Microsoft Visual C++ 6.000496EB8 >/$ 55 PUSH EBP ; (初始 cpu 选择)00496EB9 |. 8BEC MOV EBP,ESP00496EBB |. 6A FF PUSH -100496EBD |. 68 40375600 PUSH Screensh.0056374000496EC2 |. 68 8CC74900 PUSH Screensh.0049C78C ; SE 处理程序安装00496EC7 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]00496ECD |. 50 PUSH EAX00496ECE |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP00496ED5 |. 83EC 58 SUB ESP,58---------------------------------------------------------------------------------------Microsoft Visual Basic 5.0 / 6.000401166 - FF25 6C104000 JMP DWORD PTR DS:[<&MSVBVM60.#100>] ; MSVBVM60.ThunRTMain0040116C > 68 147C4000 PUSH PACKME.00407C1400401171 E8 F0FFFFFF CALL <JMP.&MSVBVM60.#100>00401176 0000 ADD BYTE PTR DS:[EAX],AL00401178 0000 ADD BYTE PTR DS:[EAX],AL0040117A 0000 ADD BYTE PTR DS:[EAX],AL0040117C 3000 XOR BYTE PTR DS:[EAX],AL或省略第一行的JMP00401FBC > 68 D0D44000 push dumped_.0040D4D000401FC1 E8 EEFFFFFF call <jmp.&msvbvm60.ThunRTMain>00401FC6 0000 add byte ptr ds:[eax],al00401FC8 0000 add byte ptr ds:[eax],al00401FCA 0000 add byte ptr ds:[eax],al00401FCC 3000 xor byte ptr ds:[eax],al00401FCE 0000 add byte ptr ds:[eax],al----------------------------------------------------------------------BC++0040163C > $ /EB 10 JMP SHORT BCLOCK.0040164E0040163E |66 DB 66 ; CHAR 'f'0040163F |62 DB 62 ; CHAR 'b'00401640 |3A DB 3A ; CHAR ':'00401641 |43 DB 43 ; CHAR 'C'00401642 |2B DB 2B ; CHAR '+'00401643 |2B DB 2B ; CHAR '+'00401644 |48 DB 48 ; CHAR 'H'00401645 |4F DB 4F ; CHAR 'O'00401646 |4F DB 4F ; CHAR 'O'00401647 |4B DB 4B ; CHAR 'K'00401648 |90 NOP00401649 |E9 DB E90040164A . |98E04E00 DD OFFSET BCLOCK.___CPPdebugHook0040164E > /A1 8BE04E00 MOV EAX,DWORD PTR DS:[4EE08B]00401653 . C1E0 02 SHL EAX,200401656 . A3 8FE04E00 MOV DWORD PTR DS:[4EE08F],EAX0040165B . 52 PUSH EDX0040165C . 6A 00 PUSH 0 ; /pModule = NULL0040165E . E8 DFBC0E00 CALL <JMP.&KERNEL32.GetModuleHandleA> ; /GetModuleHandleA00401663 . 8BD0 MOV EDX,EAX-----------------------------------------------------------------------------------------------Borland Delphi 6.0 - 7.000509CB0 > $ 55 PUSH EBP00509CB1 . 8BEC MOV EBP,ESP00509CB3 . 83C4 EC ADD ESP,-1400509CB6 . 53 PUSH EBX00509CB7 . 56 PUSH ESI00509CB8 . 57 PUSH EDI00509CB9 . 33C0 XOR EAX,EAX00509CBB . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX00509CBE . B8 20975000 MOV EAX,unpack.0050972000509CC3 . E8 84CCEFFF CALL unpack.0040694C-----------------------------------------------------------------------------------------------易语言入口00401000 > E8 06000000 call dump_.0040100B00401005 50 push eax00401006 E8 BB010000 call <jmp.&KERNEL32.ExitProcess>0040100B 55 push ebp0040100C 8BEC mov ebp,esp0040100E 81C4 F0FEFFFF add esp,-11000401014 E9 83000000 jmp dump_.0040109C00401019 6B72 6E 6C imul esi,dword ptr ds:[edx+6E],6C0040101D 6E outs dx,byte ptr es:[edi]也可能是这样的入口Microsoft Visual C++ 6.0 [Overlay] E语言00403831 >/$ 55 PUSH EBP00403832 |. 8BEC MOV EBP,ESP00403834 |. 6A FF PUSH -100403836 |. 68 F0624000 PUSH Nisy521.004062F00040383B |. 68 A44C4000 PUSH Nisy521.00404CA4 ; SE 处理程序安装00403840 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]00403846 |. 50 PUSH EAX00403847 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP-------------------------------------------------------------------MASM32 / TASM32入口00401258 >/$ 6A 00 push 0 ; /pModule = NULL0040125A |. E8 47000000 call <jmp.&kernel32.GetModuleHandleA> ; /GetModuleHandleA0040125F |. A3 00304000 mov dword ptr ds:[403000],eax00401264 |. 6A 00 push 0 ; /lParam = NULL00401266 |. 68 DF104000 push dump.004010DF ; |DlgProc = dump.004010DF0040126B |. 6A 00 push 0 ; |hOwner = NULL0040126D |. 6A 65 push 65 ; |pTemplate = 650040126F |. FF35 00304000 push dword ptr ds:[403000] ; |hInst = NULL00401275 |. E8 56000000 call <jmp.&user32.DialogBoxParamA> ; /DialogBoxParamA-
