CBB .8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00509CBE .B8 20975000 MOV EAX,unpack.00509720
00509CC3 .E8 84CCEFFF CALL unpack.0040694C
Microsoft Visual C++ 6.0
00496EB8 >/$55 PUSH EBP ;(initial cpu selection)
00496EB9|.8BEC MOV EBP,ESP
00496EBB|.6A FF PUSH -1
00496EBD|.68 40375600 PUSH Screensh.00563740
00496EC2|.68 8CC74900 PUSH Screensh.0049C78C ;SE handler installation
00496EC7|.64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00496ECD|.50 PUSH EAX
00496ECE|.64:8925 00000>MOV DWORD PTR FS:[0],ESP
00496ED5|.83EC 58 SUB ESP,58
Microsoft Visual C++ 6.0 (E Language, 易语言)
00403831 >/$55 PUSH EBP
00403832|.8BEC MOV EBP,ESP
00403834|.6A FF PUSH -1
00403836|.68 F0624000 PUSH Nisy521.004062F0
0040383B|.68 A44C4000 PUSH Nisy521.00404CA4 ;SE handler installation
00403840|.64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00403846|.50 PUSH EAX
00403847|.64:8925 00000>MOV DWORD PTR FS:[0],ESP
Microsoft Visual Basic 5.0 / 6.0
00401FBC >68 D0D44000 push dumped_.0040D4D0
00401FC1 E8 EEFFFFFF call <jmp.&msvbvm60.ThunRTMain>
00401FC6 0000 add byte ptr ds:[eax],al
00401FC8 0000 add byte ptr ds:[eax],al
00401FCA 0000 add byte ptr ds:[eax],al
00401FCC 3000 xor byte ptr ds:[eax],al
00401FCE 0000 add byte ptr ds:[eax],al
BC++
0040163C > $ /EB 10 JMP SHORT BCLOCK.0040164E
0040163E |66 DB 66 ;CHAR 'f'
0040163F |62 DB 62 ;CHAR 'b'
00401640 |3A DB 3A ;CHAR ':'
00401641 |43 DB 43 ;CHAR 'C'
00401642 |2B DB 2B ;CHAR '+'
00401643 |2B DB 2B ;CHAR '+'
00401644 |48 DB 48 ;CHAR 'H'
00401645 |4F DB 4F ;CHAR 'O'
00401646 |4F DB 4F ;CHAR 'O'
00401647 |4B DB 4B ;CHAR 'K'
00401648 |90 NOP
00401649 |E9 DB E9
0040164A . |98E04E00 DD OFFSET BCLOCK.___CPPdebugHook
0040164E > \A1 8BE04E00 MOV EAX,DWORD PTR DS:[4EE08B]
00401653 .C1E0 02 SHL EAX,2
00401656 .A3 8FE04E00 MOV DWORD PTR DS:[4EE08F],EAX
0040165B .52 PUSH EDX
0040165C .6A 00 PUSH 0 ; /pModule = NULL
0040165E .E8 DFBC0E00 CALL <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
00401663 .8BD0 MOV EDX,EAX
Dasm:
00401000 >/$6A 00 PUSH 0 ; /pModule = NULL
00401002|.E8 C50A0000 CALL <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
00401007|.A3 0C354000 MOV DWORD PTR DS:[40350C],EAX
0040100C|.E8 B50A0000 CALL <JMP.&KERNEL32.GetCommandLineA> ;
00401011|.A3 10354000 MOV DWORD PTR DS:[403510],EAX
00401016|.6A 0A PUSH 0A ; /Arg4 = 0000000A
00401018|.FF35 10354000 PUSH DWORD PTR DS:[403510] ; |Arg3 = 00000000
0040101E|.6A 00 PUSH 0 ; |Arg2 = 00000000
00401020|.FF35 0C354000 PUSH DWORD PTR DS:[40350C] ; |Arg1 = 00000000

Thanks for sharing!!!
A nice summary, very good. I should learn a lot from you!
Learned a lot, thanks!
Thanks to the moderator for the summary, I'm taking it.
Learning!!!
Studying it... thanks for sharing.
This is already the bible.
Even if you don't understand it, memorize it by rote.
Experience, heh, broadening my horizons....
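As an added example (not part of the original post or of Nisy's series), the Python script below turns the listings above into wildcard byte signatures and reports which one the bytes at a suspected OEP match. The signatures were transcribed from the opcode bytes shown in each listing, with per-binary values (immediates, addresses, call displacements) wildcarded; the names follow the section headings, so the MASM-style listing keeps the page's own label "Dasm". The sample buffers are constructed from the same listings. This is useful when checking that a dump was taken at a plausible entry point before rebuilding imports, and it generalises the page's five listings into a small signature engine you can extend with further compilers.

```python
"""Match the OEP byte patterns catalogued in the post against raw code bytes.

Added example: signatures transcribed from the listings above, with values
that differ from binary to binary replaced by the wildcard "??".
"""
from __future__ import annotations

# Signature text: hex bytes separated by spaces, "??" matches any byte.
SIGNATURES: dict[str, str] = {
    # PUSH EBP / MOV EBP,ESP / ADD ESP,-xx / PUSH EBX,ESI,EDI / XOR EAX,EAX
    # / MOV [EBP-xx],EAX / MOV EAX,imm32 / CALL
    "Borland Delphi 6.0 - 7.0":
        "55 8B EC 83 C4 ?? 53 56 57 33 C0 89 45 ?? B8 ?? ?? ?? ?? E8",
    # PUSH EBP / MOV EBP,ESP / PUSH -1 / PUSH imm32 / PUSH handler
    # / MOV EAX,FS:[0] / PUSH EAX / MOV FS:[0],ESP  (also matches E Language)
    "Microsoft Visual C++ 6.0":
        "55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? "
        "64 A1 00 00 00 00 50 64 89 25 00 00 00 00",
    # PUSH offset / CALL ThunRTMain / zero bytes that follow the call
    "Microsoft Visual Basic 5.0 / 6.0":
        "68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 00 00 00 00 00 00",
    # JMP SHORT over the "fb:C++HOOK" marker / NOP / E9 + hook pointer / MOV EAX,[..]
    "BC++":
        "EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 ?? ?? ?? ?? A1",
    # PUSH 0 / CALL GetModuleHandleA / MOV [..],EAX / CALL GetCommandLineA / MOV [..],EAX
    "Dasm":
        "6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3",
}


def compile_signature(text: str) -> list[int | None]:
    """Turn "55 8B ?? EC" into [0x55, 0x8B, None, 0xEC]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def matches_at(buf: bytes, offset: int, sig: list[int | None]) -> bool:
    """True if every non-wildcard byte of sig equals buf starting at offset."""
    if offset < 0 or offset + len(sig) > len(buf):
        return False
    return all(s is None or buf[offset + i] == s for i, s in enumerate(sig))


def identify(buf: bytes, offset: int = 0) -> str | None:
    """Name of the first catalogued OEP signature matching at offset, else None."""
    for name, sig in COMPILED.items():
        if matches_at(buf, offset, sig):
            return name
    return None


def scan(buf: bytes) -> list[tuple[int, str]]:
    """Every offset in buf at which a catalogued OEP signature begins."""
    hits: list[tuple[int, str]] = []
    for off in range(len(buf)):
        name = identify(buf, off)
        if name is not None:
            hits.append((off, name))
    return hits


# Constructed sample buffers: opcode bytes transcribed from the listings above.
SAMPLES: dict[str, bytes] = {
    "delphi": bytes.fromhex("558BEC83C4EC53565733C08945ECB820975000E884CCEFFF"),
    "vc6": bytes.fromhex(
        "558BEC6AFF6840375600688CC7490064A100000000506489250000000083EC58"),
    "elang": bytes.fromhex(
        "558BEC6AFF68F062400068A44C400064A1000000005064892500000000"),
    "vb6": bytes.fromhex("68D0D44000E8EEFFFFFF00000000000030000000"),
    "bcpp": bytes.fromhex("EB1066623A432B2B484F4F4B90E998E04E00A18BE04E00C1E002"),
    "dasm": bytes.fromhex("6A00E8C50A0000A30C354000E8B50A0000A3103540006A0A"),
}


if __name__ == "__main__":
    for label, code in SAMPLES.items():
        print(f"{label:7s} -> {identify(code)}")
    # A dump whose suspected OEP does not match any signature deserves a second look.
    print("padded  ->", scan(b"\x00" * 16 + SAMPLES["delphi"]))
```

Signatures are checked in the order listed, so put the longest and most specific patterns first if you add more; a match only says the bytes look like a known compiler prologue, which is a sanity check on the chosen OEP rather than proof that the dump is complete.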