OEP入口的特征

zoukankan html css js c++ java

OEP入口的特征

OEP入口的特征

入口特征............
Microsoft Visual C++ 6.0
push    ebp
mov     ebp, esp
push    -1
push    004C0618
push    004736F8
mov     eax, dword ptr fs:[0]
push    eax
mov     dword ptr fs:[0], esp
sub     esp, 58
push    ebx
push    esi
push    edi
mov     [local.6], esp

Microsoft Visual Basic 5.0 / 6.0
JMP DWORD PTR DS[<&MSVBVM60.#100>]
PUSH Dumped.00407C14
CALL <JMP.&MSVBVM60.#100>
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
XOR BYTE PTR DS:[EAX],AL
VB还有一种
push Dumped.0040D4D0
call <jmp.&msvbvm60.ThunRTMain>
add byte ptr ds:[eax],al
add byte ptr ds:[eax],al
add byte ptr ds:[eax],al
xor byte ptr ds:[eax],al
add byte ptr ds:[eax],al

Borland C++
JMP SHORT BCLOCK.0040164E
DB 66                     ; CHAR 'f'
DB 62                     ; CHAR 'b'
DB 3A                     ; CHAR ':'
DB 43                     ; CHAR 'C'
DB 2B                     ; CHAR '+'
DB 2B                     ; CHAR '+'
DB 48                     ; CHAR 'H'
DB 4F                     ; CHAR 'O'
DB 4F                     ; CHAR 'O'
DB 4B                     ; CHAR 'K'
NOP
DB E9
DD OFFSET BCLOCK.___CPPdebugHook
MOV   EAX,DWORD PTR DS:[4EE08B]
SHL    EAX,2
MOV   DWORD PTR DS:[4EE08F],EAX
PUSH EDX
PUSH 0 ; /pModule = NULL
CALL <JMP.&KERNEL32.GetModuleHandleA> ; /GetModuleHandleA
MOV   EDX,EAX

Borland Delphi 6.0 - 7.0
PUSH EBP
MOV  EBP,ESP
ADD  ESP,-14
PUSH EBX
PUSH ESI
PUSH EDI
XOR EAX,EAX
MOV DWORD PTR SS:[EBP-14],EAX
MOV EAX,Dumped.00509720
CALL Dumped.0040694C

易语言入口
call   Dumped.0040100B
push eax
call   <jmp.&KERNEL32.ExitProcess>
push ebp
mov ebp,esp
add   esp,-110
jmp   Dumped.0040109C
imul   esi,dword ptr ds:[edx+6E],6C
outs dx,byte ptr es:[edi]
也是有令一种形式
Microsoft Visual C++ 6.0 [Overlay]的E语言
PUSH EBP
MOV   EBP,ESP
PUSH -1
PUSH Dumped.004062F0
PUSH Dumped.00404CA4 ; SE 处理程序安装
MOV   EAX,DWORD PTR FS:[0]
PUSH EAX
MOV   DWORD PTR FS:[0],ESP

MASM32 / TASM32
push 0                        ; /pModule = NULL
call <jmp.&kernel32.GetModuleHandleA> ; /GetModuleHandleA
mov dword ptr ds:[403000],eax
push 0                       ; /lParam = NULL
push Dumped.004010DF ; |DlgProc = dump.004010DF
push 0                       ; |hOwner = NULL
push 65                     ; |pTemplate = 65
push dword ptr ds:[403000] ; |hInst = NULL
call   <jmp.&user32.DialogBoxParamA> ; /DialogBoxParamA

VC8
call Dumped.004ACF97
jmp Dumped.004A28FC
int   3
int   3
int   3
int   3
int   3
int   3
int   3
int   3
int   3
int   3
mov ecx,dword ptr ss:[esp+4]
test   ecx,3
je      short Dumped.004A2B20
mov   al,byte ptr ds:[ecx]
add    ecx,1

-------------------------------------------------------
kedebug

Department of Computer Science and Engineering,

Shanghai Jiao Tong University

E-mail: kedebug0@gmail.com

GitHub: http://github.com/kedebug

-------------------------------------------------------

查看全文

相关阅读:
正则表达式练习,持续更新中
 Jquery使用mouseenter和mouseleave实现鼠标经过弹出层且可以点击
 SQL查找删除重复数据只保留一条
 TreeView(C#)无限目录树代码片段
 ora-01440:要减小精度或标度，则要修改的列必须为空
 SQL查询和删除重复字段的内容
 CodeSmith(C#)简单示例及相关小知识
 MSSQL 自定义函数详解
 一些精妙的sql语句收集
 134.Gas Station

原文地址：https://www.cnblogs.com/kedebug/p/2791761.html