ollydbg 中几种函数入口

1. BC++ 程序启动反汇编

A1 A8534B00     MOV EAX,DWORD PTR DS:[4B53A8]
C1E0 02            SHL EAX,2
A3 AC534B00     MOV DWORD PTR DS:[4B53AC],EAX
57  PUSH EDI
51                     PUSH ECX
33C0                 XOR EAX,EAX
BF 88DA4C00     MOV EDI,BC++.004CDA88
B9 C0358D00     MOV ECX,BC++.008D35C0
3BCF            CMP ECX,EDX
76 05           JBE SHORT BC++.00401024
2BCF            SUB ECX,EDI
FC                CLD
...................
E8 9A2A0B00     CALL <JMP.&kernel32.GetModuleHandleA>
...................
E8 742A0B00     CALL <JMP.&kernel32.GetModuleHandleA>
A3 B0534B00     MOV DWORD PTR DS:[4B53B0],EAX
6A 00                PUSH 0
E9 FCE30A00     JMP BC++.004AF45C
E9 BB570A00     JMP BC++.004A6820
33C0                  XOR EAX,EAX
A0 9D534B00     MOV AL,BYTE PTR DS:[4B539D]
C3                     RETN
...................
E8 A3450000     CALL <JMP.&kernel32.GetCommandLineA>
.......

2. Delphi

55                   PUSH EBP
8BEC               MOV  EBP,ESP
83C4 00          ADD  ESP,0
E9 14FDFFFF    JMP  主程序.00401F1F
00401F1F
---------------------------------------
55                      PUSH EBP
8BEC                  MOV  EBP,ESP
6A FF                  PUSH -1
68 40374000       PUSH yzm3_Del.00403740
68 80204000       PUSH <JMP.&MSVCRT._except_handler3>      ;  SE 处理程序安装
.....................
50                        PUSH EAX                                 ;  pStartupinfo
FF15 0C304000     CALL DWORD PTR DS:[<&KERNEL32.GetStartup>;  GetStartupInfoA
.....................
53                        PUSH EBX                                 ;  pModule = NULL
FF15 08304000     CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>;  GetModuleHandleA
50                        PUSH EAX
E8 64000000         CALL yzm3_Del.004020B4                   // 主程序 WinMain
8945 98                 MOV DWORD PTR SS:[EBP-68],EAX
50                         PUSH EAX                                 ;
FF15 D4314000      CALL DWORD PTR DS:[<&MSVCRT.exit>]       ; exit

3. VC++6.0 启动函数

55                         PUSH EBP
8BEC                     MOV  EBP, ESP
6A FF                     PUSH -1
68 B0504000          PUSH 主程序.004050B0
68 201F4000           PUSH 主程序.00401F20           // SE处理程序安装
64:A1 00000000      MOV EAX,DWORD PTR FS:[0]       // 读取当前 SEH 链头(旧的异常处理帧)
50                          PUSH EAX
64:8925 00000000  MOV DWORD PTR FS:[0],ESP        // 把新建的 SEH 帧挂到链头,完成 SE 处理程序安装
83EC 58                 SUB ESP,58
53           PUSH EBX
56           PUSH ESI
57           PUSH EDI
8965 E8                 MOV DWORD PTR SS:[EBP - 18],ESP
FF15 20504000     CALL DWORD PTR DS:[<&KERNEL32.GetVersion>] // 确定Windows系统版本
33D2                    XOR EDX,EDX
8AD4                    MOV DL,AH
8915 EC844000      MOV DWORD PTR DS:[4084EC],EDX  
..........................
FF15 1C504000       CALL DWORD PTR DS:[<&KERNEL32.GetCommandLineA>] // 指向进程的完整命令行的指针
..........................
50                           PUSH EAX
FF15 18504000        CALL DWORD PTR DS:[<&KERNEL32.GetStartupInfoA>] // 获取一个进程的启动信息
..........................
56                           PUSH ESI
FF15 14504000         CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>]// 返回进程地址空间中可执行文件的基地址
50                             PUSH EAX
E8 D9FEFFFF             CALL 主程序.00401000          // 调用用户自己编写的 WinMain
8945 A0                   MOV  DWORD PTR SS:[EBP - 60],EAX
50                            PUSH EAX
E8 B0010000             CALL 主程序.Exit
C3                             RETN
