刚学脱壳破解时,一直被“是不是已经到了 OEP”这个问题所困扰,刚好在 CSDN 上下了个文件,在此分享给初学脱壳破解的朋友们。有不正确的地方希望大家一起来完善。
下面这些常见编译器的入口(OEP)特征要熟记,看到就要认得!
C++ (Microsoft Visual C++ 6.0)
0040577C >/$ 55 PUSH EBP (C的入口)
0040577D |. 8BEC MOV EBP,ESP
0040577F |. 6A FF PUSH -1
00405781 |. 68 30B24000 PUSH EasyClea.0040B230
00405786 |. 68 84704000 PUSH EasyClea.00407084 ; SE 句柄安装
0040578B |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00405791 |. 50 PUSH EAX
00405792 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00405799 |. 83EC 58 SUB ESP,58
0040579C |. 53 PUSH EBX
0040579D |. 56 PUSH ESI
0040579E |. 57 PUSH EDI
0040579F |. 8965 E8 MOV [LOCAL.6],ESP
004057A2 |. FF15 ECB04000 CALL DWORD PTR DS:[<&KERNEL32.GetVersion>; kernel32.GetVersion
---------------------------------------------------------------------------------------------------------------------------------
E语言
这个和 C 的入口极其相似,要注意区分:前面到 GetVersion 为止的指令和上面 VC++ 6.0 的入口完全一样,要结合 GetVersion 之后的代码和所调用的地址来判断。
0040389F >/$ 55 PUSH EBP
004038A0 |. 8BEC MOV EBP,ESP
004038A2 |. 6A FF PUSH -1
004038A4 |. 68 F8724000 PUSH CrackMe.004072F8
004038A9 |. 68 04554000 PUSH CrackMe.00405504 ; SE 处理程序安装
004038AE |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
004038B4 |. 50 PUSH EAX
004038B5 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
004038BC |. 83EC 58 SUB ESP,58
004038BF |. 53 PUSH EBX
004038C0 |. 56 PUSH ESI
004038C1 |. 57 PUSH EDI
004038C2 |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004038C5 |. FF15 48704000 CALL DWORD PTR DS:[<&KERNEL32.GetVersion>; kernel32.GetVersion
004038CB |. 33D2 XOR EDX,EDX
004038CD |. 8AD4 MOV DL,AH
004038CF |. 8915 94BA4000 MOV DWORD PTR DS:[40BA94],EDX
004038D5 |. 8BC8 MOV ECX,EAX
004038D7 |. 81E1 FF000000 AND ECX,0FF
004038DD |. 890D 90BA4000 MOV DWORD PTR DS:[40BA90],ECX
004038E3 |. C1E1 08 SHL ECX,8
004038E6 |. 03CA ADD ECX,EDX
004038E8 |. 890D 8CBA4000 MOV DWORD PTR DS:[40BA8C],ECX
004038EE |. C1E8 10 SHR EAX,10
004038F1 |. A3 88BA4000 MOV DWORD PTR DS:[40BA88],EAX
004038F6 |. 33F6 XOR ESI,ESI
004038F8 |. 56 PUSH ESI
004038F9 |. E8 7A030000 CALL CrackMe.00403C78
004038FE |. 59 POP ECX
004038FF |. 85C0 TEST EAX,EAX
00403901 |. 75 08 JNZ SHORT CrackMe.0040390B
00403903 |. 6A 1C PUSH 1C
---------------------------------------------------------------------------------------------------------------------------------
Delphi (Borland Delphi 6.0 - 7.0)
004F2F68 > $ 55 PUSH EBP
004F2F69 . 8BEC MOV EBP,ESP
004F2F6B . 83C4 F0 ADD ESP,-10
004F2F6E . 53 PUSH EBX
004F2F6F . B8 102B4F00 MOV EAX,Unpacked.004F2B10
004F2F74 . E8 EF3BF1FF CALL Unpacked.00406B68
004F2F79 . 8B1D F4505000 MOV EBX,DWORD PTR DS:[5050F4] ; Unpacked.00506C14
004F2F7F . 8B03 MOV EAX,DWORD PTR DS:[EBX]
004F2F81 . E8 56ACF8FF CALL Unpacked.0047DBDC
004F2F86 . 8B03 MOV EAX,DWORD PTR DS:[EBX]
004F2F88 . BA F42F4F00 MOV EDX,Unpacked.004F2FF4 ; ASCII " Hide Private File Pro"
004F2F8D . E8 32A8F8FF CALL Unpacked.0047D7C4
004F2F92 . 8B0D 904E5000 MOV ECX,DWORD PTR DS:[504E90] ; Unpacked.00509144
004F2F98 . 8B03 MOV EAX,DWORD PTR DS:[EBX]
004F2F9A . 8B15 70E44E00 MOV EDX,DWORD PTR DS:[4EE470] ; Unpacked.004EE4BC
004F2FA0 . E8 4FACF8FF CALL Unpacked.0047DBF4
004F2FA5 . 8B0D 3C525000 MOV ECX,DWORD PTR DS:[50523C] ; Unpacked.0050909C
004F2FAB . 8B03 MOV EAX,DWORD PTR DS:[EBX]
004F2FAD . 8B15 48B14E00 MOV EDX,DWORD PTR DS:[4EB148] ; Unpacked.004EB194
004F2FB3 . E8 3CACF8FF CALL Unpacked.0047DBF4
004F2FB8 . 8B0D 0C535000 MOV ECX,DWORD PTR DS:[50530C] ; Unpacked.005090A4
004F2FBE . 8B03 MOV EAX,DWORD PTR DS:[EBX]
004F2FC0 . 8B15 7CB34E00 MOV EDX,DWORD PTR DS:[4EB37C] ; Unpacked.004EB3C8
004F2FC6 . E8 29ACF8FF CALL Unpacked.0047DBF4
004F2FCB . 8B0D 30505000 MOV ECX,DWORD PTR DS:[505030] ; Unpacked.005090D4
004F2FD1 . 8B03 MOV EAX,DWORD PTR DS:[EBX]
004F2FD3 . 8B15 B0BF4E00 MOV EDX,DWORD PTR DS:[4EBFB0] ; Unpacked.004EBFFC
004F2FD9 . E8 16ACF8FF CALL Unpacked.0047DBF4
004F2FDE . 8B03 MOV EAX,DWORD PTR DS:[EBX]
004F2FE0 . E8 8FACF8FF CALL Unpacked.0047DC74
004F2FE5 . 5B POP EBX
004F2FE6 . E8 7115F1FF CALL Unpacked.0040455C
004F2FEB . 00FF ADD BH,BH
004F2FED FF DB FF
---------------------------------------------------------------------------------------------------------------------------------
VB (Microsoft Visual Basic 5.0 / 6.0) —— 入口就是 PUSH "VB5!6&*" 结构地址再 CALL ThunRTMain 这两句,后面那些看起来乱七八糟的指令其实是 VB 头部数据被当成代码反汇编了,不用理会。
00410400 > 68 4C744100 PUSH Unpack_.0041744C ; ASCII "VB5!6&*"
00410405 E8 EEFFFFFF CALL <JMP.&msvbvm60.ThunRTMain>
0041040A 16 PUSH SS
0041040B 0000 ADD BYTE PTR DS:[EAX],AL
0041040D 0000 ADD BYTE PTR DS:[EAX],AL
0041040F 0030 ADD BYTE PTR DS:[EAX],DH
00410411 0000 ADD BYTE PTR DS:[EAX],AL
00410413 0038 ADD BYTE PTR DS:[EAX],BH
00410415 0000 ADD BYTE PTR DS:[EAX],AL
00410417 0000 ADD BYTE PTR DS:[EAX],AL
00410419 0000 ADD BYTE PTR DS:[EAX],AL
0041041B 0060 9C ADD BYTE PTR DS:[EAX-64],AH
0041041E F0:E2 CF LOCK LOOPD SHORT Unpack_.004103F0 ; 不允许锁定前缀
00410421 BE 3D439505 MOV ESI,595433D
00410426 E1 06 LOOPDE SHORT Unpack_.0041042E
00410428 18A5 05D40000 SBB BYTE PTR SS:[EBP+D405],AH
0041042E 0000 ADD BYTE PTR DS:[EAX],AL
00410430 0000 ADD BYTE PTR DS:[EAX],AL
00410432 0100 ADD DWORD PTR DS:[EAX],EAX
00410434 0000 ADD BYTE PTR DS:[EAX],AL
00410436 9E SAHF
---------------------------------------------------------------------------------------------------------------------------------
BC++ (Borland C++ 1999)
00401000 > /EB 10 JMP SHORT XXXXXXX.00401012
00401002 |66:623A BOUND DI,DWORD PTR DS:[EDX]
00401005 |43 INC EBX
00401006 |2B2B SUB EBP,DWORD PTR DS:[EBX]
00401008 |48 DEC EAX
00401009 |4F DEC EDI
0040100A |4F DEC EDI
0040100B |4B DEC EBX
0040100C |90 NOP
0040100D -|E9 AC334800 JMP 008843BE
00401012 \A1 9F334800 MOV EAX,DWORD PTR DS:[48339F]
00401017 C1E0 02 SHL EAX,2
0040101A A3 A3334800 MOV DWORD PTR DS:[4833A3],EAX
0040101F 52 PUSH EDX
00401020 6A 00 PUSH 0
00401022 E8 11110800 CALL <JMP.&KERNEL32.GetModuleHandleA>
00401027 8BD0 MOV EDX,EAX
00401029 E8 3A1B0600 CALL XXXXXXX.00462B68
0040102E 5A POP EDX
0040102F E8 981A0600 CALL XXXXXXX.00462ACC
00401034 E8 6F1B0600 CALL XXXXXXX.00462BA8
00401039 6A 00 PUSH 0
0040103B E8 782E0600 CALL XXXXXXX.00463EB8
00401040 59 POP ECX
00401041 68 48334800 PUSH XXXXXXX.00483348
00401046 6A 00 PUSH 0
00401048 E8 EB100800 CALL <JMP.&KERNEL32.GetModuleHandleA>
0040104D A3 A7334800 MOV DWORD PTR DS:[4833A7],EAX
00401052 6A 00 PUSH 0
00401054 E9 6B900600 JMP XXXXXXX.0046A0C4
00401059 > E9 A62E0600 JMP XXXXXXX.00463F04
---------------------------------------------------------------------------------------------------------------------------------
Dasm:汇编(纯汇编语言编写的程序,入口一般直接就是 API 调用)
00401000 >/$ 6A 00 PUSH 0 ; /pModule = NULL
00401002 |. E8 C50A0000 CALL <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
00401007 |. A3 0C354000 MOV DWORD PTR DS:[40350C],EAX
0040100C |. E8 B50A0000 CALL <JMP.&KERNEL32.GetCommandLineA> ; [GetCommandLineA
00401011 |. A3 10354000 MOV DWORD PTR DS:[403510],EAX
00401016 |. 6A 0A PUSH 0A ; /Arg4 = 0000000A
00401018 |. FF35 10354000 PUSH DWORD PTR DS:[403510] ; |Arg3 = 00000000
0040101E |. 6A 00 PUSH 0 ; |Arg2 = 00000000
00401020 |. FF35 0C354000 PUSH DWORD PTR DS:[40350C] ; |Arg1 = 00000000
另一种(控制台程序):
00401025 >/$ 6A F6 PUSH -0A
00401027 |. E8 A0000000 CALL <JMP.&kernel32.GetStdHandle>
0040102C |. A3 00304000 MOV DWORD PTR DS:[403000],EAX
00401031 |. 6A F5 PUSH -0B
00401033 |. E8 94000000 CALL <JMP.&kernel32.GetStdHandle>
00401038 |. A3 04304000 MOV DWORD PTR DS:[403004],EAX
0040103D |. 6A 01 PUSH 1
0040103F |. 68 00104000 PUSH EchoLine.00401000
00401044 |. E8 8F000000 CALL <JMP.&kernel32.SetConsoleCtrlHandle>
00401049 |. 6A 07 PUSH 7
0040104B |. FF35 00304000 PUSH DWORD PTR DS:[403000]