OEP signatures of five commonly used languages
When I first started learning unpacking and cracking I was always bothered by the question of whether I had actually reached the OEP. I happened to download a file on CSDN, so I am sharing it here with fellow beginners in unpacking and cracking. If anything is wrong, let's improve it together. You need to memorize these and recognize them on sight!
C++ (Microsoft Visual C++ 6.0)
0040577C >/$55 PUSH EBP (C entry point)
0040577D|.8BEC MOV EBP,ESP
0040577F|.6A FF PUSH -1
00405781|.68 30B24000 PUSH EasyClea.0040B230
00405786|.68 84704000 PUSH EasyClea.00407084 ;SE handler installation
0040578B|.64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00405791|.50 PUSH EAX
00405792|.64:8925 00000>MOV DWORD PTR FS:[0],ESP
00405799|.83EC 58 SUB ESP,58
0040579C|.53 PUSH EBX
0040579D|.56 PUSH ESI
0040579E|.57 PUSH EDI
0040579F|.8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004057A2|.FF15 ECB04000 CALL DWORD PTR DS:[<&KERNEL32.GetVersion>] ;kernel32.GetVersion
---------------------------------------------------------------------------------------------------------------------------------
E Language (易语言)
This one looks almost identical to the C one; make sure you can tell them apart.
0040389F >/$55 PUSH EBP
004038A0|.8BEC MOV EBP,ESP
004038A2|.6A FF PUSH -1
004038A4|.68 F8724000 PUSH CrackMe.004072F8
004038A9|.68 04554000 PUSH CrackMe.00405504 ;SE handler installation
004038AE|.64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
004038B4|.50 PUSH EAX
004038B5|.64:8925 00000>MOV DWORD PTR FS:[0],ESP
004038BC|.83EC 58 SUB ESP,58
004038BF|.53 PUSH EBX
004038C0|.56 PUSH ESI
004038C1|.57 PUSH EDI
004038C2|.8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004038C5|.FF15 48704000 CALL DWORD PTR DS:[<&KERNEL32.GetVersion>] ;kernel32.GetVersion
004038CB|.33D2 XOR EDX,EDX
004038CD|.8AD4 MOV DL,AH
004038CF|.8915 94BA4000 MOV DWORD PTR DS:[40BA94],EDX
004038D5|.8BC8 MOV ECX,EAX
004038D7|.81E1 FF000000 AND ECX,0FF
004038DD|.890D 90BA4000 MOV DWORD PTR DS:[40BA90],ECX
004038E3|.C1E1 08 SHL ECX,8
004038E6|.03CA ADD ECX,EDX
004038E8|.890D 8CBA4000 MOV DWORD PTR DS:[40BA8C],ECX
004038EE|.C1E8 10 SHR EAX,10
004038F1|.A3 88BA4000 MOV DWORD PTR DS:[40BA88],EAX
004038F6|.33F6 XOR ESI,ESI
004038F8|.56 PUSH ESI
004038F9|.E8 7A030000 CALL CrackMe.00403C78
004038FE|.59 POP ECX
004038FF|.85C0 TEST EAX,EAX
00403901|.75 08 JNZ SHORT CrackMe.0040390B
00403903|.6A 1C PUSH 1C
---------------------------------------------------------------------------------------------------------------------------------
Delphi (Borland Delphi 6.0 - 7.0)
004F2F68 > $55 PUSH EBP
004F2F69 .8BEC MOV EBP,ESP
004F2F6B .83C4 F0 ADD ESP,-10
004F2F6E .53 PUSH EBX
004F2F6F .B8 102B4F00 MOV EAX,Unpacked.004F2B10
004F2F74 .E8 EF3BF1FF CALL Unpacked.00406B68
004F2F79 .8B1D F4505000 MOV EBX,DWORD PTR DS:[5050F4] ;Unpacked.00506C14
004F2F7F .8B03 MOV EAX,DWORD PTR DS:[EBX]
004F2F81 .E8 56ACF8FF CALL Unpacked.0047DBDC
004F2F86 .8B03 MOV EAX,DWORD PTR DS:[EBX]
004F2F88 .BA F42F4F00 MOV EDX,Unpacked.004F2FF4 ;ASCII " Hide Private File Pro"
004F2F8D .E8 32A8F8FF CALL Unpacked.0047D7C4
004F2F92 .8B0D 904E5000 MOV ECX,DWORD PTR DS:[504E90] ;Unpacked.00509144
004F2F98 .8B03 MOV EAX,DWORD PTR DS:[EBX]
004F2F9A .8B15 70E44E00 MOV EDX,DWORD PTR DS:[4EE470] ;Unpacked.004EE4BC
004F2FA0 .E8 4FACF8FF CALL Unpacked.0047DBF4
004F2FA5 .8B0D 3C525000 MOV ECX,DWORD PTR DS:[50523C] ;Unpacked.0050909C
004F2FAB .8B03 MOV EAX,DWORD PTR DS:[EBX]
004F2FAD .8B15 48B14E00 MOV EDX,DWORD PTR DS:[4EB148] ;Unpacked.004EB194
004F2FB3 .E8 3CACF8FF CALL Unpacked.0047DBF4
004F2FB8 .8B0D 0C535000 MOV ECX,DWORD PTR DS:[50530C] ;Unpacked.005090A4
004F2FBE .8B03 MOV EAX,DWORD PTR DS:[EBX]
004F2FC0 .8B15 7CB34E00 MOV EDX,DWORD PTR DS:[4EB37C] ;Unpacked.004EB3C8
004F2FC6 .E8 29ACF8FF CALL Unpacked.0047DBF4
004F2FCB .8B0D 30505000 MOV ECX,DWORD PTR DS:[505030] ;Unpacked.005090D4
004F2FD1 .8B03 MOV EAX,DWORD PTR DS:[EBX]
004F2FD3 .8B15 B0BF4E00 MOV EDX,DWORD PTR DS:[4EBFB0] ;Unpacked.004EBFFC
004F2FD9 .E8 16ACF8FF CALL Unpacked.0047DBF4
004F2FDE .8B03 MOV EAX,DWORD PTR DS:[EBX]
004F2FE0 .E8 8FACF8FF CALL Unpacked.0047DC74
004F2FE5 .5B POP EBX
004F2FE6 .E8 7115F1FF CALL Unpacked.0040455C
004F2FEB .00FF ADD BH,BH
004F2FED FF DB FF
---------------------------------------------------------------------------------------------------------------------------------
VB (Microsoft Visual Basic 5.0 / 6.0)
00410400 >68 4C744100 PUSH Unpack_.0041744C ; ASCII "VB5!6&*"
00410405 E8 EEFFFFFF CALL <JMP.&msvbvm60.ThunRTMain>
0041040A 16 PUSH SS
0041040B 0000 ADD BYTE PTR DS:[EAX],AL
0041040D 0000 ADD BYTE PTR DS:[EAX],AL
0041040F 0030 ADD BYTE PTR DS:[EAX],DH
00410411 0000 ADD BYTE PTR DS:[EAX],AL
00410413 0038 ADD BYTE PTR DS:[EAX],BH
00410415 0000 ADD BYTE PTR DS:[EAX],AL
00410417 0000 ADD BYTE PTR DS:[EAX],AL
00410419 0000 ADD BYTE PTR DS:[EAX],AL
0041041B 0060 9C ADD BYTE PTR DS:[EAX-64],AH
0041041E F0:E2 CF LOCK LOOPD SHORT Unpack_.004103F0 ; LOCK prefix not allowed
00410421 BE 3D439505 MOV ESI,595433D
00410426 E1 06 LOOPDE SHORT Unpack_.0041042E
00410428 18A5 05D40000 SBB BYTE PTR SS:[EBP+D405],AH
0041042E 0000 ADD BYTE PTR DS:[EAX],AL
00410430 0000 ADD BYTE PTR DS:[EAX],AL
00410432 0100 ADD DWORD PTR DS:[EAX],EAX
00410434 0000 ADD BYTE PTR DS:[EAX],AL
00410436 9E SAHF
---------------------------------------------------------------------------------------------------------------------------------
BC++ (Borland C++ 1999)
00401000 > /EB 10 JMP SHORT XXXXXXX.00401012
00401002 |66:623A BOUND DI,DWORD PTR DS:[EDX]
00401005 |43 INC EBX
00401006 |2B2B SUB EBP,DWORD PTR DS:[EBX]
00401008 |48 DEC EAX
00401009 |4F DEC EDI
0040100A |4F DEC EDI
0040100B |4B DEC EBX
0040100C |90 NOP
0040100D-|E9 AC334800 JMP 008843BE
00401012 \A1 9F334800 MOV EAX,DWORD PTR DS:[48339F]
00401017 C1E0 02 SHL EAX,2
0040101A A3 A3334800 MOV DWORD PTR DS:[4833A3],EAX
0040101F 52 PUSH EDX
00401020 6A 00 PUSH 0
00401022 E8 11110800 CALL <JMP.&KERNEL32.GetModuleHandleA>
00401027 8BD0 MOV EDX,EAX
00401029 E8 3A1B0600 CALL XXXXXXX.00462B68
0040102E 5A POP EDX
0040102F E8 981A0600 CALL XXXXXXX.00462ACC
00401034 E8 6F1B0600 CALL XXXXXXX.00462BA8
00401039 6A 00 PUSH 0
0040103B E8 782E0600 CALL XXXXXXX.00463EB8
00401040 59 POP ECX
00401041 68 48334800 PUSH XXXXXXX.00483348
00401046 6A 00 PUSH 0
00401048 E8 EB100800 CALL <JMP.&KERNEL32.GetModuleHandleA>
0040104D A3 A7334800 MOV DWORD PTR DS:[4833A7],EAX
00401052 6A 00 PUSH 0
00401054 E9 6B900600 JMP XXXXXXX.0046A0C4
00401059 >E9 A62E0600 JMP XXXXXXX.00463F04
---------------------------------------------------------------------------------------------------------------------------------
Dasm: assembly
00401000 >/$6A 00 PUSH 0 ; /pModule = NULL
00401002|.E8 C50A0000 CALL <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
00401007|.A3 0C354000 MOV DWORD PTR DS:[40350C],EAX
0040100C|.E8 B50A0000 CALL <JMP.&KERNEL32.GetCommandLineA> ; [GetCommandLineA
00401011|.A3 10354000 MOV DWORD PTR DS:[403510],EAX
00401016|.6A 0A PUSH 0A ; /Arg4 = 0000000A
00401018|.FF35 10354000 PUSH DWORD PTR DS:[403510] ; |Arg3 = 00000000
0040101E|.6A 00 PUSH 0 ; |Arg2 = 00000000
00401020|.FF35 0C354000 PUSH DWORD PTR DS:[40350C] ; |Arg1 = 00000000
Another variant:
00401025 >/$6A F6 PUSH -0A
00401027|.E8 A0000000 CALL <JMP.&kernel32.GetStdHandle>
0040102C|.A3 00304000 MOV DWORD PTR DS:[403000],EAX
00401031|.6A F5 PUSH -0B
00401033|.E8 94000000 CALL <JMP.&kernel32.GetStdHandle>
00401038|.A3 04304000 MOV DWORD PTR DS:[403004],EAX
0040103D|.6A 01 PUSH 1
0040103F|.68 00104000 PUSH EchoLine.00401000
00401044|.E8 8F000000 CALL <JMP.&kernel32.SetConsoleCtrlHandle>
00401049|.6A 07 PUSH 7
0040104B|.FF35 00304000 PUSH DWORD PTR DS:[403000]
Too complicated, I don't understand it. There is also a VC++ 8.0 one:
00403A30 > $E8 6E270000 call VC8.004061A3
00403A35 .^ E9 79FEFFFF jmp VC8.004038B3
00403A3A/$55 push ebp
00403A3B|.8BEC mov ebp,esp
00403A3D|.83EC 08 sub esp,0x8
00403A40|.897D FC mov dword ptr ss:[ebp-0x4],edi ;ntdll.7C930228
00403A43|.8975 F8 mov dword ptr ss:[ebp-0x8],esi
00403A46|.8B75 0C mov esi,dword ptr ss:[ebp+0xC]
00403A49|.8B7D 08 mov edi,dword ptr ss:[ebp+0x8] ;VC8.<ModuleEntryPoint>
00403A4C|.8B4D 10 mov ecx,dword ptr ss:[ebp+0x10]
00403A4F|.C1E9 07 shr ecx,0x7
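As an added example (my own script, not from the original post or any reply), here is a small Python matcher that turns the prologues listed in this thread, including the VC++ 8.0 one posted above, into byte signatures and classifies the bytes found at a candidate OEP. It assumes you have already copied the raw bytes at the suspected OEP from the debugger; the sample byte strings are constructed from the listings in this thread, and the signature names are my own labels.

```python
# Added example, not from the original post: match the bytes at a candidate OEP
# against signatures derived from the listings above. "??" masks the bytes that
# differ per binary (pushed addresses, call/jmp displacements).
SIGNATURES = {
    # VC6 CRT prologue (PUSH -1, SEH frame via FS:[0], SUB ESP,58). E Language
    # binaries start with the same bytes, so this hit alone cannot separate them.
    "MSVC 6.0 CRT prologue (same in E Language; check further)":
        "55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 "
        "64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8",
    "Borland Delphi 6.0 - 7.0": "55 8B EC 83 C4 F0 53 B8 ?? ?? ?? ?? E8",
    # PUSH <VB header> / CALL ThunRTMain, then the VB header bytes.
    "Microsoft Visual Basic 5.0 / 6.0":
        "68 ?? ?? ?? ?? E8 ?? ?? ?? ?? ?? 00 00 00 00 00 30 00 00 00 38 00",
    # JMP SHORT over the 'fb:C++HOOK' marker bytes.
    "Borland C++ 1999": "EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9",
    "MASM (PUSH 0 / GetModuleHandleA / GetCommandLineA)":
        "6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3",
    # CALL then JMP only: weak, confirm by following the CALL target.
    "MSVC 8.0 CRT entry (weak)": "E8 ?? ?? ?? ?? E9 ?? ?? ?? ??",
}

def parse_signature(text):
    """'55 8B ?? EC' -> [0x55, 0x8B, None, 0xEC]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def signature_matches(code, pattern):
    """True when every non-wildcard pattern byte equals code at that offset."""
    if len(code) < len(pattern):
        return False
    return all(p is None or p == b for p, b in zip(pattern, code))

def identify_oep(code):
    """Names of all matching signatures, longest (most specific) first; an
    empty list means no match, e.g. the dump is still inside the packer stub."""
    hits = [(len(parse_signature(sig)), name)
            for name, sig in SIGNATURES.items()
            if signature_matches(code, parse_signature(sig))]
    return [name for _, name in sorted(hits, reverse=True)]

# Constructed samples: leading bytes copied from the listings in this thread.
VC6_SAMPLE = bytes.fromhex("55 8B EC 6A FF 68 30 B2 40 00 68 84 70 40 00 64 A1 00 00 00 00 50 "
                           "64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 EC B0 40 00")
EPL_SAMPLE = bytes.fromhex("55 8B EC 6A FF 68 F8 72 40 00 68 04 55 40 00 64 A1 00 00 00 00 50 "
                           "64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 48 70 40 00")
DELPHI_SAMPLE = bytes.fromhex("55 8B EC 83 C4 F0 53 B8 10 2B 4F 00 E8 EF 3B F1 FF")
VB_SAMPLE = bytes.fromhex("68 4C 74 41 00 E8 EE FF FF FF 16 00 00 00 00 00 30 00 00 00 38 00")
BCPP_SAMPLE = bytes.fromhex("EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 AC 33 48 00")
MASM_SAMPLE = bytes.fromhex("6A 00 E8 C5 0A 00 00 A3 0C 35 40 00 E8 B5 0A 00 00 A3 10 35 40 00")
VC8_SAMPLE = bytes.fromhex("E8 6E 27 00 00 E9 79 FE FF FF")
```

The MSVC 6.0 hit is deliberately shared between VC6 and E Language, mirroring the note above that the two prologues are almost identical. When nothing matches, you are most likely still inside the packer's stub rather than at the real OEP.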
Should be fairly simple.
Can't understand it!!!!!!!
Saved, thanks.
MARK~~
You'll get to know these after cracking a few more.
Currently studying... learned something.
Saying thanks doesn't count as spam, right?
Being a beginner is no crime.
Don't quite get it....