-
-
[报喜]第一个手脱加密壳VisualProtect 2.25最终完成
-
发表于: 2005-6-14 14:28
-
我学习脱加密壳 的第一个壳VisualProtect 2.25加壳的小程序,存属学习别无他意
我在google里面搜索相关文章,
满世界竟然只有两篇一篇是fly的《用Ollydbg手脱Visual Protect V3.54加壳的DLL》
一篇是fly的《Visual Protect V3.54 脱壳 ―― VisualProtect.exe 主程序》
在这里感谢fly给予的支持,是我最终独立完成了VisualProtect 2.25的脱壳+修复输入表,在此一并感谢所有浏览本帖的人
原本向fly求助时,fly只给了树文件让我用来修复输入表
后来发现我先前不能修复输入表的原因好像是ImportREC的版本问题原先用1.6的
后改用1.4的可以全部修复输入表
下载地址http://ssbbs.hn8868.com/soft/22.exe
////////////////////////////////////////////
调试前设置Ollydbg忽略除了“内存访问异常”之外的所有其他异常。
用Ollydbg手动脱壳,老规矩:载入后弹出“是压缩代码――要继续进行分析吗?”,点“否”。
//////////////////////////////////////////////////////////////////
004E9F90 w> 55 push ebp //OD载入后停在这里
004E9F91 8BEC mov ebp,esp
004E9F93 51 push ecx
004E9F94 53 push ebx
004E9F95 56 push esi
004E9F96 57 push edi
004E9F97 C705 B00E4F00>mov dword ptr ds:[4F0EB0],0
004E9FA1 68 48F04E00 push wscut.004EF048 ; ASCII "kernel32.dll"
004E9FA6 FF15 00D04E00 call dword ptr ds:[<&KERNEL32.Load>; KERNEL32.LoadLibraryA
004E9FAC A3 0C0F4F00 mov dword ptr ds:[4F0F0C],eax
004E9FB1 68 58F04E00 push wscut.004EF058 ; ASCII "GetModuleHandleA"
004E9FB6 A1 0C0F4F00 mov eax,dword ptr ds:[4F0F0C]
004E9FBB 50 push eax
004E9FBC FF15 04D04E00 call dword ptr ds:[<&KERNEL32.GetP>; KERNEL32.GetProcAddress
004E9FC2 A3 900E4F00 mov dword ptr ds:[4F0E90],eax
004E9FC7 6A 00 push 0
004E9FC9 FF15 900E4F00 call dword ptr ds:[4F0E90]
004E9FCF A3 EC0E4F00 mov dword ptr ds:[4F0EEC],eax
004E9FD4 8B0D EC0E4F00 mov ecx,dword ptr ds:[4F0EEC]
004E9FDA 51 push ecx
004E9FDB E8 C0050000 call wscut.004EA5A0
004E9FE0 83C4 04 add esp,4
然后F9运行
出现异常shift+F9带过,直到出现注册对话框
点击试用后异常
00234788 31C9 xor ecx,ecx
0023478A 85D2 test edx,edx
0023478C 74 21 je short VP.002347AF
0023478E 52 push edx
0023478F 3A0A cmp cl,byte ptr ds:[edx] //这里异常
00234791 74 17 je short VP.002347AA
00234793 3A4A 01 cmp cl,byte ptr ds:[edx+1]
00234796 74 11 je short VP.002347A9
00234798 3A4A 02 cmp cl,byte ptr ds:[edx+2]
0023479B 74 0B je short VP.002347A8
0023479D 3A4A 03 cmp cl,byte ptr ds:[edx+3]
002347A0 74 05 je short VP.002347A7
002347A2 83C2 04 add edx,4
002347A5 ^ EB E8 jmp short VP.0023478F
看看堆栈
0012F39C 000FE061
0012F3A0 0029BEAD 返回到 VP.0029BEAD 来自 VP.00234788
0012F3A4 0012F3C8 指针到下一个 SEH 记录
0012F3A8 0029BEB7 SE 句柄 //第一次异常
0012F3AC 0012F3C0
0012F3B0 002DFAFE VP.002DFAFE
第二次异常
0012F398 000FE091
0012F39C 0029BEF5 返回到 VP.0029BEF5 来自 VP.00234788
0012F3A0 0012F3C8 指针到下一个 SEH 记录
0012F3A4 0029BEFF SE 句柄 //找到这里的地址下断
0012F3A8 0012F3BC
0029BEFD /EB 12 jmp short VP.0029BF11
0029BEFF ^|E9 DC7CF9FF jmp VP.00233BE0 //这里然后找到00233BE0下断点运行
0029BF04 |8B45 FC mov eax,dword ptr ss:[ebp-4]
0029BF07 |E8 8C86F9FF call VP.00234598
0029BF0C |E8 3780F9FF call VP.00233F48
断下之后
00233BE0 8B4424 04 mov eax,dword ptr ss:[esp+4]
00233BE4 F740 04 06000>test dword ptr ds:[eax+4],6
00233BEB 0F85 13010000 jnz VP.00233D04
00233BF1 8138 DEFAED0E cmp dword ptr ds:[eax],0EEDFADE
00233BF7 8B50 18 mov edx,dword ptr ds:[eax+18]
00233BFA 8B48 14 mov ecx,dword ptr ds:[eax+14]
00233BFD 74 6E je short VP.00233C6D
直接ctrl+F9运行到返回
002A8019 FFB5 98FEFFFF push dword ptr ss:[ebp-168]
002A801F 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-16C]
002A8025 E8 A63EFFFF call VP.0029BED0
002A802A FFB5 94FEFFFF push dword ptr ss:[ebp-16C] //返回到这里,继续ctrl+F9运行到返回
002A8030 E8 7B5CFFFF call VP.0029DCB0
002A8035 8D95 90FEFFFF lea edx,dword ptr ss:[ebp-170]
002A803B E8 A00EF9FF call VP.00238EE0
002A8040 FFB5 90FEFFFF push dword ptr ss:[ebp-170]
002A8046 8D45 E8 lea eax,dword ptr ss:[ebp-18]
002A8049 BA 03000000 mov edx,3
002A804E E8 BDC8F8FF call VP.00234910
002A8053 33C0 xor eax,eax
002A8055 55 push ebp
002A8056 68 B8802A00 push VP.002A80B8
002A805B 64:FF30 push dword ptr fs:[eax]
002A805E 64:8920 mov dword ptr fs:[eax],esp
002A8061 B8 7C822A00 mov eax,VP.002A827C ; ASCII "GenUniqueSerial.GetMacAddresses"
002A8066 E8 49E2FFFF call VP.002A62B4
002A806B 8D85 8CFEFFFF lea eax,dword ptr ss:[ebp-174]
//////////////////////////
002A74FD 8D45 EC lea eax,dword ptr ss:[ebp-14]
002A7500 E8 53090000 call VP.002A7E58
002A7505 8D45 EC lea eax,dword ptr ss:[ebp-14] //返回到这里,继续执行到返回
002A7508 8B55 F8 mov edx,dword ptr ss:[ebp-8]
002A750B E8 04000000 call VP.002A7514
002A7510 8BE5 mov esp,ebp
002A7512 5D pop ebp
002A7513 C3 retn
/////////////////////
下面是注册验证002D22E4 8B45 F8 mov eax,dword ptr ss:[ebp-8]
002D22E7 50 push eax
002D22E8 8D55 F4 lea edx,dword ptr ss:[ebp-C]
002D22EB B8 B4242D00 mov eax,VP.002D24B4
002D22F0 E8 6F45FDFF call VP.002A6864
002D22F5 8B45 F4 mov eax,dword ptr ss:[ebp-C]
002D22F8 5A pop edx
002D22F9 E8 2E98FCFF call VP.0029BB2C
002D22FE A1 F8BD2D00 mov eax,dword ptr ds:[2DBDF8]
002D2303 8B00 mov eax,dword ptr ds:[eax]
002D2305 3B05 F8BA2D00 cmp eax,dword ptr ds:[2DBAF8]
002D230B 75 27 jnz short VP.002D2334
002D230D 8D55 F0 lea edx,dword ptr ss:[ebp-10]
002D2310 B8 CC242D00 mov eax,VP.002D24CC
002D2315 E8 4A45FDFF call VP.002A6864
002D231A 8B45 F0 mov eax,dword ptr ss:[ebp-10]
002D231D 50 push eax
002D231E 8D55 EC lea edx,dword ptr ss:[ebp-14]
002D2321 B8 DC242D00 mov eax,VP.002D24DC
002D2326 E8 3945FDFF call VP.002A6864
002D232B 8B45 EC mov eax,dword ptr ss:[ebp-14]
002D232E 5A pop edx
002D232F E8 F897FCFF call VP.0029BB2C
002D2334 A1 B0BE2D00 mov eax,dword ptr ds:[2DBEB0]
002D2339 8B00 mov eax,dword ptr ds:[eax]
002D233B 3B05 F8BA2D00 cmp eax,dword ptr ds:[2DBAF8]
002D2341 75 27 jnz short VP.002D236A
002D2343 8D55 E8 lea edx,dword ptr ss:[ebp-18]
002D2346 B8 F0242D00 mov eax,VP.002D24F0
002D234B E8 1445FDFF call VP.002A6864
002D2350 8B45 E8 mov eax,dword ptr ss:[ebp-18]
002D2353 50 push eax
002D2354 B8 DC242D00 mov eax,VP.002D24DC
002D2359 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
002D235C E8 0345FDFF call VP.002A6864
002D2361 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
002D2364 5A pop edx
002D2365 E8 C297FCFF call VP.0029BB2C
002D236A A1 68BF2D00 mov eax,dword ptr ds:[2DBF68]
002D236F 8B00 mov eax,dword ptr ds:[eax]
002D2371 3B05 F8BA2D00 cmp eax,dword ptr ds:[2DBAF8]
002D2377 0F85 F0000000 jnz VP.002D246D
002D237D 8D55 E0 lea edx,dword ptr ss:[ebp-20]
002D2380 B8 00252D00 mov eax,VP.002D2500
002D2385 E8 DA44FDFF call VP.002A6864
002D238A 8B45 E0 mov eax,dword ptr ss:[ebp-20]
002D238D 50 push eax
002D238E B8 DC242D00 mov eax,VP.002D24DC
002D2393 8D55 DC lea edx,dword ptr ss:[ebp-24]
002D2396 E8 C944FDFF call VP.002A6864
002D239B 8B45 DC mov eax,dword ptr ss:[ebp-24]
002D239E 5A pop edx
002D239F E8 8897FCFF call VP.0029BB2C
002D23A4 8D55 D8 lea edx,dword ptr ss:[ebp-28]
002D23A7 B8 14252D00 mov eax,VP.002D2514
002D23AC E8 B344FDFF call VP.002A6864
002D23B1 8B45 D8 mov eax,dword ptr ss:[ebp-28]
002D23B4 8B15 2CC02D00 mov edx,dword ptr ds:[2DC02C] ; VP.002DF404
002D23BA 8B12 mov edx,dword ptr ds:[edx]
002D23BC E8 6B97FCFF call VP.0029BB2C
002D23C1 33C0 xor eax,eax
002D23C3 55 push ebp
002D23C4 68 63242D00 push VP.002D2463
002D23C9 64:FF30 push dword ptr fs:[eax]
002D23CC 64:8920 mov dword ptr fs:[eax],esp
002D23CF A1 1CBB2D00 mov eax,dword ptr ds:[2DBB1C]
002D23D4 8B00 mov eax,dword ptr ds:[eax]
002D23D6 8B10 mov edx,dword ptr ds:[eax]
002D23D8 FF52 14 call dword ptr ds:[edx+14]
002D23DB 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
002D23DE E8 FD6AF6FF call VP.00238EE0
002D23E3 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
002D23E6 50 push eax
002D23E7 8D55 D0 lea edx,dword ptr ss:[ebp-30]
002D23EA B8 2C252D00 mov eax,VP.002D252C
002D23EF E8 7044FDFF call VP.002A6864
002D23F4 8B45 D0 mov eax,dword ptr ss:[ebp-30]
002D23F7 5A pop edx
002D23F8 E8 2F97FCFF call VP.0029BB2C
002D23FD A1 1CBB2D00 mov eax,dword ptr ds:[2DBB1C]
002D2402 8B00 mov eax,dword ptr ds:[eax]
002D2404 8B10 mov edx,dword ptr ds:[eax]
002D2406 FF52 14 call dword ptr ds:[edx+14]
002D2409 8BF0 mov esi,eax
002D240B 4E dec esi
002D240C 85F6 test esi,esi
002D240E 7C 49 jl short VP.002D2459
002D2410 46 inc esi
002D2411 33DB xor ebx,ebx
002D2413 8D4D CC lea ecx,dword ptr ss:[ebp-34]
002D2416 A1 1CBB2D00 mov eax,dword ptr ds:[2DBB1C]
002D241B 8B00 mov eax,dword ptr ds:[eax]
002D241D 8BD3 mov edx,ebx
002D241F 8B38 mov edi,dword ptr ds:[eax]
002D2421 FF57 0C call dword ptr ds:[edi+C]
002D2424 8B45 CC mov eax,dword ptr ss:[ebp-34]
002D2427 50 push eax
002D2428 8D55 C8 lea edx,dword ptr ss:[ebp-38]
002D242B B8 40252D00 mov eax,VP.002D2540
002D2430 E8 2F44FDFF call VP.002A6864
002D2435 8D45 C8 lea eax,dword ptr ss:[ebp-38]
002D2438 50 push eax
002D2439 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
002D243C 8BC3 mov eax,ebx
002D243E E8 9D6AF6FF call VP.00238EE0
002D2443 8B55 C4 mov edx,dword ptr ss:[ebp-3C]
002D2446 58 pop eax
002D2447 E8 0C24F6FF call VP.00234858
002D244C 8B45 C8 mov eax,dword ptr ss:[ebp-38]
002D244F 5A pop edx
002D2450 E8 D796FCFF call VP.0029BB2C
002D2455 43 inc ebx
002D2456 4E dec esi
002D2457 ^ 75 BA jnz short VP.002D2413
002D2459 33C0 xor eax,eax
002D245B 5A pop edx
002D245C 59 pop ecx
002D245D 59 pop ecx
002D245E 64:8910 mov dword ptr fs:[eax],edx
002D2461 EB 0A jmp short VP.002D246D
002D2463 ^ E9 7817F6FF jmp VP.00233BE0
002D2468 E8 DB1AF6FF call VP.00233F48
002D246D 33C0 xor eax,eax
002D246F 5A pop edx
002D2470 59 pop ecx
002D2471 59 pop ecx
002D2472 64:8910 mov dword ptr fs:[eax],edx
002D2475 68 8F242D00 push VP.002D248F
002D247A 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
002D247D BA 0F000000 mov edx,0F
002D2482 E8 3521F6FF call VP.002345BC
002D2487 C3 retn
002D2488 ^ E9 071AF6FF jmp VP.00233E94
002D248D ^ EB EB jmp short VP.002D247A
002D248F 5F pop edi
002D2490 5E pop esi
002D2491 5B pop ebx
002D2492 8BE5 mov esp,ebp
002D2494 5D pop ebp
002D2495 C3 retn //以上代码研究不透,继续返回到下面。
/////////////////////////////////////////////////////////////////////////////////////////////////////
按照fly的文章下面就是最关键的地方
002D5D75 B8 8C6A2D00 mov eax,VP.002D6A8C ; ASCII "SetEnvironment"
002D5D7A E8 B9BEFFFF call VP.002D1C38
002D5D7F A1 70BE2D00 mov eax,dword ptr ds:[2DBE70]
002D5D84 8B40 41 mov eax,dword ptr ds:[eax+41] //这里已经看到了OEP:eax=000d0060
002D5D87 0345 10 add eax,dword ptr ss:[ebp+10]
002D5D8A 8945 FC mov dword ptr ss:[ebp-4],eax
002D5D8D B8 144C2D00 mov eax,VP.[NONAME] //这里的内容002D4C14=VP.[NONAME]eax=004D0060 (wscut.004D0060)
002D5D92 E8 A9100000 call VP.002D6E40
002D5D97 3B05 74012E00 cmp eax,dword ptr ds:[2E0174]
002D5D9D A1 48BB2D00 mov eax,dword ptr ds:[2DBB48]
002D5DA2 0F9400 sete byte ptr ds:[eax]
002D5DA5 A1 70BE2D00 mov eax,dword ptr ds:[2DBE70]
002D5DAA F640 59 10 test byte ptr ds:[eax+59],10
002D5DAE 74 0A je short VP.002D5DBA
002D5DB0 33D2 xor edx,edx
002D5DB2 8B45 10 mov eax,dword ptr ss:[ebp+10]
002D5DB5 E8 5AA8FEFF call VP.002C0614
002D5DBA A1 7CBD2D00 mov eax,dword ptr ds:[2DBD7C]
002D5DBF 8038 00 cmp byte ptr ds:[eax],0
002D5DC2 75 6A jnz short VP.002D5E2E
002D5DC4 A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5DC9 DD40 40 fld qword ptr ds:[eax+40]
002D5DCC D81D 9C6A2D00 fcomp dword ptr ds:[2D6A9C]
002D5DD2 DFE0 fstsw ax
002D5DD4 9E sahf
002D5DD5 74 57 je short VP.002D5E2E
002D5DD7 E8 FC4DF6FF call VP.0023ABD8
002D5DDC A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5DE1 DC58 40 fcomp qword ptr ds:[eax+40]
002D5DE4 DFE0 fstsw ax
002D5DE6 9E sahf
002D5DE7 72 45 jb short VP.002D5E2E
002D5DE9 A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5DEE DD40 40 fld qword ptr ds:[eax+40]
002D5DF1 83C4 F4 add esp,-0C
002D5DF4 DB3C24 fstp tbyte ptr ss:[esp]
002D5DF7 9B wait
002D5DF8 8D85 70FAFFFF lea eax,dword ptr ss:[ebp-590]
002D5DFE E8 9148F6FF call VP.0023A694
002D5E03 8B8D 70FAFFFF mov ecx,dword ptr ss:[ebp-590]
002D5E09 8D85 74FAFFFF lea eax,dword ptr ss:[ebp-58C]
002D5E0F BA A86A2D00 mov edx,VP.002D6AA8 ; ASCII "ExitProcess VPCRCMatch=False CrashMeDate<>0 "
002D5E14 E8 83EAF5FF call VP.0023489C
002D5E19 8B85 74FAFFFF mov eax,dword ptr ss:[ebp-58C]
002D5E1F E8 14BEFFFF call VP.002D1C38
002D5E24 BB 9BFFFFFF mov ebx,-65
002D5E29 E9 AF030000 jmp VP.002D61DD
002D5E2E A1 48BB2D00 mov eax,dword ptr ds:[2DBB48]
002D5E33 8038 00 cmp byte ptr ds:[eax],0
002D5E36 75 0A jnz short VP.002D5E42
002D5E38 A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5E3D E8 7E4CFDFF call VP.002AAAC0
002D5E42 B8 E06A2D00 mov eax,VP.002D6AE0 ; ASCII "Uncomress Sections"
002D5E47 E8 ECBDFFFF call VP.002D1C38
002D5E4C 8B45 08 mov eax,dword ptr ss:[ebp+8]
002D5E4F FF10 call dword ptr ds:[eax]
002D5E51 A1 84BB2D00 mov eax,dword ptr ds:[2DBB84]
002D5E56 8B00 mov eax,dword ptr ds:[eax]
002D5E58 8B15 70BE2D00 mov edx,dword ptr ds:[2DBE70] ; VP.002DF78C
002D5E5E 3B42 4D cmp eax,dword ptr ds:[edx+4D]
002D5E61 74 1B je short VP.002D5E7E
002D5E63 A1 70BE2D00 mov eax,dword ptr ds:[2DBE70]
002D5E68 8378 45 00 cmp dword ptr ds:[eax+45],0
002D5E6C 76 10 jbe short VP.002D5E7E
002D5E6E B8 FC6A2D00 mov eax,VP.002D6AFC ; ASCII "Rellocation"
002D5E73 E8 C0BDFFFF call VP.002D1C38
002D5E78 8B45 08 mov eax,dword ptr ss:[ebp+8]
002D5E7B FF50 04 call dword ptr ds:[eax+4]
002D5E7E A1 C0C02D00 mov eax,dword ptr ds:[2DC0C0]
002D5E83 8338 02 cmp dword ptr ds:[eax],2
002D5E86 75 0A jnz short VP.002D5E92
002D5E88 A1 D8BC2D00 mov eax,dword ptr ds:[2DBCD8]
002D5E8D 8338 04 cmp dword ptr ds:[eax],4
002D5E90 74 14 je short VP.002D5EA6
002D5E92 A1 C0C02D00 mov eax,dword ptr ds:[2DC0C0]
002D5E97 8338 01 cmp dword ptr ds:[eax],1
002D5E9A 75 1C jnz short VP.002D5EB8
002D5E9C A1 20BF2D00 mov eax,dword ptr ds:[2DBF20]
002D5EA1 8338 00 cmp dword ptr ds:[eax],0
002D5EA4 75 12 jnz short VP.002D5EB8
002D5EA6 B8 106B2D00 mov eax,VP.002D6B10 ; ASCII "VC ImportTable Win NT 4.0/Windows 9.x"
002D5EAB E8 88BDFFFF call VP.002D1C38
002D5EB0 8B45 08 mov eax,dword ptr ss:[ebp+8]
002D5EB3 FF50 08 call dword ptr ds:[eax+8]
002D5EB6 EB 16 jmp short VP.002D5ECE
002D5EB8 B8 406B2D00 mov eax,VP.002D6B40 ; ASCII "Delphi ImportTable"
002D5EBD E8 76BDFFFF call VP.002D1C38
002D5EC2 A1 84BB2D00 mov eax,dword ptr ds:[2DBB84]
002D5EC7 8B00 mov eax,dword ptr ds:[eax]
002D5EC9 E8 7AA6FEFF call VP.[NONAME] 按照fly的文章这里应该是输入表加密的地方了,为什么我进去之后没有看到
和《用Ollydbg手脱Visual Protect V3.54加壳的DLL》一文中的类似代码啊???到底输入表加密部分在哪里啊?请高手们指教啊
002D5ECE A1 48BB2D00 mov eax,dword ptr ds:[2DBB48]
002D5ED3 8038 00 cmp byte ptr ds:[eax],0
002D5ED6 74 5F je short VP.002D5F37
002D5ED8 B8 144C2D00 mov eax,VP.[NONAME]
002D5EDD E8 5E0F0000 call VP.002D6E40
002D5EE2 3B05 74012E00 cmp eax,dword ptr ds:[2E0174]
002D5EE8 74 4D je short VP.002D5F37
002D5EEA A1 48BB2D00 mov eax,dword ptr ds:[2DBB48]
002D5EEF C600 00 mov byte ptr ds:[eax],0
002D5EF2 A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5EF7 DD40 40 fld qword ptr ds:[eax+40]
002D5EFA 83C4 F4 add esp,-0C
002D5EFD DB3C24 fstp tbyte ptr ss:[esp]
002D5F00 9B wait
002D5F01 8D85 68FAFFFF lea eax,dword ptr ss:[ebp-598]
002D5F07 E8 8847F6FF call VP.0023A694
002D5F0C 8B8D 68FAFFFF mov ecx,dword ptr ss:[ebp-598]
002D5F12 8D85 6CFAFFFF lea eax,dword ptr ss:[ebp-594]
002D5F18 BA 5C6B2D00 mov edx,VP.002D6B5C ; ASCII "CodeCRCMatch False "
002D5F1D E8 7AE9F5FF call VP.0023489C
002D5F22 8B85 6CFAFFFF mov eax,dword ptr ss:[ebp-594]
002D5F28 E8 0BBDFFFF call VP.002D1C38
002D5F2D A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5F32 E8 894BFDFF call VP.002AAAC0
002D5F37 8B45 F8 mov eax,dword ptr ss:[ebp-8]
002D5F3A E8 1924FCFF call VP.00298358
002D5F3F 8B45 F8 mov eax,dword ptr ss:[ebp-8]
002D5F42 E8 B9D7F5FF call VP.00233700
002D5F47 807D 20 00 cmp byte ptr ss:[ebp+20],0
002D5F4B 0F85 B0000000 jnz VP.002D6001
002D5F51 A1 48BB2D00 mov eax,dword ptr ds:[2DBB48]
002D5F56 8038 00 cmp byte ptr ds:[eax],0
002D5F59 74 5F je short VP.002D5FBA
002D5F5B B8 144C2D00 mov eax,VP.[NONAME]
002D5F60 E8 DB0E0000 call VP.002D6E40
002D5F65 3B05 74012E00 cmp eax,dword ptr ds:[2E0174]
002D5F6B 74 4D je short VP.002D5FBA
002D5F6D A1 48BB2D00 mov eax,dword ptr ds:[2DBB48]
002D5F72 C600 00 mov byte ptr ds:[eax],0
002D5F75 A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5F7A DD40 40 fld qword ptr ds:[eax+40]
002D5F7D 83C4 F4 add esp,-0C
002D5F80 DB3C24 fstp tbyte ptr ss:[esp]
002D5F83 9B wait
002D5F84 8D85 60FAFFFF lea eax,dword ptr ss:[ebp-5A0]
002D5F8A E8 0547F6FF call VP.0023A694
002D5F8F 8B8D 60FAFFFF mov ecx,dword ptr ss:[ebp-5A0]
002D5F95 8D85 64FAFFFF lea eax,dword ptr ss:[ebp-59C]
002D5F9B BA 786B2D00 mov edx,VP.002D6B78 ; ASCII "CodeCRCMatch False"
002D5FA0 E8 F7E8F5FF call VP.0023489C
002D5FA5 8B85 64FAFFFF mov eax,dword ptr ss:[ebp-59C]
002D5FAB E8 88BCFFFF call VP.002D1C38
002D5FB0 A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5FB5 E8 064BFDFF call VP.002AAAC0
002D5FBA 8B45 FC mov eax,dword ptr ss:[ebp-4]
002D5FBD 33D2 xor edx,edx
002D5FBF 52 push edx
002D5FC0 50 push eax
002D5FC1 8D95 58FAFFFF lea edx,dword ptr ss:[ebp-5A8]
002D5FC7 B8 08000000 mov eax,8
002D5FCC E8 AF2FF6FF call VP.00238F80
002D5FD1 8B8D 58FAFFFF mov ecx,dword ptr ss:[ebp-5A8]
002D5FD7 8D85 5CFAFFFF lea eax,dword ptr ss:[ebp-5A4]
002D5FDD BA 946B2D00 mov edx,VP.002D6B94 ; ASCII "Finalizing 0x"
002D5FE2 E8 B5E8F5FF call VP.0023489C
002D5FE7 8B85 5CFAFFFF mov eax,dword ptr ss:[ebp-5A4]
002D5FED E8 46BCFFFF call VP.002D1C38
002D5FF2 FF65 FC jmp dword ptr ss:[ebp-4] //这里跳向程序的真正入口电d0060
002D5FF5 6A 00 push 0
002D5FF7 E8 C00CF6FF call VP.00236CBC
002D5FFC E9 C6040000 jmp VP.002D64C7
002D6001 A1 70BE2D00 mov eax,dword ptr ds:[2DBE70]
004D0060 55 push ebp //程序真正入口
004D0061 8BEC mov ebp,esp
004D0063 83C4 EC add esp,-14
004D0066 53 push ebx
004D0067 33C0 xor eax,eax
004D0069 8945 EC mov dword ptr ss:[ebp-14],eax
004D006C B8 68FD4C00 mov eax,wscut.004CFD68
004D0071 E8 7E6CF3FF call wscut.00406CF4
004D0076 8B1D 88314D00 mov ebx,dword ptr ds:[4D3188] ; wscut.004D4C34
004D007C 33C0 xor eax,eax
004D007E 55 push ebp
004D007F 68 CE014D00 push wscut.004D01CE
004D0084 64:FF30 push dword ptr fs:[eax]
004D0087 64:8920 mov dword ptr fs:[eax],esp
004D008A 8B03 mov eax,dword ptr ds:[ebx]
004D008C E8 9780F9FF call wscut.00468128
004D0091 8B03 mov eax,dword ptr ds:[ebx]
004D0093 BA E4014D00 mov edx,wscut.004D01E4
004D0098 E8 977CF9FF call wscut.00467D34
004D009D 8B03 mov eax,dword ptr ds:[ebx]
004D009F 83C0 50 add eax,50
004D00A2 BA 00024D00 mov edx,wscut.004D0200 ; ASCII "wscut.chm"
004D00A7 E8 1848F3FF call wscut.004048C4
重新运行wscut.exe,运行ImportREC,选择这个进程。 把OEP改为d0060,点IT AutoSearch,
点“Get Import”,有许多函数无效,用“追踪层次3”全部修复。FixDump,正常运行!
下面是ImportREC导出的树结构,有很多无效函数,我到底哪力错了啊
; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag RVA ModuleName Ordinal Name
;
; Details for <Valid> parameter:
; ------------------------------
; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set
; it to zero if you edit it).
; - Ordinal is not considered but you should let '0000' as value.
; - ModuleName is not considered but you should let '?' as value.
;
; 1 = valid: yes -> All next parameters on the line will be considered.
; Function imported by ordinal must have no name (the 4th TAB must
; be there though).
;
; 2 = Equivalent to 0 but it is for the loader.
;
; 3 = Equivalent to 1 but it is for the loader.
;
; 4 = Equivalent to 0 with (R) tag.
;
; 5 = Equivalent to 1 with (R) tag.
;
; And finally, edit this file as your own risk! :-)
Target: D:\Program Files\2\wscut.exe
OEP: 000D0060 IATRVA: 000D51A0 IATSize: 00000744
FThunk: 000D51A4 NbFunc: 0000002B
1 000D51A4 kernel32.dll 005F DeleteCriticalSection
1 000D51A8 kernel32.dll 01E5 LeaveCriticalSection
1 000D51AC kernel32.dll 0074 EnterCriticalSection
1 000D51B0 kernel32.dll 01CC InitializeCriticalSection
1 000D51B4 kernel32.dll 02F8 VirtualFree
1 000D51B8 kernel32.dll 02F5 VirtualAlloc
1 000D51BC kernel32.dll 01F0 LocalFree
1 000D51C0 kernel32.dll 01EC LocalAlloc
1 000D51C4 kernel32.dll 0111 GetCurrentThreadId
1 000D51C8 kernel32.dll 01CF InterlockedDecrement
1 000D51CC kernel32.dll 01D2 InterlockedIncrement
1 000D51D0 kernel32.dll 02FD VirtualQuery
1 000D51D4 kernel32.dll 0308 WideCharToMultiByte
1 000D51D8 kernel32.dll 028F SetCurrentDirectoryA
1 000D51DC kernel32.dll 0209 MultiByteToWideChar
1 000D51E0 kernel32.dll 033B lstrlen
1 000D51E4 kernel32.dll 0338 lstrcpyn
1 000D51E8 kernel32.dll 01E7 LoadLibraryExA
1 000D51EC kernel32.dll 0186 GetThreadLocale
1 000D51F0 kernel32.dll 016B GetStartupInfoA
1 000D51F4 kernel32.dll 0158 GetProcAddress
1 000D51F8 kernel32.dll 013F GetModuleHandleA
1 000D51FC kernel32.dll 013D GetModuleFileNameA
1 000D5200 kernel32.dll 0135 GetLocaleInfoA
1 000D5204 kernel32.dll 0132 GetLastError
1 000D5208 kernel32.dll 010C GetCurrentDirectoryA
1 000D520C kernel32.dll 00DF GetCommandLineA
1 000D5210 kernel32.dll 00C8 FreeLibrary
1 000D5214 kernel32.dll 00A8 FindFirstFileA
1 000D5218 kernel32.dll 00A4 FindClose
1 000D521C kernel32.dll 0091 ExitProcess
1 000D5220 kernel32.dll 0315 WriteFile
1 000D5224 kernel32.dll 02E2 UnhandledExceptionFilter
1 000D5228 kernel32.dll 029C SetFilePointer
1 000D522C kernel32.dll 0293 SetEndOfFile
1 000D5230 kernel32.dll 025E RtlUnwind
1 000D5234 kernel32.dll 0244 ReadFile
1 000D5238 kernel32.dll 0237 RaiseException
1 000D523C kernel32.dll 016D GetStdHandle
1 000D5240 kernel32.dll 012A GetFileSize
1 000D5244 kernel32.dll 012D GetFileType
1 000D5248 kernel32.dll 0039 CreateFileA
1 000D524C kernel32.dll 001F CloseHandle
FThunk: 000D5254 NbFunc: 00000004
1 000D5254 user32.dll 011C GetKeyboardType
1 000D5258 user32.dll 01B0 LoadStringA
1 000D525C user32.dll 01C4 MessageBoxA
1 000D5260 user32.dll 0026 CharNextA
FThunk: 000D5268 NbFunc: 00000003
1 000D5268 advapi32.dll 01AF RegQueryValueExA
1 000D526C advapi32.dll 01A5 RegOpenKeyExA
1 000D5270 advapi32.dll 018C RegCloseKey
FThunk: 000D5278 NbFunc: 00000003
1 000D5278 oleaut32.dll 0006 SysFreeString
1 000D527C oleaut32.dll 0005 SysReAllocStringLen
1 000D5280 oleaut32.dll 0004 SysAllocStringLen
FThunk: 000D5288 NbFunc: 00000004
1 000D5288 kernel32.dll 02DA TlsSetValue
1 000D528C kernel32.dll 02D9 TlsGetValue
1 000D5290 kernel32.dll 01EC LocalAlloc
1 000D5294 kernel32.dll 013F GetModuleHandleA
FThunk: 000D529C NbFunc: 00000003
1 000D529C advapi32.dll 01AF RegQueryValueExA
1 000D52A0 advapi32.dll 01A5 RegOpenKeyExA
1 000D52A4 advapi32.dll 018C RegCloseKey
FThunk: 000D52AC NbFunc: 00000042
1 000D52AC kernel32.dll 0335 lstrcpy
1 000D52B0 kernel32.dll 031A WritePrivateProfileStringA
1 000D52B4 kernel32.dll 0315 WriteFile
1 000D52B8 kernel32.dll 0304 WaitForSingleObject
1 000D52BC kernel32.dll 02FD VirtualQuery
1 000D52C0 kernel32.dll 02F5 VirtualAlloc
1 000D52C4 kernel32.dll 02CA Sleep
1 000D52C8 kernel32.dll 02C9 SizeofResource
1 000D52CC kernel32.dll 02BA SetThreadLocale
1 000D52D0 kernel32.dll 029C SetFilePointer
1 000D52D4 kernel32.dll 0297 SetEvent
1 000D52D8 kernel32.dll 0296 SetErrorMode
1 000D52DC kernel32.dll 0293 SetEndOfFile
1 000D52E0 kernel32.dll 0259 ResetEvent
1 000D52E4 kernel32.dll 0244 ReadFile
1 000D52E8 kernel32.dll 0209 MultiByteToWideChar
1 000D52EC kernel32.dll 0208 MulDiv
1 000D52F0 kernel32.dll 01F9 LockResource
1 000D52F4 kernel32.dll 01EB LoadResource
1 000D52F8 kernel32.dll 01E6 LoadLibraryA
1 000D52FC kernel32.dll 01E5 LeaveCriticalSection
1 000D5300 kernel32.dll 01CC InitializeCriticalSection
1 000D5304 kernel32.dll 01B3 GlobalUnlock
1 000D5308 kernel32.dll 01B0 GlobalSize
1 000D530C kernel32.dll 01AF GlobalReAlloc
1 000D5310 kernel32.dll 01AD GlobalMemoryStatus
1 000D5314 kernel32.dll 01AB GlobalHandle
1 000D5318 kernel32.dll 01AC GlobalLock
1 000D531C kernel32.dll 01A8 GlobalFree
1 000D5320 kernel32.dll 01A4 GlobalFindAtomA
1 000D5324 kernel32.dll 01A3 GlobalDeleteAtom
1 000D5328 kernel32.dll 01A1 GlobalAlloc
1 000D532C kernel32.dll 019F GlobalAddAtomA
1 000D5330 kernel32.dll 0194 GetVersionExA
1 000D5334 kernel32.dll 0193 GetVersion
1 000D5338 kernel32.dll 018B GetTickCount
1 000D533C kernel32.dll 0186 GetThreadLocale
1 000D5340 kernel32.dll 0177 GetSystemInfo
1 000D5344 kernel32.dll 016F GetStringTypeExA
1 000D5348 kernel32.dll 016D GetStdHandle
1 000D534C kernel32.dll 0166 GetProfileStringA
1 000D5350 kernel32.dll 0158 GetProcAddress
1 000D5354 kernel32.dll 0154 GetPrivateProfileStringA
1 000D5358 kernel32.dll 013F GetModuleHandleA
1 000D535C kernel32.dll 013D GetModuleFileNameA
1 000D5360 kernel32.dll 0135 GetLocaleInfoA
1 000D5364 kernel32.dll 0134 GetLocalTime
1 000D5368 kernel32.dll 0132 GetLastError
1 000D536C kernel32.dll 0118 GetDiskFreeSpaceA
1 000D5370 kernel32.dll 0112 GetDateFormatA
1 000D5374 kernel32.dll 0111 GetCurrentThreadId
1 000D5378 kernel32.dll 010F GetCurrentProcessId
1 000D537C kernel32.dll 00D4 GetCPInfo
1 000D5380 kernel32.dll 00CE GetACP
1 000D5384 kernel32.dll 00CA FreeResource
1 000D5388 kernel32.dll 00C8 FreeLibrary
1 000D538C kernel32.dll 00C3 FormatMessageA
1 000D5390 kernel32.dll 00B7 FindResourceA
1 000D5394 kernel32.dll 0075 EnumCalendarInfoA
1 000D5398 kernel32.dll 0074 EnterCriticalSection
1 000D539C kernel32.dll 005F DeleteCriticalSection
1 000D53A0 kernel32.dll 0052 CreateThread
1 000D53A4 kernel32.dll 0039 CreateFileA
1 000D53A8 kernel32.dll 0035 CreateEventA
1 000D53AC kernel32.dll 0025 CompareStringA
1 000D53B0 kernel32.dll 001F CloseHandle
FThunk: 000D53B8 NbFunc: 00000003
1 000D53B8 version.dll 000B VerQueryValueA
1 000D53BC version.dll 0002 GetFileVersionInfoSizeA
1 000D53C0 version.dll 0001 GetFileVersionInfoA
FThunk: 000D53C8 NbFunc: 00000056
1 000D53C8 gdi32.dll 0213 UnrealizeObject
1 000D53CC gdi32.dll 020A StretchBlt
1 000D53D0 gdi32.dll 0209 StartPage
1 000D53D4 gdi32.dll 0206 StartDocA
1 000D53D8 gdi32.dll 0204 SetWindowOrgEx
1 000D53DC gdi32.dll 0203 SetWindowExtEx
1 000D53E0 gdi32.dll 0202 SetWinMetaFileBits
1 000D53E4 gdi32.dll 0200 SetViewportOrgEx
1 000D53E8 gdi32.dll 01FF SetViewportExtEx
1 000D53EC gdi32.dll 01FD SetTextColor
1 000D53F0 gdi32.dll 01F9 SetStretchBltMode
1 000D53F4 gdi32.dll 01F6 SetROP2
1 000D53F8 gdi32.dll 01F2 SetPixel
1 000D53FC gdi32.dll 01EC SetMapMode
1 000D5400 gdi32.dll 01E3 SetEnhMetaFileBits
1 000D5404 gdi32.dll 01DF SetDIBColorTable
1 000D5408 gdi32.dll 01DA SetBrushOrgEx
1 000D540C gdi32.dll 01D8 SetBkMode
1 000D5410 gdi32.dll 01D7 SetBkColor
1 000D5414 gdi32.dll 01D3 SetAbortProc
1 000D5418 gdi32.dll 01D2 SelectPalette
1 000D541C gdi32.dll 01D1 SelectObject
1 000D5420 gdi32.dll 01CA SaveDC
1 000D5424 gdi32.dll 01C4 RoundRect
1 000D5428 gdi32.dll 01C3 RestoreDC
1 000D542C gdi32.dll 01B9 Rectangle
1 000D5430 gdi32.dll 01B8 RectVisible
1 000D5434 gdi32.dll 01B6 RealizePalette
1 000D5438 gdi32.dll 01B1 Polyline
1 000D543C gdi32.dll 01AD PolyPolyline
1 000D5440 gdi32.dll 01A3 PlayEnhMetaFile
1 000D5444 gdi32.dll 01A0 PatBlt
1 000D5448 gdi32.dll 0194 MoveToEx
1 000D544C gdi32.dll 0191 MaskBlt
1 000D5450 gdi32.dll 0190 LineTo
1 000D5454 gdi32.dll 018A IntersectClipRect
1 000D5458 gdi32.dll 0186 GetWindowOrgEx
1 000D545C gdi32.dll 0184 GetWinMetaFileBits
1 000D5460 gdi32.dll 017F GetTextMetricsA
1 000D5464 gdi32.dll 0179 GetTextExtentPointA
1 000D5468 gdi32.dll 0177 GetTextExtentPoint32A
1 000D546C gdi32.dll 016C GetSystemPaletteEntries
1 000D5470 gdi32.dll 0168 GetStockObject
1 000D5474 gdi32.dll 0167 GetRgnBox
1 000D5478 gdi32.dll 015F GetPixel
1 000D547C gdi32.dll 015D GetPaletteEntries
1 000D5480 gdi32.dll 0158 GetObjectA
1 000D5484 gdi32.dll 0138 GetEnhMetaFilePaletteEntries
1 000D5488 gdi32.dll 0137 GetEnhMetaFileHeader
1 000D548C gdi32.dll 0134 GetEnhMetaFileBits
1 000D5490 gdi32.dll 012E GetDeviceCaps
1 000D5494 gdi32.dll 012D GetDIBits
1 000D5498 gdi32.dll 012C GetDIBColorTable
1 000D549C gdi32.dll 012A GetDCOrgEx
1 000D54A0 gdi32.dll 0128 GetCurrentPositionEx
1 000D54A4 gdi32.dll 0123 GetClipBox
1 000D54A8 gdi32.dll 0113 GetBrushOrgEx
1 000D54AC gdi32.dll 010E GetBitmapBits
1 000D54B0 gdi32.dll 00E0 GdiFlush
1 000D54B4 gdi32.dll 00A3 ExtTextOutA
1 000D54B8 gdi32.dll 009E ExtCreatePen
1 000D54BC gdi32.dll 009D ExcludeClipRect
1 000D54C0 gdi32.dll 005E EndPage
1 000D54C4 gdi32.dll 005C EndDoc
1 000D54C8 gdi32.dll 005A Ellipse
1 000D54CC gdi32.dll 0055 DeleteObject
1 000D54D0 gdi32.dll 0053 DeleteEnhMetaFile
1 000D54D4 gdi32.dll 0052 DeleteDC
1 000D54D8 gdi32.dll 004F CreateSolidBrush
1 000D54DC gdi32.dll 004A CreateRectRgn
1 000D54E0 gdi32.dll 0047 CreatePenIndirect
1 000D54E4 gdi32.dll 0044 CreatePalette
1 000D54E8 gdi32.dll 0040 CreateICA
1 000D54EC gdi32.dll 003E CreateHalftonePalette
1 000D54F0 gdi32.dll 0039 CreateFontIndirectA
1 000D54F4 gdi32.dll 0032 CreateDIBitmap
1 000D54F8 gdi32.dll 0031 CreateDIBSection
1 000D54FC gdi32.dll 002D CreateDCA
1 000D5500 gdi32.dll 002C CreateCompatibleDC
1 000D5504 gdi32.dll 002B CreateCompatibleBitmap
1 000D5508 gdi32.dll 0028 CreateBrushIndirect
1 000D550C gdi32.dll 0026 CreateBitmap
1 000D5510 gdi32.dll 0022 CopyEnhMetaFileA
1 000D5514 gdi32.dll 0020 CombineRgn
1 000D5518 gdi32.dll 0013 BitBlt
1 000D551C gdi32.dll 000C Arc
FThunk: 000D5524 NbFunc: 000000AD
1 000D5524 user32.dll 02B1 WindowFromPoint
1 000D5528 user32.dll 02AE WinHelpA
1 000D552C user32.dll 02AC WaitMessage
1 000D5530 user32.dll 02A1 ValidateRect
1 000D5534 user32.dll 0297 UpdateWindow
1 000D5538 user32.dll 0291 UnregisterClassA
1 000D553C user32.dll 028D UnionRect
1 000D5540 user32.dll 028C UnhookWindowsHookEx
1 000D5544 user32.dll 0288 TranslateMessage
1 000D5548 user32.dll 0287 TranslateMDISysAccel
1 000D554C user32.dll 0282 TrackPopupMenu
1 000D5550 user32.dll 0277 SystemParametersInfoA
1 000D5554 user32.dll 0270 ShowWindow
1 000D5558 user32.dll 026E ShowScrollBar
1 000D555C user32.dll 026D ShowOwnedPopups
1 000D5560 user32.dll 026C ShowCursor
1 000D5564 user32.dll 0268 SetWindowsHookExA
1 000D5568 user32.dll 0264 SetWindowTextA
1 000D556C user32.dll 0261 SetWindowPos
1 000D5570 user32.dll 0260 SetWindowPlacement
1 000D5574 user32.dll 025E SetWindowLongA
1 000D5578 user32.dll 0258 SetTimer
1 000D557C user32.dll 024E SetScrollRange
1 000D5580 user32.dll 024D SetScrollPos
1 000D5584 user32.dll 024C SetScrollInfo
1 000D5588 user32.dll 024A SetRect
1 000D558C user32.dll 0248 SetPropA
1 000D5590 user32.dll 0240 SetMenuItemInfoA
1 000D5594 user32.dll 023B SetMenu
1 000D5598 user32.dll 0237 SetKeyboardState
1 000D559C user32.dll 0235 SetForegroundWindow
1 000D55A0 user32.dll 0234 SetFocus
1 000D55A4 user32.dll 022B SetCursor
1 000D55A8 user32.dll 0228 SetClipboardData
1 000D55AC user32.dll 0225 SetClassLongA
1 000D55B0 user32.dll 0222 SetCapture
1 000D55B4 user32.dll 0221 SetActiveWindow
1 000D55B8 user32.dll 0219 SendMessageA
1 000D55BC user32.dll 0213 ScrollWindowEx
1 000D55C0 user32.dll 0212 ScrollWindow
1 000D55C4 user32.dll 020F ScreenToClient
1 000D55C8 user32.dll 020A RemovePropA
1 000D55CC user32.dll 0209 RemoveMenu
1 000D55D0 user32.dll 0208 ReleaseDC
1 000D55D4 user32.dll 0207 ReleaseCapture
1 000D55D8 user32.dll 01FB RegisterClipboardFormatA
1 000D55DC user32.dll 01FB RegisterClipboardFormatA
1 000D55E0 user32.dll 01F7 RegisterClassA
1 000D55E4 user32.dll 01F6 RedrawWindow
1 000D55E8 user32.dll 01EF PtInRect
1 000D55EC user32.dll 01E6 PostQuitMessage
1 000D55F0 user32.dll 01E4 PostMessageA
1 000D55F4 user32.dll 01E2 PeekMessageA
1 000D55F8 user32.dll 01D9 OpenClipboard
1 000D55FC user32.dll 01D8 OffsetRect
1 000D5600 user32.dll 01D4 OemToCharA
1 000D5604 user32.dll 01C4 MessageBoxA
1 000D5608 user32.dll 01C3 MessageBeep
1 000D560C user32.dll 01BF MapWindowPoints
1 000D5610 user32.dll 01BB MapVirtualKeyA
1 000D5614 user32.dll 01B0 LoadStringA
1 000D5618 user32.dll 01A7 LoadKeyboardLayoutA
1 000D561C user32.dll 01A3 LoadIconA
1 000D5620 user32.dll 019F LoadCursorA
1 000D5624 user32.dll 019D LoadBitmapA
1 000D5628 user32.dll 019A KillTimer
1 000D562C user32.dll 0198 IsZoomed
1 000D5630 user32.dll 0197 IsWindowVisible
1 000D5634 user32.dll 0195 IsWindowEnabled
1 000D5638 user32.dll 0194 IsWindow
1 000D563C user32.dll 0193 IsRectEmpty
1 000D5640 user32.dll 0191 IsIconic
1 000D5644 user32.dll 018C IsDialogMessage
1 000D5648 user32.dll 018B IsClipboardFormatAvailable
1 000D564C user32.dll 018A IsChild
1 000D5650 user32.dll 0183 IsCharAlphaNumericA
1 000D5654 user32.dll 0182 IsCharAlphaA
1 000D5658 user32.dll 017F InvalidateRect
1 000D565C user32.dll 017E IntersectRect
1 000D5660 user32.dll 017A InsertMenuItemA
1 000D5664 user32.dll 0179 InsertMenuA
1 000D5668 user32.dll 0176 InflateRect
1 000D566C user32.dll 0167 GetWindowThreadProcessId
1 000D5670 user32.dll 0163 GetWindowTextA
1 000D5674 user32.dll 0161 GetWindowRect
1 000D5678 user32.dll 0160 GetWindowPlacement
1 000D567C user32.dll 015B GetWindowLongA
1 000D5680 user32.dll 0159 GetWindowDC
1 000D5684 user32.dll 0150 GetTopWindow
1 000D5688 user32.dll 014A GetSystemMetrics
1 000D568C user32.dll 0149 GetSystemMenu
1 000D5690 user32.dll 0147 GetSysColor
1 000D5694 user32.dll 0146 GetSubMenu
1 000D5698 user32.dll 0144 GetScrollRange
1 000D569C user32.dll 0143 GetScrollPos
1 000D56A0 user32.dll 0142 GetScrollInfo
1 000D56A4 user32.dll 013E GetPropA
1 000D56A8 user32.dll 0139 GetParent
1 000D56AC user32.dll 0157 GetWindow
1 000D56B0 user32.dll 0131 GetMessageTime
1 000D56B4 user32.dll 012C GetMenuStringA
1 000D56B8 user32.dll 012B GetMenuState
1 000D56BC user32.dll 0128 GetMenuItemInfoA
1 000D56C0 user32.dll 0127 GetMenuItemID
1 000D56C4 user32.dll 0126 GetMenuItemCount
1 000D56C8 user32.dll 0120 GetMenu
1 000D56CC user32.dll 011D GetLastActivePopup
1 000D56D0 user32.dll 011B GetKeyboardState
1 000D56D4 user32.dll 0118 GetKeyboardLayoutList
1 000D56D8 user32.dll 0117 GetKeyboardLayout
1 000D56DC user32.dll 0116 GetKeyState
1 000D56E0 user32.dll 0114 GetKeyNameTextA
1 000D56E4 user32.dll 010F GetIconInfo
1 000D56E8 user32.dll 010C GetForegroundWindow
1 000D56EC user32.dll 010B GetFocus
1 000D56F0 user32.dll 010A GetDoubleClickTime
1 000D56F4 user32.dll 0106 GetDlgItem
1 000D56F8 user32.dll 0103 GetDesktopWindow
1 000D56FC user32.dll 0102 GetDCEx
1 000D5700 user32.dll 0101 GetDC
1 000D5704 user32.dll 0100 GetCursorPos
1 000D5708 user32.dll 00FD GetCursor
1 000D570C user32.dll 00F6 GetClipboardData
1 000D5710 user32.dll 00F4 GetClientRect
1 000D5714 user32.dll 00F1 GetClassNameA
1 000D5718 user32.dll 00EB GetClassInfoA
1 000D571C user32.dll 00EA GetCaretPos
1 000D5720 user32.dll 00E8 GetCapture
1 000D5724 user32.dll 00E0 GetActiveWindow
1 000D5728 user32.dll 00DE FrameRect
1 000D572C user32.dll 00D8 FindWindowA
1 000D5730 user32.dll 00D7 FillRect
1 000D5734 user32.dll 00D4 EqualRect
1 000D5738 user32.dll 00D3 EnumWindows
1 000D573C user32.dll 00D0 EnumThreadWindows
1 000D5740 user32.dll 00C1 EnumClipboardFormats
1 000D5744 user32.dll 00BE EndPaint
1 000D5748 user32.dll 00BA EnableWindow
1 000D574C user32.dll 00B9 EnableScrollBar
1 000D5750 user32.dll 00B8 EnableMenuItem
1 000D5754 user32.dll 00B7 EmptyClipboard
1 000D5758 user32.dll 00B2 DrawTextA
1 000D575C user32.dll 00AE DrawMenuBar
1 000D5760 user32.dll 00AD DrawIconEx
1 000D5764 user32.dll 00AC DrawIcon
1 000D5768 user32.dll 00AB DrawFrameControl
1 000D576C user32.dll 00A9 DrawFocusRect
1 000D5770 user32.dll 00A8 DrawEdge
1 000D5774 user32.dll 0098 DispatchMessageA
1 000D5778 user32.dll 0091 DestroyWindow
1 000D577C user32.dll 0090 DestroyMenu
1 000D5780 user32.dll 008E DestroyCursor
1 000D5784 user32.dll 008E DestroyCursor
1 000D5788 user32.dll 008A DeleteMenu
1 000D578C user32.dll 0087 DefWindowProcA
1 000D5790 user32.dll 0085 DefMDIChildProcA
1 000D5794 user32.dll 0083 DefFrameProcA
1 000D5798 user32.dll 005B CreateWindowExA
1 000D579C user32.dll 005A CreatePopupMenu
1 000D57A0 user32.dll 0059 CreateMenu
1 000D57A4 user32.dll 0053 CreateIcon
1 000D57A8 user32.dll 003E CloseClipboard
1 000D57AC user32.dll 003C ClientToScreen
1 000D57B0 user32.dll 0035 CheckMenuItem
1 000D57B4 user32.dll 0017 CallWindowProcA
1 000D57B8 user32.dll 0016 CallNextHookEx
1 000D57BC user32.dll 000D BeginPaint
1 000D57C0 user32.dll 0026 CharNextA
1 000D57C4 user32.dll 0023 CharLowerBuffA
1 000D57C8 user32.dll 0022 CharLowerA
1 000D57CC user32.dll 0031 CharUpperBuffA
1 000D57D0 user32.dll 0003 AdjustWindowRectEx
1 000D57D4 user32.dll 0001 ActivateKeyboardLayout
FThunk: 000D57DC NbFunc: 00000001
1 000D57DC kernel32.dll 02CA Sleep
FThunk: 000D57E4 NbFunc: 0000000C
1 000D57E4 oleaut32.dll 0094 SafeArrayPtrOfIndex
1 000D57E8 oleaut32.dll 001A SafeArrayPutElement
1 000D57EC oleaut32.dll 0019 SafeArrayGetElement
1 000D57F0 oleaut32.dll 0013 SafeArrayGetUBound
1 000D57F4 oleaut32.dll 0014 SafeArrayGetLBound
1 000D57F8 oleaut32.dll 0028 SafeArrayRedim
1 000D57FC oleaut32.dll 000F SafeArrayCreate
1 000D5800 oleaut32.dll 0093 VariantChangeTypeEx
1 000D5804 oleaut32.dll 000B VariantCopyInd
1 000D5808 oleaut32.dll 000A VariantCopy
1 000D580C oleaut32.dll 0009 VariantClear
1 000D5810 oleaut32.dll 0008 VariantInit
FThunk: 000D5818 NbFunc: 00000004
1 000D5818 ole32.dll 00FA OleUninitialize
1 000D581C ole32.dll 00E3 OleInitialize
1 000D5820 ole32.dll 0065 CoUninitialize
1 000D5824 ole32.dll 003D CoInitialize
FThunk: 000D582C NbFunc: 00000002
1 000D582C oleaut32.dll 00C8 GetErrorInfo
1 000D5830 oleaut32.dll 0006 SysFreeString
FThunk: 000D5838 NbFunc: 00000018
1 000D5838 comctl32.dll 004F ImageList_SetIconSize
1 000D583C comctl32.dll 003B ImageList_GetIconSize
1 000D5840 comctl32.dll 0052 ImageList_Write
1 000D5844 comctl32.dll 0043 ImageList_Read
1 000D5848 comctl32.dll 0038 ImageList_GetDragImage
1 000D584C comctl32.dll 0031 ImageList_DragShowNolock
1 000D5850 comctl32.dll 004C ImageList_SetDragCursorImage
1 000D5854 comctl32.dll 0030 ImageList_DragMove
1 000D5858 comctl32.dll 002F ImageList_DragLeave
1 000D585C comctl32.dll 002E ImageList_DragEnter
1 000D5860 comctl32.dll 0036 ImageList_EndDrag
1 000D5864 comctl32.dll 002A ImageList_BeginDrag
1 000D5868 comctl32.dll 0044 ImageList_Remove
1 000D586C comctl32.dll 0033 ImageList_DrawEx
1 000D5870 comctl32.dll 0045 ImageList_Replace
1 000D5874 comctl32.dll 0032 ImageList_Draw
1 000D5878 comctl32.dll 0037 ImageList_GetBkColor
1 000D587C comctl32.dll 004B ImageList_SetBkColor
1 000D5880 comctl32.dll 0046 ImageList_ReplaceIcon
1 000D5884 comctl32.dll 0027 ImageList_Add
1 000D5888 comctl32.dll 003C ImageList_GetImageCount
1 000D588C comctl32.dll 002D ImageList_Destroy
1 000D5890 comctl32.dll 002C ImageList_Create
1 000D5894 comctl32.dll 0011 InitCommonControls
FThunk: 000D589C NbFunc: 00000004
1 000D589C winspool.drv 00F6 OpenPrinterA
1 000D58A0 winspool.drv 00DC EnumPrintersA
1 000D58A4 winspool.drv 00B1 DocumentPropertiesA
1 000D58A8 winspool.drv 0086 ClosePrinter
FThunk: 000D58B0 NbFunc: 00000001
1 000D58B0 shell32.dll 0171 ShellExecuteA
FThunk: 000D58B8 NbFunc: 00000003
1 000D58B8 shell32.dll 014B SHGetSpecialFolderLocation
1 000D58BC shell32.dll 0145 SHGetMalloc
1 000D58C0 shell32.dll 0138 SHGetDesktopFolder
FThunk: 000D58C8 NbFunc: 00000004
1 000D58C8 comdlg32.dll 0075 PrintDlgA
1 000D58CC comdlg32.dll 0065 ChooseColorA
1 000D58D0 comdlg32.dll 0070 GetSaveFileNameA
1 000D58D4 comdlg32.dll 006E GetOpenFileNameA
FThunk: 000D58DC NbFunc: 00000001
1 000D58DC kernel32.dll 0208 MulDiv
我在google里面搜索相关文章,
满世界竟然只有两篇一篇是fly的《用Ollydbg手脱Visual Protect V3.54加壳的DLL》
一篇是fly的《Visual Protect V3.54 脱壳 ―― VisualProtect.exe 主程序》
在这里感谢fly给予的支持,是我最终独立完成了VisualProtect 2.25的脱壳+修复输入表,在此一并感谢所有浏览本帖的人
原本向fly求助时,fly只给了树文件让我用来修复输入表
后来发现我先前不能修复输入表的原因好像是ImportREC的版本问题原先用1.6的
后改用1.4的可以全部修复输入表
下载地址http://ssbbs.hn8868.com/soft/22.exe
////////////////////////////////////////////
调试前设置Ollydbg忽略除了“内存访问异常”之外的所有其他异常。
用Ollydbg手动脱壳,老规矩:载入后弹出“是压缩代码――要继续进行分析吗?”,点“否”。
//////////////////////////////////////////////////////////////////
004E9F90 w> 55 push ebp //OD载入后停在这里
004E9F91 8BEC mov ebp,esp
004E9F93 51 push ecx
004E9F94 53 push ebx
004E9F95 56 push esi
004E9F96 57 push edi
004E9F97 C705 B00E4F00>mov dword ptr ds:[4F0EB0],0
004E9FA1 68 48F04E00 push wscut.004EF048 ; ASCII "kernel32.dll"
004E9FA6 FF15 00D04E00 call dword ptr ds:[<&KERNEL32.Load>; KERNEL32.LoadLibraryA
004E9FAC A3 0C0F4F00 mov dword ptr ds:[4F0F0C],eax
004E9FB1 68 58F04E00 push wscut.004EF058 ; ASCII "GetModuleHandleA"
004E9FB6 A1 0C0F4F00 mov eax,dword ptr ds:[4F0F0C]
004E9FBB 50 push eax
004E9FBC FF15 04D04E00 call dword ptr ds:[<&KERNEL32.GetP>; KERNEL32.GetProcAddress
004E9FC2 A3 900E4F00 mov dword ptr ds:[4F0E90],eax
004E9FC7 6A 00 push 0
004E9FC9 FF15 900E4F00 call dword ptr ds:[4F0E90]
004E9FCF A3 EC0E4F00 mov dword ptr ds:[4F0EEC],eax
004E9FD4 8B0D EC0E4F00 mov ecx,dword ptr ds:[4F0EEC]
004E9FDA 51 push ecx
004E9FDB E8 C0050000 call wscut.004EA5A0
004E9FE0 83C4 04 add esp,4
然后F9运行
出现异常shift+F9带过,直到出现注册对话框
点击试用后异常
00234788 31C9 xor ecx,ecx
0023478A 85D2 test edx,edx
0023478C 74 21 je short VP.002347AF
0023478E 52 push edx
0023478F 3A0A cmp cl,byte ptr ds:[edx] //这里异常
00234791 74 17 je short VP.002347AA
00234793 3A4A 01 cmp cl,byte ptr ds:[edx+1]
00234796 74 11 je short VP.002347A9
00234798 3A4A 02 cmp cl,byte ptr ds:[edx+2]
0023479B 74 0B je short VP.002347A8
0023479D 3A4A 03 cmp cl,byte ptr ds:[edx+3]
002347A0 74 05 je short VP.002347A7
002347A2 83C2 04 add edx,4
002347A5 ^ EB E8 jmp short VP.0023478F
看看堆栈
0012F39C 000FE061
0012F3A0 0029BEAD 返回到 VP.0029BEAD 来自 VP.00234788
0012F3A4 0012F3C8 指针到下一个 SEH 记录
0012F3A8 0029BEB7 SE 句柄 //第一次异常
0012F3AC 0012F3C0
0012F3B0 002DFAFE VP.002DFAFE
第二次异常
0012F398 000FE091
0012F39C 0029BEF5 返回到 VP.0029BEF5 来自 VP.00234788
0012F3A0 0012F3C8 指针到下一个 SEH 记录
0012F3A4 0029BEFF SE 句柄 //找到这里的地址下断
0012F3A8 0012F3BC
0029BEFD /EB 12 jmp short VP.0029BF11
0029BEFF ^|E9 DC7CF9FF jmp VP.00233BE0 //这里然后找到00233BE0下断点运行
0029BF04 |8B45 FC mov eax,dword ptr ss:[ebp-4]
0029BF07 |E8 8C86F9FF call VP.00234598
0029BF0C |E8 3780F9FF call VP.00233F48
断下之后
00233BE0 8B4424 04 mov eax,dword ptr ss:[esp+4]
00233BE4 F740 04 06000>test dword ptr ds:[eax+4],6
00233BEB 0F85 13010000 jnz VP.00233D04
00233BF1 8138 DEFAED0E cmp dword ptr ds:[eax],0EEDFADE
00233BF7 8B50 18 mov edx,dword ptr ds:[eax+18]
00233BFA 8B48 14 mov ecx,dword ptr ds:[eax+14]
00233BFD 74 6E je short VP.00233C6D
直接ctrl+F9运行到返回
002A8019 FFB5 98FEFFFF push dword ptr ss:[ebp-168]
002A801F 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-16C]
002A8025 E8 A63EFFFF call VP.0029BED0
002A802A FFB5 94FEFFFF push dword ptr ss:[ebp-16C] //返回到这里,继续ctrl+F9运行到返回
002A8030 E8 7B5CFFFF call VP.0029DCB0
002A8035 8D95 90FEFFFF lea edx,dword ptr ss:[ebp-170]
002A803B E8 A00EF9FF call VP.00238EE0
002A8040 FFB5 90FEFFFF push dword ptr ss:[ebp-170]
002A8046 8D45 E8 lea eax,dword ptr ss:[ebp-18]
002A8049 BA 03000000 mov edx,3
002A804E E8 BDC8F8FF call VP.00234910
002A8053 33C0 xor eax,eax
002A8055 55 push ebp
002A8056 68 B8802A00 push VP.002A80B8
002A805B 64:FF30 push dword ptr fs:[eax]
002A805E 64:8920 mov dword ptr fs:[eax],esp
002A8061 B8 7C822A00 mov eax,VP.002A827C ; ASCII "GenUniqueSerial.GetMacAddresses"
002A8066 E8 49E2FFFF call VP.002A62B4
002A806B 8D85 8CFEFFFF lea eax,dword ptr ss:[ebp-174]
//////////////////////////
002A74FD 8D45 EC lea eax,dword ptr ss:[ebp-14]
002A7500 E8 53090000 call VP.002A7E58
002A7505 8D45 EC lea eax,dword ptr ss:[ebp-14] //返回到这里,继续执行到返回
002A7508 8B55 F8 mov edx,dword ptr ss:[ebp-8]
002A750B E8 04000000 call VP.002A7514
002A7510 8BE5 mov esp,ebp
002A7512 5D pop ebp
002A7513 C3 retn
/////////////////////
下面是注册验证002D22E4 8B45 F8 mov eax,dword ptr ss:[ebp-8]
002D22E7 50 push eax
002D22E8 8D55 F4 lea edx,dword ptr ss:[ebp-C]
002D22EB B8 B4242D00 mov eax,VP.002D24B4
002D22F0 E8 6F45FDFF call VP.002A6864
002D22F5 8B45 F4 mov eax,dword ptr ss:[ebp-C]
002D22F8 5A pop edx
002D22F9 E8 2E98FCFF call VP.0029BB2C
002D22FE A1 F8BD2D00 mov eax,dword ptr ds:[2DBDF8]
002D2303 8B00 mov eax,dword ptr ds:[eax]
002D2305 3B05 F8BA2D00 cmp eax,dword ptr ds:[2DBAF8]
002D230B 75 27 jnz short VP.002D2334
002D230D 8D55 F0 lea edx,dword ptr ss:[ebp-10]
002D2310 B8 CC242D00 mov eax,VP.002D24CC
002D2315 E8 4A45FDFF call VP.002A6864
002D231A 8B45 F0 mov eax,dword ptr ss:[ebp-10]
002D231D 50 push eax
002D231E 8D55 EC lea edx,dword ptr ss:[ebp-14]
002D2321 B8 DC242D00 mov eax,VP.002D24DC
002D2326 E8 3945FDFF call VP.002A6864
002D232B 8B45 EC mov eax,dword ptr ss:[ebp-14]
002D232E 5A pop edx
002D232F E8 F897FCFF call VP.0029BB2C
002D2334 A1 B0BE2D00 mov eax,dword ptr ds:[2DBEB0]
002D2339 8B00 mov eax,dword ptr ds:[eax]
002D233B 3B05 F8BA2D00 cmp eax,dword ptr ds:[2DBAF8]
002D2341 75 27 jnz short VP.002D236A
002D2343 8D55 E8 lea edx,dword ptr ss:[ebp-18]
002D2346 B8 F0242D00 mov eax,VP.002D24F0
002D234B E8 1445FDFF call VP.002A6864
002D2350 8B45 E8 mov eax,dword ptr ss:[ebp-18]
002D2353 50 push eax
002D2354 B8 DC242D00 mov eax,VP.002D24DC
002D2359 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
002D235C E8 0345FDFF call VP.002A6864
002D2361 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
002D2364 5A pop edx
002D2365 E8 C297FCFF call VP.0029BB2C
002D236A A1 68BF2D00 mov eax,dword ptr ds:[2DBF68]
002D236F 8B00 mov eax,dword ptr ds:[eax]
002D2371 3B05 F8BA2D00 cmp eax,dword ptr ds:[2DBAF8]
002D2377 0F85 F0000000 jnz VP.002D246D
002D237D 8D55 E0 lea edx,dword ptr ss:[ebp-20]
002D2380 B8 00252D00 mov eax,VP.002D2500
002D2385 E8 DA44FDFF call VP.002A6864
002D238A 8B45 E0 mov eax,dword ptr ss:[ebp-20]
002D238D 50 push eax
002D238E B8 DC242D00 mov eax,VP.002D24DC
002D2393 8D55 DC lea edx,dword ptr ss:[ebp-24]
002D2396 E8 C944FDFF call VP.002A6864
002D239B 8B45 DC mov eax,dword ptr ss:[ebp-24]
002D239E 5A pop edx
002D239F E8 8897FCFF call VP.0029BB2C
002D23A4 8D55 D8 lea edx,dword ptr ss:[ebp-28]
002D23A7 B8 14252D00 mov eax,VP.002D2514
002D23AC E8 B344FDFF call VP.002A6864
002D23B1 8B45 D8 mov eax,dword ptr ss:[ebp-28]
002D23B4 8B15 2CC02D00 mov edx,dword ptr ds:[2DC02C] ; VP.002DF404
002D23BA 8B12 mov edx,dword ptr ds:[edx]
002D23BC E8 6B97FCFF call VP.0029BB2C
002D23C1 33C0 xor eax,eax
002D23C3 55 push ebp
002D23C4 68 63242D00 push VP.002D2463
002D23C9 64:FF30 push dword ptr fs:[eax]
002D23CC 64:8920 mov dword ptr fs:[eax],esp
002D23CF A1 1CBB2D00 mov eax,dword ptr ds:[2DBB1C]
002D23D4 8B00 mov eax,dword ptr ds:[eax]
002D23D6 8B10 mov edx,dword ptr ds:[eax]
002D23D8 FF52 14 call dword ptr ds:[edx+14]
002D23DB 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
002D23DE E8 FD6AF6FF call VP.00238EE0
002D23E3 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
002D23E6 50 push eax
002D23E7 8D55 D0 lea edx,dword ptr ss:[ebp-30]
002D23EA B8 2C252D00 mov eax,VP.002D252C
002D23EF E8 7044FDFF call VP.002A6864
002D23F4 8B45 D0 mov eax,dword ptr ss:[ebp-30]
002D23F7 5A pop edx
002D23F8 E8 2F97FCFF call VP.0029BB2C
002D23FD A1 1CBB2D00 mov eax,dword ptr ds:[2DBB1C]
002D2402 8B00 mov eax,dword ptr ds:[eax]
002D2404 8B10 mov edx,dword ptr ds:[eax]
002D2406 FF52 14 call dword ptr ds:[edx+14]
002D2409 8BF0 mov esi,eax
002D240B 4E dec esi
002D240C 85F6 test esi,esi
002D240E 7C 49 jl short VP.002D2459
002D2410 46 inc esi
002D2411 33DB xor ebx,ebx
002D2413 8D4D CC lea ecx,dword ptr ss:[ebp-34]
002D2416 A1 1CBB2D00 mov eax,dword ptr ds:[2DBB1C]
002D241B 8B00 mov eax,dword ptr ds:[eax]
002D241D 8BD3 mov edx,ebx
002D241F 8B38 mov edi,dword ptr ds:[eax]
002D2421 FF57 0C call dword ptr ds:[edi+C]
002D2424 8B45 CC mov eax,dword ptr ss:[ebp-34]
002D2427 50 push eax
002D2428 8D55 C8 lea edx,dword ptr ss:[ebp-38]
002D242B B8 40252D00 mov eax,VP.002D2540
002D2430 E8 2F44FDFF call VP.002A6864
002D2435 8D45 C8 lea eax,dword ptr ss:[ebp-38]
002D2438 50 push eax
002D2439 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
002D243C 8BC3 mov eax,ebx
002D243E E8 9D6AF6FF call VP.00238EE0
002D2443 8B55 C4 mov edx,dword ptr ss:[ebp-3C]
002D2446 58 pop eax
002D2447 E8 0C24F6FF call VP.00234858
002D244C 8B45 C8 mov eax,dword ptr ss:[ebp-38]
002D244F 5A pop edx
002D2450 E8 D796FCFF call VP.0029BB2C
002D2455 43 inc ebx
002D2456 4E dec esi
002D2457 ^ 75 BA jnz short VP.002D2413
002D2459 33C0 xor eax,eax
002D245B 5A pop edx
002D245C 59 pop ecx
002D245D 59 pop ecx
002D245E 64:8910 mov dword ptr fs:[eax],edx
002D2461 EB 0A jmp short VP.002D246D
002D2463 ^ E9 7817F6FF jmp VP.00233BE0
002D2468 E8 DB1AF6FF call VP.00233F48
002D246D 33C0 xor eax,eax
002D246F 5A pop edx
002D2470 59 pop ecx
002D2471 59 pop ecx
002D2472 64:8910 mov dword ptr fs:[eax],edx
002D2475 68 8F242D00 push VP.002D248F
002D247A 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
002D247D BA 0F000000 mov edx,0F
002D2482 E8 3521F6FF call VP.002345BC
002D2487 C3 retn
002D2488 ^ E9 071AF6FF jmp VP.00233E94
002D248D ^ EB EB jmp short VP.002D247A
002D248F 5F pop edi
002D2490 5E pop esi
002D2491 5B pop ebx
002D2492 8BE5 mov esp,ebp
002D2494 5D pop ebp
002D2495 C3 retn //以上代码研究不透,继续返回到下面。
/////////////////////////////////////////////////////////////////////////////////////////////////////
按照fly的文章下面就是最关键的地方
002D5D75 B8 8C6A2D00 mov eax,VP.002D6A8C ; ASCII "SetEnvironment"
002D5D7A E8 B9BEFFFF call VP.002D1C38
002D5D7F A1 70BE2D00 mov eax,dword ptr ds:[2DBE70]
002D5D84 8B40 41 mov eax,dword ptr ds:[eax+41] //这里已经看到了OEP:eax=000d0060
002D5D87 0345 10 add eax,dword ptr ss:[ebp+10]
002D5D8A 8945 FC mov dword ptr ss:[ebp-4],eax
002D5D8D B8 144C2D00 mov eax,VP.[NONAME] //这里的内容002D4C14=VP.[NONAME]eax=004D0060 (wscut.004D0060)
002D5D92 E8 A9100000 call VP.002D6E40
002D5D97 3B05 74012E00 cmp eax,dword ptr ds:[2E0174]
002D5D9D A1 48BB2D00 mov eax,dword ptr ds:[2DBB48]
002D5DA2 0F9400 sete byte ptr ds:[eax]
002D5DA5 A1 70BE2D00 mov eax,dword ptr ds:[2DBE70]
002D5DAA F640 59 10 test byte ptr ds:[eax+59],10
002D5DAE 74 0A je short VP.002D5DBA
002D5DB0 33D2 xor edx,edx
002D5DB2 8B45 10 mov eax,dword ptr ss:[ebp+10]
002D5DB5 E8 5AA8FEFF call VP.002C0614
002D5DBA A1 7CBD2D00 mov eax,dword ptr ds:[2DBD7C]
002D5DBF 8038 00 cmp byte ptr ds:[eax],0
002D5DC2 75 6A jnz short VP.002D5E2E
002D5DC4 A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5DC9 DD40 40 fld qword ptr ds:[eax+40]
002D5DCC D81D 9C6A2D00 fcomp dword ptr ds:[2D6A9C]
002D5DD2 DFE0 fstsw ax
002D5DD4 9E sahf
002D5DD5 74 57 je short VP.002D5E2E
002D5DD7 E8 FC4DF6FF call VP.0023ABD8
002D5DDC A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5DE1 DC58 40 fcomp qword ptr ds:[eax+40]
002D5DE4 DFE0 fstsw ax
002D5DE6 9E sahf
002D5DE7 72 45 jb short VP.002D5E2E
002D5DE9 A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5DEE DD40 40 fld qword ptr ds:[eax+40]
002D5DF1 83C4 F4 add esp,-0C
002D5DF4 DB3C24 fstp tbyte ptr ss:[esp]
002D5DF7 9B wait
002D5DF8 8D85 70FAFFFF lea eax,dword ptr ss:[ebp-590]
002D5DFE E8 9148F6FF call VP.0023A694
002D5E03 8B8D 70FAFFFF mov ecx,dword ptr ss:[ebp-590]
002D5E09 8D85 74FAFFFF lea eax,dword ptr ss:[ebp-58C]
002D5E0F BA A86A2D00 mov edx,VP.002D6AA8 ; ASCII "ExitProcess VPCRCMatch=False CrashMeDate<>0 "
002D5E14 E8 83EAF5FF call VP.0023489C
002D5E19 8B85 74FAFFFF mov eax,dword ptr ss:[ebp-58C]
002D5E1F E8 14BEFFFF call VP.002D1C38
002D5E24 BB 9BFFFFFF mov ebx,-65
002D5E29 E9 AF030000 jmp VP.002D61DD
002D5E2E A1 48BB2D00 mov eax,dword ptr ds:[2DBB48]
002D5E33 8038 00 cmp byte ptr ds:[eax],0
002D5E36 75 0A jnz short VP.002D5E42
002D5E38 A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5E3D E8 7E4CFDFF call VP.002AAAC0
002D5E42 B8 E06A2D00 mov eax,VP.002D6AE0 ; ASCII "Uncomress Sections"
002D5E47 E8 ECBDFFFF call VP.002D1C38
002D5E4C 8B45 08 mov eax,dword ptr ss:[ebp+8]
002D5E4F FF10 call dword ptr ds:[eax]
002D5E51 A1 84BB2D00 mov eax,dword ptr ds:[2DBB84]
002D5E56 8B00 mov eax,dword ptr ds:[eax]
002D5E58 8B15 70BE2D00 mov edx,dword ptr ds:[2DBE70] ; VP.002DF78C
002D5E5E 3B42 4D cmp eax,dword ptr ds:[edx+4D]
002D5E61 74 1B je short VP.002D5E7E
002D5E63 A1 70BE2D00 mov eax,dword ptr ds:[2DBE70]
002D5E68 8378 45 00 cmp dword ptr ds:[eax+45],0
002D5E6C 76 10 jbe short VP.002D5E7E
002D5E6E B8 FC6A2D00 mov eax,VP.002D6AFC ; ASCII "Rellocation"
002D5E73 E8 C0BDFFFF call VP.002D1C38
002D5E78 8B45 08 mov eax,dword ptr ss:[ebp+8]
002D5E7B FF50 04 call dword ptr ds:[eax+4]
002D5E7E A1 C0C02D00 mov eax,dword ptr ds:[2DC0C0]
002D5E83 8338 02 cmp dword ptr ds:[eax],2
002D5E86 75 0A jnz short VP.002D5E92
002D5E88 A1 D8BC2D00 mov eax,dword ptr ds:[2DBCD8]
002D5E8D 8338 04 cmp dword ptr ds:[eax],4
002D5E90 74 14 je short VP.002D5EA6
002D5E92 A1 C0C02D00 mov eax,dword ptr ds:[2DC0C0]
002D5E97 8338 01 cmp dword ptr ds:[eax],1
002D5E9A 75 1C jnz short VP.002D5EB8
002D5E9C A1 20BF2D00 mov eax,dword ptr ds:[2DBF20]
002D5EA1 8338 00 cmp dword ptr ds:[eax],0
002D5EA4 75 12 jnz short VP.002D5EB8
002D5EA6 B8 106B2D00 mov eax,VP.002D6B10 ; ASCII "VC ImportTable Win NT 4.0/Windows 9.x"
002D5EAB E8 88BDFFFF call VP.002D1C38
002D5EB0 8B45 08 mov eax,dword ptr ss:[ebp+8]
002D5EB3 FF50 08 call dword ptr ds:[eax+8]
002D5EB6 EB 16 jmp short VP.002D5ECE
002D5EB8 B8 406B2D00 mov eax,VP.002D6B40 ; ASCII "Delphi ImportTable"
002D5EBD E8 76BDFFFF call VP.002D1C38
002D5EC2 A1 84BB2D00 mov eax,dword ptr ds:[2DBB84]
002D5EC7 8B00 mov eax,dword ptr ds:[eax]
002D5EC9 E8 7AA6FEFF call VP.[NONAME] 按照fly的文章这里应该是输入表加密的地方了,为什么我进去之后没有看到
和《用Ollydbg手脱Visual Protect V3.54加壳的DLL》一文中的类似代码啊???到底输入表加密部分在哪里啊?请高手们指教啊
002D5ECE A1 48BB2D00 mov eax,dword ptr ds:[2DBB48]
002D5ED3 8038 00 cmp byte ptr ds:[eax],0
002D5ED6 74 5F je short VP.002D5F37
002D5ED8 B8 144C2D00 mov eax,VP.[NONAME]
002D5EDD E8 5E0F0000 call VP.002D6E40
002D5EE2 3B05 74012E00 cmp eax,dword ptr ds:[2E0174]
002D5EE8 74 4D je short VP.002D5F37
002D5EEA A1 48BB2D00 mov eax,dword ptr ds:[2DBB48]
002D5EEF C600 00 mov byte ptr ds:[eax],0
002D5EF2 A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5EF7 DD40 40 fld qword ptr ds:[eax+40]
002D5EFA 83C4 F4 add esp,-0C
002D5EFD DB3C24 fstp tbyte ptr ss:[esp]
002D5F00 9B wait
002D5F01 8D85 68FAFFFF lea eax,dword ptr ss:[ebp-598]
002D5F07 E8 8847F6FF call VP.0023A694
002D5F0C 8B8D 68FAFFFF mov ecx,dword ptr ss:[ebp-598]
002D5F12 8D85 6CFAFFFF lea eax,dword ptr ss:[ebp-594]
002D5F18 BA 5C6B2D00 mov edx,VP.002D6B5C ; ASCII "CodeCRCMatch False "
002D5F1D E8 7AE9F5FF call VP.0023489C
002D5F22 8B85 6CFAFFFF mov eax,dword ptr ss:[ebp-594]
002D5F28 E8 0BBDFFFF call VP.002D1C38
002D5F2D A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5F32 E8 894BFDFF call VP.002AAAC0
002D5F37 8B45 F8 mov eax,dword ptr ss:[ebp-8]
002D5F3A E8 1924FCFF call VP.00298358
002D5F3F 8B45 F8 mov eax,dword ptr ss:[ebp-8]
002D5F42 E8 B9D7F5FF call VP.00233700
002D5F47 807D 20 00 cmp byte ptr ss:[ebp+20],0
002D5F4B 0F85 B0000000 jnz VP.002D6001
002D5F51 A1 48BB2D00 mov eax,dword ptr ds:[2DBB48]
002D5F56 8038 00 cmp byte ptr ds:[eax],0
002D5F59 74 5F je short VP.002D5FBA
002D5F5B B8 144C2D00 mov eax,VP.[NONAME]
002D5F60 E8 DB0E0000 call VP.002D6E40
002D5F65 3B05 74012E00 cmp eax,dword ptr ds:[2E0174]
002D5F6B 74 4D je short VP.002D5FBA
002D5F6D A1 48BB2D00 mov eax,dword ptr ds:[2DBB48]
002D5F72 C600 00 mov byte ptr ds:[eax],0
002D5F75 A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5F7A DD40 40 fld qword ptr ds:[eax+40]
002D5F7D 83C4 F4 add esp,-0C
002D5F80 DB3C24 fstp tbyte ptr ss:[esp]
002D5F83 9B wait
002D5F84 8D85 60FAFFFF lea eax,dword ptr ss:[ebp-5A0]
002D5F8A E8 0547F6FF call VP.0023A694
002D5F8F 8B8D 60FAFFFF mov ecx,dword ptr ss:[ebp-5A0]
002D5F95 8D85 64FAFFFF lea eax,dword ptr ss:[ebp-59C]
002D5F9B BA 786B2D00 mov edx,VP.002D6B78 ; ASCII "CodeCRCMatch False"
002D5FA0 E8 F7E8F5FF call VP.0023489C
002D5FA5 8B85 64FAFFFF mov eax,dword ptr ss:[ebp-59C]
002D5FAB E8 88BCFFFF call VP.002D1C38
002D5FB0 A1 DCBB2D00 mov eax,dword ptr ds:[2DBBDC]
002D5FB5 E8 064BFDFF call VP.002AAAC0
002D5FBA 8B45 FC mov eax,dword ptr ss:[ebp-4]
002D5FBD 33D2 xor edx,edx
002D5FBF 52 push edx
002D5FC0 50 push eax
002D5FC1 8D95 58FAFFFF lea edx,dword ptr ss:[ebp-5A8]
002D5FC7 B8 08000000 mov eax,8
002D5FCC E8 AF2FF6FF call VP.00238F80
002D5FD1 8B8D 58FAFFFF mov ecx,dword ptr ss:[ebp-5A8]
002D5FD7 8D85 5CFAFFFF lea eax,dword ptr ss:[ebp-5A4]
002D5FDD BA 946B2D00 mov edx,VP.002D6B94 ; ASCII "Finalizing 0x"
002D5FE2 E8 B5E8F5FF call VP.0023489C
002D5FE7 8B85 5CFAFFFF mov eax,dword ptr ss:[ebp-5A4]
002D5FED E8 46BCFFFF call VP.002D1C38
002D5FF2 FF65 FC jmp dword ptr ss:[ebp-4] //这里跳向程序的真正入口电d0060
002D5FF5 6A 00 push 0
002D5FF7 E8 C00CF6FF call VP.00236CBC
002D5FFC E9 C6040000 jmp VP.002D64C7
002D6001 A1 70BE2D00 mov eax,dword ptr ds:[2DBE70]
004D0060 55 push ebp //程序真正入口
004D0061 8BEC mov ebp,esp
004D0063 83C4 EC add esp,-14
004D0066 53 push ebx
004D0067 33C0 xor eax,eax
004D0069 8945 EC mov dword ptr ss:[ebp-14],eax
004D006C B8 68FD4C00 mov eax,wscut.004CFD68
004D0071 E8 7E6CF3FF call wscut.00406CF4
004D0076 8B1D 88314D00 mov ebx,dword ptr ds:[4D3188] ; wscut.004D4C34
004D007C 33C0 xor eax,eax
004D007E 55 push ebp
004D007F 68 CE014D00 push wscut.004D01CE
004D0084 64:FF30 push dword ptr fs:[eax]
004D0087 64:8920 mov dword ptr fs:[eax],esp
004D008A 8B03 mov eax,dword ptr ds:[ebx]
004D008C E8 9780F9FF call wscut.00468128
004D0091 8B03 mov eax,dword ptr ds:[ebx]
004D0093 BA E4014D00 mov edx,wscut.004D01E4
004D0098 E8 977CF9FF call wscut.00467D34
004D009D 8B03 mov eax,dword ptr ds:[ebx]
004D009F 83C0 50 add eax,50
004D00A2 BA 00024D00 mov edx,wscut.004D0200 ; ASCII "wscut.chm"
004D00A7 E8 1848F3FF call wscut.004048C4
重新运行wscut.exe,运行ImportREC,选择这个进程。 把OEP改为d0060,点IT AutoSearch,
点“Get Import”,有许多函数无效,用“追踪层次3”全部修复。FixDump,正常运行!
下面是ImportREC导出的树结构,有很多无效函数,我到底哪力错了啊
; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag RVA ModuleName Ordinal Name
;
; Details for <Valid> parameter:
; ------------------------------
; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set
; it to zero if you edit it).
; - Ordinal is not considered but you should let '0000' as value.
; - ModuleName is not considered but you should let '?' as value.
;
; 1 = valid: yes -> All next parameters on the line will be considered.
; Function imported by ordinal must have no name (the 4th TAB must
; be there though).
;
; 2 = Equivalent to 0 but it is for the loader.
;
; 3 = Equivalent to 1 but it is for the loader.
;
; 4 = Equivalent to 0 with (R) tag.
;
; 5 = Equivalent to 1 with (R) tag.
;
; And finally, edit this file as your own risk! :-)
Target: D:\Program Files\2\wscut.exe
OEP: 000D0060 IATRVA: 000D51A0 IATSize: 00000744
FThunk: 000D51A4 NbFunc: 0000002B
1 000D51A4 kernel32.dll 005F DeleteCriticalSection
1 000D51A8 kernel32.dll 01E5 LeaveCriticalSection
1 000D51AC kernel32.dll 0074 EnterCriticalSection
1 000D51B0 kernel32.dll 01CC InitializeCriticalSection
1 000D51B4 kernel32.dll 02F8 VirtualFree
1 000D51B8 kernel32.dll 02F5 VirtualAlloc
1 000D51BC kernel32.dll 01F0 LocalFree
1 000D51C0 kernel32.dll 01EC LocalAlloc
1 000D51C4 kernel32.dll 0111 GetCurrentThreadId
1 000D51C8 kernel32.dll 01CF InterlockedDecrement
1 000D51CC kernel32.dll 01D2 InterlockedIncrement
1 000D51D0 kernel32.dll 02FD VirtualQuery
1 000D51D4 kernel32.dll 0308 WideCharToMultiByte
1 000D51D8 kernel32.dll 028F SetCurrentDirectoryA
1 000D51DC kernel32.dll 0209 MultiByteToWideChar
1 000D51E0 kernel32.dll 033B lstrlen
1 000D51E4 kernel32.dll 0338 lstrcpyn
1 000D51E8 kernel32.dll 01E7 LoadLibraryExA
1 000D51EC kernel32.dll 0186 GetThreadLocale
1 000D51F0 kernel32.dll 016B GetStartupInfoA
1 000D51F4 kernel32.dll 0158 GetProcAddress
1 000D51F8 kernel32.dll 013F GetModuleHandleA
1 000D51FC kernel32.dll 013D GetModuleFileNameA
1 000D5200 kernel32.dll 0135 GetLocaleInfoA
1 000D5204 kernel32.dll 0132 GetLastError
1 000D5208 kernel32.dll 010C GetCurrentDirectoryA
1 000D520C kernel32.dll 00DF GetCommandLineA
1 000D5210 kernel32.dll 00C8 FreeLibrary
1 000D5214 kernel32.dll 00A8 FindFirstFileA
1 000D5218 kernel32.dll 00A4 FindClose
1 000D521C kernel32.dll 0091 ExitProcess
1 000D5220 kernel32.dll 0315 WriteFile
1 000D5224 kernel32.dll 02E2 UnhandledExceptionFilter
1 000D5228 kernel32.dll 029C SetFilePointer
1 000D522C kernel32.dll 0293 SetEndOfFile
1 000D5230 kernel32.dll 025E RtlUnwind
1 000D5234 kernel32.dll 0244 ReadFile
1 000D5238 kernel32.dll 0237 RaiseException
1 000D523C kernel32.dll 016D GetStdHandle
1 000D5240 kernel32.dll 012A GetFileSize
1 000D5244 kernel32.dll 012D GetFileType
1 000D5248 kernel32.dll 0039 CreateFileA
1 000D524C kernel32.dll 001F CloseHandle
FThunk: 000D5254 NbFunc: 00000004
1 000D5254 user32.dll 011C GetKeyboardType
1 000D5258 user32.dll 01B0 LoadStringA
1 000D525C user32.dll 01C4 MessageBoxA
1 000D5260 user32.dll 0026 CharNextA
FThunk: 000D5268 NbFunc: 00000003
1 000D5268 advapi32.dll 01AF RegQueryValueExA
1 000D526C advapi32.dll 01A5 RegOpenKeyExA
1 000D5270 advapi32.dll 018C RegCloseKey
FThunk: 000D5278 NbFunc: 00000003
1 000D5278 oleaut32.dll 0006 SysFreeString
1 000D527C oleaut32.dll 0005 SysReAllocStringLen
1 000D5280 oleaut32.dll 0004 SysAllocStringLen
FThunk: 000D5288 NbFunc: 00000004
1 000D5288 kernel32.dll 02DA TlsSetValue
1 000D528C kernel32.dll 02D9 TlsGetValue
1 000D5290 kernel32.dll 01EC LocalAlloc
1 000D5294 kernel32.dll 013F GetModuleHandleA
FThunk: 000D529C NbFunc: 00000003
1 000D529C advapi32.dll 01AF RegQueryValueExA
1 000D52A0 advapi32.dll 01A5 RegOpenKeyExA
1 000D52A4 advapi32.dll 018C RegCloseKey
FThunk: 000D52AC NbFunc: 00000042
1 000D52AC kernel32.dll 0335 lstrcpy
1 000D52B0 kernel32.dll 031A WritePrivateProfileStringA
1 000D52B4 kernel32.dll 0315 WriteFile
1 000D52B8 kernel32.dll 0304 WaitForSingleObject
1 000D52BC kernel32.dll 02FD VirtualQuery
1 000D52C0 kernel32.dll 02F5 VirtualAlloc
1 000D52C4 kernel32.dll 02CA Sleep
1 000D52C8 kernel32.dll 02C9 SizeofResource
1 000D52CC kernel32.dll 02BA SetThreadLocale
1 000D52D0 kernel32.dll 029C SetFilePointer
1 000D52D4 kernel32.dll 0297 SetEvent
1 000D52D8 kernel32.dll 0296 SetErrorMode
1 000D52DC kernel32.dll 0293 SetEndOfFile
1 000D52E0 kernel32.dll 0259 ResetEvent
1 000D52E4 kernel32.dll 0244 ReadFile
1 000D52E8 kernel32.dll 0209 MultiByteToWideChar
1 000D52EC kernel32.dll 0208 MulDiv
1 000D52F0 kernel32.dll 01F9 LockResource
1 000D52F4 kernel32.dll 01EB LoadResource
1 000D52F8 kernel32.dll 01E6 LoadLibraryA
1 000D52FC kernel32.dll 01E5 LeaveCriticalSection
1 000D5300 kernel32.dll 01CC InitializeCriticalSection
1 000D5304 kernel32.dll 01B3 GlobalUnlock
1 000D5308 kernel32.dll 01B0 GlobalSize
1 000D530C kernel32.dll 01AF GlobalReAlloc
1 000D5310 kernel32.dll 01AD GlobalMemoryStatus
1 000D5314 kernel32.dll 01AB GlobalHandle
1 000D5318 kernel32.dll 01AC GlobalLock
1 000D531C kernel32.dll 01A8 GlobalFree
1 000D5320 kernel32.dll 01A4 GlobalFindAtomA
1 000D5324 kernel32.dll 01A3 GlobalDeleteAtom
1 000D5328 kernel32.dll 01A1 GlobalAlloc
1 000D532C kernel32.dll 019F GlobalAddAtomA
1 000D5330 kernel32.dll 0194 GetVersionExA
1 000D5334 kernel32.dll 0193 GetVersion
1 000D5338 kernel32.dll 018B GetTickCount
1 000D533C kernel32.dll 0186 GetThreadLocale
1 000D5340 kernel32.dll 0177 GetSystemInfo
1 000D5344 kernel32.dll 016F GetStringTypeExA
1 000D5348 kernel32.dll 016D GetStdHandle
1 000D534C kernel32.dll 0166 GetProfileStringA
1 000D5350 kernel32.dll 0158 GetProcAddress
1 000D5354 kernel32.dll 0154 GetPrivateProfileStringA
1 000D5358 kernel32.dll 013F GetModuleHandleA
1 000D535C kernel32.dll 013D GetModuleFileNameA
1 000D5360 kernel32.dll 0135 GetLocaleInfoA
1 000D5364 kernel32.dll 0134 GetLocalTime
1 000D5368 kernel32.dll 0132 GetLastError
1 000D536C kernel32.dll 0118 GetDiskFreeSpaceA
1 000D5370 kernel32.dll 0112 GetDateFormatA
1 000D5374 kernel32.dll 0111 GetCurrentThreadId
1 000D5378 kernel32.dll 010F GetCurrentProcessId
1 000D537C kernel32.dll 00D4 GetCPInfo
1 000D5380 kernel32.dll 00CE GetACP
1 000D5384 kernel32.dll 00CA FreeResource
1 000D5388 kernel32.dll 00C8 FreeLibrary
1 000D538C kernel32.dll 00C3 FormatMessageA
1 000D5390 kernel32.dll 00B7 FindResourceA
1 000D5394 kernel32.dll 0075 EnumCalendarInfoA
1 000D5398 kernel32.dll 0074 EnterCriticalSection
1 000D539C kernel32.dll 005F DeleteCriticalSection
1 000D53A0 kernel32.dll 0052 CreateThread
1 000D53A4 kernel32.dll 0039 CreateFileA
1 000D53A8 kernel32.dll 0035 CreateEventA
1 000D53AC kernel32.dll 0025 CompareStringA
1 000D53B0 kernel32.dll 001F CloseHandle
FThunk: 000D53B8 NbFunc: 00000003
1 000D53B8 version.dll 000B VerQueryValueA
1 000D53BC version.dll 0002 GetFileVersionInfoSizeA
1 000D53C0 version.dll 0001 GetFileVersionInfoA
FThunk: 000D53C8 NbFunc: 00000056
1 000D53C8 gdi32.dll 0213 UnrealizeObject
1 000D53CC gdi32.dll 020A StretchBlt
1 000D53D0 gdi32.dll 0209 StartPage
1 000D53D4 gdi32.dll 0206 StartDocA
1 000D53D8 gdi32.dll 0204 SetWindowOrgEx
1 000D53DC gdi32.dll 0203 SetWindowExtEx
1 000D53E0 gdi32.dll 0202 SetWinMetaFileBits
1 000D53E4 gdi32.dll 0200 SetViewportOrgEx
1 000D53E8 gdi32.dll 01FF SetViewportExtEx
1 000D53EC gdi32.dll 01FD SetTextColor
1 000D53F0 gdi32.dll 01F9 SetStretchBltMode
1 000D53F4 gdi32.dll 01F6 SetROP2
1 000D53F8 gdi32.dll 01F2 SetPixel
1 000D53FC gdi32.dll 01EC SetMapMode
1 000D5400 gdi32.dll 01E3 SetEnhMetaFileBits
1 000D5404 gdi32.dll 01DF SetDIBColorTable
1 000D5408 gdi32.dll 01DA SetBrushOrgEx
1 000D540C gdi32.dll 01D8 SetBkMode
1 000D5410 gdi32.dll 01D7 SetBkColor
1 000D5414 gdi32.dll 01D3 SetAbortProc
1 000D5418 gdi32.dll 01D2 SelectPalette
1 000D541C gdi32.dll 01D1 SelectObject
1 000D5420 gdi32.dll 01CA SaveDC
1 000D5424 gdi32.dll 01C4 RoundRect
1 000D5428 gdi32.dll 01C3 RestoreDC
1 000D542C gdi32.dll 01B9 Rectangle
1 000D5430 gdi32.dll 01B8 RectVisible
1 000D5434 gdi32.dll 01B6 RealizePalette
1 000D5438 gdi32.dll 01B1 Polyline
1 000D543C gdi32.dll 01AD PolyPolyline
1 000D5440 gdi32.dll 01A3 PlayEnhMetaFile
1 000D5444 gdi32.dll 01A0 PatBlt
1 000D5448 gdi32.dll 0194 MoveToEx
1 000D544C gdi32.dll 0191 MaskBlt
1 000D5450 gdi32.dll 0190 LineTo
1 000D5454 gdi32.dll 018A IntersectClipRect
1 000D5458 gdi32.dll 0186 GetWindowOrgEx
1 000D545C gdi32.dll 0184 GetWinMetaFileBits
1 000D5460 gdi32.dll 017F GetTextMetricsA
1 000D5464 gdi32.dll 0179 GetTextExtentPointA
1 000D5468 gdi32.dll 0177 GetTextExtentPoint32A
1 000D546C gdi32.dll 016C GetSystemPaletteEntries
1 000D5470 gdi32.dll 0168 GetStockObject
1 000D5474 gdi32.dll 0167 GetRgnBox
1 000D5478 gdi32.dll 015F GetPixel
1 000D547C gdi32.dll 015D GetPaletteEntries
1 000D5480 gdi32.dll 0158 GetObjectA
1 000D5484 gdi32.dll 0138 GetEnhMetaFilePaletteEntries
1 000D5488 gdi32.dll 0137 GetEnhMetaFileHeader
1 000D548C gdi32.dll 0134 GetEnhMetaFileBits
1 000D5490 gdi32.dll 012E GetDeviceCaps
1 000D5494 gdi32.dll 012D GetDIBits
1 000D5498 gdi32.dll 012C GetDIBColorTable
1 000D549C gdi32.dll 012A GetDCOrgEx
1 000D54A0 gdi32.dll 0128 GetCurrentPositionEx
1 000D54A4 gdi32.dll 0123 GetClipBox
1 000D54A8 gdi32.dll 0113 GetBrushOrgEx
1 000D54AC gdi32.dll 010E GetBitmapBits
1 000D54B0 gdi32.dll 00E0 GdiFlush
1 000D54B4 gdi32.dll 00A3 ExtTextOutA
1 000D54B8 gdi32.dll 009E ExtCreatePen
1 000D54BC gdi32.dll 009D ExcludeClipRect
1 000D54C0 gdi32.dll 005E EndPage
1 000D54C4 gdi32.dll 005C EndDoc
1 000D54C8 gdi32.dll 005A Ellipse
1 000D54CC gdi32.dll 0055 DeleteObject
1 000D54D0 gdi32.dll 0053 DeleteEnhMetaFile
1 000D54D4 gdi32.dll 0052 DeleteDC
1 000D54D8 gdi32.dll 004F CreateSolidBrush
1 000D54DC gdi32.dll 004A CreateRectRgn
1 000D54E0 gdi32.dll 0047 CreatePenIndirect
1 000D54E4 gdi32.dll 0044 CreatePalette
1 000D54E8 gdi32.dll 0040 CreateICA
1 000D54EC gdi32.dll 003E CreateHalftonePalette
1 000D54F0 gdi32.dll 0039 CreateFontIndirectA
1 000D54F4 gdi32.dll 0032 CreateDIBitmap
1 000D54F8 gdi32.dll 0031 CreateDIBSection
1 000D54FC gdi32.dll 002D CreateDCA
1 000D5500 gdi32.dll 002C CreateCompatibleDC
1 000D5504 gdi32.dll 002B CreateCompatibleBitmap
1 000D5508 gdi32.dll 0028 CreateBrushIndirect
1 000D550C gdi32.dll 0026 CreateBitmap
1 000D5510 gdi32.dll 0022 CopyEnhMetaFileA
1 000D5514 gdi32.dll 0020 CombineRgn
1 000D5518 gdi32.dll 0013 BitBlt
1 000D551C gdi32.dll 000C Arc
FThunk: 000D5524 NbFunc: 000000AD
1 000D5524 user32.dll 02B1 WindowFromPoint
1 000D5528 user32.dll 02AE WinHelpA
1 000D552C user32.dll 02AC WaitMessage
1 000D5530 user32.dll 02A1 ValidateRect
1 000D5534 user32.dll 0297 UpdateWindow
1 000D5538 user32.dll 0291 UnregisterClassA
1 000D553C user32.dll 028D UnionRect
1 000D5540 user32.dll 028C UnhookWindowsHookEx
1 000D5544 user32.dll 0288 TranslateMessage
1 000D5548 user32.dll 0287 TranslateMDISysAccel
1 000D554C user32.dll 0282 TrackPopupMenu
1 000D5550 user32.dll 0277 SystemParametersInfoA
1 000D5554 user32.dll 0270 ShowWindow
1 000D5558 user32.dll 026E ShowScrollBar
1 000D555C user32.dll 026D ShowOwnedPopups
1 000D5560 user32.dll 026C ShowCursor
1 000D5564 user32.dll 0268 SetWindowsHookExA
1 000D5568 user32.dll 0264 SetWindowTextA
1 000D556C user32.dll 0261 SetWindowPos
1 000D5570 user32.dll 0260 SetWindowPlacement
1 000D5574 user32.dll 025E SetWindowLongA
1 000D5578 user32.dll 0258 SetTimer
1 000D557C user32.dll 024E SetScrollRange
1 000D5580 user32.dll 024D SetScrollPos
1 000D5584 user32.dll 024C SetScrollInfo
1 000D5588 user32.dll 024A SetRect
1 000D558C user32.dll 0248 SetPropA
1 000D5590 user32.dll 0240 SetMenuItemInfoA
1 000D5594 user32.dll 023B SetMenu
1 000D5598 user32.dll 0237 SetKeyboardState
1 000D559C user32.dll 0235 SetForegroundWindow
1 000D55A0 user32.dll 0234 SetFocus
1 000D55A4 user32.dll 022B SetCursor
1 000D55A8 user32.dll 0228 SetClipboardData
1 000D55AC user32.dll 0225 SetClassLongA
1 000D55B0 user32.dll 0222 SetCapture
1 000D55B4 user32.dll 0221 SetActiveWindow
1 000D55B8 user32.dll 0219 SendMessageA
1 000D55BC user32.dll 0213 ScrollWindowEx
1 000D55C0 user32.dll 0212 ScrollWindow
1 000D55C4 user32.dll 020F ScreenToClient
1 000D55C8 user32.dll 020A RemovePropA
1 000D55CC user32.dll 0209 RemoveMenu
1 000D55D0 user32.dll 0208 ReleaseDC
1 000D55D4 user32.dll 0207 ReleaseCapture
1 000D55D8 user32.dll 01FB RegisterClipboardFormatA
1 000D55DC user32.dll 01FB RegisterClipboardFormatA
1 000D55E0 user32.dll 01F7 RegisterClassA
1 000D55E4 user32.dll 01F6 RedrawWindow
1 000D55E8 user32.dll 01EF PtInRect
1 000D55EC user32.dll 01E6 PostQuitMessage
1 000D55F0 user32.dll 01E4 PostMessageA
1 000D55F4 user32.dll 01E2 PeekMessageA
1 000D55F8 user32.dll 01D9 OpenClipboard
1 000D55FC user32.dll 01D8 OffsetRect
1 000D5600 user32.dll 01D4 OemToCharA
1 000D5604 user32.dll 01C4 MessageBoxA
1 000D5608 user32.dll 01C3 MessageBeep
1 000D560C user32.dll 01BF MapWindowPoints
1 000D5610 user32.dll 01BB MapVirtualKeyA
1 000D5614 user32.dll 01B0 LoadStringA
1 000D5618 user32.dll 01A7 LoadKeyboardLayoutA
1 000D561C user32.dll 01A3 LoadIconA
1 000D5620 user32.dll 019F LoadCursorA
1 000D5624 user32.dll 019D LoadBitmapA
1 000D5628 user32.dll 019A KillTimer
1 000D562C user32.dll 0198 IsZoomed
1 000D5630 user32.dll 0197 IsWindowVisible
1 000D5634 user32.dll 0195 IsWindowEnabled
1 000D5638 user32.dll 0194 IsWindow
1 000D563C user32.dll 0193 IsRectEmpty
1 000D5640 user32.dll 0191 IsIconic
1 000D5644 user32.dll 018C IsDialogMessage
1 000D5648 user32.dll 018B IsClipboardFormatAvailable
1 000D564C user32.dll 018A IsChild
1 000D5650 user32.dll 0183 IsCharAlphaNumericA
1 000D5654 user32.dll 0182 IsCharAlphaA
1 000D5658 user32.dll 017F InvalidateRect
1 000D565C user32.dll 017E IntersectRect
1 000D5660 user32.dll 017A InsertMenuItemA
1 000D5664 user32.dll 0179 InsertMenuA
1 000D5668 user32.dll 0176 InflateRect
1 000D566C user32.dll 0167 GetWindowThreadProcessId
1 000D5670 user32.dll 0163 GetWindowTextA
1 000D5674 user32.dll 0161 GetWindowRect
1 000D5678 user32.dll 0160 GetWindowPlacement
1 000D567C user32.dll 015B GetWindowLongA
1 000D5680 user32.dll 0159 GetWindowDC
1 000D5684 user32.dll 0150 GetTopWindow
1 000D5688 user32.dll 014A GetSystemMetrics
1 000D568C user32.dll 0149 GetSystemMenu
1 000D5690 user32.dll 0147 GetSysColor
1 000D5694 user32.dll 0146 GetSubMenu
1 000D5698 user32.dll 0144 GetScrollRange
1 000D569C user32.dll 0143 GetScrollPos
1 000D56A0 user32.dll 0142 GetScrollInfo
1 000D56A4 user32.dll 013E GetPropA
1 000D56A8 user32.dll 0139 GetParent
1 000D56AC user32.dll 0157 GetWindow
1 000D56B0 user32.dll 0131 GetMessageTime
1 000D56B4 user32.dll 012C GetMenuStringA
1 000D56B8 user32.dll 012B GetMenuState
1 000D56BC user32.dll 0128 GetMenuItemInfoA
1 000D56C0 user32.dll 0127 GetMenuItemID
1 000D56C4 user32.dll 0126 GetMenuItemCount
1 000D56C8 user32.dll 0120 GetMenu
1 000D56CC user32.dll 011D GetLastActivePopup
1 000D56D0 user32.dll 011B GetKeyboardState
1 000D56D4 user32.dll 0118 GetKeyboardLayoutList
1 000D56D8 user32.dll 0117 GetKeyboardLayout
1 000D56DC user32.dll 0116 GetKeyState
1 000D56E0 user32.dll 0114 GetKeyNameTextA
1 000D56E4 user32.dll 010F GetIconInfo
1 000D56E8 user32.dll 010C GetForegroundWindow
1 000D56EC user32.dll 010B GetFocus
1 000D56F0 user32.dll 010A GetDoubleClickTime
1 000D56F4 user32.dll 0106 GetDlgItem
1 000D56F8 user32.dll 0103 GetDesktopWindow
1 000D56FC user32.dll 0102 GetDCEx
1 000D5700 user32.dll 0101 GetDC
1 000D5704 user32.dll 0100 GetCursorPos
1 000D5708 user32.dll 00FD GetCursor
1 000D570C user32.dll 00F6 GetClipboardData
1 000D5710 user32.dll 00F4 GetClientRect
1 000D5714 user32.dll 00F1 GetClassNameA
1 000D5718 user32.dll 00EB GetClassInfoA
1 000D571C user32.dll 00EA GetCaretPos
1 000D5720 user32.dll 00E8 GetCapture
1 000D5724 user32.dll 00E0 GetActiveWindow
1 000D5728 user32.dll 00DE FrameRect
1 000D572C user32.dll 00D8 FindWindowA
1 000D5730 user32.dll 00D7 FillRect
1 000D5734 user32.dll 00D4 EqualRect
1 000D5738 user32.dll 00D3 EnumWindows
1 000D573C user32.dll 00D0 EnumThreadWindows
1 000D5740 user32.dll 00C1 EnumClipboardFormats
1 000D5744 user32.dll 00BE EndPaint
1 000D5748 user32.dll 00BA EnableWindow
1 000D574C user32.dll 00B9 EnableScrollBar
1 000D5750 user32.dll 00B8 EnableMenuItem
1 000D5754 user32.dll 00B7 EmptyClipboard
1 000D5758 user32.dll 00B2 DrawTextA
1 000D575C user32.dll 00AE DrawMenuBar
1 000D5760 user32.dll 00AD DrawIconEx
1 000D5764 user32.dll 00AC DrawIcon
1 000D5768 user32.dll 00AB DrawFrameControl
1 000D576C user32.dll 00A9 DrawFocusRect
1 000D5770 user32.dll 00A8 DrawEdge
1 000D5774 user32.dll 0098 DispatchMessageA
1 000D5778 user32.dll 0091 DestroyWindow
1 000D577C user32.dll 0090 DestroyMenu
1 000D5780 user32.dll 008E DestroyCursor
1 000D5784 user32.dll 008E DestroyCursor
1 000D5788 user32.dll 008A DeleteMenu
1 000D578C user32.dll 0087 DefWindowProcA
1 000D5790 user32.dll 0085 DefMDIChildProcA
1 000D5794 user32.dll 0083 DefFrameProcA
1 000D5798 user32.dll 005B CreateWindowExA
1 000D579C user32.dll 005A CreatePopupMenu
1 000D57A0 user32.dll 0059 CreateMenu
1 000D57A4 user32.dll 0053 CreateIcon
1 000D57A8 user32.dll 003E CloseClipboard
1 000D57AC user32.dll 003C ClientToScreen
1 000D57B0 user32.dll 0035 CheckMenuItem
1 000D57B4 user32.dll 0017 CallWindowProcA
1 000D57B8 user32.dll 0016 CallNextHookEx
1 000D57BC user32.dll 000D BeginPaint
1 000D57C0 user32.dll 0026 CharNextA
1 000D57C4 user32.dll 0023 CharLowerBuffA
1 000D57C8 user32.dll 0022 CharLowerA
1 000D57CC user32.dll 0031 CharUpperBuffA
1 000D57D0 user32.dll 0003 AdjustWindowRectEx
1 000D57D4 user32.dll 0001 ActivateKeyboardLayout
FThunk: 000D57DC NbFunc: 00000001
1 000D57DC kernel32.dll 02CA Sleep
FThunk: 000D57E4 NbFunc: 0000000C
1 000D57E4 oleaut32.dll 0094 SafeArrayPtrOfIndex
1 000D57E8 oleaut32.dll 001A SafeArrayPutElement
1 000D57EC oleaut32.dll 0019 SafeArrayGetElement
1 000D57F0 oleaut32.dll 0013 SafeArrayGetUBound
1 000D57F4 oleaut32.dll 0014 SafeArrayGetLBound
1 000D57F8 oleaut32.dll 0028 SafeArrayRedim
1 000D57FC oleaut32.dll 000F SafeArrayCreate
1 000D5800 oleaut32.dll 0093 VariantChangeTypeEx
1 000D5804 oleaut32.dll 000B VariantCopyInd
1 000D5808 oleaut32.dll 000A VariantCopy
1 000D580C oleaut32.dll 0009 VariantClear
1 000D5810 oleaut32.dll 0008 VariantInit
FThunk: 000D5818 NbFunc: 00000004
1 000D5818 ole32.dll 00FA OleUninitialize
1 000D581C ole32.dll 00E3 OleInitialize
1 000D5820 ole32.dll 0065 CoUninitialize
1 000D5824 ole32.dll 003D CoInitialize
FThunk: 000D582C NbFunc: 00000002
1 000D582C oleaut32.dll 00C8 GetErrorInfo
1 000D5830 oleaut32.dll 0006 SysFreeString
FThunk: 000D5838 NbFunc: 00000018
1 000D5838 comctl32.dll 004F ImageList_SetIconSize
1 000D583C comctl32.dll 003B ImageList_GetIconSize
1 000D5840 comctl32.dll 0052 ImageList_Write
1 000D5844 comctl32.dll 0043 ImageList_Read
1 000D5848 comctl32.dll 0038 ImageList_GetDragImage
1 000D584C comctl32.dll 0031 ImageList_DragShowNolock
1 000D5850 comctl32.dll 004C ImageList_SetDragCursorImage
1 000D5854 comctl32.dll 0030 ImageList_DragMove
1 000D5858 comctl32.dll 002F ImageList_DragLeave
1 000D585C comctl32.dll 002E ImageList_DragEnter
1 000D5860 comctl32.dll 0036 ImageList_EndDrag
1 000D5864 comctl32.dll 002A ImageList_BeginDrag
1 000D5868 comctl32.dll 0044 ImageList_Remove
1 000D586C comctl32.dll 0033 ImageList_DrawEx
1 000D5870 comctl32.dll 0045 ImageList_Replace
1 000D5874 comctl32.dll 0032 ImageList_Draw
1 000D5878 comctl32.dll 0037 ImageList_GetBkColor
1 000D587C comctl32.dll 004B ImageList_SetBkColor
1 000D5880 comctl32.dll 0046 ImageList_ReplaceIcon
1 000D5884 comctl32.dll 0027 ImageList_Add
1 000D5888 comctl32.dll 003C ImageList_GetImageCount
1 000D588C comctl32.dll 002D ImageList_Destroy
1 000D5890 comctl32.dll 002C ImageList_Create
1 000D5894 comctl32.dll 0011 InitCommonControls
FThunk: 000D589C NbFunc: 00000004
1 000D589C winspool.drv 00F6 OpenPrinterA
1 000D58A0 winspool.drv 00DC EnumPrintersA
1 000D58A4 winspool.drv 00B1 DocumentPropertiesA
1 000D58A8 winspool.drv 0086 ClosePrinter
FThunk: 000D58B0 NbFunc: 00000001
1 000D58B0 shell32.dll 0171 ShellExecuteA
FThunk: 000D58B8 NbFunc: 00000003
1 000D58B8 shell32.dll 014B SHGetSpecialFolderLocation
1 000D58BC shell32.dll 0145 SHGetMalloc
1 000D58C0 shell32.dll 0138 SHGetDesktopFolder
FThunk: 000D58C8 NbFunc: 00000004
1 000D58C8 comdlg32.dll 0075 PrintDlgA
1 000D58CC comdlg32.dll 0065 ChooseColorA
1 000D58D0 comdlg32.dll 0070 GetSaveFileNameA
1 000D58D4 comdlg32.dll 006E GetOpenFileNameA
FThunk: 000D58DC NbFunc: 00000001
1 000D58DC kernel32.dll 0208 MulDiv
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
