Delphi:
55 PUSH EBP
8BEC mov ebp, ESP
83C4 F0 add esp,-10
B8 A86F4B00 mov eax, PE.004B6FA8
VC++:
55 PUSH EBP
8BEC mov ebp, ESP
83EC 44 sub esp, 44
56 PUSH ESI
VC6.0:
55 push ebp
8BEC mov ebp, esp
6A FF push -1
VC7.0:
6A 70 push 70
68 50110001 push hh.01001150
E8 1D020000 call hh.010017B0
33DB xor ebx, ebx
VB:
00401166 FF25 6C104000 jmp dword ptr ds: [<& MSVBVM60. #100>]; MSVBVM60.ThunRTMain
0040116C> 68 147C4000 PUSH PACKME.00407C14
00401171 E8 F0FFFFFF CALL <JMP. & MSVBVM60. #100>
00401176 0000 add byte ptr ds: [EAX], AL
00401178 0000 add byte ptr ds: [EAX], AL
0040117A 0000 add byte ptr ds: [EAX], AL
0040117C 3000 xor byte ptr ds: [EAX], AL
BC++:
0040163C> $/EB 10 jmp short BCLOCK.0040164E
0040163E | 66 DB 66; CHAR 'F'
0040163F | 62 DB 62; CHAR 'B'
00401640 | 3A DB 3A; CHAR ':'
00401641 | 43 DB 43; CHAR 'C'
00401642 | 2B DB 2B; CHAR '+'
00401643 | 2B DB 2B; CHAR '+'
00401644 | 48 DB 48; CHAR 'H'
00401645 | 4F DB 4F; CHAR 'O'
00401646 | 4F DB 4F; CHAR 'O'
00401647 | 4B DB 4B; CHAR 'K'
00401648 | 90 NOP
00401649 | E9 DB E9
0040164A. | 98E04E00 dd offset BCLOCK.___CPPdebugHook
0040164E> \ A1 8BE04E00 mov eax, dword ptr ds: [4EE08B]
00401653. C1E0 02 shl eax, 2
00401656. A3 8FE04E00 mov dword ptr ds: [4EE08F], EAX
0040165B. 52 PUSH EDX
0040165C. 6A 00 PUSH 0;/pModule = NULL
0040165E. E8 DFBC0E00 CALL <JMP. & KERNEL32.GetModuleHandleA>; \ GetModuleHandleA
00401663. 8BD0 mov edx, EAX
Dasm:
00401000>/$ 6A 00 PUSH 0;/pModule = NULL
00401002 |. E8 C50A0000 CALL <JMP. & KERNEL32.GetModuleHandleA>; \ GetModuleHandleA
00401007 |. A3 0C354000 mov dword ptr ds: [40350C], EAX
0040100C |. E8 B50A0000 CALL <JMP. & KERNEL32.GetCommandLineA>; [GetCommandLineA
00401011 |. A3 10354000 mov dword ptr ds: [403510], EAX
00401016 |. 6A 0A PUSH 0A;/Arg4 = 0000000A
00401018 |. FF35 10354000 push dword ptr ds: [403510]; | Arg3 = 00000000
0040101E |. 6A 00 PUSH 0; | Arg2 = 00000000
00401020 |. FF35 0C354000 push dword ptr ds: [40350C]; | Arg1 = 00000000
++
The obvious question is how to add such a fake entry to the target. Briefly:
1. Use ToPo to add roughly 128 bytes of new space [note: the exact size is a matter of personal preference].
2. Open target.exe in LordPE's PE editor and rename the new .topo0 section to .text so it looks more like a normal section. [Note: you can also give it a name of your own; this does not affect the result.]
Write down the VOffset (13000) and set the entry point to this value. Load target.exe in OllyDbg; it stops with an exception.
Scroll up and write the new code at 413000:
++
Counterfeit VC++ entry code (mimicking the VC6.0 signature above):
++
push ebp
mov ebp, esp
push -1
push 666666
push 888888
mov eax, fs:[0]
push eax
mov fs:[0], esp
++
pop eax
mov fs:[0], eax
pop eax
pop eax
pop eax
pop eax
mov ebp, eax
Do not forget the jmp back to the shell's original entry point. Select the modified code and save it as newtarget.exe.
PEiD now reports Microsoft Visual C++, and the program still runs properly. Done.
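Why this trick works becomes obvious once you look at what a PEiD-style signature actually checks: only the first few bytes at the entry point, with wildcards for addresses. The following matcher is an added example written for this page (not PEiD's code or the page author's); the signatures are transcribed from the listings above, and the sample entry-point byte strings are hand-assembled constructions, not bytes taken from a real binary.

```python
from typing import List, Optional

# Entry-point signatures transcribed from the listings on this page. "??" is a
# wildcard byte (an address or immediate that differs from build to build).
SIGNATURES = {
    "Delphi":      "55 8B EC 83 C4 F0 B8 ?? ?? ?? ??",
    "VC++":        "55 8B EC 83 EC 44 56",
    "VC6.0":       "55 8B EC 6A FF",
    "VC7.0":       "6A 70 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 DB",
    "VB":          "68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 00 00 00 00 00 00 30 00",
    "Borland C++": "EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9",
}


def parse_signature(text: str) -> List[Optional[int]]:
    """Turn 'EB 10 ?? E9' into [0xEB, 0x10, None, 0xE9] (None = wildcard)."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def matches(pattern: List[Optional[int]], data: bytes) -> bool:
    """True if data starts with pattern; only len(pattern) bytes are examined.
    That limited window is exactly what a faked prologue exploits."""
    if len(data) < len(pattern):
        return False
    return all(p is None or p == b for p, b in zip(pattern, data))


def identify(entry_bytes: bytes) -> List[str]:
    """Return every compiler whose signature matches the entry-point bytes."""
    return sorted(name for name, sig in SIGNATURES.items()
                  if matches(parse_signature(sig), entry_bytes))


# Constructed sample: the counterfeit prologue from the page, hand-assembled
# (push ebp / mov ebp,esp / push -1 / push 666666 / push 888888 /
#  mov eax,fs:[0] / push eax / mov fs:[0],esp). Not from a real file.
COUNTERFEIT_VC_ENTRY = bytes.fromhex(
    "55 8B EC 6A FF 68 66 66 66 00 68 88 88 88 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00"
)
# Constructed sample: the Delphi entry bytes from the page's first listing.
DELPHI_ENTRY = bytes.fromhex("55 8B EC 83 C4 F0 B8 A8 6F 4B 00")

if __name__ == "__main__":
    for label, sample in [("counterfeit", COUNTERFEIT_VC_ENTRY), ("delphi", DELPHI_ENTRY)]:
        print(label, "->", identify(sample) or ["unknown"])
```

Because the matcher never looks past the signature length, the hand-written prologue is reported as VC6.0 just like a genuine build; a scanner that also checks where the entry point lives (for example, in a section appended after the original ones) is not fooled by the byte pattern alone.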