常见程序OEP处代码整理
　

对于学习脱壳的朋友来说，这些程序的OEP的特征一定要熟记。否则脱来脱去，找规律，看教程。如果连这些软件的入口地址都不清楚，那什么都是空谈。
Borland Delphi 6.0 - 7.0

004664A0 > 55 PUSH EBP
004664A1 8BEC MOV EBP,ESP
004664A3 83C4 F0 ADD ESP,-10
004664A6 53 PUSH EBX
004664A7 B8 90624600 MOV EAX,PerfectC.00466290
004664AC E8 7705FAFF CALL PerfectC.00406A28
004664B1 8B1D C4814600 MOV EBX,DWORD PTR DS:[4681C4] ; PerfectC.00469BB0
004664B7 8B03 MOV EAX,DWORD PTR DS:[EBX]
004664B9 E8 EE5AFFFF CALL PerfectC.0045BFAC
004664BE 8B03 MOV EAX,DWORD PTR DS:[EBX]
004664C0 BA 40654600 MOV EDX,PerfectC.00466540
004664C5 E8 E256FFFF CALL PerfectC.0045BBAC
004664CA 8B0D B8824600 MOV ECX,DWORD PTR DS:[4682B8] ; PerfectC.00469BF8
004664D0 8B03 MOV EAX,DWORD PTR DS:[EBX]
004664D2 8B15 E81A4600 MOV EDX,DWORD PTR DS:[461AE8] ; PerfectC.00461B34
004664D8 E8 E75AFFFF CALL PerfectC.0045BFC4
004664DD 8B0D F0824600 MOV ECX,DWORD PTR DS:[4682F0] ; PerfectC.00469BD8

Microsoft Visual C++ 6.0 [Overlay] E语言

00403831 >/$ 55 PUSH EBP
00403832 |. 8BEC MOV EBP,ESP
00403834 |. 6A FF PUSH -1
00403836 |. 68 F0624000 PUSH Nisy521.004062F0
0040383B |. 68 A44C4000 PUSH Nisy521.00404CA4 ; SE 处理程序安装
00403840 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00403846 |. 50 PUSH EAX
00403847 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP

Microsoft Visual Basic 5.0 / 6.0

00401166 - FF25 6C104000 JMP DWORD PTR DS:[<&MSVBVM60.#100>] ; MSVBVM60.ThunRTMain
0040116C > 68 147C4000 PUSH PACKME.00407C14
00401171 E8 F0FFFFFF CALL <JMP.&MSVBVM60.#100>
00401176 0000 ADD BYTE PTR DS:[EAX],AL
00401178 0000 ADD BYTE PTR DS:[EAX],AL
0040117A 0000 ADD BYTE PTR DS:[EAX],AL
0040117C 3000 XOR BYTE PTR DS:[EAX],AL

或省略第一行的JMP

00401FBC > 68 D0D44000 push dumped_.0040D4D0
00401FC1 E8 EEFFFFFF call <jmp.&msvbvm60.ThunRTMain>
00401FC6 0000 add byte ptr ds:[eax],al
00401FC8 0000 add byte ptr ds:[eax],al
00401FCA 0000 add byte ptr ds:[eax],al
00401FCC 3000 xor byte ptr ds:[eax],al
00401FCE 0000 add byte ptr ds:[eax],al

BC++

0040163C > $ /EB 10 JMP SHORT BCLOCK.0040164E
0040163E |66 DB 66 ; CHAR 'f'
0040163F |62 DB 62 ; CHAR 'b'
00401640 |3A DB 3A ; CHAR ':'
00401641 |43 DB 43 ; CHAR 'C'
00401642 |2B DB 2B ; CHAR '+'
00401643 |2B DB 2B ; CHAR '+'
00401644 |48 DB 48 ; CHAR 'H'
00401645 |4F DB 4F ; CHAR 'O'
00401646 |4F DB 4F ; CHAR 'O'
00401647 |4B DB 4B ; CHAR 'K'
00401648 |90 NOP
00401649 |E9 DB E9
0040164A . |98E04E00 DD OFFSET BCLOCK.___CPPdebugHook
0040164E > \A1 8BE04E00 MOV EAX,DWORD PTR DS:[4EE08B]
00401653 . C1E0 02 SHL EAX,2
00401656 . A3 8FE04E00 MOV DWORD PTR DS:[4EE08F],EAX
0040165B . 52 PUSH EDX
0040165C . 6A 00 PUSH 0 ; /pModule = NULL
0040165E . E8 DFBC0E00 CALL <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
00401663 . 8BD0 MOV EDX,EAX

Dasm:

00401000 >/$ 6A 00 PUSH 0 ; /pModule = NULL
00401002 |. E8 C50A0000 CALL <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
00401007 |. A3 0C354000 MOV DWORD PTR DS:[40350C],EAX
0040100C |. E8 B50A0000 CALL <JMP.&KERNEL32.GetCommandLineA> ; [GetCommandLineA
00401011 |. A3 10354000 MOV DWORD PTR DS:[403510],EAX
00401016 |. 6A 0A PUSH 0A ; /Arg4 = 0000000A
00401018 |. FF35 10354000 PUSH DWORD PTR DS:[403510] ; |Arg3 = 00000000
0040101E |. 6A 00 PUSH 0 ; |Arg2 = 00000000
00401020 |. FF35 0C354000 PUSH DWORD PTR DS:[40350C] ; |Arg1 = 00000000

vc++
   55            PUSH EBP
   8BEC          MOV EBP,ESP
   83EC 44       SUB ESP,44
   56            PUSH ESI

vb:

00401166  - FF25 6C104000   JMP DWORD PTR DS:[<&MSVBVM60.#100>]      ; MSVBVM60.ThunRTMain
0040116C >  68 147C4000     PUSH PACKME.00407C14
00401171    E8 F0FFFFFF     CALL <JMP.&MSVBVM60.#100>
00401176    0000            ADD BYTE PTR DS:[EAX],AL
00401178    0000            ADD BYTE PTR DS:[EAX],AL
0040117A    0000            ADD BYTE PTR DS:[EAX],AL
0040117C    3000            XOR BYTE PTR DS:[EAX],AL

[课程]Linux pwn 探索篇！