===============五大语言入口点特征==================
delphi:
; Delphi entry: the usual EBP frame, then 0x10 bytes of locals reserved with ADD ESP,-10
; (same resulting ESP as SUB ESP,10), then EAX loaded with a fixed in-image address.
; The first two instructions are identical to the VC++ sample below; the ADD ESP,-10 /
; MOV EAX,imm32 pair is what tells them apart. The immediate (PE.004B6FA8) is
; image-specific, so when using this as a signature match the opcode bytes and mask
; the 4-byte operand.
55 PUSH EBP
8BEC MOV EBP,ESP
83C4 F0 ADD ESP,-10
B8 A86F4B00 MOV EAX,PE.004B6FA8
vc++
; VC++ entry: same PUSH EBP / MOV EBP,ESP frame, but locals are reserved with SUB ESP,44
; (0x44 = 68 bytes) and a callee-saved register is pushed right after (PUSH ESI).
; Only the third and fourth instructions distinguish this from the Delphi sample above,
; so a two-instruction signature is not enough to separate the two.
55 PUSH EBP
8BEC MOV EBP,ESP
83EC 44 SUB ESP,44
56 PUSH ESI
vb
; VB (MSVBVM60) entry. The first line is the import thunk: an indirect JMP through the
; import entry for MSVBVM60 ordinal #100, which the disassembler resolves as ThunRTMain.
; The actual entry point is the PUSH of a fixed address followed by a CALL to that thunk.
; The bytes after the CALL (00 00 ..., 30 00) are almost certainly data rather than code;
; the disassembler renders them as the meaningless ADD/XOR BYTE PTR DS:[EAX],AL lines
; below, so a signature should end at the CALL. The pushed address is image-specific.
FF25 6C104000 JMP DWORD PTR DS:[<&MSVBVM60.#100>] ; MSVBVM60.ThunRTMain
68 147C4000 PUSH PACKME.00407C14
E8 F0FFFFFF CALL <JMP.&MSVBVM60.#100>
0000 ADD BYTE PTR DS:[EAX],AL
0000 ADD BYTE PTR DS:[EAX],AL
0000 ADD BYTE PTR DS:[EAX],AL
3000 XOR BYTE PTR DS:[EAX],AL
vb
; Second VB sample, this time with addresses. The pushed pointer (KillBox.00404D2C) is
; annotated as the ASCII string "VB5!6&*vb6chs.dll", so the PUSH hands ThunRTMain the
; address of the "VB5!" marker data. The CALL goes to a local stub at 00402358 which,
; per the annotation, jumps on to msvbvm60.ThunRTMain (the thunk shown in the previous
; sample). Everything from 0040236A onward is data mis-rendered as code (the repeated
; add/cmp/xor byte ptr ds:[eax],al and the nonsensical retn 50F1), which is why the
; signature should stop at the CALL.
00402360 68 2C4D4000 push KillBox.00404D2C ; ASCII "VB5!6&*vb6chs.dll"
00402365 E8 EEFFFFFF call KillBox.00402358 ; jmp to msvbvm60.ThunRTMain
0040236A 0000 add byte ptr ds:[eax],al
0040236C 0000 add byte ptr ds:[eax],al
0040236E 0000 add byte ptr ds:[eax],al
00402370 3000 xor byte ptr ds:[eax],al
00402372 0000 add byte ptr ds:[eax],al
00402374 3800 cmp byte ptr ds:[eax],al
00402376 0000 add byte ptr ds:[eax],al
00402378 0000 add byte ptr ds:[eax],al
0040237A 0000 add byte ptr ds:[eax],al
0040237C 4F dec edi
0040237D C2 F150 retn 50F1
bc++
; Borland C++ entry: a short JMP (EB 10) skips 0x10 bytes of embedded data. The skipped
; bytes 66 62 3A 43 2B 2B 48 4F 4F 4B spell the ASCII marker "fb:C++HOOK" (see the CHAR
; annotations), followed by a NOP (90) and an E9 opcode (near JMP; its 4-byte displacement
; lies beyond this listing). The JMP target 0040164E = 0040163E + 10 lands exactly after
; those 16 bytes. The marker string is the most stable part of this pattern to match on.
0040163C > $ /EB 10 JMP SHORT BCLOCK.0040164E
0040163E |66 DB 66 ; CHAR 'f'
0040163F |62 DB 62 ; CHAR 'b'
00401640 |3A DB 3A ; CHAR ':'
00401641 |43 DB 43 ; CHAR 'C'
00401642 |2B DB 2B ; CHAR '+'
00401643 |2B DB 2B ; CHAR '+'
00401644 |48 DB 48 ; CHAR 'H'
00401645 |4F DB 4F ; CHAR 'O'
00401646 |4F DB 4F ; CHAR 'O'
00401647 |4B DB 4B ; CHAR 'K'
00401648 |90 NOP
00401649 |E9 DB E9
dasm:
; The label reads "dasm", but the code is the familiar MASM32-style Win32 start sequence;
; presumably "masm" was meant — confirm against the original note.
; Sequence: GetModuleHandleA(NULL) -> result stored at [40350C] (the module handle);
; GetCommandLineA() -> result stored at [403510]; then PUSH 0A (= 10; the disassembler's
; "Arg4" tag marks it as the 4th argument of a call not shown here — 10 is the value of
; SW_SHOWDEFAULT, which would fit an nCmdShow parameter) and PUSH [403510] (the saved
; command line) begin building that call's arguments. The listing is cut off after the
; last PUSH (closing bracket missing); the consuming call is outside this excerpt.
; The two data addresses are image-specific; mask them when matching.
6A 00 PUSH 0 ; /pModule = NULL
E8 C50A0000 CALL <JMP.&KERNEL32.GetModuleHandleA> ; /GetModuleHandleA
A3 0C354000 MOV DWORD PTR DS:[40350C],EAX
E8 B50A0000 CALL <JMP.&KERNEL32.GetCommandLineA> ; [GetCommandLineA
A3 10354000 MOV DWORD PTR DS:[403510],EAX
6A 0A PUSH 0A ; /Arg4 = 0000000A
FF35 10354000 PUSH DWORD PTR DS:[403510
##############################################################################################
tmd壳入口特征
; Themida-packed entry point (per the original note). Identifying shape: EAX is zeroed,
; PUSHAD saves all general registers, OR EAX,EAX tests the just-zeroed EAX, so ZF=1 and
; the JE to 0041D086 (0041D01E + 68) is always taken on this straight-line path as written.
; The E8 00000000 at 0041D01E is a CALL to the very next instruction (0041D023) — a
; call-next construct that leaves EIP on the stack — but since it sits after the always-
; taken JE it is only reached via some other path, if at all. Module name (无敌外挂) and
; addresses are sample-specific; a signature should match the opcode bytes only.
0041D014 > B8 00000000 MOV EAX,0 ;entry point — pay attention to these code bytes
0041D019 60 PUSHAD
0041D01A 0BC0 OR EAX,EAX ;a trained eye recognises the Themida packer from this
0041D01C 74 68 JE SHORT 无敌外挂.0041D086
0041D01E E8 00000000 CALL 无敌外挂.0041D023