C++入口特征
; C++ (MSVC CRT-style) entry excerpt: builds a frame, registers an SEH record on the fs:[0] chain,
; then calls GetVersion and splits the result into two version globals. The author cut the listing
; after `shl ecx,0x8`; the rest of the routine is not shown here.
00408027 >/$ 55 push ebp ; standard frame setup
00408028 |. 8BEC mov ebp,esp
0040802A |. 6A FF push -0x1 ; NOTE(review): looks like the MSVC SEH frame's initial trylevel (-1 = no active __try) - confirm
0040802C |. 68 F0F14000 push C++.0040F1F0 ; presumably the SEH scope table for this frame - confirm
00408031 |. 68 84AF4000 push C++.0040AF84 ; SE 处理程序安装 ; handler address of the new registration record
00408036 |. 64:A1 00000000 mov eax,dword ptr fs:[0] ; eax = current head of the per-thread SEH chain (TIB ExceptionList)
0040803C |. 50 push eax ; saved link to the previous record
0040803D |. 64:8925 000000>mov dword ptr fs:[0],esp ; this record (on the stack) becomes the new chain head
00408044 |. 83EC 58 sub esp,0x58 ; reserve 0x58 bytes of locals
00408047 |. 53 push ebx ; preserve callee-saved registers
00408048 |. 56 push esi
00408049 |. 57 push edi ; ntdll.7C930228
0040804A |. 8965 E8 mov [local.6],esp ; remember esp so the frame can be restored after an exception/unwind
0040804D |. FF15 E4F04000 call dword ptr ds:[<&KERNEL32.GetVersion>; kernel32.GetVersion ; eax: bits 7..0 = major, bits 15..8 = minor version
00408053 |. 33D2 xor edx,edx ; ntdll.KiFastSystemCallRet ; clear edx before taking a byte into dl
00408055 |. 8AD4 mov dl,ah ; edx = minor version byte
00408057 |. 8915 D06B4100 mov dword ptr ds:[0x416BD0],edx ; ntdll.KiFastSystemCallRet ; minor version -> global at 0x416BD0
0040805D |. 8BC8 mov ecx,eax
0040805F |. 81E1 FF000000 and ecx,0xFF ; ecx = major version byte
00408065 |. 890D CC6B4100 mov dword ptr ds:[0x416BCC],ecx ; major version -> global at 0x416BCC
0040806B |. C1E1 08 shl ecx,0x8 ; ecx = major << 8; the combination with the minor byte continues past this excerpt
C++的入口特征API函数为GetVersion
C++的字符串采用ASCII码查找
C++的按钮事件采用查找SUB EAX,0A
汇编的入口特征
; Assembly (MASM-style) entry: GetModuleHandleA -> InitCommonControls -> SetUnhandledExceptionFilter
; -> DialogBoxParamA -> ExitProcess. All calls are stdcall, so arguments are pushed right-to-left.
0040285E >/$ 6A 00 push 0x0 ; /pModule = NULL ; NULL module name = handle of the running image
00402860 |. E8 970B0000 call <jmp.&kernel32.GetModuleHandleA> ; \GetModuleHandleA ; eax = hInstance
00402865 |. A3 28544000 mov dword ptr ds:[0x405428],eax ; hInstance kept in a global; reused below for the dialog
0040286A |. E8 F50C0000 call <jmp.&comctl32.InitCommonControls> ; [InitCommonControls ; loads comctl32 before any common control is created
0040286F |. 68 9D334000 push 汇编.0040339D ; /pTopLevelFilter = 汇编.0040339D ; filter routine living inside the image
00402874 |. E8 F50B0000 call <jmp.&kernel32.SetUnhandledExceptio>; \SetUnhandledExceptionFilter ; installs the process-wide top-level exception filter
00402879 |. 6A 00 push 0x0 ; /lParam = NULL ; last argument pushed first
0040287B |. 68 96284000 push 汇编.00402896 ; |DlgProc = 汇编.00402896 ; dialog procedure: where the button handlers are dispatched
00402880 |. 6A 00 push 0x0 ; |hOwner = NULL
00402882 |. 6A 65 push 0x65 ; |pTemplate = 65 ; dialog resource id 0x65 (= 101), passed as an integer template id
00402884 |. FF35 28544000 push dword ptr ds:[0x405428] ; |hInst = NULL ; reads the hInstance global stored above (Olly's "= NULL" is a snapshot value)
0040288A |. E8 4B0C0000 call <jmp.&user32.DialogBoxParamA> ; \DialogBoxParamA ; modal dialog; returns when the dialog closes
0040288F |. 6A 00 push 0x0 ; /ExitCode = 0 ; the dialog's return value in eax is discarded; exit code is always 0
00402891 \. E8 480B0000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess ; does not return
汇编的入口API函数 GetModuleHandleA
汇编查找字符串使用 ASCII码
DELPHI入口特征
; Delphi entry excerpt. Delphi's default register convention passes the first argument in eax,
; which explains the repeated "load eax, then call" shape. The called routines are unnamed here,
; so their roles below are marked as assumptions. The author cut the listing after the final call.
0045D408 > $ 55 push ebp ; standard frame setup
0045D409 . 8BEC mov ebp,esp
0045D40B . 83C4 F0 add esp,-0x10 ; reserve 16 bytes of locals (same effect as sub esp,0x10)
0045D40E . B8 28D24500 mov eax,DELPHI.0045D228 ; eax = address inside the image, passed as the first argument
0045D413 . E8 6088FAFF call DELPHI.00405C78 ; presumably runtime/unit initialization taking that table - confirm
0045D418 . A1 4CF14500 mov eax,dword ptr ds:[0x45F14C] ; eax = pointer stored in a global
0045D41D . 8B00 mov eax,dword ptr ds:[eax] ; second dereference: eax = the object that global points to
0045D41F . E8 08DFFFFF call DELPHI.0045B32C ; NOTE(review): method call on that object (VCL Application.* pattern?) - confirm
0045D424 . 8B0D 40F24500 mov ecx,dword ptr ds:[0x45F240] ; DELPHI.00460C04 ; third argument in ecx (Delphi register convention)
0045D42A . A1 4CF14500 mov eax,dword ptr ds:[0x45F14C] ; same global as above
0045D42F . 8B00 mov eax,dword ptr ds:[eax] ; same object as above
0045D431 . 8B15 CCC84500 mov edx,dword ptr ds:[0x45C8CC] ; DELPHI.0045C918 ; second argument in edx
0045D437 . E8 08DFFFFF call DELPHI.0045B344 ; three-argument method on the same object (eax, edx, ecx) - role not shown here
0045D43C . A1 4CF14500 mov eax,dword ptr ds:[0x45F14C]
0045D441 . 8B00 mov eax,dword ptr ds:[eax]
0045D443 . E8 7CDFFFFF call DELPHI.0045B3C4 ; zero-extra-argument method on the same object - role not shown here
0045D448 . E8 2769FAFF call DELPHI.00403D74 ; last call of the excerpt; no ret follows in what is shown
0045D44D . 8D40 00 lea eax,dword ptr ds:[eax] ; eax = eax: a 3-byte no-op used as padding
DELPHI的入口API函数 GetModuleHandleA
DELPHI查找按钮事件 右键--查找---查找二进制字符串740E8BD38B83????????FF93????????
采用CTRL+L键继续向下查找下一处匹配,需对每一个匹配处都下断点
DELPHI 查找字符串采用ASCII码
易语言入口特征