OD各種編程語(yǔ)言查找按鈕事件

1、TUXX1$61 6C 24I確定 I 取稍 IA5criP訓(xùn)岬fl TOLODEM冋比3;hort UIB.0 04 0-I4BE ,0F1 taM flno刃inii劉川lUIdidsbtR整個(gè)段塊（1 r直幷夭小寫地址十八逬制反匯編oenoseDC8ieC24 04 470000II 7l 881170的胭州DFFFF0flie8iiFFree00468121eeee06408123Qe7lDa 4D伽斗胭127eeSF E44S33Dniuimsr ?rtAFsub jrip sub jrip sub jmp Eiib jrip add adddviord ptr as: esp*U

2、,47 ue.aoiiasaiodviard pt廣 se; esp*4 ,43 卵* aanasHyodMord ptf s；esp+M,0FFFF ue.aanaaBaoduord ptr ss: esp-U flFFFF je.aQ4asciobyte ptr bytze ptrds:eax ds:eax,alaL,dLInc add 匝 inc add add addbyte ptrd5：eaw-FF00ii03?,ah未知命-dviord ptr ds:eax byte ptr ds:eax,al byte ptr ds: eax-etlK*a+40 rih byte ptr ds:

3、 edi+3C*344SE4箱5術(shù)網(wǎng)客國(guó)09nL1 j|y fhin曠ft n1尸eciie6Aie=UB.oe408Aieush ebphov ebp ,e5ppd羽p pTC|lDV田界,Delbdll Delphihoveax,duopovEdK ,dTIDLdi.DelphiecM.duoEdK ,duo0VE呂X ,dUDlOVedx duD；dll Delphi10VE3M ,dUi2DfienSBCBPiav edxedK53pU5h etiK胭蚯MOD8BD8nou 己bx.eKeflii2DAeF8BC3nav pax.ebK06420611E8 5E9aeOBall Del

4、phi.aB436Z7i|0642061666：3B6 eoieaeocrap word ptr tl5：ebx+182,0ee42D61E打汕BEJe short Delphi.Q042D62Eee42DA208BD3nau pdxetix00420622SBSS 84010000Piau edx.duord ptr ds:ebK*184eeiiED 百 28FF93 80016000tall dworrt ptr ds:ebx*180ell2D62ELsbpap pbxeeil2DA2FC3應(yīng)n|0642063053pu?h pbxQeii2D 百 31SBDSnou ebx.eax,ee

5、ii2D633seesnau eax,etKDJ jj J U.liJJ 11njniiriA?匚aanonLHl 1 na1 nhi仙蚯D2E-Delphi.Oe42D42EQOUSSFDA66；S3Be 22010000crip word ptr ds:ebK+122,0aeUSSFDE、7 II BEje stiort Delphi _ eaU35FEEe仙33FE08BD3Piou edx,ebK001I3SFE28BS3 24013BB0fiiou axdviord ptr ds: ebx+1214et3&FEeFF93 2eoieeeocall div葉d ptr ds:ebx*1

6、20e435FEE5Bpop ebx0Bl35FEFC3Ftnl0135FFO53push ebxeO3SFF12nQiueoacrip viord ptr ds:eax+12fl ,0Qei35FF9w 7也 10je snort Delphi.60436BQBOeHSEFFBSBDSfiiou 9bx,eaKOOHSSFFD8BD0nou pdxeaxOOUSFFFSRM01000(1Piau paxduord ptr ds:Gbx*12CeensfisesFFflS 2SaiOQBQdbjard pt廣 d5：ebx*12aeenseesB56pop ebxOOliSOOCC3血Si44

7、30D00lea dx.dvford ptr ds; eaxi0的3右時(shí)nA虹a真nr55RR匚于呻h pWJijj JU-liijn.fnrii ahn 4Ufids :0ePA4640= Qe47F638 (Delphi . O0J|7F638押b嵐網(wǎng)羅 站同樣寫個(gè)腳本，方便大家操作：復(fù)制內(nèi)容到剪貼板代碼:var Addrmov Addr,4O1OOOloop:find Addr,#740E8BD38B83?FF93?#cmp $RESULT,0je Exitadd $RESULT,0Abp $RESULTadd $RESULT,1mov Addr,$RESULTjmp loopExit:

8、ret三、易語(yǔ)言易語(yǔ)言的這種查找方法，同樣適合有殼的程序，其他的就必須脫殼后再繼續(xù)操作了OD載入后，就F9運(yùn)行程序吧，當(dāng)程序運(yùn)行后,ALT+E選中易語(yǔ)言的核心庫(kù)krnln,雙擊進(jìn)去陰4陰卿0eiQEOseo61220009 QISCOQOO 10BQ0Q6042QBQQ09 it22BQQei95CD8QB09501700005EFE0Q6O61BEOQeO62020069719G0QG971A13Q607in20Q0071A9EIQeaZ2FZ00fl00QS21OOe QQBiQOaB oQBmeoQ 0B11E60B OQQUOOO QQBEQ09B OQ/ACeOQ SOQODQOe

9、QQQ37Q0Q QQB1Q09B OQQB9eOQ QQQ1?60e ooeoDooo 00009690 0QQ3EG9Q 0BQ0S60B 0QQ1700Q QBBIZeaBe 0416001BBF3D57UB10ECflB2Q122858CB13C35CD lOOgDUDU 1HD5132D 即 20B19E1 I22B772C5nDC-l626CDQASfiSbD173i|BR5EFEEE78fi2C22EAD719C1CD71A110l271（121273Z2FZ*ia0flaw scrchpg dpi engine dadkeyb krnln（系纟充 uH-lnon纟充iefran

10、e銃w5hCHs r 系統(tǒng) UKthene （系纟充 ushom （系貌 C0MCTL32 （奈銃 OLEPH032 （索銃 HFCi2L0C （系班 LPK （系統(tǒng) mswsock （系統(tǒng)6.0.21 , 0. 7.00. 7.90. 7.00, 5.6.0 A.aa.: 5.6.05.325.1.2 6.00.E .1.25.1 .2:爲(wèi)迪俺洞碉叢？1地址1602868 1f)028EBE 10028EC2 16a28EC1 1C028EC7 仙028ECA 16D28ECE 16e2SED1 MOZSEDP 1OB2SEDA 10028ED9 ieO28EDA 16e2SEDB 1flO

11、28EDE 10028EE1 16a28EEi 10B28EEE 10e28EF2 turnS91ID EC 837D EC 00 7C 12QB59 ECSBUS 08 SB即C90 10 旳毎D Fe FF75 FCEB DFFF55 5F 5ES95D 89嶼SBG5C782B37D714 13反匯編nou dword ptr ss; ebp-lUJ, ecj( crip dhiord ptF sc;ehp-1ii,0 jl short krnln _1oaSEDft mounounouedx fdvFord eax jdiiord e c X , d VFD r d dvord p t

12、 rptr S5：ebp-14 ptr 55：&hp+8 ptr ds: &ax+&tJK*U+10 ss;ebp-10,ecKnoupush dvford ptr ss: ebp-10 J up short krnln.1a028EB5 ss:ehp-UFCcall dhford pti* pop edi pop esiFHnou dviord ptrF8nou dhiord ptrE6nou e d K , d iiD r d7ca2OQea coinou duord ptrFn eoIcep duord ptF je short hrninannn II口 J)蠻 H iiBn p* r

13、1ss: ebp-C ,et)x sc;ebp-S,P3X ptr ss:ehp-18 tls;e(iK+27O ,0 幣薜爐勾則an w斤*hn咋尊皆L國(guó)6忙ODiirieo28EeB10028EeE1028EC2 10028ECU ieO28EC7 10eECA ieO28EGE 1fiO28E：l1 IBBgBEDii1028ED9 10028EDA ieO28EDB ieO2SE：DE 1Q028EE1 10028EE4 leO28EEE ieO28EF2 磁麗尹匚ri*BQJiD EC 8371) EC 00 7C 12 陽(yáng)石 EC BB嶼 OSSB WO 10 694D FO FF

14、TS FO EB DF FF55 5F 薩 B95D 89卻5 e站雪 C782 B37D 7期*3 jiDjki; asFCFiiFES70020000F4 OO001nov duiard pt廣 ss :Bbp- 1U ,ecx cnp dii(rd ptr ss:ebp-1U,0 jl short krnln_1Q023ED6PiauPIOV IWV fllOUedx ,dviDrd eaXfdviord e-cKpdMord dviord ptrptr ss: ebp-1ii ptr 5s:ebp*B ptr ds;eax*edM*4+10 ss :ebp-10,ecMpush dwa

15、rd ptr ss:ebp-10 jnp short hrnln.1Q0Z8EB5 call dvjord pl:廠 s5：cbp-4 pop pop PiauPIOU non neu cnppdiduiard ptr duord ptrduard pt尸 duard pt廣:ebp-C,ebx 5S;et)p-8 ,eax ptr ss:ebp-18 ds:edH+270,O:abp-C,0je short krnln,ie02aF07SS：CO12F4CC = 004Ofi5F (. OOiOflSftF )同樣,寫個(gè)腳本，方便大家 復(fù)制內(nèi)容到剪貼板 代 碼:gp aGet Process

16、Hea p,kernel32.dll cmp $RESULT,0 je err bp $RESULT run run run bc $RESULT rtu find 10001000,#FF55FC5F5E895D?8945# bp $RESULT find eip, #FFE0# cmp $RESULT,0 je err bp $RESULT run bc $RESULT stoMSG，按紐事件查找完畢！ ” ret err:MSG 腳本運(yùn)行錯(cuò)誤！請(qǐng)檢查錯(cuò)誤后再繼續(xù)運(yùn)行腳本!ret四、VC+程序（非MFC程序）OD載入后，單擊鼠標(biāo)右鍵，選擇”查找，然后是”所有命令”在彈出的輸入框里，寫入特征

17、代碼sub eax,0a10.GIF (7 KB) 2008-9-14 12:02確定后，就來(lái)到下面的窗口葩扯十神反匸編aOii16iO23.FF30push duord pt廣 ds:eax00602?.FF7fl 斡pumh dword ptr ds:eaK+4OOM602S FF5E 14cdll dword ptr ss:ebp*1iiQ的虢B“ E9 97ee9aoQjnp北0C7004160308叭D asmu ecK,duord ptr 55：etip+8|Cdse Z3 of switcri OBUIBFERB041ifi033 FF55 14Cd11 duord ptr 55

18、：ebp+l40016036、E9 SABBOOOejrip UO+MM0C5a酗03B FF75 eCpush duord ptr 5s:ebpO3E“ EB 4?jnp short UC+*.00416085aOii16O4O SB4D asnon vcx,dvord ptr fs:ebp+8|Cjsp C of switch OOM5FEAemrnwa FF55 14call dvford ptr &s:et)p EB 7Fjmp short UC+* .OOHUOC?0Oil16iO4S FF7E SCpush dwoFd ptr 5s:et)p+CCase

19、2 of switch OOUIFEA00ii16OitBw EB 2Djmp short VC+* .aonuB/n觀AF6仙D SB4 18noq fdKjduord ptr ss:ebp+1SCjse 28 of switch OfliilEFEfl盹州強(qiáng)弭.3DD eerw ecx,diford ptr 55：ebp*8OOM4DF3.FF3flpush duord ptr ds:eaxB加1心仍5.FF70 84pu乩 dword ptr(Js;eaK+4jlli山叨川nnhTf.ftuQ匚匚7U 矽mich rliiinrrl n 1k* cc T ahn+P 1地址反匯編注釋pu

20、sh eD卩初始CPU選擇）00m5FF55uti eax,0Atadd add add pop jnb add jn?bylzp ptF d5：eax ,al byte ptr ds:edK,al al ,ch eaxshort HFCit2.73D31012 byte ptr ds:ebK+C085e short riFC*l2.73D31B19查K命令call HFCij2.tt11687整個(gè)段換（S）nou eaxduor口 ptr ds;eax*即 gtn|int3lnt3int3int3int3nou edi.edlpush Esipush edi地址十六進(jìn)制反匯編彳主釋73D32

21、I19CSBliD Ofimou PCX,word ptr* cs: ebp+873D32119FFF7 0 eiipU5ti duiord ptr d5 : eax + ir73D32lA2FF55 1I|C311 dvjord ptF ss:ebp+1473D32IIA5p E9 97eoeoeJnp MFCU2,730325173D32IIAAseiiD oemou ecK,dwopd pti* cs: ebp+873D3211ADFF55 1已call dhiord ptF sg : ebp + 1 即73D32lB0h E9 eneeoeoQ仙p MFCU2-73D3253F73D3

22、2liB5FF75 ecpush duord ptr ss : bp*C7SDS2li87 EB 山5jinpi short HF 2.72 陽(yáng) MF F73D324BABBfiD eenou e c X , d vf D r d ptr ss : eb p + 87SD02WBFF5E 仙cdll dword ptr ss:ebp+1473D32tC07 EB 7FJnp short HFCM273D32汕173D32iC2Fr75 ecpush duord ptr ss : Bbp + C了3D3Z斗C5w EB 2Djrip short MFC+Z ？3D3Z+FU73D32IC7陽(yáng)嶼1

23、8nou eax,dviord ptr 5s:ebp+1873D32IICAFF3 8push dijord ptr ds:eax73D32I1CCEB蚯 Ofimou e X , d VPD r d ptr ss : eb p+873D32即CFFF7B Ql 04 FFFF0OIE9 floflcaeee eeee eoeo enDO 即eene sv-uoeaFFFFFFFFOO0000067400 JiDeOSF E448343DAr加卩 sub jri卩 add adddiiard pt嚴(yán) ss;esp*4 47 UB.aa4Q8A10diiard pt廣 ss; esp+U ,1|3UB.Q0408A90(jtord ptr s：s;esp+4 pQFFFFUB.aQossaodword ptr ss;esp*4,0FFFF UB.aOQSClQhyte ptr byte ptrds:eax,ai d：eax,41test al,dl inceaxd 7- c d d d a ? n d d d _d -T -i _d _d 3byt9 ptrdG：PdXbFFQGMQS。Nhdviord pl:廣 ds:pax bjitp ptf ds:ax ,al bt9 ptr dG： p&K4EdK*a4ii9dh byte ptr ds: *(11+30344j