认识各语言的入口特征及加壳后的识别判断,及加密与压缩壳识别
C++
00408027 >/$ 55 push ebp
00408028 |. 8BEC mov ebp,esp
0040802A |. 6A FF push -0x1
0040802C |. 68 F0F14000 push C++.0040F1F0
00408031 |. 68 84AF4000 push C++.0040AF84 ; SE 处理程序安装
00408036 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
0040803C |. 50 push eax
0040803D |. 64:8925 000000>mov dword ptr fs:[0],esp
00408044 |. 83EC 58 sub esp,0x58
00408047 |. 53 push ebx
00408048 |. 56 push esi
00408049 |. 57 push edi ; ntdll.7C930228
0040804A |. 8965 E8 mov [local.6],esp
0040804D |. FF15 E4F04000 call dword ptr ds:[<&KERNEL32.GetVersion>; kernel32.GetVersion
00408053 |. 33D2 xor edx,edx ; ntdll.KiFastSystemCallRet
00408055 |. 8AD4 mov dl,ah
00408057 |. 8915 D06B4100 mov dword ptr ds:[0x416BD0],edx ; ntdll.KiFastSystemCallRet
0040805D |. 8BC8 mov ecx,eax
0040805F |. 81E1 FF000000 and ecx,0xFF
00408065 |. 890D CC6B4100 mov dword ptr ds:[0x416BCC],ecx
0040806B |. C1E1 08 shl ecx,0x8
C++ 入口特征 API：GetVersion
C++ 查找字符串采用 ASCII 码查找
C++ 查找按钮事件时搜索指令 SUB EAX,0A
汇编的入口
0040285E >/$ 6A 00 push 0x0 ; /pModule = NULL
00402860 |. E8 970B0000 call <jmp.&kernel32.GetModuleHandleA> ; \GetModuleHandleA
00402865 |. A3 28544000 mov dword ptr ds:[0x405428],eax
0040286A |. E8 F50C0000 call <jmp.&comctl32.InitCommonControls> ; [InitCommonControls
0040286F |. 68 9D334000 push 汇编.0040339D ; /pTopLevelFilter = 汇编.0040339D
00402874 |. E8 F50B0000 call <jmp.&kernel32.SetUnhandledExceptio>; \SetUnhandledExceptionFilter
00402879 |. 6A 00 push 0x0 ; /lParam = NULL
0040287B |. 68 96284000 push 汇编.00402896 ; |DlgProc = 汇编.00402896
00402880 |. 6A 00 push 0x0 ; |hOwner = NULL
00402882 |. 6A 65 push 0x65 ; |pTemplate = 65
00402884 |. FF35 28544000 push dword ptr ds:[0x405428] ; |hInst = NULL
0040288A |. E8 4B0C0000 call <jmp.&user32.DialogBoxParamA> ; \DialogBoxParamA
0040288F |. 6A 00 push 0x0 ; /ExitCode = 0
00402891 \. E8 480B0000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
汇编程序入口特征 API：GetModuleHandleA
汇编程序查找字符串采用 ASCII 码查找
DELPHI 入口特征
0045D408 > $ 55 push ebp
0045D409 . 8BEC mov ebp,esp
0045D40B . 83C4 F0 add esp,-0x10
0045D40E . B8 28D24500 mov eax,DELPHI.0045D228
0045D413 . E8 6088FAFF call DELPHI.00405C78
0045D418 . A1 4CF14500 mov eax,dword ptr ds:[0x45F14C]
0045D41D . 8B00 mov eax,dword ptr ds:[eax]
0045D41F . E8 08DFFFFF call DELPHI.0045B32C
0045D424 . 8B0D 40F24500 mov ecx,dword ptr ds:[0x45F240] ; DELPHI.00460C04
0045D42A . A1 4CF14500 mov eax,dword ptr ds:[0x45F14C]
0045D42F . 8B00 mov eax,dword ptr ds:[eax]
0045D431 . 8B15 CCC84500 mov edx,dword ptr ds:[0x45C8CC] ; DELPHI.0045C918
0045D437 . E8 08DFFFFF call DELPHI.0045B344
0045D43C . A1 4CF14500 mov eax,dword ptr ds:[0x45F14C]
0045D441 . 8B00 mov eax,dword ptr ds:[eax]
0045D443 . E8 7CDFFFFF call DELPHI.0045B3C4
0045D448 . E8 2769FAFF call DELPHI.00403D74
0045D44D . 8D40 00 lea eax,dword ptr ds:[eax]
DELPHI 入口特征 API：GetModuleHandleA
DELPHI 查找按钮事件：右键 -- 查找 -- 查找二进制字符串 740E8BD38B83????????FF93????????
使用 Ctrl+L 键继续向下查找下一处匹配，每一处匹配都需要下断点
DELPHI 查找字符串采用 ASCII 码查找
易语言入口特征
004464D1 >/$ 55 push ebp
004464D2 |. 8BEC mov ebp,esp
004464D4 |. 6A FF push -0x1
004464D6 |. 68 B0C14600 push 易语言.0046C1B0
004464DB |. 68 DCAC4400 push 易语言.0044ACDC ; SE 处理程序安装
004464E0 |. 64:A1 0000000>mov eax,dword ptr fs:[0]
004464E6 |. 50 push eax
004464E7 |. 64:8925 00000>mov dword ptr fs:[0],esp
004464EE |. 83EC 58 sub esp,0x58
004464F1 |. 53 push ebx
004464F2 |. 56 push esi
004464F3 |. 57 push edi ; ntdll.7C930228
004464F4 |. 8965 E8 mov [local.6],esp
004464F7 |. FF15 98514600 call dword ptr ds:[<&KERNEL32.GetVersion>; kernel32.GetVersion
004464FD |. 33D2 xor edx,edx ; ntdll.KiFastSystemCallRet
易语言入口特征 API：GetVersion
注：断下后，按 Alt+F9 返回到用户代码，再查找二进制字符串 FC DB E3 E8 ?? ?? ?? ??
易语言查找字符串采用 ASCII 码查找
注：多数易语言程序采用花指令对易格式体进行保护，所以在查找字符串之前尽量先去掉花指令；具体的去花指令插件在我的 OD 里已经添加（E JUNk CODE）
VC8入口特征
00403A30 > $ E8 6E270000 call VC8.004061A3
00403A35 .^ E9 79FEFFFF jmp VC8.004038B3
00403A3A /$ 55 push ebp
00403A3B |. 8BEC mov ebp,esp
00403A3D |. 83EC 08 sub esp,0x8
00403A40 |. 897D FC mov [local.1],edi ; ntdll.7C930228
00403A43 |. 8975 F8 mov [local.2],esi
00403A46 |. 8B75 0C mov esi,[arg.2]
00403A49 |. 8B7D 08 mov edi,[arg.1] ; VC8.<ModuleEntryPoint>
00403A4C |. 8B4D 10 mov ecx,[arg.3]
00403A4F |. C1E9 07 shr ecx,0x7
VC8 入口特征 API：GetStartupInfoW
VC8 查找字符串采用 Unicode 码查找
VC8 查找按钮事件时搜索指令 SUB EAX,0A
VB入口特征
00401978 .- FF25 18114000 jmp dword ptr ds:[<&MSVBVM60.#613>] ; msvbvm60.rtcVarStrFromVar
0040197E .- FF25 84104000 jmp dword ptr ds:[<&MSVBVM60.__vbaVarTst>; msvbvm60.__vbaVarTstEq
00401984 .- FF25 7C104000 jmp dword ptr ds:[<&MSVBVM60.#528>] ; msvbvm60.rtcUpperCaseVar
0040198A .- FF25 A8104000 jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_>; msvbvm60.EVENT_SINK_QueryInterface
00401990 .- FF25 78104000 jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_>; msvbvm60.EVENT_SINK_AddRef
00401996 .- FF25 9C104000 jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_>; msvbvm60.EVENT_SINK_Release
0040199C $- FF25 08114000 jmp dword ptr ds:[<&MSVBVM60.#100>] ; msvbvm60.ThunRTMain
004019A2 00 db 00
004019A3 00 db 00
004019A4 > $ 68 5C284000 push VB.0040285C ; ASCII "VB5!6&vb6chs.dll"
004019A9 . E8 EEFFFFFF call <jmp.&MSVBVM60.#100>
004019AE . 0000 add byte ptr ds:[eax],al
004019B0 . 0000 add byte ptr ds:[eax],al
004019B2 . 0000 add byte ptr ds:[eax],al
004019B4 . 3000 xor byte ptr ds:[eax],al
004019B6 . 0000 add byte ptr ds:[eax],al
VB 入口特征 API：ThunRTMain
VB 查找按钮事件时采用二进制字符串 816C2404??000000
注：判断 VB 程序是否为 P-code 编译时，只要查找不到按钮事件，就是 P-code 编译
P-code 是虚拟代码，需要使用独立的调试器
VB 查找字符串采用 Unicode 码查找
DIE64 的功能类似于 PEiD，但它的强大之处在于：无论程序被何种壳保护，它都可以识别出程序的编写语言
当工具提示存在压缩代码时，就表示程序已经被压缩或者加密
VMP 的入口看起来很凌乱，就像未解码的数据一样；VMP 保护分为两种：
乱序
虚拟
VMP 在默认保护设置下不会保护功能代码，且 VMP 保护的功能代码只占一个区段。如果看到 .vmp 区段有三条，表示此程序已被 VMP 进行了最大保护；只有一条区段是乱序保护；两条区段则是乱序加虚拟保护
TMD 2.10 以后的版本与 WL 版本的入口都是一样的
00600000 > 83EC 04 sub esp,0x4
00600003 50 push eax
00600004 53 push ebx
00600005 E8 01000000 call 易语言.0060000B
0060000A CC int3
0060000B 58 pop eax ; kernel32.7C817027
0060000C 89C3 mov ebx,eax
0060000E 40 inc eax
0060000F 2D 00D00900 sub eax,0x9D000
00600014 2D 17186000 sub eax,0x601817
00600019 05 0C186000 add eax,0x60180C
0060001E 803B CC cmp byte ptr ds:[ebx],0xCC
00600021 75 19 jnz short 易语言.0060003C
00600023 C603 00 mov byte ptr ds:[ebx],0x0
00600026 BB 00100000 mov ebx,0x1000
0060002B 68 C5D8FB58 push 0x58FBD8C5
00600030 68 50030877 push 0x77080350
00600035 53 push ebx
00600036 50 push eax
00600037 E8 0A000000 call 易语言.00600046
0060003C 83C0 00 add eax,0x0
0060003F 894424 08 mov dword ptr ss:[esp+0x8],eax
00600043 5B pop ebx ; kernel32.7C817027
00600044 58 pop eax ; kernel32.7C817027
个人推荐用 Private exe Protector 来保护自己的补丁
SE 调试技巧：在程序运行起来 4-5 分钟后再去调试，可以减少被 ANTI 到的机会
ANTI 指的是反调试