大家好，我们在脱壳过程中一步一步地执行，最后怎么知道已经到了 OEP 了呢？或者说 OEP 处有什么标志吗？
上期有朋友跟帖问到找 OEP 有什么关键标志，在这里我把一些常见的列出来（每个标题括号里的字节是该入口特征处那条 call 指令的机器码，可以和下面列表中对应的一行比对）：
***************************************************************
Microsoft Visual C++ 6.0( FF15 ACF64400 )
0041FFAF 55 push ebp
0041FFB0 8BEC mov ebp,esp
0041FFB2 6A FF push -1
0041FFB4 68 70C44200 push EZIP_1_0.0042C470
0041FFB9 68 A2014200 push EZIP_1_0.004201A2 ; jmp 到
0041FFBE 64:A1 00000000 mov eax,dword ptr fs:[0]
0041FFC4 50 push eax
0041FFC5 64:8925 0000000>mov dword ptr fs:[0],esp
0041FFCC 83EC 20 sub esp,20
0041FFCF 53 push ebx
0041FFD0 56 push esi
0041FFD1 57 push edi
0041FFD2 8965 E8 mov dword ptr ss:[ebp-18],esp
0041FFD5 8365 FC 00 and dword ptr ss:[ebp-4],0
0041FFD9 6A 01 push 1
0041FFDB FF15 ACF64400 call dword ptr ds:[44F6AC] ; MSVCRT.__set_app_type
0041FFE1 59 pop ecx
0041FFE2 830D DCE14400 F>or dword ptr ds:[44E1DC],FFFFFFFF
0041FFE9 830D ECE14400 F>or dword ptr ds:[44E1EC],FFFFFFFF
0041FFF0 FF15 B0F64400 call dword ptr ds:[44F6B0] ; MSVCRT.__p__fmode
Microsoft Visual C++ 6.0 SPx Method 1( FF15 F4644000 )
004010CC 55 push ebp
004010CD 8BEC mov ebp,esp
004010CF 83EC 44 sub esp,44
004010D2 56 push esi
004010D3 FF15 E4634000 call dword ptr ds:[4063E4] ; kernel32.GetCommandLineA
004010D9 8BF0 mov esi,eax
004010DB 8A00 mov al,byte ptr ds:[eax]
004010DD 3C 22 cmp al,22
004010DF 75 1B jnz short ASPack_1.004010FC
004010E1 56 push esi
004010E2 FF15 F4644000 call dword ptr ds:[4064F4] ; USER32.CharNextA
004010E8 8BF0 mov esi,eax
004010EA 8A00 mov al,byte ptr ds:[eax]
004010EC 84C0 test al,al
004010EE 74 04 je short ASPack_1.004010F4
004010F0 3C 22 cmp al,22
004010F2 ^ 75 ED jnz short ASPack_1.004010E1
004010F4 803E 22 cmp byte ptr ds:[esi],22
****************************************************************
Borland Delphi(E8 2CE6FAFF)
0061EC50 55 push ebp
0061EC51 8BEC mov ebp,esp
0061EC53 83C4 E0 add esp,-20
0061EC56 53 push ebx
0061EC57 56 push esi
0061EC58 57 push edi
0061EC59 33C0 xor eax,eax
0061EC5B 8945 F0 mov dword ptr ss:[ebp-10],e>
0061EC5E 8945 EC mov dword ptr ss:[ebp-14],e>
0061EC61 8945 E8 mov dword ptr ss:[ebp-18],e>
0061EC64 B8 90E56100 mov eax,flashfxp.0061E590
0061EC69 E8 0E7FDEFF call flashfxp.00406B7C
004578F4 55 push ebp
004578F5 8BEC mov ebp,esp
004578F7 83C4 F4 add esp,-0C
004578FA B8 AC774500 mov eax,ex1.004577AC
004578FF E8 2CE6FAFF call ex1.00405F30
00457904 A1 40954500 mov eax,dword ptr ds:[459540]
00457909 8B00 mov eax,dword ptr ds:[eax]
0045790B E8 78A1FEFF call ex1.00441A88
00457910 8B0D 10964500 mov ecx,dword ptr ds:[459610] ; ex1.0045A820
00457916 A1 40954500 mov eax,dword ptr ds:[459540]
0045791B 8B00 mov eax,dword ptr ds:[eax]
0045791D 8B15 24744500 mov edx,dword ptr ds:[457424] ; ex1.00457470
00457923 E8 78A1FEFF call ex1.00441AA0
00457928 A1 40954500 mov eax,dword ptr ds:[459540]
0045792D 8B00 mov eax,dword ptr ds:[eax]
0045792F E8 ECA1FEFF call ex1.00441B20
00457934 E8 8BBEFAFF call ex1.004037C4
*************************************************************
Borland C++(E8 CD1B0C00 )
004014BC /EB 10 jmp short BossKey.004014CE
004014BE |66:623A bound di,dword ptr ds:[edx]
004014C1 |43 inc ebx
004014C2 |2B2B sub ebp,dword ptr ds:[ebx]
004014C4 |48 dec eax
004014C5 |4F dec edi
004014C6 |4F dec edi
004014C7 |4B dec ebx
004014C8 |90 nop
004014C9 -|E9 98404C00 jmp 008C5566
004014CE \A1 8B404C00 mov eax,dword ptr ds:[4C408>
004014D3 C1E0 02 shl eax,2
004014D6 A3 8F404C00 mov dword ptr ds:[4C408F],e>
004014DB 52 push edx
004014DC 6A 00 push 0
004014DE E8 CD1B0C00 call BossKey.004C30B0 ; jmp to kernel32.GetModuleHandleA
004014E3 8BD0 mov edx,eax
004014E5 E8 3E2F0A00 call BossKey.004A4428
****************************************************************
Microsoft Visual Basic 5.0 / 6.0( E8 F0FFFFFF )
0040106C 68 D8114000 push ASPack_2.004011D8
00401071 E8 F0FFFFFF call ASPack_2.00401066 ; jmp 到
00401076 0000 add byte ptr ds:[eax],al
00401078 0000 add byte ptr ds:[eax],al
0040107A 0000 add byte ptr ds:[eax],al
0040107C 3000 xor byte ptr ds:[eax],al
0040107E 0000 add byte ptr ds:[eax],al
00401080 3800 cmp byte ptr ds:[eax],al
00401082 0000 add byte ptr ds:[eax],al
00401084 0000 add byte ptr ds:[eax],al
00401086 0000 add byte ptr ds:[eax],al
00401088 2F das
00401089 5D pop ebp
0040108A D5 B8 aad 0B8
0040108C 8615 D611B3B5 xchg byte ptr ds:[B5B311D6],dl
00401092 0020 add byte ptr ds:[eax],ah
00401094 ED in eax,dx
00401095 A8 C1 test al,0C1
*****************************************************************
MASM32 / TASM32( E8 6C020000 )
00402A11 6A 00 push 0
00402A13 E8 6C020000 call XJ1000.00402C84 ; jmp 到
00402A18 A3 00104000 mov dword ptr ds:[401000],eax
00402A1D 6A 00 push 0
00402A1F 68 352A4000 push XJ1000.00402A35
00402A24 6A 00 push 0
00402A26 6A 64 push 64
00402A28 50 push eax
00402A29 E8 8C020000 call XJ1000.00402CBA ; jmp 到
00402A2E 6A 00 push 0
00402A30 E8 43020000 call XJ1000.00402C78 ; jmp 到
00402A35 55 push ebp
00402A36 8BEC mov ebp,esp
00402A38 83C4 FC add esp,-4
00402A3B 60 pushad
00402A3C 817D 0C 1001000>cmp dword ptr ss:[ebp+C],110
00402A43 75 74 jnz short XJ1000.00402AB9
*****************************************************************
这些内容新手可以 COPY 到一个记事本中，以后调试软件的时候，看到相关的语句就打开对照一下；有一定熟悉程度之后，对以后处理 stolen code 会有很大的帮助。