OD逆向时各编程语言入口特征码 (OllyDbg entry-point signatures by compiler / language). These are heuristics for recognising the compiler and for locating the OEP after unpacking: a packer or protector can reproduce any of these prologues byte-for-byte as a fake entry, so confirm a match against the import table and the runtime library the binary actually loads.


Microsoft Visual C++ 6.0


00496EB8 >/$ 55 PUSH EBP ; entry point (OllyDbg: initial CPU selection) — VC++ 6.0 CRT start-up prologue, not the program's main()

00496EB9 |. 8BEC MOV EBP,ESP ; frame pointer set up

00496EBB |. 6A FF PUSH -1 ; first field of the SEH registration record; -1 is presumably the initial trylevel — confirm

00496EBD |. 68 40375600 PUSH Screensh.00563740 ; presumably the scope table consumed by the handler pushed next — confirm

00496EC2 |. 68 8CC74900 PUSH Screensh.0049C78C ; SE handler installation: address of the exception-handler routine

00496EC7 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0] ; EAX = current head of this thread's SEH chain

00496ECD |. 50 PUSH EAX ; keep the previous record so the chain stays linked

00496ECE |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP ; register the new record (on the stack) as chain head — PUSH -1 / PUSH / PUSH / FS:[0] swap is the sequence to match

00496ED5 |. 83EC 58 SUB ESP,58 ; reserve 0x58 bytes of locals

 



Microsoft Visual Basic 5.0 / 6.0

 

00401166 - FF25 6C104000 JMP DWORD PTR DS:[<&MSVBVM60.#100>] ; import thunk: MSVBVM60 ordinal #100, which OllyDbg resolves to ThunRTMain

0040116C > 68 147C4000 PUSH PACKME.00407C14 ; entry point: push the address of the VB runtime header (presumably the "VB5!" project structure — confirm)

00401171 E8 F0FFFFFF CALL <JMP.&MSVBVM60.#100> ; ThunRTMain(header): hands the process to the VB runtime; presumably never returns, since only data follows

00401176 0000 ADD BYTE PTR DS:[EAX],AL ; 00 00 bytes — data, not code; OllyDbg decodes them as ADD [EAX],AL

00401178 0000 ADD BYTE PTR DS:[EAX],AL ; data (see above)

0040117A 0000 ADD BYTE PTR DS:[EAX],AL ; data (see above)

0040117C 3000 XOR BYTE PTR DS:[EAX],AL ; data (30 00) — still part of the structure, not executed

 

或省略第一行的JMP (the leading JMP-thunk line may be absent; only the PUSH / CALL pair remains, and the CALL still goes through the import thunk for ThunRTMain):

 

00401FBC > 68 D0D44000 push dumped_.0040D4D0 ; entry point: push the address of the VB runtime header (presumably the "VB5!" project structure — confirm)

00401FC1 E8 EEFFFFFF call <jmp.&msvbvm60.ThunRTMain> ; ThunRTMain(header) via the import thunk; presumably never returns, since only data follows

00401FC6 0000 add byte ptr ds:[eax],al ; 00 00 bytes — data, not code; OllyDbg decodes them as add [eax],al

00401FC8 0000 add byte ptr ds:[eax],al ; data (see above)

00401FCA 0000 add byte ptr ds:[eax],al ; data (see above)

00401FCC 3000 xor byte ptr ds:[eax],al ; data (30 00) — same layout as the previous listing

00401FCE 0000 add byte ptr ds:[eax],al ; data (see above)

 



Borland C++

 

0040163C > $ /EB 10 JMP SHORT BCLOCK.0040164E ; entry point: hop over the marker bytes embedded below

0040163E |66 DB 66 ; CHAR ‘f‘ — start of the ASCII marker "fb:C++HOOK" (Borland C++ debug-hook signature; never executed)

0040163F |62 DB 62 ; CHAR ‘b‘

00401640 |3A DB 3A ; CHAR ‘:‘

00401641 |43 DB 43 ; CHAR ‘C‘

00401642 |2B DB 2B ; CHAR ‘+‘

00401643 |2B DB 2B ; CHAR ‘+‘

00401644 |48 DB 48 ; CHAR ‘H‘

00401645 |4F DB 4F ; CHAR ‘O‘

00401646 |4F DB 4F ; CHAR ‘O‘

00401647 |4B DB 4B ; CHAR ‘K‘ — end of the marker

00401648 |90 NOP ; filler byte inside the skipped region

00401649 |E9 DB E9 ; data byte, followed by a pointer — still inside the region the JMP SHORT skips

0040164A . |98E04E00 DD OFFSET BCLOCK.___CPPdebugHook ; pointer to ___CPPdebugHook (data, not an instruction)

0040164E > \A1 8BE04E00 MOV EAX,DWORD PTR DS:[4EE08B] ; first executed instruction after the hop: load a global

00401653 . C1E0 02 SHL EAX,2 ; EAX *= 4

00401656 . A3 8FE04E00 MOV DWORD PTR DS:[4EE08F],EAX ; store the scaled value in another global

0040165B . 52 PUSH EDX

0040165C . 6A 00 PUSH 0 ; /pModule = NULL

0040165E . E8 DFBC0E00 CALL <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA(NULL): base address of this EXE

00401663 . 8BD0 MOV EDX,EAX ; EDX = hInstance

 



Borland Delphi 6.0 - 7.0

 

00509CB0 > $ 55 PUSH EBP ; entry point: Delphi 6/7 program prologue

00509CB1 . 8BEC MOV EBP,ESP ; frame pointer set up

00509CB3 . 83C4 EC ADD ESP,-14 ; reserve 0x14 bytes of locals (note ADD with a negative immediate rather than SUB ESP)

00509CB6 . 53 PUSH EBX ; save callee-saved registers

00509CB7 . 56 PUSH ESI

00509CB8 . 57 PUSH EDI

00509CB9 . 33C0 XOR EAX,EAX ; EAX = 0

00509CBB . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX ; zero the first local

00509CBE . B8 20975000 MOV EAX,unpack.00509720 ; argument passed in EAX (presumably Delphi's register convention; looks like a pointer to the program's initialisation table — confirm)

00509CC3 . E8 84CCEFFF CALL unpack.0040694C ; presumably the RTL start-up routine — confirm by following the call

 



易语言入口 (Easy Programming Language / EPL entry point)


00401000 > E8 06000000 call dump_.0040100B ; entry point: run the main routine that starts right below

00401005 50 push eax ; exit code = EAX as returned by 0040100B

00401006 E8 BB010000 call <jmp.&KERNEL32.ExitProcess> ; ExitProcess(eax) — the process ends here; nothing after this is reached by fall-through

0040100B 55 push ebp ; 0040100B: prologue of the main routine

0040100C 8BEC mov ebp,esp ; frame pointer set up

0040100E 81C4 F0FEFFFF add esp,-110 ; reserve 0x110 bytes of locals (ADD with a negative immediate)

00401014 E9 83000000 jmp dump_.0040109C ; skip the embedded bytes that follow

00401019 6B72 6E 6C imul esi,dword ptr ds:[edx+6E],6C ; bytes 6B 72 6E 6C = ASCII "krnl" — data mis-decoded as code (looks like the start of a library-name string — confirm)

0040101D 6E outs dx,byte ptr es:[edi] ; 6E = 'n', continuation of the same data




Microsoft Visual C++ 6.0 [Overlay] 易语言 (an 易语言/EPL program whose entry point shows the VC++ 6.0 CRT prologue; the [Overlay] tag comes from the identifier tool and presumably means extra data is appended after the last PE section — a VC++ signature alone therefore does not tell you the source language)

 

00403831 >/$ 55 PUSH EBP ; entry point: byte-for-byte the same VC++ 6.0 CRT prologue as above, only the pushed addresses differ

00403832 |. 8BEC MOV EBP,ESP ; frame pointer set up

00403834 |. 6A FF PUSH -1 ; first field of the SEH registration record (presumably the initial trylevel — confirm)

00403836 |. 68 F0624000 PUSH Nisy521.004062F0 ; presumably the scope table for the handler pushed next — confirm

0040383B |. 68 A44C4000 PUSH Nisy521.00404CA4 ; SE handler installation: address of the exception-handler routine

00403840 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0] ; EAX = current head of this thread's SEH chain

00403846 |. 50 PUSH EAX ; keep the previous record linked

00403847 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP ; register the new record as chain head

 



MASM32 / TASM32入口 (MASM32 / TASM32 entry point — the hand-written GetModuleHandleA / DialogBoxParamA pattern in the first listing below; the second listing, taken from 记事本/notepad, is a CALL + JMP + INT3-padding stub that does not match this pattern and most likely belongs to a later MSVC CRT — treat it as a separate signature)

 

00401258 >/$ 6A 00 push 0 ; /pModule = NULL — entry point of a hand-written MASM32/TASM32 dialog program

0040125A |. E8 47000000 call <jmp.&kernel32.GetModuleHandleA> ; \GetModuleHandleA(NULL): base address of this EXE

0040125F |. A3 00304000 mov dword ptr ds:[403000],eax ; save hInstance in a global

00401264 |. 6A 00 push 0 ; /lParam = NULL

00401266 |. 68 DF104000 push dump.004010DF ; |DlgProc = dump.004010DF — the dialog procedure; user logic lives there

0040126B |. 6A 00 push 0 ; |hOwner = NULL

0040126D |. 6A 65 push 65 ; |pTemplate = 65 (dialog resource ID, hex)

0040126F |. FF35 00304000 push dword ptr ds:[403000] ; |hInst — OllyDbg prints NULL because [403000] was still zero when analysed; at run time it holds the value stored at 0040125F

00401275 |. E8 56000000 call <jmp.&user32.DialogBoxParamA> ; \DialogBoxParamA(hInst, 0x65, NULL, DlgProc, 0) — modal dialog; presumably the program's whole UI

 

004A2ADC > $ E8 B6A40000 call 记事本.004ACF97 ; entry point: not the MASM pattern above — a CALL then a JMP with INT3 fill is the shape of later MSVC CRT stubs (presumably security-cookie init, then the real startup — confirm by following both targets)

004A2AE1 .^ E9 16FEFFFF jmp 记事本.004A28FC ; tail-jump to the real start-up routine; nothing after this line executes by fall-through

004A2AE6 CC int3 ; INT3 fill between functions (alignment padding, never executed)

004A2AE7 CC int3

004A2AE8 CC int3

004A2AE9 CC int3

004A2AEA CC int3

004A2AEB CC int3

004A2AEC CC int3

004A2AED CC int3

004A2AEE CC int3

004A2AEF CC int3 ; end of padding; the next address starts an unrelated function

004A2AF0 /$ 8B4C24 04 mov ecx,dword ptr ss:[esp+4]

004A2AF4 |. F7C1 03000000 test ecx,3

004A2AFA |. 74 24 je short 记事本.004A2B20

004A2AFC |> 8A01 /mov al,byte ptr ds:[ecx]

004A2AFE |. 83C1 01 |add ecx,1
