Hmily 发表于 2008-8-31 22:43

BC++ OEP 定位特征码

代码:
Ctrl+S:
retn
pushad
mov ebx,0BCB05000
pushebx
push0BAD
retn

Ctrl+B:
C3 60 BB 00 50 B0 BC 53 68 AD 0B 00 00 C3搜索这段代码可以定位很多BC++程序的OEP位置
可能某些程序需要把0BCB05000修改为通配符
当然,如果壳把整个主干都SDK或者VM,那就没了
此特征码可以定位未处理主干的BC++加壳程序的OEP

扩展一下,编译语言的特征可以帮我们定位OEP,其他编译语言自然有其他的特征码方法了 复制内容到剪贴板 代码:
01.OllyDBG V1.1.0 主程序OEP位置

00401000 EB 10jmp short 00401012
//OEP
0040100266:623Abound di,dword ptr ds:
0040100543 inc ebx
004010062B2B sub ebp,dword ptr ds:
0040100848 dec eax
004010094F dec edi
0040100A4F dec edi
0040100B4B dec ebx
0040100C90 nop
0040100DE9 28014B00jmp 008B113A
00401012A1 1B014B00mov eax,dword ptr ds:
00401017C1E0 02shl eax,2
0040101AA3 1F014B00mov dword ptr ds:,eax
0040101F52 pushedx
004010206A 00push0
00401022E8 4BE00A00call004AF072 ; <jmp.&KERNEL32.GetModuleHandleA>
004010278BD0 mov edx,eax
00401029E8 DA240A00call004A3508 ; 004A3508
0040102E5A pop edx
0040102FE8 70180A00call004A28A4 ; 004A28A4
00401034E8 D3240A00call004A350C ; 004A350C
004010396A 00push0
0040103BE8 F8330A00call004A4438 ; 004A4438
0040104059 pop ecx
0040104168 C4004B00push4B00C4
004010466A 00push0
00401048E8 25E00A00call004AF072 ; <jmp.&KERNEL32.GetModuleHandleA>
0040104DA3 23014B00mov dword ptr ds:,eax
004010526A 00push0
00401054E9 AFC10A00jmp 004AD208 ; 004AD208
00401059E9 26340A00jmp 004A4484 ; 004A4484
0040105E33C0 xor eax,eax
00401060A0 0D014B00mov al,byte ptr ds:
00401065C3 retn
00401066A1 23014B00mov eax,dword ptr ds:
___________________________
//BC++ OEP 定位特征码
0040106BC3 retn
0040106C60 pushad
0040106DBB 0050B0BCmov ebx,BCB05000
0040107253 pushebx
0040107368 AD0B0000push0BAD
00401078C3 retn
___________________________
00401079B9 9C000000mov ecx,9C
0040107E0BC9 orecx,ecx复制内容到剪贴板 代码:
02.IDA.Pro.Advanced.V5.0.0.879 主程序OEP位置

00401650EB 10jmp short 00401662
//OEP
0040165266:623Abound di,dword ptr ds:
0040165543 inc ebx
004016562B2B sub ebp,dword ptr ds:
0040165848 dec eax
004016594F dec edi
0040165A4F dec edi
0040165B4B dec ebx
0040165C90 nop
0040165DE9 98105700jmp 009726FA
00401662A1 8B105700mov eax,dword ptr ds:
00401667C1E0 02shl eax,2
0040166AA3 8F105700mov dword ptr ds:,eax
0040166F52 pushedx
004016706A 00push0
00401672E8 D9EC1600call00570350 ; jmp to kernel32.GetModuleHandleA
004016778BD0 mov edx,eax
00401679E8 96A21500call0055B914 ; 0055B914
0040167E5A pop edx
0040167FE8 F4A11500call0055B878 ; 0055B878
00401684E8 CBA21500call0055B954 ; 0055B954
004016896A 00push0
0040168BE8 C4B81500call0055CF54 ; 0055CF54
0040169059 pop ecx
0040169168 34105700push571034
004016966A 00push0
00401698E8 B3EC1600call00570350 ; jmp to kernel32.GetModuleHandleA
0040169DA3 93105700mov dword ptr ds:,eax
004016A26A 00push0
004016A4E9 7B601600jmp 00567724 ; 00567724
004016A9E9 F2B81500jmp 0055CFA0 ; 0055CFA0
004016AE33C0 xor eax,eax
004016B0A0 7D105700mov al,byte ptr ds:
004016B5C3 retn
004016B6A1 93105700mov eax,dword ptr ds:
___________________________
//BC++ OEP 定位特征码
004016BBC3 retn
004016BC60 pushad
004016BDBB 0050B0BCmov ebx,BCB05000
004016C253 pushebx
004016C368 AD0B0000push0BAD
004016C8C3 retn
___________________________
004016C9B9 AC000000mov ecx,0AC
004016CE0BC9 orecx,ecx复制内容到剪贴板 代码:
03.Immunity Debugger V1.5 主程序OEP位置

0040120C EB 10jmp short 0040121E
//OEP
0040120E66:623Abound di,dword ptr ds:
0040121143 inc ebx
004012122B2B sub ebp,dword ptr ds:
0040121448 dec eax
004012154F dec edi
004012164F dec edi
004012174B dec ebx
0040121890 nop
00401219E9 98104F00jmp 008F22B6
0040121EA1 8B104F00mov eax,dword ptr ds:
00401223C1E0 02shl eax,2
00401226A3 8F104F00mov dword ptr ds:,eax
0040122B52 pushedx
0040122C6A 00push0
0040122EE8 0DEF0E00call004F0140 ; <jmp.&KERNEL32.GetModuleHandleA>
004012338BD0 mov edx,eax
00401235E8 7A0F0E00call004E21B4 ; 004E21B4
0040123A5A pop edx
0040123BE8 00030E00call004E1540 ; 004E1540
00401240E8 730F0E00call004E21B8 ; 004E21B8
004012456A 00push0
00401247E8 2C1F0E00call004E3178 ; 004E3178
0040124C59 pop ecx
0040124D68 34104F00push4F1034
004012526A 00push0
00401254E8 E7EE0E00call004F0140 ; <jmp.&KERNEL32.GetModuleHandleA>
00401259A3 93104F00mov dword ptr ds:,eax
0040125E6A 00push0
00401260E9 B7C40E00jmp 004ED71C ; 004ED71C
00401265E9 5E1F0E00jmp 004E31C8 ; 004E31C8
0040126A33C0 xor eax,eax
0040126CA0 7D104F00mov al,byte ptr ds:
00401271C3 retn
00401272A1 93104F00mov eax,dword ptr ds:
___________________________
//BC++ OEP 定位特征码
00401277C3 retn
0040127860 pushad
00401279BB 0050B0BCmov ebx,BCB05000
0040127E53 pushebx
0040127F68 AD0B0000push0BAD
00401284C3 retn
___________________________
00401285B9 B4000000mov ecx,0B4
0040128A0BC9 orecx,ecx复制内容到剪贴板 代码:
04.Obsidium V1.3.0.0 主程序OEP位置

00401620EB 10jmp short 00401632
//OEP
00401632A1 8BE05700mov eax,dword ptr ds:
00401637C1E0 02shl eax,2
0040163AA3 8FE05700mov dword ptr ds:,eax
0040163F52 pushedx
004016406A 00push0
00401642E8 0FBD1700call0057D356 ; <jmp.&kernel32.GetModuleHandleA>
004016478BD0 mov edx,eax
00401649E8 C6E81600call0056FF14 ; 0056FF14
00401637C1E0 02shl eax,2
0040163AA3 8FE05700mov dword ptr ds:,eax
0040163F52 pushedx
004016406A 00push0
00401642E8 0FBD1700call0057D356 ; <jmp.&kernel32.GetModuleHandleA>
004016478BD0 mov edx,eax
00401649E8 C6E81600call0056FF14 ; 0056FF14
0040164E5A pop edx
0040164FE8 24E81600call0056FE78 ; 0056FE78
00401654E8 FBE81600call0056FF54 ; 0056FF54
004016596A 00push0
0040165BE8 00FE1600call00571460 ; 00571460
0040166059 pop ecx
0040166168 34E05700push57E034
004016666A 00push0
00401668E8 E9BC1700call0057D356 ; <jmp.&kernel32.GetModuleHandleA>
0040166DA3 93E05700mov dword ptr ds:,eax
004016726A 00push0
00401674E9 67601700jmp 005776E0 ; 005776E0
00401679E9 2EFE1600jmp 005714AC ; 005714AC
0040167E33C0 xor eax,eax
00401680A0 7DE05700mov al,byte ptr ds:
00401685C3 retn
00401686A1 93E05700mov eax,dword ptr ds:
___________________________
//BC++ OEP 定位特征码
0040168BC3 retn
0040168C60 pushad
0040168DBB 0050B0BCmov ebx,BCB05000
0040169253 pushebx
0040169368 AD0B0000push0BAD
00401698C3 retn
___________________________
00401699B9 CC000000mov ecx,0CC
0040169E0BC9 orecx,ecx复制内容到剪贴板 代码:
05.SoftwareShield FingerPrint Viewer V3.1.12.187 主程序OEP位置

004013D4EB 10jmp short 004013E6
//OEP
004013D666:623Abound di,dword ptr ds:
004013D943 inc ebx
004013DA2B2B sub ebp,dword ptr ds:
004013DC48 dec eax
004013DD4F dec edi
004013DE4F dec edi
004013DF4B dec ebx
004013E090 nop
004013E1E9 98704900jmp 0089847E
004013E6A1 8B704900mov eax,dword ptr ds:
004013EBC1E0 02shl eax,2
004013EEA3 8F704900mov dword ptr ds:,eax
004013F352 pushedx
004013F46A 00push0
004013F6E8 D34D0900call004961CE ; <jmp.&KERNEL32.GetModuleHandleA>
004013FB8BD0 mov edx,eax
004013FDE8 2EA00800call0048B430 ; 0048B430
004014025A pop edx
00401403E8 8C9F0800call0048B394 ; 0048B394
00401408E8 63A00800call0048B470 ; 0048B470
0040140D6A 00push0
0040140FE8 68B40800call0048C87C ; 0048C87C
0040141459 pop ecx
0040141568 34704900push497034
0040141A6A 00push0
0040141CE8 AD4D0900call004961CE ; <jmp.&KERNEL32.GetModuleHandleA>
00401421A3 93704900mov dword ptr ds:,eax
004014266A 00push0
00401428E9 93050900jmp 004919C0 ; 004919C0
0040142DE9 96B40800jmp 0048C8C8 ; 0048C8C8
0040143233C0 xor eax,eax
00401434A0 7D704900mov al,byte ptr ds:
00401439C3 retn
0040143AA1 93704900mov eax,dword ptr ds:
___________________________
//BC++ OEP 定位特征码
0040143FC3 retn
0040144060 pushad
00401441BB 0050B0BCmov ebx,BCB05000
0040144653 pushebx
0040144768 AD0B0000push0BAD
0040144CC3 retn
___________________________
0040144DB9 B4000000mov ecx,0B4
004014520BC9 orecx,ecx

fly
http://www.unpack.cn
20080831

小黑冰 发表于 2008-8-31 22:58

站长越来越厉害了 支持下``````

小生我怕怕 发表于 2008-8-31 23:01

h把这一串记住脱BC++应该会少走错了吧!

guoyonghao 发表于 2008-9-1 08:16

顶!!!!!!!!!!!
页: [1]
查看完整版本: BC++ OEP 定位特征码