; Import jump thunks, shown as a debugger listing: address - opcode bytes - instruction ; resolved target.
; Each stub is the 6-byte encoding FF 25 <abs32>: an indirect jmp through a 32-bit pointer slot.
; The slots referenced here all sit in the 0x4010xx-0x4012xx range, and the debugger resolves every
; one of them to an export of msvbvm60 (the Visual Basic 6 runtime DLL).
; NOTE(review): these slot addresses are the values an import-table rebuild has to cover; confirm
; the full slot range against the dumped image.
;
; Runtime exception and floating-point exception handlers.
00401BC6 - ff2560114000 jmp dword ptr [0x401160] ; msvbvm60.__vbaExceptHandler
00401BCC - ff2590114000 jmp dword ptr [0x401190] ; msvbvm60.__vbaFPException
; _adj_* floating-point helpers (fdiv / fdivr / fprem / fpatan / fptan variants, going by the export names).
00401BD2 - ff259c104000 jmp dword ptr [0x40109c] ; msvbvm60._adj_fdiv_m16i
00401BD8 - ff257c104000 jmp dword ptr [0x40107c] ; msvbvm60._adj_fdiv_m32
00401BDE - ff25dc114000 jmp dword ptr [0x4011dc] ; msvbvm60._adj_fdiv_m32i
00401BE4 - ff2538104000 jmp dword ptr [0x401038] ; msvbvm60._adj_fdiv_m64
00401BEA - ff25f8114000 jmp dword ptr [0x4011f8] ; msvbvm60._adj_fdiv_r
00401BF0 - ff25a4104000 jmp dword ptr [0x4010a4] ; msvbvm60._adj_fdivr_m16i
00401BF6 - ff25f0114000 jmp dword ptr [0x4011f0] ; msvbvm60._adj_fdivr_m32
00401BFC - ff25e0114000 jmp dword ptr [0x4011e0] ; msvbvm60._adj_fdivr_m32i
00401C02 - ff2574114000 jmp dword ptr [0x401174] ; msvbvm60._adj_fdivr_m64
00401C08 - ff2520114000 jmp dword ptr [0x401120] ; msvbvm60._adj_fpatan
00401C0E - ff2570114000 jmp dword ptr [0x401170] ; msvbvm60._adj_fprem
00401C14 - ff2548104000 jmp dword ptr [0x401048] ; msvbvm60._adj_fprem1
00401C1A - ff2510104000 jmp dword ptr [0x401010] ; msvbvm60._adj_fptan
; _CI* math routines (atan, cos, exp, log, sin, sqrt, tan) followed by the _allmul helper.
00401C20 - ff2540124000 jmp dword ptr [0x401240] ; msvbvm60._CIatan
00401C26 - ff250c104000 jmp dword ptr [0x40100c] ; msvbvm60._CIcos
00401C2C - ff257c124000 jmp dword ptr [0x40127c] ; msvbvm60._CIexp
00401C32 - ff25bc114000 jmp dword ptr [0x4011bc] ; msvbvm60._CIlog
00401C38 - ff25c8104000 jmp dword ptr [0x4010c8] ; msvbvm60._CIsin
00401C3E - ff254c114000 jmp dword ptr [0x40114c] ; msvbvm60._CIsqrt
00401C44 - ff256c124000 jmp dword ptr [0x40126c] ; msvbvm60._CItan
00401C4A - ff2560124000 jmp dword ptr [0x401260] ; msvbvm60._allmul
; DllFunctionCall is the runtime helper behind VB `Declare` statements: APIs reached through it are
; resolved at run time and do not show up as ordinary imports of the EXE.
; NOTE(review): for triage, recover the DLL and function names passed to it; this thunk list alone
; understates which external APIs the program can call.
00401C50 - ff2510114000 jmp dword ptr [0x401110] ; msvbvm60.DllFunctionCall
; Import jump thunks for VB6 runtime helpers (debugger listing: address - bytes - instruction ; target).
; Every stub is FF 25 <abs32>, an indirect jmp through a pointer slot, and every slot is resolved by
; the debugger to an msvbvm60 export. The __vba* names are compiler-support helpers (string, variant,
; array, object and type-conversion routines); the rtc* names are runtime library functions.
00401C56 - ff25ec104000 jmp dword ptr [0x4010ec] ; msvbvm60.__vbaGenerateBoundsError
00401C5C - ff25c0114000 jmp dword ptr [0x4011c0] ; msvbvm60.__vbaErrorOverflow
00401C62 - ff2570104000 jmp dword ptr [0x401070] ; msvbvm60.__vbaSetSystemError
00401C68 - ff2534104000 jmp dword ptr [0x401034] ; msvbvm60.__vbaFreeVarList
00401C6E - ff250c124000 jmp dword ptr [0x40120c] ; msvbvm60.__vbaI4Var
00401C74 - ff25e8114000 jmp dword ptr [0x4011e8] ; msvbvm60.rtcImmediateIf
00401C7A - ff250c114000 jmp dword ptr [0x40110c] ; msvbvm60.__vbaI2I4
00401C80 - ff2578104000 jmp dword ptr [0x401078] ; msvbvm60.__vbaHresultCheckObj
00401C86 - ff2548114000 jmp dword ptr [0x401148] ; msvbvm60.__vbaUI1I2
00401C8C - ff255c114000 jmp dword ptr [0x40115c] ; msvbvm60.__vbaUI1I4
00401C92 - ff2530124000 jmp dword ptr [0x401230] ; msvbvm60.__vbaFpI4
00401C98 - ff251c114000 jmp dword ptr [0x40111c] ; msvbvm60.__vbaFpUI1
00401C9E - ff2554124000 jmp dword ptr [0x401254] ; msvbvm60.__vbaR8IntI4
00401CA4 - ff25b8114000 jmp dword ptr [0x4011b8] ; msvbvm60.VarPtr
00401CAA - ff2500114000 jmp dword ptr [0x401100] ; msvbvm60.__vbaAryConstruct2
00401CB0 - ff2584104000 jmp dword ptr [0x401084] ; msvbvm60.__vbaAryDestruct
00401CB6 - ff254c124000 jmp dword ptr [0x40124c] ; msvbvm60.__vbaCastObj
00401CBC - ff2584124000 jmp dword ptr [0x401284] ; msvbvm60.__vbaFreeObj
00401CC2 - ff25a0104000 jmp dword ptr [0x4010a0] ; msvbvm60.__vbaObjSetAddref
00401CC8 - ff2578124000 jmp dword ptr [0x401278] ; msvbvm60.__vbaAryUnlock
00401CCE - ff251c124000 jmp dword ptr [0x40121c] ; msvbvm60.__vbaAryLock
; File I/O helpers (close / get / seek / open, going by the export names): the program reads files
; through the VB runtime, so file paths are worth recovering during triage.
00401CD4 - ff25e0104000 jmp dword ptr [0x4010e0] ; msvbvm60.__vbaFileClose
00401CDA - ff25a4114000 jmp dword ptr [0x4011a4] ; msvbvm60.__vbaGetOwner3
00401CE0 - ff25b4114000 jmp dword ptr [0x4011b4] ; msvbvm60.__vbaFileSeek
00401CE6 - ff25c4114000 jmp dword ptr [0x4011c4] ; msvbvm60.__vbaFileOpen
00401CEC - ff2534114000 jmp dword ptr [0x401134] ; msvbvm60.__vbaRedim
00401CF2 - ff25d0104000 jmp dword ptr [0x4010d0] ; msvbvm60.__vbaErase
00401CF8 - ff2540114000 jmp dword ptr [0x401140] ; msvbvm60.__vbaNew
00401CFE - ff2598104000 jmp dword ptr [0x401098] ; msvbvm60.__vbaObjSet
00401D04 - ff2550114000 jmp dword ptr [0x401150] ; msvbvm60.__vbaObjIs
00401D0A - ff2558114000 jmp dword ptr [0x401158] ; msvbvm60.__vbaStrUI1
00401D10 - ff256c114000 jmp dword ptr [0x40116c] ; msvbvm60.rtcReplace
00401D16 - ff25f4104000 jmp dword ptr [0x4010f4] ; msvbvm60.__vbaStrCmp
00401D1C - ff2530104000 jmp dword ptr [0x401030] ; msvbvm60.__vbaEnd
00401D22 - ff2520104000 jmp dword ptr [0x401020] ; msvbvm60.__vbaFreeVar
00401D28 - ff2524124000 jmp dword ptr [0x401224] ; msvbvm60.__vbaVarDup
00401D2E - ff2568104000 jmp dword ptr [0x401068] ; msvbvm60.rtcVarFromFormatVar
00401D34 - ff25a8114000 jmp dword ptr [0x4011a8] ; msvbvm60.__vbaVarCat
00401D3A - ff25a0114000 jmp dword ptr [0x4011a0] ; msvbvm60.__vbaStrVarVal
00401D40 - ff25ec114000 jmp dword ptr [0x4011ec] ; msvbvm60.__vbaFreeStrList
00401D46 - ff2508104000 jmp dword ptr [0x401008] ; msvbvm60.__vbaStrI2
00401D4C - ff255c104000 jmp dword ptr [0x40105c] ; msvbvm60.__vbaStrCat
00401D52 - ff2580124000 jmp dword ptr [0x401280] ; msvbvm60.__vbaFreeStr
00401D58 - ff2548124000 jmp dword ptr [0x401248] ; msvbvm60.__vbaStrMove
00401D5E - ff253c104000 jmp dword ptr [0x40103c] ; msvbvm60.__vbaFreeObjList
00401D64 - ff25d8114000 jmp dword ptr [0x4011d8] ; msvbvm60.__vbaNew2
00401D6A - ff252c104000 jmp dword ptr [0x40102c] ; msvbvm60.__vbaLenBstr
00401D70 - ff2530114000 jmp dword ptr [0x401130] ; msvbvm60.__vbaStrR8
00401D76 - ff25d4114000 jmp dword ptr [0x4011d4] ; msvbvm60.__vbaR8Str
00401D7C - ff2584114000 jmp dword ptr [0x401184] ; msvbvm60.__vbaI2Str
00401D82 - ff2508114000 jmp dword ptr [0x401108] ; msvbvm60.rtcIsNumeric
00401D88 - ff25b8104000 jmp dword ptr [0x4010b8] ; msvbvm60.rtcTrimVar
00401D8E - ff2528104000 jmp dword ptr [0x401028] ; msvbvm60.__vbaStrVarMove
00401D94 - ff2550104000 jmp dword ptr [0x401050] ; msvbvm60.__vbaI2Abs
00401D9A - ff256c104000 jmp dword ptr [0x40106c] ; msvbvm60.__vbaRecDestruct
00401DA0 - ff25d0114000 jmp dword ptr [0x4011d0] ; msvbvm60.__vbaVar2Vec
00401DA6 - ff251c104000 jmp dword ptr [0x40101c] ; msvbvm60.__vbaAryMove
00401DAC - ff253c124000 jmp dword ptr [0x40123c] ; msvbvm60.__vbaRecDestructAnsi
00401DB2 - ff254c104000 jmp dword ptr [0x40104c] ; msvbvm60.__vbaRecAnsiToUni
00401DB8 - ff2538114000 jmp dword ptr [0x401138] ; msvbvm60.__vbaRecUniToAnsi
00401DBE - ff2598114000 jmp dword ptr [0x401198] ; msvbvm60.rtcStrConvVar2
00401DC4 - ff25e4114000 jmp dword ptr [0x4011e4] ; msvbvm60.__vbaStrCopy
00401DCA - ff2574124000 jmp dword ptr [0x401274] ; msvbvm60.rtcGetSecondOfMinute
00401DD0 - ff2564124000 jmp dword ptr [0x401264] ; msvbvm60.rtcGetMinuteOfHour
00401DD6 - ff255c124000 jmp dword ptr [0x40125c] ; msvbvm60.rtcGetHourOfDay
00401DDC - ff2558124000 jmp dword ptr [0x401258] ; msvbvm60.rtcGetDayOfMonth
00401DE2 - ff2568124000 jmp dword ptr [0x401268] ; msvbvm60.rtcGetMonthOfYear
00401DE8 - ff2564104000 jmp dword ptr [0x401064] ; msvbvm60.rtcGetYear
00401DEE - ff2504104000 jmp dword ptr [0x401004] ; msvbvm60.__vbaVarSub
00401DF4 - ff2518124000 jmp dword ptr [0x401218] ; msvbvm60.__vbaVarAdd
00401DFA - ff2504124000 jmp dword ptr [0x401204] ; msvbvm60.__vbaVarTstNe
00401E00 - ff2594104000 jmp dword ptr [0x401094] ; msvbvm60.rtcMsgBox
00401E06 - ff2580114000 jmp dword ptr [0x401180] ; msvbvm60.rtcRound
00401E0C - ff2524114000 jmp dword ptr [0x401124] ; msvbvm60.__vbaR4Var
00401E12 - ff2588104000 jmp dword ptr [0x401088] ; msvbvm60.rtcTypeName
00401E18 - ff25b0104000 jmp dword ptr [0x4010b0] ; msvbvm60.__vbaFpR4
00401E1E - ff25b0114000 jmp dword ptr [0x4011b0] ; msvbvm60.__vbaI2Var
00401E24 - ff2570124000 jmp dword ptr [0x401270] ; msvbvm60.__vbaFPInt
00401E2A - ff25c4104000 jmp dword ptr [0x4010c4] ; msvbvm60.__vbaFpR8
00401E30 - ff2528124000 jmp dword ptr [0x401228] ; msvbvm60.__vbaFpI2
00401E36 - ff2520124000 jmp dword ptr [0x401220] ; msvbvm60.__vbaStrToAnsi
00401E3C - ff257c114000 jmp dword ptr [0x40117c] ; msvbvm60.rtcStringVar
00401E42 - ff258c104000 jmp dword ptr [0x40108c] ; msvbvm60.__vbaExitProc
00401E48 - ff2538124000 jmp dword ptr [0x401238] ; msvbvm60.__vbaVarSetObjAddref
; Late-bound COM helpers plus rtcCreateObject2 (the runtime side of VB's CreateObject): objects are
; instantiated and their members invoked by name at run time.
; NOTE(review): the object and member name strings passed to these helpers show which COM
; automation objects the program drives; recover them during triage.
00401E4E - ff252c124000 jmp dword ptr [0x40122c] ; msvbvm60.__vbaVarLateMemCallLd
00401E54 - ff2504114000 jmp dword ptr [0x401104] ; msvbvm60.__vbaObjVar
00401E5A - ff2514124000 jmp dword ptr [0x401214] ; msvbvm60.__vbaLateMemCall
00401E60 - ff2518114000 jmp dword ptr [0x401118] ; msvbvm60.__vbaVarLateMemSt
00401E66 - ff258c114000 jmp dword ptr [0x40118c] ; msvbvm60.rtcCreateObject2
00401E6C - ff2508124000 jmp dword ptr [0x401208] ; msvbvm60.__vbaVarSetVar
00401E72 - ff25f4114000 jmp dword ptr [0x4011f4] ; msvbvm60.__vbaR8Var
00401E78 - ff2544104000 jmp dword ptr [0x401044] ; msvbvm60.__vbaR8Sgn
; Import jump thunks for VB6 runtime helpers (debugger listing: address - bytes - instruction ; target).
; Every stub is FF 25 <abs32>, an indirect jmp through a pointer slot that the debugger resolves to
; an msvbvm60 export.
;
; rtcShell is the runtime side of VB's Shell function, i.e. the program can start another process.
; NOTE(review): the command string passed at its call sites is a primary triage item.
00401E7E - ff2544114000 jmp dword ptr [0x401144] ; msvbvm60.rtcShell
00401E84 - ff25cc104000 jmp dword ptr [0x4010cc] ; msvbvm60.rtcInStrRev
00401E8A - ff25dc104000 jmp dword ptr [0x4010dc] ; msvbvm60.rtcSpaceVar
00401E90 - ff2590104000 jmp dword ptr [0x401090] ; msvbvm60.__vbaOnError
00401E96 - ff2594114000 jmp dword ptr [0x401194] ; msvbvm60.__vbaInStrVar
00401E9C - ff2568114000 jmp dword ptr [0x401168] ; msvbvm60.__vbaStrToUnicode
00401EA2 - ff2560104000 jmp dword ptr [0x401060] ; msvbvm60.__vbaLsetFixstr
00401EA8 - ff2588114000 jmp dword ptr [0x401188] ; msvbvm60.rtcVarBstrFromAnsi
00401EAE - ff25ac114000 jmp dword ptr [0x4011ac] ; msvbvm60.__vbaLsetFixstrFree
00401EB4 - ff25ac104000 jmp dword ptr [0x4010ac] ; msvbvm60.rtcDoEvents
00401EBA - ff252c114000 jmp dword ptr [0x40112c] ; msvbvm60.__vbaFixstrConstruct
00401EC0 - ff25e8104000 jmp dword ptr [0x4010e8] ; msvbvm60.rtcUpperCaseVar
00401EC6 - ff25fc104000 jmp dword ptr [0x4010fc] ; msvbvm60.__vbaVarTstEq
00401ECC - ff2578114000 jmp dword ptr [0x401178] ; msvbvm60.__vbaVarDiv
00401ED2 - ff25b4104000 jmp dword ptr [0x4010b4] ; msvbvm60.__vbaBoolVar
00401ED8 - ff2574104000 jmp dword ptr [0x401074] ; msvbvm60.rtcDateDiff
00401EDE - ff2558104000 jmp dword ptr [0x401058] ; msvbvm60.__vbaVarCmpNe
00401EE4 - ff2514114000 jmp dword ptr [0x401114] ; msvbvm60.__vbaVarOr
00401EEA - ff25c0104000 jmp dword ptr [0x4010c0] ; msvbvm60.__vbaBoolVarNull
00401EF0 - ff2528114000 jmp dword ptr [0x401128] ; msvbvm60.rtcFileSeek
00401EF6 - ff259c114000 jmp dword ptr [0x40119c] ; msvbvm60.__vbaUbound
00401EFC - ff2564114000 jmp dword ptr [0x401164] ; msvbvm60.rtcSplit
00401F02 - ff2580104000 jmp dword ptr [0x401080] ; msvbvm60.__vbaAryVar
00401F08 - ff2544124000 jmp dword ptr [0x401244] ; msvbvm60.__vbaAryCopy
00401F0E - ff25f0104000 jmp dword ptr [0x4010f0] ; msvbvm60.__vbaGet3
00401F14 - ff25cc114000 jmp dword ptr [0x4011cc] ; msvbvm60.__vbaInStr
00401F1A - ff2540104000 jmp dword ptr [0x401040] ; msvbvm60.rtcAnsiValueBstr
00401F20 - ff2518104000 jmp dword ptr [0x401018] ; msvbvm60.__vbaStrI4
00401F26 - ff2534124000 jmp dword ptr [0x401234] ; msvbvm60.rtcLeftCharVar
00401F2C - ff25d4104000 jmp dword ptr [0x4010d4] ; msvbvm60.rtcMidCharVar
00401F32 - ff25fc114000 jmp dword ptr [0x4011fc] ; msvbvm60.rtcFileLen
00401F38 - ff2510124000 jmp dword ptr [0x401210] ; msvbvm60.__vbaVarCmpEq
00401F3E - ff2514104000 jmp dword ptr [0x401014] ; msvbvm60.__vbaVarMove
00401F44 - ff2550124000 jmp dword ptr [0x401250] ; msvbvm60.rtcRightCharVar
00401F4A - ff25a8104000 jmp dword ptr [0x4010a8] ; msvbvm60.__vbaVarIndexLoad
00401F50 - ff2500104000 jmp dword ptr [0x401000] ; msvbvm60.__vbaVarTstGt
00401F56 - ff25bc104000 jmp dword ptr [0x4010bc] ; msvbvm60.__vbaRefVarAry
00401F5C - ff2554104000 jmp dword ptr [0x401054] ; msvbvm60.__vbaResume
00401F62 - ff25f8104000 jmp dword ptr [0x4010f8] ; msvbvm60.__vbaPutOwner3
00401F68 - ff25c8114000 jmp dword ptr [0x4011c8] ; msvbvm60.rtcFreeFile
00401F6E - ff2524104000 jmp dword ptr [0x401024] ; msvbvm60.rtcRgb
; EVENT_SINK_* trio: QueryInterface / AddRef / Release, the three IUnknown method names.
00401F74 - ff2554114000 jmp dword ptr [0x401154] ; msvbvm60.EVENT_SINK_QueryInterface
00401F7A - ff25e4104000 jmp dword ptr [0x4010e4] ; msvbvm60.EVENT_SINK_AddRef
00401F80 - ff253c114000 jmp dword ptr [0x40113c] ; msvbvm60.EVENT_SINK_Release
; ThunRTMain thunk: the last stub, sitting directly before the entry-point code at 0x401f8c.
; Control entering msvbvm60 through this stub is the normal start of a VB6 program.
00401F86 - ff2500124000 jmp dword ptr [0x401200] ; msvbvm60.ThunRTMain
根据ESP定律来到OEP
; Entry-point stub: push one dword, then call the ThunRTMain import thunk.
; The call is E8 with rel32 = 0xfffffff0 (-0x10); next instruction 0x401f96 - 0x10 = 0x401f86, the thunk.
; NOTE(review): 0x402104 is presumably the VB project header handed to ThunRTMain; confirm by
; checking for a "VB5!" signature at that address in the dump.
00401F8C 6804214000 push 0x402104
00401F91 e8f0ffffff call 0x401f86 ; lands on the msvbvm60.ThunRTMain thunk, which is the instruction shown on the next line
jmp dword ptr [0x401200] ; msvbvm60.ThunRTMain
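// 跟进这个 call 之后来到了系统领空(msvbvm60.dll),看起来在到达 OEP 之前,代码是解压到系统领空的;不过"push 一个指针后 call ThunRTMain"本身就是 VB6 程序的标准入口序列,所以进入 msvbvm60 也可能只是正常的运行库初始化,需要进一步确认。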
// 请教一下,系统领空的代码可以dump出来反编译分析吗?
壳虽然能脱,import表无法修复,dump后的大小也不对。
dump.exe修复oep后,用peid检查是vb写的应用。
OD可以运行不跑飞。