Entry-point signatures of common languages!
C++ entry-point signature:
00408027 >/$55 push ebp
00408028|.8BEC mov ebp,esp
0040802A|.6A FF push -0x1
0040802C|.68 F0F14000 push C++.0040F1F0
00408031|.68 84AF4000 push C++.0040AF84 ;SE 处理程序安装
00408036|.64:A1 00000000 mov eax,dword ptr fs:[0]
0040803C|.50 push eax
0040803D|.64:8925 000000>mov dword ptr fs:[0],esp
00408044|.83EC 58 sub esp,0x58
00408047|.53 push ebx
00408048|.56 push esi
00408049|.57 push edi ;ntdll.7C930228
0040804A|.8965 E8 mov dword ptr ss:[ebp-0x18],esp
0040804D|.FF15 E4F04000 call dword ptr ds:[<&KERNEL32.GetVersion>] ;kernel32.GetVersion
00408053|.33D2 xor edx,edx ;ntdll.KiFastSystemCallRet
00408055|.8AD4 mov dl,ah
00408057|.8915 D06B4100 mov dword ptr ds:[0x416BD0],edx ;ntdll.KiFastSystemCallRet
0040805D|.8BC8 mov ecx,eax
0040805F|.81E1 FF000000 and ecx,0xFF
00408065|.890D CC6B4100 mov dword ptr ds:[0x416BCC],ecx
0040806B|.C1E1 08 shl ecx,0x8
C++ entry API function: GetVersion
C++: search for strings as ASCII
C++: find button events by searching for SUB EAX,0A
Assembly entry point:
0040285E >/$6A 00 push 0x0 ; /pModule = NULL
00402860|.E8 970B0000 call <jmp.&kernel32.GetModuleHandleA> ; \GetModuleHandleA
00402865|.A3 28544000 mov dword ptr ds:[0x405428],eax
0040286A|.E8 F50C0000 call <jmp.&comctl32.InitCommonControls>; [InitCommonControls
0040286F|.68 9D334000 push 汇编.0040339D ; /pTopLevelFilter = 汇编.0040339D
00402874|.E8 F50B0000 call <jmp.&kernel32.SetUnhandledExceptio>; \SetUnhandledExceptionFilter
00402879|.6A 00 push 0x0 ; /lParam = NULL
0040287B|.68 96284000 push 汇编.00402896 ; |DlgProc = 汇编.00402896
00402880|.6A 00 push 0x0 ; |hOwner = NULL
00402882|.6A 65 push 0x65 ; |pTemplate = 65
00402884|.FF35 28544000 push dword ptr ds:[0x405428] ; |hInst = NULL
0040288A|.E8 4B0C0000 call <jmp.&user32.DialogBoxParamA> ; \DialogBoxParamA
0040288F|.6A 00 push 0x0 ; /ExitCode = 0
00402891\.E8 480B0000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
Assembly entry API function: GetModuleHandleA
Assembly: search for strings as ASCII
Delphi entry point:
0045D408 > $55 push ebp
0045D409 .8BEC mov ebp,esp
0045D40B .83C4 F0 add esp,-0x10
0045D40E .B8 28D24500 mov eax,DELPHI.0045D228
0045D413 .E8 6088FAFF call DELPHI.00405C78
0045D418 .A1 4CF14500 mov eax,dword ptr ds:[0x45F14C]
0045D41D .8B00 mov eax,dword ptr ds:[eax]
0045D41F .E8 08DFFFFF call DELPHI.0045B32C
0045D424 .8B0D 40F24500 mov ecx,dword ptr ds:[0x45F240] ;DELPHI.00460C04
0045D42A .A1 4CF14500 mov eax,dword ptr ds:[0x45F14C]
0045D42F .8B00 mov eax,dword ptr ds:[eax]
0045D431 .8B15 CCC84500 mov edx,dword ptr ds:[0x45C8CC] ;DELPHI.0045C918
0045D437 .E8 08DFFFFF call DELPHI.0045B344
0045D43C .A1 4CF14500 mov eax,dword ptr ds:[0x45F14C]
0045D441 .8B00 mov eax,dword ptr ds:[eax]
0045D443 .E8 7CDFFFFF call DELPHI.0045B3C4
0045D448 .E8 2769FAFF call DELPHI.00403D74
0045D44D .8D40 00 lea eax,dword ptr ds:[eax]
Delphi entry-point signature: GetModuleHandleA
Delphi: find button events via right-click -> Search for -> Binary string: 740E8BD38B83????????FF93????????
Use Ctrl+L to jump to the next occurrence; set a breakpoint on every hit.
Delphi: search for strings as ASCII
Easy Language (易语言) entry-point signature:
004464D1 >/$55 push ebp
004464D2|.8BEC mov ebp,esp
004464D4|.6A FF push -0x1
004464D6|.68 B0C14600 push 易语言.0046C1B0
004464DB|.68 DCAC4400 push 易语言.0044ACDC ;SE 处理程序安装
004464E0|.64:A1 0000000>mov eax,dword ptr fs:[0]
004464E6|.50 push eax
004464E7|.64:8925 00000>mov dword ptr fs:[0],esp
004464EE|.83EC 58 sub esp,0x58
004464F1|.53 push ebx
004464F2|.56 push esi
004464F3|.57 push edi ;ntdll.7C930228
004464F4|.8965 E8 mov dword ptr ss:[ebp-0x18],esp
004464F7|.FF15 98514600 call dword ptr ds:[<&KERNEL32.GetVersion>] ;kernel32.GetVersion
004464FD|.33D2 xor edx,edx ;ntdll.KiFastSystemCallRet
Easy Language entry API function: GetVersion
Note: after it breaks, press Alt+F9 to return to user code, then search for the binary string FC DB E3 E8 ?? ?? ?? ??
Easy Language: search for strings as ASCII
Note: most Easy Language programs protect the E-format body with junk instructions, so strip the junk code before searching for strings; the plugin for removing it (E JUNK CODE) is already added to my OD.
VC8 entry-point signature:
00403A30 > $E8 6E270000 call VC8.004061A3
00403A35 .^ E9 79FEFFFF jmp VC8.004038B3
00403A3A/$55 push ebp
00403A3B|.8BEC mov ebp,esp
00403A3D|.83EC 08 sub esp,0x8
00403A40|.897D FC mov dword ptr ss:[ebp-0x4],edi ;ntdll.7C930228
00403A43|.8975 F8 mov dword ptr ss:[ebp-0x8],esi
00403A46|.8B75 0C mov esi,dword ptr ss:[ebp+0xC]
00403A49|.8B7D 08 mov edi,dword ptr ss:[ebp+0x8] ;VC8.<ModuleEntryPoint>
00403A4C|.8B4D 10 mov ecx,dword ptr ss:[ebp+0x10]
00403A4F|.C1E9 07 shr ecx,0x7
VC8 entry-point signature: look for GetStartupInfoW
VC8: search for strings as Unicode
VC8: find button events by searching for SUB EAX,0A
VB entry-point signature:
00401978 .- FF25 18114000 jmp dword ptr ds:[<&MSVBVM60.#613>] ;msvbvm60.rtcVarStrFromVar
0040197E .- FF25 84104000 jmp dword ptr ds:[<&MSVBVM60.__vbaVarTst>;msvbvm60.__vbaVarTstEq
00401984 .- FF25 7C104000 jmp dword ptr ds:[<&MSVBVM60.#528>] ;msvbvm60.rtcUpperCaseVar
0040198A .- FF25 A8104000 jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_>;msvbvm60.EVENT_SINK_QueryInterface
00401990 .- FF25 78104000 jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_>;msvbvm60.EVENT_SINK_AddRef
00401996 .- FF25 9C104000 jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_>;msvbvm60.EVENT_SINK_Release
0040199C $- FF25 08114000 jmp dword ptr ds:[<&MSVBVM60.#100>] ;msvbvm60.ThunRTMain
004019A2 00 db 00
004019A3 00 db 00
004019A4 > $68 5C284000 push VB.0040285C ;ASCII "VB5!6&vb6chs.dll"
004019A9 .E8 EEFFFFFF call <jmp.&MSVBVM60.#100>
004019AE .0000 add byte ptr ds:[eax],al
004019B0 .0000 add byte ptr ds:[eax],al
004019B2 .0000 add byte ptr ds:[eax],al
004019B4 .3000 xor byte ptr ds:[eax],al
004019B6 .0000 add byte ptr ds:[eax],al
VB entry-point signature function: ThunRTMain
VB: when searching for strings, use the binary string 816C2404??000000
Note: to recognize P-code compiled VB: if no button events can be found, it was compiled to P-code.
P-code is virtual code and needs a dedicated debugger.
VB: search for strings as Unicode
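As an added example (not code from the original post), the Python script below does in code what the post does by hand in OllyDbg: a wildcard binary-string search, where ?? matches any byte, as used for the Delphi button-event pattern and the VB 816C2404??000000 pattern above, and a small entry-point classifier whose signature table is transcribed from the byte columns of the listings above (addresses and call displacements replaced by ??). The signature names, the helper function names and the sample buffers are constructed for this example.

```python
"""Wildcard binary-string search plus an entry-point classifier.

Added example for this post: OllyDbg's "Search for -> Binary string" lets
'??' stand for any byte; this is the same idea in Python.  Nothing here is
the post's own code.  The signature table is transcribed from the listings
in the post and the sample buffers are constructed.
"""
from typing import List, Optional


def parse_pattern(hex_pattern: str) -> List[Optional[int]]:
    """'740E8BD38B83????????FF93????????' -> [0x74, 0x0E, ..., None, ...]
    where None marks a '??' wildcard.  Spaces between bytes are allowed."""
    cleaned = hex_pattern.replace(" ", "").upper()
    if len(cleaned) % 2:
        raise ValueError("hex pattern needs an even number of digits")
    tokens = [cleaned[i:i + 2] for i in range(0, len(cleaned), 2)]
    return [None if tok == "??" else int(tok, 16) for tok in tokens]


def matches_at(data: bytes, pattern: List[Optional[int]], offset: int) -> bool:
    """True if every non-wildcard byte of pattern equals data at offset."""
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or p == data[offset + i] for i, p in enumerate(pattern))


def find_all(data: bytes, hex_pattern: str) -> List[int]:
    """All offsets at which the wildcard pattern occurs (overlaps included);
    OllyDbg shows these one at a time as you press Ctrl+L."""
    pattern = parse_pattern(hex_pattern)
    return [off for off in range(len(data) - len(pattern) + 1)
            if matches_at(data, pattern, off)]


# Entry-point byte sequences transcribed from the listings in the post, with
# absolute addresses and relative call/jmp targets replaced by wildcards.
ENTRY_SIGNATURES = [
    ("MSVC CRT prologue (C++ or Easy Language)",
     "55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 "
     "50 64 89 25 00 00 00 00 83 EC 58"),
    ("Delphi", "55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ??"),
    ("Assembly (GetModuleHandleA first)", "6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ??"),
    ("VC8 (call, then jmp)", "E8 ?? ?? ?? ?? E9 ?? ?? ?? ??"),
    ("VB (push 'VB5!' header, call ThunRTMain)", "68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 00 00 00 00 00 00"),
]


def identify_entry(entry_bytes: bytes) -> Optional[str]:
    """Return the name of the first signature matching at offset 0, or None."""
    for name, sig in ENTRY_SIGNATURES:
        if matches_at(entry_bytes, parse_pattern(sig), 0):
            return name
    return None


# Constructed samples: the entry bytes copied from the post's listings.
CPP_ENTRY = bytes.fromhex("55 8BEC 6AFF 68F0F14000 6884AF4000 64A100000000 50 "
                          "64892500000000 83EC58 53 56 57")
DELPHI_ENTRY = bytes.fromhex("55 8BEC 83C4F0 B828D24500 E86088FAFF")
MASM_ENTRY = bytes.fromhex("6A00 E8970B0000 A328544000 E8F50C0000")
VC8_ENTRY = bytes.fromhex("E86E270000 E979FEFFFF")
VB_ENTRY = bytes.fromhex("685C284000 E8EEFFFFFF 0000 0000 0000 3000 0000")

DELPHI_EVENT_PATTERN = "740E8BD38B83????????FF93????????"
VB_EVENT_PATTERN = "816C2404??000000"


def build_event_sample() -> bytes:
    """Constructed buffer: two Delphi button-event hits (offsets 5 and 34)
    and one VB hit (offset 26), separated by NOP filler.  The operand
    bytes 11223344 / 55667788 / 2A are arbitrary wildcard fill."""
    delphi_hit = bytes.fromhex("740E8BD38B83" "11223344" "FF93" "55667788")
    vb_hit = bytes.fromhex("816C2404" "2A" "000000")
    nops = b"\x90" * 5
    return nops + delphi_hit + nops + vb_hit + delphi_hit


def main() -> None:
    for label, sample in (("C++", CPP_ENTRY), ("Delphi", DELPHI_ENTRY),
                          ("asm", MASM_ENTRY), ("VC8", VC8_ENTRY), ("VB", VB_ENTRY)):
        print(f"{label:7s} -> {identify_entry(sample)}")
    buf = build_event_sample()
    print("Delphi button-event hits:", find_all(buf, DELPHI_EVENT_PATTERN))
    print("VB hits:", find_all(buf, VB_EVENT_PATTERN))


if __name__ == "__main__":
    main()
```

The classifier only looks at the bytes at the entry point, exactly as the post does, so it is a quick triage aid rather than proof: a packer or the junk instructions the post mentions for Easy Language will push the real prologue elsewhere, and a sample whose entry matches none of the patterns simply returns None.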
Wrong category, I fixed it for you. Thanks to OP for sharing~
Thanks for sharing, learned something.
Thanks for sharing, but I can't get my head around the C++ part yet.
Thanks for the support.
Nice repost, awesome.
Thanks to OP for sharing!!!
Most of it I can't understand yet, saving it for later.
This is useful, it often comes in handy.
I'd still suggest using screenshots, more intuitive.