|
1.Borland Delphi 6.0 - 7.0
PUSH EBP
MOV EBP,ESP
ADD ESP,-14
PUSH EBX
PUSH ESI
PUSH EDI
XOR EAX,EAX
MOV DWORD PTR SS:[EBP-14],EAX
MOV EAX,unpack.00509720
CALL unpack.0040694C
2.Microsoft Visual C++ 6.0
PUSH EBP ; (初始 cpu 选择)
MOV EBP,ESP
PUSH -1
PUSH Screensh.00563740
PUSH Screensh.0049C78C ; SE 处理程序安装
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
SUB ESP,58
3.Microsoft Visual C++ 6.0 [Overlay] E语言
PUSH EBP
MOV EBP,ESP
PUSH -1
PUSH Nisy521.004062F0
PUSH Nisy521.00404CA4 ; SE 处理程序安装
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
4.Microsoft Visual Basic 5.0 / 6.0
JMP DWORD PTR DS:[] ; MSVBVM60.ThunRTMain
PUSH PACKME.00407C14
CALL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
XOR BYTE PTR DS:[EAX],AL
或省略第一行的JMP
push dumped_.0040D4D0
call
add byte ptr ds:[eax],al
add byte ptr ds:[eax],al
add byte ptr ds:[eax],al
xor byte ptr ds:[eax],al
add byte ptr ds:[eax],al
5.BC++
JMP SHORT BCLOCK.0040164E
; CHAR 'f'
; CHAR 'b'
; CHAR ':'
; CHAR 'C'
; CHAR '+'
; CHAR '+'
; CHAR 'H'
; CHAR 'O'
; CHAR 'O'
; CHAR 'K'
NOP
00401649 |E9 DB E9
DD OFFSET BCLOCK.___CPPdebugHook
MOV EAX,DWORD PTR DS:[4EE08B]
SHL EAX,2
MOV DWORD PTR DS:[4EE08F],EAX
PUSH EDX
PUSH 0 ; /pModule = NULL
CALL ; \GetModuleHandleA
MOV EDX,EAX
6.Dasm:
; /pModule = NULL
CALL ; \GetModuleHandleA
MOV DWORD PTR DS:[40350C],EAX
CALL ; [GetCommandLineA
MOV DWORD PTR DS:[403510],EAX
PUSH 0A ; /Arg4 = 0000000A
PUSH DWORD PTR DS:[403510] ; |Arg3 = 00000000
PUSH 0 ; |Arg2 = 00000000
PUSH DWORD PTR DS:[40350C] ; |Arg1 = 00000000
7.VC8 -> Microsoft Corporation
call QQRecord.00446C13 ; (Initial CPU selection)
jmp QQRecord.0043DD01
push ebp
mov ebp,esp
push ecx
push ebx
mov eax,dword ptr ss:[ebp+C]
add eax,0C
mov dword ptr ss:[ebp-4],eax
mov ebx,dword ptr fs:[0]
mov eax,dword ptr ds:[ebx]
mov dword ptr fs:[0],eax
mov eax,dword ptr ss:[ebp+8]
mov ebx,dword ptr ss:[ebp+C]
mov ebp,dword ptr ss:[ebp-4]
mov esp,dword ptr ds:[ebx-4]
jmp eax
pop ebx
leave
retn 8
8.PB
PUSH EBP
MOV EBP, ESP
PUSH EBX
PUSH ESI
PUSH EDI
MOV EBX, 00416000
TEST WORD PTR CS:[004113D2], 850F0004
FILD DWORD PTR [EAX]
ADD [EAX], AL
PUSH 00000000
CALL [00418454] ; CoInitialize
CALL 0041100A
MOV [EBX+00000108], 00000001
LEA EAX, [EBX+00000290]
PUSH EAX
CALL [004183DC] ; GetVersionExA
SUB ESP, 00000044
MOV [ESP], 00000044
MOV [ESP+2C], 00000000
PUSH ESP
CALL [004183D4] ; GetStartupInfoA
MOV EAX, 0000000A
TEST [ESP+2C], 00000001
JZ 410DBC
MOVZX EAX, WORD PTR [ESP+30]
ADD ESP, 00000044
MOV [EBX+000000FE], EAX
CALL [004183B0] ; GetCommandLineA
9.Borland C++ 1999
jmp short VBto_UNP.004014E2
bound di,dword ptr ds:[edx]
inc ebx
sub ebp,dword ptr ds:[ebx]
dec eax
dec edi
dec edi
dec ebx
nop
jmp 0097157A
mov eax,dword ptr ds:[57008B]
shl eax,2
mov dword ptr ds:[57008F],eax
push edx
push 0
call <jmp.&kernel32.GetModuleHandleA>
10,Microsoft Visual C++ ver. 8.0
call SolidPDF.004A3F56
jmp SolidPDF.004A38AF
int3
int3
int3
int3
int3
int3
push ecx
lea ecx,dword ptr ss:[esp+8]
sub ecx,eax
and ecx,0F
add eax,ecx
sbb ecx,ecx
or eax,ecx
pop ecx
jmp SolidPDF.004A3810
push ecx
lea ecx,dword ptr ss:[esp+8]
|
浙公网安备 33010602011771号