大家帮忙，关于ASPACK加壳DLL文件的脱壳与修复（附脱壳程序及原件）-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

大家帮忙，关于ASPACK加壳DLL文件的脱壳与修复（附脱壳程序及原件）

发表于: 2006-7-18 15:53 5702

大家帮忙，关于ASPACK加壳DLL文件的脱壳与修复（附脱壳程序及原件）

zhangld

2006-7-18 15:53

5702

请各位帮忙看一下这个ASPACK2.12加壳的DLL文件的脱壳过程是否正确
同时解答几个关于IAT修复的问题

几个问题如下：
1、找到程序的入口点后，看到的代码为：
00C57A74    55          db    55                         ;  CHAR 'U'//这里应该是程序入口，但我不知为何显示这些东西？
00C57A75    8B          db    8B
00C57A76    EC          db    EC
00C57A77    83          db    83
00C57A78    C4          db    C4
00C57A79    B4          db    B4
00C57A7A    B8          db    B8
00C57A7B    BC6EC500    dd    Hrms.00C56EBC
00C57A7F    E8          db    E8
这与我DUMP出来的代码好像不一样，为什么？怎么处理？
2、我在脱壳过程中找的重定位表的RVA,SIZE是否正确？
3、我在修复DUMPED.DLL的输入表时出现了很大的问题，所得指针好象都不正确，试了好多次都不行。为什么会出现这种情况？

附较为详细的过程：

一、寻找RVA和SIZE
1、od载入后在此停下
0174A001 >  60             pushad
0174A002 E8 03000000    call 0174A00A
0174A007  - E9 EB045D45    jmp    46D1A4F7
0174A00C 55             push ebp
0174A00D C3             retn
0174A00E E8 01000000    call 0174A014
0174A013 EB 5D          jmp    short 0174A072
0174A015 BB EDFFFFFF    mov    ebx, -13
************************************************
2.然后运用FLY大侠的办法寻找ASPack加壳DLL的重定位处理代码段的方法！
Ctrl+S在“整个段块”搜索命令序列：

代码:--------------------------------------------------------------------------------
mov ecx,dword ptr ds:[esi+4]
sub ecx,8
shr ecx,1
--------------------------------------------------------------------------------
找到下边的语句，并在其前边的0174A1DA处下断点
0174A1C8 8785 35050000 xchg [ebp+535], eax
0174A1CE 8B95 22040000 mov    edx, [ebp+422]
0174A1D4 8B85 2D050000 mov    eax, [ebp+52D]
**0174A1DA 2BD0          sub    edx, eax
0174A1DC 74 79          je    short 0174A257
0174A1DE 8BC2          mov    eax, edx
0174A1E0 C1E8 10       shr    eax, 10
0174A1E3 33DB          xor    ebx, ebx
0174A1E5 8BB5 39050000 mov    esi, [ebp+539]
0174A1EB 03B5 22040000 add    esi, [ebp+422]
0174A1F1 833E 00       cmp    dword ptr [esi], 0
0174A1F4 74 61          je    short 0174A257
**0174A1F6 8B4E 04       mov    ecx, [esi+4]
**0174A1F9 83E9 08       sub    ecx, 8
**0174A1FC D1E9          shr    ecx, 1
****************************************************
F8运行至
★0174A1E5 8BB5 39050000 mov    esi, [ebp+539]
★0174A1EB 03B5 22040000 add    esi, [ebp+422]
0174A1F1 833E 00       cmp    dword ptr [esi], 0
此处第一句时得出ESI=[EBP+539]=[01745A4C]=003FB000,★这个003FB000就是重定位表的RVA！
第二句add    esi, [ebp+422] 得出重定位表的VA，即003FB000+00870000=00C6B000
继续向下
0174A1F4 /74 61          je    short 0174A257
0174A1F6 |8B4E 04       mov    ecx, [esi+4]
0174A1F9 |83E9 08       sub    ecx, 8
0174A1FC |D1E9          shr    ecx, 1
0174A1FE |8B3E          mov    edi, [esi]
0174A200 |03BD 22040000 add    edi, [ebp+422]
0174A206 |83C6 08       add    esi, 8
0174A209 |66:8B1E       mov    bx, [esi]
0174A20C |C1EB 0C       shr    ebx, 0C
0174A20F |83FB 01       cmp    ebx, 1
0174A212 |74 0C          je    short 0174A220
0174A214 |83FB 02       cmp    ebx, 2
0174A217 |74 16          je    short 0174A22F
0174A219 |83FB 03       cmp    ebx, 3
0174A21C |74 20          je    short 0174A23E
0174A21E |EB 2C          jmp    short 0174A24C
0174A220 |66:8B1E       mov    bx, [esi]
0174A223 |81E3 FF0F0000 and    ebx, 0FFF
0174A229 |66:01041F    add    [edi+ebx], ax
0174A22D |EB 1D          jmp    short 0174A24C
0174A22F |66:8B1E       mov    bx, [esi]
0174A232 |81E3 FF0F0000 and    ebx, 0FFF
0174A238 |66:01141F    add    [edi+ebx], dx
0174A23C |EB 0E          jmp    short 0174A24C
0174A23E |66:8B1E       mov    bx, [esi]
0174A241 |81E3 FF0F0000 and    ebx, 0FFF
0174A247 |01141F       add    [edi+ebx], edx
0174A24A |EB 00          jmp    short 0174A24C
★0174A24C |66:830E FF    or    word ptr [esi], 0FFFF
//这里把许多重定位数据变为FFFF★NOP掉！也就是改为
//0174A24C 90             nop
//0174A24D 90             nop
//0174A24E 90             nop
//0174A24F 90             nop}
0174A250 83C6 02       add    esi, 2
0174A253  ^ E2 B4          loopd short 0174A209 //循环处理
0174A255  ^ EB 9A          jmp    short 0174A1F1
★0174A257 8B95 22040000 mov    edx, [ebp+422]
//这里下断，ESI=00CA7C94
0174A25D 8BB5 41050000 mov    esi, [ebp+541]

当我们中断在0174A257处时，重定位处理完毕。此时ESI=00CA7C94，就是重定位表的结束地址啦。
得到重定位表信息：
RVA=003FB000，大小＝00CA7C94－00C6B000＝3CC94

二、找OEP
Ctrl+B在当前位置下搜索Hex值：6175，即popad、jnz
找到此处下断
0174A3AF 61             popad //下断
0174A3B0 75 08          jnz    short 0174A3BA
0174A3B2 B8 01000000    mov    eax, 1
0174A3B7 C2 0C00       retn 0C
0174A3BA 68 00000000    push 0
0174A3BF C3             retn //返加程序入口

返回后的程序为：
00C57A74    55          db    55                         ;  CHAR 'U'//这里应该是程序入口，但我不知为何显示这些东西？
00C57A75    8B          db    8B
00C57A76    EC          db    EC
00C57A77    83          db    83
00C57A78    C4          db    C4
00C57A79    B4          db    B4
00C57A7A    B8          db    B8
00C57A7B    BC6EC500    dd    Hrms.00C56EBC
00C57A7F    E8          db    E8
00C57A80    E8          db    E8
用LordPE选中Ollydbg的loaddll.exe的进程，在下面的列表里选择EdrLib.dll，然后完整脱壳，得到dumped.dll。
至此，基本脱壳完毕。
问题：

不知为什么，我的程序入口语句是这样的呢？

三、输入表+PE修正
运用FLY大侠的方法是“随便从程序找一个API调用，在转存中跟随，上下看到许多函数地址，很明显的可以找到IAT开始和结束的地址：”

但是我在汇编窗口中找来找去都没有一个合适的API调用

我在汇编窗口中找到这样一段程序码？是不是输入表，如果是那么到哪里结束呢？

00878BEC $- FF25 0C63C600 jmp    [C6630C]                      ;  ADVAPI32.RegCloseKey
00878BF2    8BC0       mov    eax, eax
00878BF4 $- FF25 0863C600 jmp    [C66308]                      ;  ADVAPI32.RegCreateKeyExA
00878BFA    8BC0       mov    eax, eax
00878BFC $- FF25 0463C600 jmp    [C66304]                      ;  ADVAPI32.RegFlushKey
00878C02    8BC0       mov    eax, eax
00878C04 $- FF25 0063C600 jmp    [C66300]                      ;  ADVAPI32.RegOpenKeyExA
00878C0A    8BC0       mov    eax, eax
00878C0C $- FF25 0063C600 jmp    [C66300]                      ;  ADVAPI32.RegOpenKeyExA
00878C12    8BC0       mov    eax, eax
00878C14 $- FF25 FC62C600 jmp    [C662FC]                      ;  ADVAPI32.RegQueryValueExA
00878C1A    8BC0       mov    eax, eax
00878C1C $- FF25 FC62C600 jmp    [C662FC]                      ;  ADVAPI32.RegQueryValueExA
00878C22    8BC0       mov    eax, eax
00878C24 $- FF25 F862C600 jmp    [C662F8]                      ;  ADVAPI32.RegSetValueExA
00878C2A    8BC0       mov    eax, eax
00878C2C $- FF25 9064C600 jmp    [C66490]                      ;  kernel32.CloseHandle
00878C32    8BC0       mov    eax, eax
00878C34 $- FF25 8C64C600 jmp    [C6648C]                      ;  kernel32.CompareStringA
00878C3A    8BC0       mov    eax, eax
00878C3C $- FF25 8864C600 jmp    [C66488]                      ;  kernel32.CopyFileA
00878C42    8BC0       mov    eax, eax
00878C44 $- FF25 8464C600 jmp    [C66484]                      ;  kernel32.CreateDirectoryA
00878C4A    8BC0       mov    eax, eax
00878C4C $- FF25 8064C600 jmp    [C66480]                      ;  kernel32.CreateEventA
00878C52    8BC0       mov    eax, eax
00878C54 $- FF25 7C64C600 jmp    [C6647C]                      ;  kernel32.CreateFileA
00878C5A    8BC0       mov    eax, eax
00878C5C $- FF25 7864C600 jmp    [C66478]                      ;  kernel32.CreateMutexA
00878C62    8BC0       mov    eax, eax
00878C64 $- FF25 7464C600 jmp    [C66474]                      ;  kernel32.CreateThread
00878C6A    8BC0       mov    eax, eax
00878C6C $- FF25 7064C600 jmp    [C66470]                      ;  ntdll.RtlDeleteCriticalSection
00878C72    8BC0       mov    eax, eax
00878C74 $- FF25 6C64C600 jmp    [C6646C]                      ;  kernel32.DeleteFileA
00878C7A    8BC0       mov    eax, eax
00878C7C $- FF25 6864C600 jmp    [C66468]                      ;  kernel32.DosDateTimeToFileTime
00878C82    8BC0       mov    eax, eax
00878C84 $- FF25 6464C600 jmp    [C66464]                      ;  ntdll.RtlEnterCriticalSection
00878C8A    8BC0       mov    eax, eax
00878C8C $- FF25 6064C600 jmp    [C66460]                      ;  kernel32.EnumCalendarInfoA
00878C92    8BC0       mov    eax, eax
00878C94 $- FF25 5C64C600 jmp    [C6645C]                      ;  kernel32.FatalAppExitA
00878C9A    8BC0       mov    eax, eax
00878C9C $- FF25 5864C600 jmp    [C66458]                      ;  kernel32.FileTimeToDosDateTime
00878CA2    8BC0       mov    eax, eax
00878CA4 $- FF25 5464C600 jmp    [C66454]                      ;  kernel32.FileTimeToLocalFileTime
00878CAA    8BC0       mov    eax, eax
00878CAC $- FF25 5064C600 jmp    [C66450]                      ;  kernel32.FindClose
00878CB2    8BC0       mov    eax, eax
00878CB4 $- FF25 4C64C600 jmp    [C6644C]                      ;  kernel32.FindFirstFileA
00878CBA    8BC0       mov    eax, eax
00878CBC $- FF25 4C64C600 jmp    [C6644C]                      ;  kernel32.FindFirstFileA
00878CC2    8BC0       mov    eax, eax
00878CC4 $- FF25 4864C600 jmp    [C66448]                      ;  kernel32.FindNextFileA
00878CCA    8BC0       mov    eax, eax
00878CCC $- FF25 4464C600 jmp    [C66444]                      ;  kernel32.FindResourceA
00878CD2    8BC0       mov    eax, eax
00878CD4 $- FF25 4064C600 jmp    [C66440]                      ;  kernel32.FormatMessageA
00878CDA    8BC0       mov    eax, eax
00878CDC $- FF25 3C64C600 jmp    [C6643C]                      ;  kernel32.FreeLibrary
00878CE2    8BC0       mov    eax, eax
00878CE4 $- FF25 3864C600 jmp    [C66438]                      ;  kernel32.InterlockedDecrement
00878CEA    8BC0       mov    eax, eax
00878CEC $- FF25 3464C600 jmp    [C66434]                      ;  kernel32.InterlockedIncrement
00878CF2    8BC0       mov    eax, eax
00878CF4 $- FF25 3064C600 jmp    [C66430]                      ;  kernel32.FreeResource
00878CFA    8BC0       mov    eax, eax
00878CFC $- FF25 2C64C600 jmp    [C6642C]                      ;  kernel32.GetCPInfo
00878D02    8BC0       mov    eax, eax
00878D04 $- FF25 2864C600 jmp    [C66428]                      ;  kernel32.GetCurrentDirectoryA
00878D0A    8BC0       mov    eax, eax
00878D0C $- FF25 2864C600 jmp    [C66428]                      ;  kernel32.GetCurrentDirectoryA
00878D12    8BC0       mov    eax, eax
00878D14 $- FF25 2464C600 jmp    [C66424]                      ;  kernel32.GetCurrentProcessId
00878D1A    8BC0       mov    eax, eax
00878D1C $- FF25 2064C600 jmp    [C66420]                      ;  kernel32.GetCurrentThreadId
00878D22    8BC0       mov    eax, eax
00878D24 $- FF25 1C64C600 jmp    [C6641C]                      ;  kernel32.GetDateFormatA
00878D2A    8BC0       mov    eax, eax
00878D2C $- FF25 1864C600 jmp    [C66418]                      ;  kernel32.GetDiskFreeSpaceA
00878D32    8BC0       mov    eax, eax
00878D34 $- FF25 1464C600 jmp    [C66414]                      ;  kernel32.GetExitCodeThread
00878D3A    8BC0       mov    eax, eax
00878D3C $- FF25 1064C600 jmp    [C66410]                      ;  kernel32.GetFileAttributesA
00878D42    8BC0       mov    eax, eax
00878D44 $- FF25 0C64C600 jmp    [C6640C]                      ;  kernel32.GetFileTime
00878D4A    8BC0       mov    eax, eax
00878D4C $- FF25 0864C600 jmp    [C66408]                      ;  kernel32.GetFullPathNameA
00878D52    8BC0       mov    eax, eax
00878D54 $- FF25 0464C600 jmp    [C66404]                      ;  ntdll.RtlGetLastWin32Error
00878D5A    8BC0       mov    eax, eax
00878D5C $- FF25 0064C600 jmp    [C66400]                      ;  kernel32.GetLocalTime
00878D62    8BC0       mov    eax, eax
00878D64 $- FF25 FC63C600 jmp    [C663FC]                      ;  kernel32.GetLocaleInfoA
00878D6A    8BC0       mov    eax, eax
00878D6C $- FF25 F863C600 jmp    [C663F8]                      ;  kernel32.GetModuleFileNameA
00878D72    8BC0       mov    eax, eax
00878D74 $- FF25 F463C600 jmp    [C663F4]                      ;  kernel32.GetModuleHandleA
00878D7A    8BC0       mov    eax, eax
00878D7C $- FF25 F463C600 jmp    [C663F4]                      ;  kernel32.GetModuleHandleA
00878D82    8BC0       mov    eax, eax
00878D84 $- FF25 F063C600 jmp    [C663F0]                      ;  kernel32.GetPrivateProfileStringA
00878D8A    8BC0       mov    eax, eax
00878D8C $- FF25 EC63C600 jmp    [C663EC]                      ;  kernel32.GetProcAddress
00878D92    8BC0       mov    eax, eax
00878D94 $- FF25 E863C600 jmp    [C663E8]                      ;  kernel32.GetProfileStringA
00878D9A    8BC0       mov    eax, eax
00878D9C $- FF25 E463C600 jmp    [C663E4]                      ;  kernel32.GetSystemDefaultLCID
00878DA2    8BC0       mov    eax, eax
00878DA4 $- FF25 E063C600 jmp    [C663E0]                      ;  kernel32.GetSystemInfo
00878DAA    8BC0       mov    eax, eax
00878DAC $- FF25 DC63C600 jmp    [C663DC]                      ;  kernel32.GetTempFileNameA
00878DB2    8BC0       mov    eax, eax
00878DB4 $- FF25 D863C600 jmp    [C663D8]                      ;  kernel32.GetTempPathA
00878DBA    8BC0       mov    eax, eax
00878DBC $- FF25 D463C600 jmp    [C663D4]                      ;  kernel32.GetThreadLocale
00878DC2    8BC0       mov    eax, eax
00878DC4 $- FF25 D063C600 jmp    [C663D0]                      ;  kernel32.GetTickCount
00878DCA    8BC0       mov    eax, eax
00878DCC $- FF25 CC63C600 jmp    [C663CC]                      ;  kernel32.GetVersion
00878DD2    8BC0       mov    eax, eax
00878DD4 $- FF25 C863C600 jmp    [C663C8]                      ;  kernel32.GetVersionExA
00878DDA    8BC0       mov    eax, eax
00878DDC $- FF25 C463C600 jmp    [C663C4]                      ;  kernel32.GlobalAddAtomA
00878DE2    8BC0       mov    eax, eax
00878DE4 $- FF25 C063C600 jmp    [C663C0]                      ;  kernel32.GlobalAlloc
00878DEA    8BC0       mov    eax, eax
00878DEC $- FF25 BC63C600 jmp    [C663BC]                      ;  kernel32.GlobalDeleteAtom
00878DF2    8BC0       mov    eax, eax
00878DF4 $- FF25 B863C600 jmp    [C663B8]                      ;  kernel32.GlobalFree
00878DFA    8BC0       mov    eax, eax
00878DFC $- FF25 B463C600 jmp    [C663B4]                      ;  kernel32.GlobalLock
00878E02    8BC0       mov    eax, eax
00878E04 $- FF25 B063C600 jmp    [C663B0]                      ;  kernel32.GlobalHandle
00878E0A    8BC0       mov    eax, eax
00878E0C $- FF25 AC63C600 jmp    [C663AC]                      ;  kernel32.GlobalReAlloc
00878E12    8BC0       mov    eax, eax
00878E14 $- FF25 A863C600 jmp    [C663A8]                      ;  kernel32.GlobalSize
00878E1A    8BC0       mov    eax, eax
00878E1C $- FF25 A463C600 jmp    [C663A4]                      ;  kernel32.GlobalUnlock
00878E22    8BC0       mov    eax, eax
00878E24 $- FF25 A063C600 jmp    [C663A0]                      ;  kernel32.InitializeCriticalSection
00878E2A    8BC0       mov    eax, eax
00878E2C $- FF25 9C63C600 jmp    [C6639C]                      ;  kernel32.IsDBCSLeadByte
00878E32    8BC0       mov    eax, eax
00878E34 $- FF25 9863C600 jmp    [C66398]                      ;  ntdll.RtlLeaveCriticalSection
00878E3A    8BC0       mov    eax, eax
00878E3C $- FF25 9463C600 jmp    [C66394]                      ;  kernel32.LoadLibraryA
00878E42    8BC0       mov    eax, eax
00878E44 $- FF25 9463C600 jmp    [C66394]                      ;  kernel32.LoadLibraryA
00878E4A    8BC0       mov    eax, eax
00878E4C $- FF25 9063C600 jmp    [C66390]                      ;  kernel32.LoadResource
00878E52    8BC0       mov    eax, eax
00878E54 $- FF25 8C63C600 jmp    [C6638C]                      ;  kernel32.LocalFileTimeToFileTime
00878E5A    8BC0       mov    eax, eax
00878E5C $- FF25 8863C600 jmp    [C66388]                      ;  kernel32.SetHandleCount
00878E62    8BC0       mov    eax, eax
00878E64 $- FF25 8463C600 jmp    [C66384]                      ;  kernel32.MoveFileA
00878E6A    8BC0       mov    eax, eax
00878E6C $- FF25 8063C600 jmp    [C66380]                      ;  kernel32.MulDiv
00878E72    8BC0       mov    eax, eax
00878E74 $- FF25 7C63C600 jmp    [C6637C]                      ;  kernel32.MultiByteToWideChar
00878E7A    8BC0       mov    eax, eax
00878E7C $- FF25 7863C600 jmp    [C66378]                      ;  kernel32.OpenFileMappingA
00878E82    8BC0       mov    eax, eax
00878E84 $- FF25 7463C600 jmp    [C66374]                      ;  kernel32.ReadFile
00878E8A    8BC0       mov    eax, eax
00878E8C $- FF25 7063C600 jmp    [C66370]                      ;  kernel32.ReleaseMutex
00878E92    8BC0       mov    eax, eax
00878E94 $- FF25 6C63C600 jmp    [C6636C]                      ;  kernel32.RemoveDirectoryA
00878E9A    8BC0       mov    eax, eax
00878E9C $- FF25 6863C600 jmp    [C66368]                      ;  kernel32.ResumeThread
00878EA2    8BC0       mov    eax, eax
00878EA4 $- FF25 6463C600 jmp    [C66364]                      ;  kernel32.SearchPathA
00878EAA    8BC0       mov    eax, eax
00878EAC $- FF25 6063C600 jmp    [C66360]                      ;  kernel32.SetCurrentDirectoryA
00878EB2    8BC0       mov    eax, eax
00878EB4 $- FF25 5C63C600 jmp    [C6635C]                      ;  kernel32.SetEndOfFile
00878EBA    8BC0       mov    eax, eax
00878EBC $- FF25 5863C600 jmp    [C66358]                      ;  kernel32.SetErrorMode
00878EC2    8BC0       mov    eax, eax
00878EC4 $- FF25 5463C600 jmp    [C66354]                      ;  kernel32.SetEvent
00878ECA    8BC0       mov    eax, eax
00878ECC $- FF25 5063C600 jmp    [C66350]                      ;  kernel32.SetFileAttributesA
00878ED2    8BC0       mov    eax, eax
00878ED4 $- FF25 4C63C600 jmp    [C6634C]                      ;  kernel32.SetFilePointer
00878EDA    8BC0       mov    eax, eax
00878EDC $- FF25 4863C600 jmp    [C66348]                      ;  kernel32.SetFileTime
00878EE2    8BC0       mov    eax, eax
00878EE4 $- FF25 4463C600 jmp    [C66344]                      ;  ntdll.RtlSetLastWin32Error
00878EEA    8BC0       mov    eax, eax
00878EEC $- FF25 4063C600 jmp    [C66340]                      ;  kernel32.SetThreadLocale
00878EF2    8BC0       mov    eax, eax
00878EF4 $- FF25 3C63C600 jmp    [C6633C]                      ;  kernel32.SetThreadPriority
00878EFA    8BC0       mov    eax, eax
00878EFC $- FF25 3863C600 jmp    [C66338]                      ;  kernel32.SizeofResource
00878F02    8BC0       mov    eax, eax
00878F04 $- FF25 3463C600 jmp    [C66334]                      ;  kernel32.Sleep
00878F0A    8BC0       mov    eax, eax
00878F0C $- FF25 3063C600 jmp    [C66330]                      ;  kernel32.VirtualAlloc
00878F12    8BC0       mov    eax, eax
00878F14 $- FF25 2C63C600 jmp    [C6632C]                      ;  kernel32.VirtualQuery
00878F1A    8BC0       mov    eax, eax
00878F1C $- FF25 2863C600 jmp    [C66328]                      ;  kernel32.WaitForSingleObject
00878F22    8BC0       mov    eax, eax
00878F24 $- FF25 2463C600 jmp    [C66324]                      ;  kernel32.WideCharToMultiByte
00878F2A    8BC0       mov    eax, eax
00878F2C $- FF25 2063C600 jmp    [C66320]                      ;  kernel32.WriteFile
00878F32    8BC0       mov    eax, eax
00878F34 $- FF25 1C63C600 jmp    [C6631C]                      ;  kernel32.WritePrivateProfileStringA
00878F3A    8BC0       mov    eax, eax
00878F3C $- FF25 1863C600 jmp    [C66318]                      ;  kernel32.lstrcmpA
00878F42    8BC0       mov    eax, eax
00878F44 $- FF25 1463C600 jmp    [C66314]                      ;  kernel32.lstrcpyA
00878F4A    8BC0       mov    eax, eax
00878F4C $- FF25 A464C600 jmp    [C664A4]                      ;  mpr.WNetCloseEnum
00878F52    8BC0       mov    eax, eax
00878F54 $- FF25 A064C600 jmp    [C664A0]                      ;  mpr.WNetEnumResourceA
00878F5A    8BC0       mov    eax, eax
00878F5C $- FF25 9C64C600 jmp    [C6649C]                      ;  mpr.WNetGetUniversalNameA
00878F62    8BC0       mov    eax, eax
00878F64 $- FF25 9864C600 jmp    [C66498]                      ;  mpr.WNetOpenEnumA
00878F6A    8BC0       mov    eax, eax
00878F6C $- FF25 B464C600 jmp    [C664B4]                      ;  version.GetFileVersionInfoA
00878F72    8BC0       mov    eax, eax
00878F74 $- FF25 B064C600 jmp    [C664B0]                      ;  version.GetFileVersionInfoSizeA
00878F7A    8BC0       mov    eax, eax
00878F7C $- FF25 AC64C600 jmp    [C664AC]                      ;  version.VerQueryValueA
00878F82    8BC0       mov    eax, eax
00878F84 $- FF25 B866C600 jmp    [C666B8]                      ;  GDI32.AbortDoc
00878F8A    8BC0       mov    eax, eax
00878F8C $- FF25 B466C600 jmp    [C666B4]                      ;  GDI32.Arc
00878F92    8BC0       mov    eax, eax
00878F94 $- FF25 B066C600 jmp    [C666B0]                      ;  GDI32.BitBlt
00878F9A    8BC0       mov    eax, eax
00878F9C $- FF25 AC66C600 jmp    [C666AC]                      ;  GDI32.Chord
00878FA2    8BC0       mov    eax, eax
00878FA4 $- FF25 A866C600 jmp    [C666A8]                      ;  GDI32.CloseEnhMetaFile
00878FAA    8BC0       mov    eax, eax
00878FAC $- FF25 A466C600 jmp    [C666A4]                      ;  GDI32.CombineRgn
00878FB2    8BC0       mov    eax, eax
00878FB4 $- FF25 A066C600 jmp    [C666A0]                      ;  GDI32.CopyEnhMetaFileA
00878FBA    8BC0       mov    eax, eax
00878FBC $- FF25 9C66C600 jmp    [C6669C]                      ;  GDI32.CreateBitmap
00878FC2    8BC0       mov    eax, eax
00878FC4 $- FF25 9866C600 jmp    [C66698]                      ;  GDI32.CreateBrushIndirect
00878FCA    8BC0       mov    eax, eax
00878FCC $- FF25 9466C600 jmp    [C66694]                      ;  GDI32.CreateCompatibleBitmap
00878FD2    8BC0       mov    eax, eax
00878FD4 $- FF25 9066C600 jmp    [C66690]                      ;  GDI32.CreateCompatibleDC
00878FDA    8BC0       mov    eax, eax
00878FDC $- FF25 8C66C600 jmp    [C6668C]                      ;  GDI32.CreateDCA
00878FE2    8BC0       mov    eax, eax
00878FE4 $- FF25 8866C600 jmp    [C66688]                      ;  GDI32.CreateDIBSection
00878FEA    8BC0       mov    eax, eax
00878FEC $- FF25 8466C600 jmp    [C66684]                      ;  GDI32.CreateDIBitmap
00878FF2    8BC0       mov    eax, eax
00878FF4 $- FF25 8066C600 jmp    [C66680]                      ;  GDI32.CreateEnhMetaFileA
00878FFA    8BC0       mov    eax, eax
00878FFC $- FF25 7C66C600 jmp    [C6667C]                      ;  GDI32.CreateFontA
00879002    8BC0       mov    eax, eax
00879004 $- FF25 7866C600 jmp    [C66678]                      ;  GDI32.CreateFontIndirectA
0087900A    8BC0       mov    eax, eax
0087900C $- FF25 7466C600 jmp    [C66674]                      ;  GDI32.CreateHalftonePalette
00879012    8BC0       mov    eax, eax
00879014 $- FF25 7066C600 jmp    [C66670]                      ;  GDI32.CreateHatchBrush
0087901A    8BC0       mov    eax, eax
0087901C $- FF25 6C66C600 jmp    [C6666C]                      ;  GDI32.CreateICA
00879022    8BC0       mov    eax, eax
00879024 $- FF25 6866C600 jmp    [C66668]                      ;  GDI32.CreatePalette
0087902A    8BC0       mov    eax, eax
0087902C $- FF25 6466C600 jmp    [C66664]                      ;  GDI32.CreatePatternBrush
00879032    8BC0       mov    eax, eax
00879034 $- FF25 6066C600 jmp    [C66660]                      ;  GDI32.CreatePen
0087903A    8BC0       mov    eax, eax
0087903C $- FF25 5C66C600 jmp    [C6665C]                      ;  GDI32.CreatePenIndirect
00879042    8BC0       mov    eax, eax
00879044 $- FF25 5866C600 jmp    [C66658]                      ;  GDI32.CreatePolygonRgn
0087904A    8BC0       mov    eax, eax
0087904C $- FF25 5466C600 jmp    [C66654]                      ;  GDI32.CreateRectRgn
00879052    8BC0       mov    eax, eax
00879054 $- FF25 5066C600 jmp    [C66650]                      ;  GDI32.CreateRectRgnIndirect
0087905A    8BC0       mov    eax, eax
0087905C $- FF25 4C66C600 jmp    [C6664C]                      ;  GDI32.CreateSolidBrush
00879062    8BC0       mov    eax, eax
00879064 $- FF25 4866C600 jmp    [C66648]                      ;  GDI32.DeleteDC
0087906A    8BC0       mov    eax, eax
0087906C $- FF25 4466C600 jmp    [C66644]                      ;  GDI32.DeleteEnhMetaFile
00879072    8BC0       mov    eax, eax
00879074 $- FF25 4066C600 jmp    [C66640]                      ;  GDI32.DeleteObject
0087907A    8BC0       mov    eax, eax
0087907C $- FF25 3C66C600 jmp    [C6663C]                      ;  GDI32.Ellipse
00879082    8BC0       mov    eax, eax
00879084 $- FF25 3866C600 jmp    [C66638]                      ;  GDI32.EndDoc
0087908A    8BC0       mov    eax, eax
0087908C $- FF25 3466C600 jmp    [C66634]                      ;  GDI32.EndPage
00879092    8BC0       mov    eax, eax
00879094 $- FF25 3066C600 jmp    [C66630]                      ;  GDI32.EnumEnhMetaFile
0087909A    8BC0       mov    eax, eax
0087909C $- FF25 2C66C600 jmp    [C6662C]                      ;  GDI32.EnumFontFamiliesA
008790A2    8BC0       mov    eax, eax
008790A4 $- FF25 2866C600 jmp    [C66628]                      ;  GDI32.EnumFontFamiliesExA
008790AA    8BC0       mov    eax, eax
008790AC $- FF25 2466C600 jmp    [C66624]                      ;  GDI32.Escape
008790B2    8BC0       mov    eax, eax
008790B4 $- FF25 2066C600 jmp    [C66620]                      ;  GDI32.ExcludeClipRect
008790BA    8BC0       mov    eax, eax
008790BC $- FF25 1C66C600 jmp    [C6661C]                      ;  GDI32.ExtCreatePen
008790C2    8BC0       mov    eax, eax
008790C4 $- FF25 1866C600 jmp    [C66618]                      ;  GDI32.ExtCreateRegion
008790CA    8BC0       mov    eax, eax
008790CC $- FF25 1466C600 jmp    [C66614]                      ;  GDI32.ExtFloodFill
008790D2    8BC0       mov    eax, eax
008790D4 $- FF25 1066C600 jmp    [C66610]                      ;  GDI32.ExtTextOutA
008790DA    8BC0       mov    eax, eax
008790DC $- FF25 0C66C600 jmp    [C6660C]                      ;  GDI32.FillRgn
008790E2    8BC0       mov    eax, eax
008790E4 $- FF25 0866C600 jmp    [C66608]                      ;  GDI32.GdiFlush
008790EA    8BC0       mov    eax, eax
008790EC $- FF25 0466C600 jmp    [C66604]                      ;  GDI32.GetBitmapBits
008790F2    8BC0       mov    eax, eax
008790F4 $- FF25 0066C600 jmp    [C66600]                      ;  GDI32.GetBkColor
008790FA    8BC0       mov    eax, eax
008790FC $- FF25 FC65C600 jmp    [C665FC]                      ;  GDI32.GetBkMode
00879102    8BC0       mov    eax, eax
00879104 $- FF25 F865C600 jmp    [C665F8]                      ;  GDI32.GetBrushOrgEx
0087910A    8BC0       mov    eax, eax
0087910C $- FF25 F465C600 jmp    [C665F4]                      ;  GDI32.GetClipBox
00879112    8BC0       mov    eax, eax
00879114 $- FF25 F065C600 jmp    [C665F0]                      ;  GDI32.GetClipRgn
0087911A    8BC0       mov    eax, eax
0087911C $- FF25 EC65C600 jmp    [C665EC]                      ;  GDI32.GetCurrentObject
00879122    8BC0       mov    eax, eax
00879124 $- FF25 E865C600 jmp    [C665E8]                      ;  GDI32.GetCurrentPositionEx
0087912A    8BC0       mov    eax, eax
0087912C $- FF25 E465C600 jmp    [C665E4]                      ;  GDI32.GetDCOrgEx
00879132    8BC0       mov    eax, eax
00879134 $- FF25 E065C600 jmp    [C665E0]                      ;  GDI32.GetDIBColorTable
0087913A    8BC0       mov    eax, eax
0087913C $- FF25 DC65C600 jmp    [C665DC]                      ;  GDI32.GetDIBits
00879142    8BC0       mov    eax, eax
00879144 $- FF25 D865C600 jmp    [C665D8]                      ;  GDI32.GetDeviceCaps
0087914A    8BC0       mov    eax, eax
0087914C $- FF25 D465C600 jmp    [C665D4]                      ;  GDI32.GetEnhMetaFileBits
00879152    8BC0       mov    eax, eax
00879154 $- FF25 D065C600 jmp    [C665D0]                      ;  GDI32.GetEnhMetaFileDescriptionA
0087915A    8BC0       mov    eax, eax
0087915C $- FF25 CC65C600 jmp    [C665CC]                      ;  GDI32.GetEnhMetaFileHeader
00879162    8BC0       mov    eax, eax
00879164 $- FF25 C865C600 jmp    [C665C8]                      ;  GDI32.GetEnhMetaFilePaletteEntries
0087916A    8BC0       mov    eax, eax
0087916C $- FF25 C465C600 jmp    [C665C4]                      ;  GDI32.GetMapMode
00879172    8BC0       mov    eax, eax
00879174 $- FF25 C065C600 jmp    [C665C0]                      ;  GDI32.GetNearestColor
0087917A    8BC0       mov    eax, eax
0087917C $- FF25 BC65C600 jmp    [C665BC]                      ;  GDI32.GetObjectA
00879182    8BC0       mov    eax, eax
00879184 $- FF25 B865C600 jmp    [C665B8]                      ;  GDI32.GetPaletteEntries
0087918A    8BC0       mov    eax, eax
0087918C $- FF25 B465C600 jmp    [C665B4]                      ;  GDI32.GetPixel
00879192    8BC0       mov    eax, eax
00879194 $- FF25 B065C600 jmp    [C665B0]                      ;  GDI32.GetRgnBox
0087919A    8BC0       mov    eax, eax
0087919C $- FF25 AC65C600 jmp    [C665AC]                      ;  GDI32.GetStockObject
008791A2    8BC0       mov    eax, eax
008791A4 $- FF25 A865C600 jmp    [C665A8]                      ;  GDI32.GetSystemPaletteEntries
008791AA    8BC0       mov    eax, eax
008791AC $- FF25 A465C600 jmp    [C665A4]                      ;  GDI32.GetTextAlign
008791B2    8BC0       mov    eax, eax
008791B4 $- FF25 A065C600 jmp    [C665A0]                      ;  GDI32.GetTextExtentExPointA
008791BA    8BC0       mov    eax, eax
008791BC $- FF25 9C65C600 jmp    [C6659C]                      ;  GDI32.GetTextExtentPoint32A
008791C2    8BC0       mov    eax, eax
008791C4 $- FF25 9865C600 jmp    [C66598]                      ;  GDI32.GetTextExtentPointA
008791CA    8BC0       mov    eax, eax
008791CC $- FF25 9465C600 jmp    [C66594]                      ;  GDI32.GetTextMetricsA
008791D2    8BC0       mov    eax, eax
008791D4 $- FF25 9065C600 jmp    [C66590]                      ;  GDI32.GetViewportOrgEx
008791DA    8BC0       mov    eax, eax
008791DC $- FF25 8C65C600 jmp    [C6658C]                      ;  GDI32.GetWinMetaFileBits
008791E2    8BC0       mov    eax, eax
008791E4 $- FF25 8865C600 jmp    [C66588]                      ;  GDI32.GetWindowOrgEx
008791EA    8BC0       mov    eax, eax
008791EC $- FF25 8465C600 jmp    [C66584]                      ;  GDI32.IntersectClipRect
008791F2    8BC0       mov    eax, eax
008791F4 $- FF25 8065C600 jmp    [C66580]                      ;  GDI32.LPtoDP
008791FA    8BC0       mov    eax, eax
008791FC $- FF25 7C65C600 jmp    [C6657C]                      ;  GDI32.LineTo
00879202    8BC0       mov    eax, eax
00879204 $- FF25 7865C600 jmp    [C66578]                      ;  GDI32.MaskBlt
0087920A    8BC0       mov    eax, eax
0087920C $- FF25 7465C600 jmp    [C66574]                      ;  GDI32.MoveToEx
00879212    8BC0       mov    eax, eax
00879214 $- FF25 7065C600 jmp    [C66570]                      ;  GDI32.OffsetClipRgn
0087921A    8BC0       mov    eax, eax
0087921C $- FF25 6C65C600 jmp    [C6656C]                      ;  GDI32.PatBlt
00879222    8BC0       mov    eax, eax
00879224 $- FF25 6865C600 jmp    [C66568]                      ;  GDI32.Pie
0087922A    8BC0       mov    eax, eax
0087922C $- FF25 6465C600 jmp    [C66564]                      ;  GDI32.PlayEnhMetaFile
00879232    8BC0       mov    eax, eax
00879234 $- FF25 6065C600 jmp    [C66560]                      ;  GDI32.PolyPolyline
0087923A    8BC0       mov    eax, eax
0087923C $- FF25 5C65C600 jmp    [C6655C]                      ;  GDI32.Polygon
00879242    8BC0       mov    eax, eax
00879244 $- FF25 5865C600 jmp    [C66558]                      ;  GDI32.Polyline
0087924A    8BC0       mov    eax, eax
0087924C $- FF25 5465C600 jmp    [C66554]                      ;  GDI32.PtInRegion
00879252    8BC0       mov    eax, eax
00879254 $- FF25 5065C600 jmp    [C66550]                      ;  GDI32.RealizePalette
0087925A    8BC0       mov    eax, eax
0087925C $- FF25 4C65C600 jmp    [C6654C]                      ;  GDI32.RectVisible
00879262    8BC0       mov    eax, eax
00879264 $- FF25 4865C600 jmp    [C66548]                      ;  GDI32.Rectangle
0087926A    8BC0       mov    eax, eax
0087926C $- FF25 4465C600 jmp    [C66544]                      ;  GDI32.ResetDCA
00879272    8BC0       mov    eax, eax
00879274 $- FF25 4065C600 jmp    [C66540]                      ;  GDI32.RestoreDC
0087927A    8BC0       mov    eax, eax
0087927C $- FF25 3C65C600 jmp    [C6653C]                      ;  GDI32.RoundRect
00879282    8BC0       mov    eax, eax
00879284 $- FF25 3865C600 jmp    [C66538]                      ;  GDI32.SaveDC
0087928A    8BC0       mov    eax, eax
0087928C $- FF25 3465C600 jmp    [C66534]                      ;  GDI32.SelectClipRgn
00879292    8BC0       mov    eax, eax
00879294 $- FF25 3065C600 jmp    [C66530]                      ;  GDI32.SelectObject
0087929A    8BC0       mov    eax, eax
0087929C $- FF25 2C65C600 jmp    [C6652C]                      ;  GDI32.SelectPalette
008792A2    8BC0       mov    eax, eax
008792A4 $- FF25 2865C600 jmp    [C66528]                      ;  GDI32.SetAbortProc
008792AA    8BC0       mov    eax, eax
008792AC $- FF25 2465C600 jmp    [C66524]                      ;  GDI32.SetBkColor
008792B2    8BC0       mov    eax, eax
008792B4 $- FF25 2065C600 jmp    [C66520]                      ;  GDI32.SetBkMode
008792BA    8BC0       mov    eax, eax
008792BC $- FF25 1C65C600 jmp    [C6651C]                      ;  GDI32.SetBrushOrgEx
008792C2    8BC0       mov    eax, eax
008792C4 $- FF25 1865C600 jmp    [C66518]                      ;  GDI32.SetDIBColorTable
008792CA    8BC0       mov    eax, eax
008792CC $- FF25 1465C600 jmp    [C66514]                      ;  GDI32.SetDIBits
008792D2    8BC0       mov    eax, eax
008792D4 $- FF25 1065C600 jmp    [C66510]                      ;  GDI32.SetEnhMetaFileBits
008792DA    8BC0       mov    eax, eax
008792DC $- FF25 0C65C600 jmp    [C6650C]                      ;  GDI32.SetMapMode
008792E2    8BC0       mov    eax, eax
008792E4 $- FF25 0865C600 jmp    [C66508]                      ;  GDI32.SetPixel
008792EA    8BC0       mov    eax, eax
008792EC $- FF25 0465C600 jmp    [C66504]                      ;  GDI32.SetPixelV
008792F2    8BC0       mov    eax, eax
008792F4 $- FF25 0065C600 jmp    [C66500]                      ;  GDI32.SetROP2
008792FA    8BC0       mov    eax, eax
008792FC $- FF25 FC64C600 jmp    [C664FC]                      ;  GDI32.SetRectRgn
00879302    8BC0       mov    eax, eax
00879304 $- FF25 F864C600 jmp    [C664F8]                      ;  GDI32.SetStretchBltMode
0087930A    8BC0       mov    eax, eax
0087930C $- FF25 F464C600 jmp    [C664F4]                      ;  GDI32.SetTextAlign
00879312    8BC0       mov    eax, eax
00879314 $- FF25 F064C600 jmp    [C664F0]                      ;  GDI32.SetTextColor
0087931A    8BC0       mov    eax, eax
0087931C $- FF25 EC64C600 jmp    [C664EC]                      ;  GDI32.SetTextCharacterExtra
00879322    8BC0       mov    eax, eax
00879324 $- FF25 E864C600 jmp    [C664E8]                      ;  GDI32.SetTextJustification
0087932A    8BC0       mov    eax, eax
0087932C $- FF25 E464C600 jmp    [C664E4]                      ;  GDI32.SetViewportExtEx
00879332    8BC0       mov    eax, eax
00879334 $- FF25 E064C600 jmp    [C664E0]                      ;  GDI32.SetViewportOrgEx
0087933A    8BC0       mov    eax, eax
0087933C $- FF25 DC64C600 jmp    [C664DC]                      ;  GDI32.SetWinMetaFileBits
00879342    8BC0       mov    eax, eax
00879344 $- FF25 D864C600 jmp    [C664D8]                      ;  GDI32.SetWindowExtEx
0087934A    8BC0       mov    eax, eax
0087934C $- FF25 D464C600 jmp    [C664D4]                      ;  GDI32.SetWindowOrgEx
00879352    8BC0       mov    eax, eax
00879354 $- FF25 D064C600 jmp    [C664D0]                      ;  GDI32.StartDocA
0087935A    8BC0       mov    eax, eax
0087935C $- FF25 CC64C600 jmp    [C664CC]                      ;  GDI32.StartPage
00879362    8BC0       mov    eax, eax
00879364 $- FF25 C864C600 jmp    [C664C8]                      ;  GDI32.StretchBlt
0087936A    8BC0       mov    eax, eax
0087936C $- FF25 C464C600 jmp    [C664C4]                      ;  GDI32.StretchDIBits
00879372    8BC0       mov    eax, eax
00879374 $- FF25 C064C600 jmp    [C664C0]                      ;  GDI32.TextOutA
0087937A    8BC0       mov    eax, eax
0087937C $- FF25 BC64C600 jmp    [C664BC]                      ;  GDI32.UnrealizeObject
00879382    8BC0       mov    eax, eax
00879384 $- FF25 146AC600 jmp    [C66A14]                      ;  USER32.ActivateKeyboardLayout
0087938A    8BC0       mov    eax, eax
0087938C $- FF25 106AC600 jmp    [C66A10]                      ;  USER32.AdjustWindowRectEx
00879392    8BC0       mov    eax, eax
00879394 $- FF25 FC69C600 jmp    [C669FC]                      ;  USER32.CharLowerA
0087939A    8BC0       mov    eax, eax
0087939C $- FF25 F069C600 jmp    [C669F0]                      ;  USER32.BeginDeferWindowPos
008793A2    8BC0       mov    eax, eax
008793A4 $- FF25 EC69C600 jmp    [C669EC]                      ;  USER32.BeginPaint
008793AA    8BC0       mov    eax, eax
008793AC $- FF25 E869C600 jmp    [C669E8]                      ;  USER32.BringWindowToTop
008793B2    8BC0       mov    eax, eax
008793B4 $- FF25 E469C600 jmp    [C669E4]                      ;  USER32.CallNextHookEx
008793BA    8BC0       mov    eax, eax
008793BC $- FF25 E069C600 jmp    [C669E0]                      ;  USER32.CallWindowProcA
008793C2    8BC0       mov    eax, eax
008793C4 $- FF25 FC69C600 jmp    [C669FC]                      ;  USER32.CharLowerA
008793CA    8BC0       mov    eax, eax
008793CC $- FF25 F869C600 jmp    [C669F8]                      ;  USER32.CharLowerBuffA
008793D2    8BC0       mov    eax, eax
008793D4 $- FF25 F469C600 jmp    [C669F4]                      ;  USER32.CharNextA
008793DA    8BC0       mov    eax, eax
008793DC $- FF25 0C6AC600 jmp    [C66A0C]                      ;  USER32.CharToOemA
008793E2    8BC0       mov    eax, eax
008793E4 $- FF25 086AC600 jmp    [C66A08]                      ;  USER32.CharToOemBuffA
008793EA    8BC0       mov    eax, eax
008793EC $- FF25 046AC600 jmp    [C66A04]                      ;  USER32.CharUpperA
008793F2    8BC0       mov    eax, eax
008793F4 $- FF25 006AC600 jmp    [C66A00]                      ;  USER32.CharUpperBuffA
008793FA    8BC0       mov    eax, eax
008793FC $- FF25 DC69C600 jmp    [C669DC]                      ;  USER32.CheckMenuItem
00879402    8BC0       mov    eax, eax
00879404 $- FF25 D869C600 jmp    [C669D8]                      ;  USER32.ChildWindowFromPoint
0087940A    8BC0       mov    eax, eax
0087940C $- FF25 D469C600 jmp    [C669D4]                      ;  USER32.ClientToScreen
00879412    8BC0       mov    eax, eax
00879414 $- FF25 D069C600 jmp    [C669D0]                      ;  USER32.ClipCursor
0087941A    8BC0       mov    eax, eax
0087941C $- FF25 CC69C600 jmp    [C669CC]                      ;  USER32.CloseClipboard
00879422    8BC0       mov    eax, eax
00879424 $- FF25 C869C600 jmp    [C669C8]                      ;  USER32.CopyIcon
0087942A    8BC0       mov    eax, eax
0087942C $- FF25 C469C600 jmp    [C669C4]                      ;  USER32.CopyImage
00879432    8BC0       mov    eax, eax
00879434 $- FF25 C069C600 jmp    [C669C0]                      ;  USER32.CreateCaret
0087943A    8BC0       mov    eax, eax
0087943C $- FF25 BC69C600 jmp    [C669BC]                      ;  USER32.CreateIcon
00879442    8BC0       mov    eax, eax
00879444 $- FF25 B869C600 jmp    [C669B8]                      ;  USER32.CreateMenu
0087944A    8BC0       mov    eax, eax
0087944C $- FF25 B469C600 jmp    [C669B4]                      ;  USER32.CreatePopupMenu
00879452    8BC0       mov    eax, eax
00879454 $- FF25 B069C600 jmp    [C669B0]                      ;  USER32.CreateWindowExA
0087945A    8BC0       mov    eax, eax
0087945C $- FF25 AC69C600 jmp    [C669AC]                      ;  USER32.DefFrameProcA
00879462    8BC0       mov    eax, eax
00879464 .- FF25 A869C600 jmp    [C669A8]                      ;  USER32.DefMDIChildProcA
0087946A    8BC0       mov    eax, eax
0087946C $- FF25 A469C600 jmp    [C669A4]                      ;  USER32.DefWindowProcA
00879472    8BC0       mov    eax, eax
00879474 $- FF25 A069C600 jmp    [C669A0]                      ;  USER32.DeferWindowPos
0087947A    8BC0       mov    eax, eax
0087947C $- FF25 9C69C600 jmp    [C6699C]                      ;  USER32.DeleteMenu
00879482    8BC0       mov    eax, eax
00879484 $- FF25 9869C600 jmp    [C66998]                      ;  USER32.DestroyCaret
0087948A    8BC0       mov    eax, eax
0087948C $- FF25 9469C600 jmp    [C66994]                      ;  USER32.DestroyIcon
00879492    8BC0       mov    eax, eax
00879494 $- FF25 9069C600 jmp    [C66990]                      ;  USER32.DestroyIcon
0087949A    8BC0       mov    eax, eax
0087949C $- FF25 8C69C600 jmp    [C6698C]                      ;  USER32.DestroyMenu
008794A2    8BC0       mov    eax, eax
008794A4 $- FF25 8869C600 jmp    [C66988]                      ;  USER32.DestroyWindow
008794AA    8BC0       mov    eax, eax
008794AC $- FF25 8469C600 jmp    [C66984]                      ;  USER32.DispatchMessageA
008794B2    8BC0       mov    eax, eax
008794B4 $- FF25 8069C600 jmp    [C66980]                      ;  USER32.DrawEdge
008794BA    8BC0       mov    eax, eax
008794BC $- FF25 7C69C600 jmp    [C6697C]                      ;  USER32.DrawFocusRect
008794C2    8BC0       mov    eax, eax
008794C4 $- FF25 7869C600 jmp    [C66978]                      ;  USER32.DrawFrameControl
008794CA    8BC0       mov    eax, eax
008794CC $- FF25 7469C600 jmp    [C66974]                      ;  USER32.DrawIcon
008794D2    8BC0       mov    eax, eax
008794D4 $- FF25 7069C600 jmp    [C66970]                      ;  USER32.DrawIconEx
008794DA    8BC0       mov    eax, eax
008794DC $- FF25 6C69C600 jmp    [C6696C]                      ;  USER32.DrawMenuBar
008794E2    8BC0       mov    eax, eax
008794E4 $- FF25 6869C600 jmp    [C66968]                      ;  USER32.DrawTextA
008794EA    8BC0       mov    eax, eax
008794EC $- FF25 6469C600 jmp    [C66964]                      ;  USER32.DrawTextW
008794F2    8BC0       mov    eax, eax
008794F4 $- FF25 6869C600 jmp    [C66968]                      ;  USER32.DrawTextA
008794FA    8BC0       mov    eax, eax
008794FC $- FF25 6069C600 jmp    [C66960]                      ;  USER32.DrawTextExA
00879502    8BC0       mov    eax, eax
00879504 $- FF25 5C69C600 jmp    [C6695C]                      ;  USER32.EmptyClipboard
0087950A    8BC0       mov    eax, eax
0087950C $- FF25 5869C600 jmp    [C66958]                      ;  USER32.EnableMenuItem
00879512    8BC0       mov    eax, eax
00879514 .- FF25 5469C600 jmp    [C66954]                      ;  USER32.EnableScrollBar
0087951A    8BC0       mov    eax, eax
0087951C $- FF25 5069C600 jmp    [C66950]                      ;  USER32.EnableWindow
00879522    8BC0       mov    eax, eax
00879524 $- FF25 4C69C600 jmp    [C6694C]                      ;  USER32.EndDeferWindowPos
0087952A    8BC0       mov    eax, eax
0087952C $- FF25 4869C600 jmp    [C66948]                      ;  USER32.EndPaint
00879532    8BC0       mov    eax, eax
00879534 $- FF25 4469C600 jmp    [C66944]                      ;  USER32.EnumChildWindows
0087953A    8BC0       mov    eax, eax
0087953C $- FF25 4069C600 jmp    [C66940]                      ;  USER32.EnumClipboardFormats
00879542    8BC0       mov    eax, eax
00879544 $- FF25 3C69C600 jmp    [C6693C]                      ;  USER32.EnumThreadWindows
0087954A    8BC0       mov    eax, eax
0087954C $- FF25 3869C600 jmp    [C66938]                      ;  USER32.EnumWindows
00879552    8BC0       mov    eax, eax
00879554 $- FF25 3469C600 jmp    [C66934]                      ;  USER32.EqualRect
0087955A    8BC0       mov    eax, eax
0087955C $- FF25 3069C600 jmp    [C66930]                      ;  USER32.FillRect
00879562    8BC0       mov    eax, eax
00879564 $- FF25 2C69C600 jmp    [C6692C]                      ;  USER32.FindWindowA
0087956A    8BC0       mov    eax, eax
0087956C $- FF25 2869C600 jmp    [C66928]                      ;  USER32.FindWindowExA
00879572    8BC0       mov    eax, eax
00879574 $- FF25 2469C600 jmp    [C66924]                      ;  USER32.FrameRect
0087957A    8BC0       mov    eax, eax
0087957C $- FF25 2069C600 jmp    [C66920]                      ;  USER32.GetActiveWindow
00879582    8BC0       mov    eax, eax
00879584 $- FF25 1C69C600 jmp    [C6691C]                      ;  USER32.GetCapture
0087958A    8BC0       mov    eax, eax
0087958C $- FF25 1869C600 jmp    [C66918]                      ;  USER32.GetClassInfoA
00879592    8BC0       mov    eax, eax
00879594 $- FF25 1469C600 jmp    [C66914]                      ;  USER32.GetClassNameA
0087959A    8BC0       mov    eax, eax
0087959C $- FF25 1069C600 jmp    [C66910]                      ;  USER32.GetClientRect
008795A2    8BC0       mov    eax, eax
008795A4 $- FF25 0C69C600 jmp    [C6690C]                      ;  USER32.GetClipboardData
008795AA    8BC0       mov    eax, eax
008795AC $- FF25 0869C600 jmp    [C66908]                      ;  USER32.GetComboBoxInfo
008795B2    8BC0       mov    eax, eax
008795B4 $- FF25 0469C600 jmp    [C66904]                      ;  USER32.GetCursor
008795BA    8BC0       mov    eax, eax
008795BC $- FF25 0069C600 jmp    [C66900]                      ;  USER32.GetCursorPos
008795C2    8BC0       mov    eax, eax
008795C4 $- FF25 FC68C600 jmp    [C668FC]                      ;  USER32.GetDC
008795CA    8BC0       mov    eax, eax
008795CC $- FF25 F868C600 jmp    [C668F8]                      ;  USER32.GetDCEx
008795D2    8BC0       mov    eax, eax
008795D4 $- FF25 F468C600 jmp    [C668F4]                      ;  USER32.GetDesktopWindow
008795DA    8BC0       mov    eax, eax
008795DC $- FF25 F068C600 jmp    [C668F0]                      ;  USER32.GetDlgCtrlID
008795E2    8BC0       mov    eax, eax
008795E4 $- FF25 EC68C600 jmp    [C668EC]                      ;  USER32.GetDlgItem
008795EA    8BC0       mov    eax, eax
008795EC $- FF25 E868C600 jmp    [C668E8]                      ;  USER32.GetDoubleClickTime
008795F2    8BC0       mov    eax, eax
008795F4 $- FF25 E468C600 jmp    [C668E4]                      ;  USER32.GetFocus
008795FA    8BC0       mov    eax, eax
008795FC $- FF25 E068C600 jmp    [C668E0]                      ;  USER32.GetForegroundWindow
00879602    8BC0       mov    eax, eax
00879604 $- FF25 DC68C600 jmp    [C668DC]                      ;  USER32.GetIconInfo
0087960A    8BC0       mov    eax, eax
0087960C $- FF25 D868C600 jmp    [C668D8]                      ;  USER32.GetKeyNameTextA
00879612    8BC0       mov    eax, eax
00879614 $- FF25 D468C600 jmp    [C668D4]                      ;  USER32.GetKeyState
0087961A    8BC0       mov    eax, eax
0087961C $- FF25 D068C600 jmp    [C668D0]                      ;  USER32.GetKeyboardLayout
00879622    8BC0       mov    eax, eax
00879624 $- FF25 CC68C600 jmp    [C668CC]                      ;  USER32.GetKeyboardLayoutList
0087962A    8BC0       mov    eax, eax
0087962C $- FF25 C868C600 jmp    [C668C8]                      ;  USER32.GetKeyboardState
00879632    8BC0       mov    eax, eax
00879634 $- FF25 C468C600 jmp    [C668C4]                      ;  USER32.GetLastActivePopup
0087963A    8BC0       mov    eax, eax
0087963C $- FF25 C068C600 jmp    [C668C0]                      ;  USER32.GetMenu
00879642    8BC0       mov    eax, eax
00879644 $- FF25 BC68C600 jmp    [C668BC]                      ;  USER32.GetMenuItemCount
0087964A    8BC0       mov    eax, eax
0087964C $- FF25 B868C600 jmp    [C668B8]                      ;  USER32.GetMenuItemID
00879652    8BC0       mov    eax, eax
00879654 $- FF25 B468C600 jmp    [C668B4]                      ;  USER32.GetMenuItemInfoA
0087965A    8BC0       mov    eax, eax
0087965C $- FF25 B068C600 jmp    [C668B0]                      ;  USER32.GetMenuState
00879662    8BC0       mov    eax, eax
00879664 $- FF25 AC68C600 jmp    [C668AC]                      ;  USER32.GetMenuStringA
0087966A    8BC0       mov    eax, eax
0087966C $- FF25 A868C600 jmp    [C668A8]                      ;  USER32.GetMessageA
00879672    8BC0       mov    eax, eax
00879674 $- FF25 A468C600 jmp    [C668A4]                      ;  USER32.GetMessagePos
0087967A    8BC0       mov    eax, eax
0087967C $- FF25 A068C600 jmp    [C668A0]                      ;  USER32.GetMessageTime
00879682    8BC0       mov    eax, eax
00879684 $- FF25 9C68C600 jmp    [C6689C]                      ;  USER32.GetWindow
0087968A    8BC0       mov    eax, eax
0087968C $- FF25 9868C600 jmp    [C66898]                      ;  USER32.GetParent
00879692    8BC0       mov    eax, eax
00879694 $- FF25 9468C600 jmp    [C66894]                      ;  USER32.GetPropA
0087969A    8BC0       mov    eax, eax
0087969C $- FF25 9068C600 jmp    [C66890]                      ;  USER32.GetScrollBarInfo
008796A2    8BC0       mov    eax, eax
008796A4 $- FF25 8C68C600 jmp    [C6688C]                      ;  USER32.GetScrollInfo
008796AA    8BC0       mov    eax, eax
008796AC $- FF25 8868C600 jmp    [C66888]                      ;  USER32.GetScrollPos
008796B2    8BC0       mov    eax, eax
008796B4 $- FF25 8468C600 jmp    [C66884]                      ;  USER32.GetScrollRange
008796BA    8BC0       mov    eax, eax
008796BC $- FF25 8068C600 jmp    [C66880]                      ;  USER32.GetSubMenu
008796C2    8BC0       mov    eax, eax
008796C4 $- FF25 7C68C600 jmp    [C6687C]                      ;  USER32.GetSysColor
008796CA    8BC0       mov    eax, eax
008796CC $- FF25 7868C600 jmp    [C66878]                      ;  USER32.GetSysColorBrush
008796D2    8BC0       mov    eax, eax
008796D4 $- FF25 7468C600 jmp    [C66874]                      ;  USER32.GetSystemMenu
008796DA    8BC0       mov    eax, eax
008796DC $- FF25 7068C600 jmp    [C66870]                      ;  USER32.GetSystemMetrics
008796E2    8BC0       mov    eax, eax
008796E4 $- FF25 6C68C600 jmp    [C6686C]                      ;  USER32.GetTopWindow
008796EA    8BC0       mov    eax, eax
008796EC $- FF25 6868C600 jmp    [C66868]                      ;  USER32.GetUpdateRect
008796F2    8BC0       mov    eax, eax
008796F4 $- FF25 9C68C600 jmp    [C6689C]                      ;  USER32.GetWindow
008796FA    8BC0       mov    eax, eax
008796FC $- FF25 6468C600 jmp    [C66864]                      ;  USER32.GetWindowDC
00879702    8BC0       mov    eax, eax
00879704 $- FF25 5C68C600 jmp    [C6685C]                      ;  USER32.GetWindowLongW
0087970A    8BC0       mov    eax, eax
0087970C $- FF25 6068C600 jmp    [C66860]                      ;  USER32.GetWindowLongA
00879712    8BC0       mov    eax, eax
00879714 $- FF25 5868C600 jmp    [C66858]                      ;  USER32.GetWindowPlacement
0087971A    8BC0       mov    eax, eax
0087971C $- FF25 5468C600 jmp    [C66854]                      ;  USER32.GetWindowRect
00879722    8BC0       mov    eax, eax
00879724 $- FF25 4C68C600 jmp    [C6684C]                      ;  USER32.GetWindowTextW
0087972A    8BC0       mov    eax, eax
0087972C $- FF25 5068C600 jmp    [C66850]                      ;  USER32.GetWindowTextA
00879732    8BC0       mov    eax, eax
00879734 $- FF25 4868C600 jmp    [C66848]                      ;  USER32.GetWindowTextLengthW
0087973A    8BC0       mov    eax, eax
0087973C $- FF25 4468C600 jmp    [C66844]                      ;  USER32.GetWindowThreadProcessId
00879742    8BC0       mov    eax, eax
00879744 $- FF25 4068C600 jmp    [C66840]                      ;  USER32.HideCaret
0087974A    8BC0       mov    eax, eax
0087974C $- FF25 3C68C600 jmp    [C6683C]                      ;  USER32.InflateRect
00879752    8BC0       mov    eax, eax
00879754 $- FF25 3868C600 jmp    [C66838]                      ;  USER32.InsertMenuA
0087975A    8BC0       mov    eax, eax
0087975C $- FF25 3468C600 jmp    [C66834]                      ;  USER32.InsertMenuItemA
00879762    8BC0       mov    eax, eax
00879764 $- FF25 3068C600 jmp    [C66830]                      ;  USER32.IntersectRect
0087976A    8BC0       mov    eax, eax
0087976C $- FF25 2C68C600 jmp    [C6682C]                      ;  USER32.InvalidateRect
00879772    8BC0       mov    eax, eax
00879774 $- FF25 2868C600 jmp    [C66828]                      ;  USER32.IsCharAlphaA
0087977A    8BC0       mov    eax, eax
0087977C $- FF25 2468C600 jmp    [C66824]                      ;  USER32.IsCharAlphaNumericA
00879782    8BC0       mov    eax, eax
00879784 $- FF25 2068C600 jmp    [C66820]                      ;  USER32.IsChild
0087978A    8BC0       mov    eax, eax
0087978C $- FF25 1C68C600 jmp    [C6681C]                      ;  USER32.IsClipboardFormatAvailable
00879792    8BC0       mov    eax, eax
00879794 $- FF25 1868C600 jmp    [C66818]                      ;  USER32.IsDialogMessageA
0087979A    8BC0       mov    eax, eax
0087979C $- FF25 1468C600 jmp    [C66814]                      ;  USER32.IsIconic
008797A2    8BC0       mov    eax, eax
008797A4 $- FF25 1068C600 jmp    [C66810]                      ;  USER32.IsRectEmpty
008797AA    8BC0       mov    eax, eax
008797AC $- FF25 0C68C600 jmp    [C6680C]                      ;  USER32.IsWindow
008797B2    8BC0       mov    eax, eax
008797B4 $- FF25 0868C600 jmp    [C66808]                      ;  USER32.IsWindowEnabled
008797BA    8BC0       mov    eax, eax
008797BC $- FF25 0468C600 jmp    [C66804]                      ;  USER32.IsWindowUnicode
008797C2    8BC0       mov    eax, eax
008797C4 $- FF25 0068C600 jmp    [C66800]                      ;  USER32.IsWindowVisible
008797CA    8BC0       mov    eax, eax
008797CC $- FF25 FC67C600 jmp    [C667FC]                      ;  USER32.IsZoomed
008797D2    8BC0       mov    eax, eax
008797D4 $- FF25 F867C600 jmp    [C667F8]                      ;  USER32.KillTimer
008797DA    8BC0       mov    eax, eax
008797DC $- FF25 F467C600 jmp    [C667F4]                      ;  USER32.LoadBitmapA
008797E2    8BC0       mov    eax, eax
008797E4 $- FF25 F067C600 jmp    [C667F0]                      ;  USER32.LoadCursorA
008797EA    8BC0       mov    eax, eax
008797EC $- FF25 EC67C600 jmp    [C667EC]                      ;  USER32.LoadIconA
008797F2    8BC0       mov    eax, eax
008797F4 $- FF25 E867C600 jmp    [C667E8]                      ;  USER32.LoadKeyboardLayoutA
008797FA    8BC0       mov    eax, eax
008797FC $- FF25 E467C600 jmp    [C667E4]                      ;  USER32.LoadStringA
00879802    8BC0       mov    eax, eax
00879804 $- FF25 E067C600 jmp    [C667E0]                      ;  USER32.LockWindowUpdate
0087980A    8BC0       mov    eax, eax
0087980C $- FF25 DC67C600 jmp    [C667DC]                      ;  USER32.MapVirtualKeyA
00879812    8BC0       mov    eax, eax
00879814 $- FF25 D867C600 jmp    [C667D8]                      ;  USER32.MapWindowPoints
0087981A    8BC0       mov    eax, eax
0087981C $- FF25 D467C600 jmp    [C667D4]                      ;  USER32.MessageBeep
00879822    8BC0       mov    eax, eax
00879824 $- FF25 D067C600 jmp    [C667D0]                      ;  USER32.MessageBoxA
0087982A    8BC0       mov    eax, eax
0087982C $- FF25 CC67C600 jmp    [C667CC]                      ;  USER32.ModifyMenuA
00879832    8BC0       mov    eax, eax
00879834 $- FF25 C867C600 jmp    [C667C8]                      ;  USER32.MoveWindow
0087983A    8BC0       mov    eax, eax
0087983C $- FF25 C467C600 jmp    [C667C4]                      ;  USER32.MsgWaitForMultipleObjects
00879842    8BC0       mov    eax, eax
00879844 $- FF25 C067C600 jmp    [C667C0]                      ;  USER32.OemToCharA
0087984A    8BC0       mov    eax, eax
0087984C $- FF25 C067C600 jmp    [C667C0]                      ;  USER32.OemToCharA
00879852    8BC0       mov    eax, eax
00879854 $- FF25 BC67C600 jmp    [C667BC]                      ;  USER32.OemToCharBuffA
0087985A    8BC0       mov    eax, eax
0087985C $- FF25 B867C600 jmp    [C667B8]                      ;  USER32.OffsetRect
00879862    8BC0       mov    eax, eax
00879864 $- FF25 B467C600 jmp    [C667B4]                      ;  USER32.OpenClipboard
0087986A    8BC0       mov    eax, eax
0087986C $- FF25 B067C600 jmp    [C667B0]                      ;  USER32.PeekMessageA
00879872    8BC0       mov    eax, eax
00879874 $- FF25 AC67C600 jmp    [C667AC]                      ;  USER32.PostMessageA
0087987A    8BC0       mov    eax, eax
0087987C $- FF25 A867C600 jmp    [C667A8]                      ;  USER32.PostQuitMessage
00879882    8BC0       mov    eax, eax
00879884 $- FF25 A467C600 jmp    [C667A4]                      ;  USER32.PtInRect
0087988A    8BC0       mov    eax, eax
0087988C $- FF25 A067C600 jmp    [C667A0]                      ;  USER32.RedrawWindow
00879892    8BC0       mov    eax, eax
00879894 $- FF25 9C67C600 jmp    [C6679C]                      ;  USER32.RegisterClassA
0087989A    8BC0       mov    eax, eax
0087989C $- FF25 9867C600 jmp    [C66798]                      ;  USER32.RegisterWindowMessageA
008798A2    8BC0       mov    eax, eax
008798A4 $- FF25 9467C600 jmp    [C66794]                      ;  USER32.RegisterWindowMessageA
008798AA    8BC0       mov    eax, eax
008798AC $- FF25 9067C600 jmp    [C66790]                      ;  USER32.ReleaseCapture
008798B2    8BC0       mov    eax, eax
008798B4 $- FF25 8C67C600 jmp    [C6678C]                      ;  USER32.ReleaseDC
008798BA    8BC0       mov    eax, eax
008798BC $- FF25 8867C600 jmp    [C66788]                      ;  USER32.RemoveMenu
008798C2    8BC0       mov    eax, eax
008798C4 $- FF25 8467C600 jmp    [C66784]                      ;  USER32.RemovePropA
008798CA    8BC0       mov    eax, eax
008798CC $- FF25 8067C600 jmp    [C66780]                      ;  USER32.ScreenToClient
008798D2    8BC0       mov    eax, eax
008798D4 $- FF25 7C67C600 jmp    [C6677C]                      ;  USER32.ScrollWindow
008798DA    8BC0       mov    eax, eax
008798DC $- FF25 7867C600 jmp    [C66778]                      ;  USER32.ScrollWindowEx
008798E2    8BC0       mov    eax, eax
008798E4 $- FF25 7467C600 jmp    [C66774]                      ;  USER32.SendDlgItemMessageA
008798EA    8BC0       mov    eax, eax
008798EC $- FF25 7067C600 jmp    [C66770]                      ;  USER32.SendMessageA
008798F2    8BC0       mov    eax, eax
008798F4 $- FF25 6C67C600 jmp    [C6676C]                      ;  USER32.SetActiveWindow
008798FA    8BC0       mov    eax, eax
008798FC $- FF25 6867C600 jmp    [C66768]                      ;  USER32.SetCapture
00879902    8BC0       mov    eax, eax
00879904 $- FF25 6467C600 jmp    [C66764]                      ;  USER32.SetCaretPos
0087990A    8BC0       mov    eax, eax
0087990C $- FF25 6067C600 jmp    [C66760]                      ;  USER32.SetClassLongA
00879912    8BC0       mov    eax, eax
00879914 $- FF25 5C67C600 jmp    [C6675C]                      ;  USER32.SetClipboardData
0087991A    8BC0       mov    eax, eax
0087991C $- FF25 5867C600 jmp    [C66758]                      ;  USER32.SetCursor
00879922    8BC0       mov    eax, eax
00879924 $- FF25 5467C600 jmp    [C66754]                      ;  USER32.SetFocus
0087992A    8BC0       mov    eax, eax
0087992C $- FF25 5067C600 jmp    [C66750]                      ;  USER32.SetForegroundWindow
00879932    8BC0       mov    eax, eax
00879934 $- FF25 4C67C600 jmp    [C6674C]                      ;  USER32.SetKeyboardState
0087993A    8BC0       mov    eax, eax
0087993C $- FF25 4867C600 jmp    [C66748]                      ;  USER32.SetMenu
00879942    8BC0       mov    eax, eax
00879944 $- FF25 4467C600 jmp    [C66744]                      ;  USER32.SetMenuItemInfoA
0087994A    8BC0       mov    eax, eax
0087994C $- FF25 4067C600 jmp    [C66740]                      ;  USER32.SetParent
00879952    8BC0       mov    eax, eax
00879954 $- FF25 3C67C600 jmp    [C6673C]                      ;  USER32.SetPropA
0087995A    8BC0       mov    eax, eax
0087995C $- FF25 3867C600 jmp    [C66738]                      ;  USER32.SetRect
00879962    8BC0       mov    eax, eax
00879964 $- FF25 3467C600 jmp    [C66734]                      ;  USER32.SetRectEmpty
0087996A    8BC0       mov    eax, eax
0087996C $- FF25 3067C600 jmp    [C66730]                      ;  USER32.SetScrollInfo
00879972    8BC0       mov    eax, eax
00879974 $- FF25 2C67C600 jmp    [C6672C]                      ;  USER32.SetScrollPos
0087997A    8BC0       mov    eax, eax
0087997C $- FF25 2867C600 jmp    [C66728]                      ;  USER32.SetScrollRange
00879982    8BC0       mov    eax, eax
00879984 $- FF25 2467C600 jmp    [C66724]                      ;  USER32.SetTimer
0087998A    8BC0       mov    eax, eax
0087998C $- FF25 1C67C600 jmp    [C6671C]                      ;  USER32.SetWindowLongW
00879992    8BC0       mov    eax, eax
00879994 $- FF25 2067C600 jmp    [C66720]                      ;  USER32.SetWindowLongA
0087999A    8BC0       mov    eax, eax
0087999C $- FF25 1867C600 jmp    [C66718]                      ;  USER32.SetWindowPlacement
008799A2    8BC0       mov    eax, eax
008799A4 $- FF25 1467C600 jmp    [C66714]                      ;  USER32.SetWindowPos
008799AA    8BC0       mov    eax, eax
008799AC $- FF25 1067C600 jmp    [C66710]                      ;  USER32.SetWindowTextA
008799B2    8BC0       mov    eax, eax
008799B4 $- FF25 0C67C600 jmp    [C6670C]                      ;  USER32.SetWindowsHookExA
008799BA    8BC0       mov    eax, eax
008799BC $- FF25 0867C600 jmp    [C66708]                      ;  USER32.SetWindowRgn
008799C2    8BC0       mov    eax, eax
008799C4 $- FF25 0467C600 jmp    [C66704]                      ;  USER32.ShowCaret
008799CA    8BC0       mov    eax, eax
008799CC $- FF25 0067C600 jmp    [C66700]                      ;  USER32.ShowCursor
008799D2    8BC0       mov    eax, eax
008799D4 $- FF25 FC66C600 jmp    [C666FC]                      ;  USER32.ShowOwnedPopups
008799DA    8BC0       mov    eax, eax
008799DC $- FF25 F866C600 jmp    [C666F8]                      ;  USER32.ShowScrollBar
008799E2    8BC0       mov    eax, eax
008799E4 $- FF25 F466C600 jmp    [C666F4]                      ;  USER32.ShowWindow
008799EA    8BC0       mov    eax, eax
008799EC $- FF25 F066C600 jmp    [C666F0]                      ;  USER32.SystemParametersInfoA
008799F2    8BC0       mov    eax, eax
008799F4 $- FF25 EC66C600 jmp    [C666EC]                      ;  USER32.TrackPopupMenu
008799FA    8BC0       mov    eax, eax
008799FC $- FF25 E866C600 jmp    [C666E8]                      ;  USER32.TranslateMDISysAccel
00879A02    8BC0       mov    eax, eax
00879A04 $- FF25 E466C600 jmp    [C666E4]                      ;  USER32.TranslateMessage
00879A0A    8BC0       mov    eax, eax
00879A0C $- FF25 E066C600 jmp    [C666E0]                      ;  USER32.UnhookWindowsHookEx
00879A12    8BC0       mov    eax, eax
00879A14 $- FF25 DC66C600 jmp    [C666DC]                      ;  USER32.UnionRect
00879A1A    8BC0       mov    eax, eax
00879A1C $- FF25 D866C600 jmp    [C666D8]                      ;  USER32.UnregisterClassA
00879A22    8BC0       mov    eax, eax
00879A24 $- FF25 D466C600 jmp    [C666D4]                      ;  USER32.UpdateWindow
00879A2A    8BC0       mov    eax, eax
00879A2C $- FF25 D066C600 jmp    [C666D0]                      ;  USER32.ValidateRect
00879A32    8BC0       mov    eax, eax
00879A34 $- FF25 CC66C600 jmp    [C666CC]                      ;  USER32.WaitMessage
00879A3A    8BC0       mov    eax, eax
00879A3C $- FF25 C866C600 jmp    [C666C8]                      ;  USER32.WinHelpA
00879A42    8BC0       mov    eax, eax
00879A44 $- FF25 C466C600 jmp    [C666C4]                      ;  USER32.WindowFromDC
00879A4A    8BC0       mov    eax, eax
00879A4C $- FF25 C066C600 jmp    [C666C0]                      ;  USER32.WindowFromPoint
相应的转存区为
00C66000  6C 62 C6 00 00 00 00 00 00 00 00 00 6C 62 C6 00  lb?........lb?
00C66010  6C 62 C6 00 80 62 C6 00 00 00 00 00 00 00 00 00  lb???........
00C66020  80 62 C6 00 80 62 C6 00 90 62 C6 00 00 00 00 00  ??????....
00C66030  00 00 00 00 90 62 C6 00 90 62 C6 00 D4 62 C6 00  ....????遭?
00C66040  00 00 00 00 00 00 00 00 D4 62 C6 00 D4 62 C6 00  ........遭?遭?
00C66050  F4 62 C6 00 00 00 00 00 00 00 00 00 F4 62 C6 00  翕?........翕?
00C66060  F4 62 C6 00 10 63 C6 00 00 00 00 00 00 00 00 00  翕?c?........
00C66070  10 63 C6 00 10 63 C6 00 94 64 C6 00 00 00 00 00  c?c???....
00C66080  00 00 00 00 94 64 C6 00 94 64 C6 00 A8 64 C6 00  ....????ㄤ?
00C66090  00 00 00 00 00 00 00 00 A8 64 C6 00 A8 64 C6 00  ........ㄤ?ㄤ?
00C660A0  B8 64 C6 00 00 00 00 00 00 00 00 00 B8 64 C6 00  镐?........镐?
00C660B0  B8 64 C6 00 BC 66 C6 00 00 00 00 00 00 00 00 00  镐?兼?........
00C660C0  BC 66 C6 00 BC 66 C6 00 18 6A C6 00 00 00 00 00  兼?兼?j?....
00C660D0  00 00 00 00 18 6A C6 00 18 6A C6 00 40 6A C6 00  ....j?j?@j?
00C660E0  00 00 00 00 00 00 00 00 40 6A C6 00 40 6A C6 00  ........@j?@j?
00C660F0  54 6A C6 00 00 00 00 00 00 00 00 00 54 6A C6 00  Tj?........Tj?
00C66100  54 6A C6 00 C8 6A C6 00 00 00 00 00 00 00 00 00  Tj?汝?........
00C66110  C8 6A C6 00 C8 6A C6 00 F4 6A C6 00 00 00 00 00  汝?汝?絷?....
00C66120  00 00 00 00 F4 6A C6 00 F4 6A C6 00 FC 6A C6 00  ....絷?絷???
00C66130  00 00 00 00 00 00 00 00 FC 6A C6 00 FC 6A C6 00  ........????
00C66140  20 6B C6 00 00 00 00 00 00 00 00 00 20 6B C6 00 k?........ k?
00C66150  20 6B C6 00 28 6B C6 00 00 00 00 00 00 00 00 00 k?(k?........
00C66160  28 6B C6 00 28 6B C6 00 30 6B C6 00 00 00 00 00  (k?(k?0k?....
00C66170  00 00 00 00 30 6B C6 00 30 6B C6 00 38 6B C6 00  ....0k?0k?8k?
00C66180  00 00 00 00 00 00 00 00 38 6B C6 00 38 6B C6 00  ........8k?8k?
00C66190  40 6B C6 00 00 00 00 00 00 00 00 00 40 6B C6 00  @k?........@k?
00C661A0  40 6B C6 00 00 00 00 00 00 00 00 00 00 00 00 00  @k?............
00C661B0  00 00 00 00 00 00 00 00 37 97 80 7C 8A 18 93 7C  ........7?|??
00C661C0  ED 10 92 7C 05 10 92 7C A1 9F 80 7C 14 9B 80 7C  ??????|
00C661D0  81 9A 80 7C 5D 99 80 7C BD 99 80 7C 94 97 80 7C  ??]?|????
00C661E0  7B 97 80 7C 59 B8 80 7C C7 A0 80 7C AD 9C 80 7C  {?|Y?|沁???
00C661F0  E0 C6 80 7C 11 03 81 7C 29 C7 80 7C 4F 1D 80 7C  嗥??)?|O?
00C66200  05 A4 80 7C EE 1E 80 7C 28 AC 80 7C 29 B5 80 7C  ?|??(?|)?|
00C66210  57 B3 80 7C 7E D4 80 7C 31 03 93 7C 8D 2C 81 7C  W?|~?|1???
00C66220  66 AA 80 7C 59 35 81 7C D7 EF 80 7C A2 CA 81 7C  f?|Y5?罪?⑹?
00C66230  A9 CC 80 7C 2F 08 81 7C 9F 0F 81 7C 8A 2B 86 7C  ┨?/?????
00C66240  A6 0D 81 7C 50 F8 81 7C 40 7A 95 7C 0E 18 80 7C  ??P?|@z??
00C66250  E1 EA 81 7C A9 2C 81 7C 8F 0C 81 7C 6B 17 80 7C  彡?????k?
00C66260  69 10 81 7C 24 1A 80 7C 77 9B 80 7C 00 00 00 00  i?$?w?|....
00C66270  46 FA D3 77 98 EC D3 77 0B 05 D5 77 40 EC D3 77  F?w?喻征@煊w
00C66280  00 00 00 00 83 78 DA 77 1B 76 DA 77 F0 6B DA 77  ....?邝v邝痣邝
00C66290  00 00 00 00 CD C4 11 77 A4 C3 11 77 27 C4 11 77  ....湍wっw'?w
00C662A0  3F 50 0F 77 10 50 0F 77 4F 50 0F 77 9B 50 0F 77  ?PwPwOPw?w
00C662B0  DB C5 11 77 E9 C2 11 77 C4 65 0F 77 48 D3 11 77  叟w槁w腻wH?w
00C662C0  C0 48 0F 77 3B 4C 0F 77 50 48 0F 77 9D C9 11 77  廊w;LwPHw?w
00C662D0  59 4B 0F 77 00 00 00 00 F5 9B 80 7C 50 97 80 7C  YKw....??P?|
00C662E0  53 34 81 7C 0F 2B 81 7C 5D 99 80 7C BD 99 80 7C  S4?+?]?|??
00C662F0  57 B3 80 7C 00 00 00 00 E7 EB DA 77 83 78 DA 77  W?|....珉邝?邝
00C66300  1B 76 DA 77 08 B9 DB 77 F4 EA DA 77 F0 6B DA 77  v邝观w絷邝痣邝
00C66310  00 00 00 00 29 C7 80 7C 79 EE 81 7C B7 2B 82 7C  ....)?|y?|??
00C66320  9F 0F 81 7C C7 A0 80 7C 30 25 80 7C 59 B8 80 7C  ??沁?0%?Y?|
00C66330  81 9A 80 7C 42 24 80 7C F1 BA 80 7C 67 CC 80 7C  ??B$?窈?g?|
00C66340  82 B8 81 7C 40 03 93 7C 55 F9 81 7C A6 0D 81 7C  ??@?U?|??
00C66350  44 FB 81 7C 28 9C 80 7C 97 AA 80 7C 50 F8 81 7C  D?|(?|??P?|
00C66360  53 30 82 7C 01 6A 82 7C 2A E9 81 7C 01 B0 85 7C  S0?j?*?|?|
00C66370  A7 24 80 7C 0E 18 80 7C FE B9 80 7C AD 9C 80 7C  ???????
00C66380  F4 97 80 7C 94 22 82 7C CF C6 80 7C EA 95 83 7C  ????掀???
00C66390  65 A0 80 7C 77 1D 80 7C ED 10 92 7C 64 B6 80 7C  e_?w???d?|
00C663A0  A1 9F 80 7C 82 00 81 7C 66 91 83 7C C9 25 81 7C  ????f?|??
00C663B0  36 8F 83 7C 19 01 81 7C 2F FE 80 7C 9A E1 81 7C  6?|?/?|??
00C663C0  2D FF 80 7C 39 30 82 7C 51 28 81 7C AB 14 81 7C  -?|90?Q(???
00C663D0  AC 92 80 7C 05 A4 80 7C CF 21 82 7C DF 06 86 7C  ???|????
00C663E0  C6 2A 81 7C 65 C8 80 7C 47 2D 82 7C 28 AC 80 7C  ??e?|G-?(?|
00C663F0  54 2A 82 7C 29 B5 80 7C 57 B3 80 7C 7E D4 80 7C  T*?)?|W?|~?|
00C66400  C1 C9 80 7C 31 03 93 7C 7C 36 81 7C E2 F8 81 7C  辽?1?|6?怿?
00C66410  4C 17 81 7C A2 29 82 7C 73 73 82 7C 0C 6E 82 7C  L???ss?.n?
00C66420  37 97 80 7C 4E 99 80 7C A1 97 83 7C E6 2B 81 7C  7?|N?|????
00C66430  82 D5 82 7C 7B 97 80 7C 94 97 80 7C 66 AA 80 7C  ??{?|??f?|
00C66440  62 5F 82 7C B1 C7 80 7C 19 90 83 7C 59 35 81 7C  b_?鼻??|Y5?
00C66450  D7 EF 80 7C 66 EA 80 7C 18 E0 81 7C D8 0A 86 7C  罪?f?|?|??
00C66460  1C 76 83 7C 05 10 92 7C 41 EF 81 7C 5C E8 81 7C  v??A?|\?|
00C66470  8A 18 93 7C 2F 08 81 7C 3F EB 80 7C 24 1A 80 7C  ??/???|$?
00C66480  BD E4 81 7C 19 62 82 7C 53 00 83 7C 93 D2 80 7C  戒?b?S.???
00C66490  77 9B 80 7C 00 00 00 00 C0 B2 A9 71 86 B0 A9 71  w?|....啦???
00C664A0  75 AC A9 71 D7 30 A9 71 00 00 00 00 BA 18 BD 77  u?q??....?谨
00C664B0  FF 19 BD 77 50 1A BD 77 00 00 00 00 AF 89 EF 77  ?谨P谨....?秣
00C664C0  49 C4 EF 77 B7 B8 EF 77 FC C6 EF 77 A6 6A F0 77  I娘w犯秣?秣?瘅
00C664D0  B9 45 F2 77 AD 94 EF 77 B6 E3 F0 77 05 B6 F1 77  古蝼?秣躲瘅恶w
00C664E0  88 79 EF 77 5F E4 F0 77 90 E1 EF 77 6A C5 EF 77  ?秣_漯w?秣j棚w
00C664F0  A7 5B EF 77 21 99 EF 77 5F 9D EF 77 8E A4 EF 77  й秣!?w_?w?秣
00C66500  90 A9 EF 77 AA D4 EF 77 E1 D3 EF 77 F7 A8 EF 77  ?秣?秣嵊秣鳕秣
00C66510  0C 7C F0 77 A1 B3 EF 77 AC D6 EF 77 34 88 EF 77  .|瘅〕秣?秣4?w
00C66520  0B 5D EF 77 59 5C EF 77 32 35 F2 77 DE 82 EF 77  ]秣Y\秣25蝼?秣
00C66530  A0 59 EF 77 DC 78 EF 77 84 98 EF 77 86 B4 F1 77  _Y秣茗秣?秣?聍
00C66540  BE 97 EF 77 69 33 F2 77 CF BA EF 77 70 80 EF 77  ?秣i3蝼虾秣p?w
00C66550  89 BD EF 77 C4 4E F2 77 81 A7 EF 77 EE D1 EF 77  ?秣奈蝼?秣钛秣
00C66560  75 4C F2 77 3F 45 F0 77 A4 BE F1 77 B0 86 EF 77  uL蝼?E瘅ぞ聍?秣
00C66570  49 54 F0 77 60 9C EF 77 74 A1 EF 77 07 9D EF 77  IT瘅`?wt★w?w
00C66580  95 81 EF 77 99 68 EF 77 C8 AB EF 77 13 95 F2 77  ?秣?秣全秣?w
00C66590  3D 7A EF 77 21 A8 EF 77 33 C3 EF 77 3B D7 EF 77  =z秣!?w3蔑w;罪w
00C665A0  3A CD F1 77 20 81 EF 77 5B D5 EF 77 F1 5F EF 77  :婉w ?w[诊w襁秣
00C665B0  E9 A5 EF 77 5B D3 EF 77 EF CD EF 77 82 9A EF 77  楗秣[语w锿秣?秣
00C665C0  07 8E EF 77 59 AB EF 77 62 90 F2 77 A3 DF EF 77  ?wY?wb?w＿秣
00C665D0  72 96 F2 77 D0 EA F0 77 A2 58 EF 77 C5 9F EF 77  r?w嘘瘅⒇秣?秣
00C665E0  47 A1 EF 77 31 9C EF 77 94 FB F0 77 A1 82 EF 77  G★w1?w?瘅?秣
00C665F0  17 69 EF 77 E4 68 EF 77 A5 A6 EF 77 D5 BD F0 77  i秣滂秣ウ秣战瘅
00C66600  D4 84 EF 77 B8 8D EF 77 BE 57 EF 77 19 A7 EF 77  ?秣?秣咀秣эw
00C66610  12 90 EF 77 ED 3B F2 77 3B AC EF 77 7C F7 EF 77  ?w?蝼;?w|黠w
00C66620  65 86 EF 77 BB 7F F0 77 A1 EA F1 77 87 9E F0 77  e?w?瘅￡聍?瘅
00C66630  E9 E3 EF 77 23 59 F0 77 B1 5B F0 77 3B C8 EF 77  殂秣#Y瘅臂瘅;蕊w
00C66640  3B 6A EF 77 C0 DC EF 77 A6 6C EF 77 D5 5F EF 77  ;j秣儡秣?秣者秣
00C66650  CF 80 EF 77 C3 75 EF 77 23 9F EF 77 23 E9 F0 77  ?秣悯秣#?w#轲w
00C66660  6C 9B EF 77 D2 B4 EF 77 D7 8D EF 77 18 CF EF 77  l?w掖秣?秣巷w
00C66670  BF 33 F2 77 47 D5 EF 77 0C D1 EF 77 80 AD F1 77  ?蝼G诊w.扬w?聍
00C66680  56 C5 F0 77 2C B5 EF 77 10 96 EF 77 55 CE EF 77  V硼w,碉w?wU物w
00C66690  10 5E EF 77 51 6E EF 77 29 AA EF 77 1F 60 EF 77  ^秣Qn秣)?w`秣
00C666A0  70 7E F0 77 08 A2 EF 77 62 B6 F0 77 07 3A F2 77  p~瘅?wb娥w:蝼
00C666B0  C0 6D EF 77 5B 38 F2 77 12 34 F2 77 00 00 00 00  理秣[8蝼4蝼....
00C666C0  7E                                              ~

***********************************************************************

[课程]FART 脱壳王！加量不加价！FART作者讲授！

收藏・1

免费・0

支持

最新回复 (6)
zhangld 雪币： 210 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 14 粉丝 1 关注私信	zhangld 2 楼我没有权限上传附件，文件请到我的邮箱中下载吧 zld7643@126.com, 密码：19760403 2006-7-18 16:11 0
kanxue 雪币： 44229 活跃值： (19960) 能力值： (RANK：350 ) 在线值：发帖 2369 回帖 17027 粉丝 528 关注私信	kanxue 8 3 楼最初由 zhangld* 发布* 1、找到程序的入口点后，看到的代码为： 00C57A74 55 db 55 ; CHAR 'U'//这里应该是程序入口，但我不知为何显示这些东西？ 00C57A75 8B db 8B 00C57A76 EC db EC 00C57A77 83 db 83 00C57A78 C4 db C4 00C57A79 B4 db B4 00C57A7A B8 db B8 00C57A7B BC6EC500 dd Hrms.00C56EBC 00C57A7F E8 db E8 这与我DUMP出来的代码好像不一样，为什么？怎么处理？ 2、我在脱壳过程中找的重定位表的RVA,SIZE是否正确？ 3、我在修复DUMPED.DLL的输入表时出现了很大的问题，所得指针好象都不正确，试了好多次都不行。为什么会出现这种情况？ 1.按Ctrl＋A试试 2.稍看了一下，应正确。 3.看了你的dumped_.dll，输入表完全错误。 2006-7-18 16:43 0
zhangld 雪币： 210 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 14 粉丝 1 关注私信	zhangld 4 楼坛主，能否对输入表修复指点一二。另外，一楼中，我列出的那一长串函数是否是输入表的区域？我尝试找一个API函数，但翻来翻去，发现全是CALL　HRMS.********,的形式。然后在某个区域就发现了上述的函数表，然后到转存中找到区域大约为00C66000--00C66BE8的范围。我初步认为这就是输入表的区域。问题是：脱壳后的程序入口为00C57A74，也就说基址为00C50000 １、输入表的RVA怎么输？是输入00006000还是直接输入00C66000. 2、不管怎么输入，利用IMPORTREC重建输入表时，GET　IMPORT得出的所有指针全是错误的。请大家帮忙看一下，问题出在什么地方？ 2006-7-18 19:44 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 5 楼只是脱壳的话找脱壳机吧 ASPack All Versions UnPacKer.By.PE_Kill 练习脱壳的话先搞exe 2006-7-18 20:43 0
zhangld 雪币： 210 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 14 粉丝 1 关注私信	zhangld 6 楼本来只是为了脱壳，但这个文件手动搞不定，心里实在不舒服 2006-7-18 21:07 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 7 楼 1、输入表的RVA＝函数所在处－基址 2、修正dump文件基址 3、对于重定位的DLL，ImportREC->Options->去掉Use PE Header from Disk再获取输入表 4、AsPack可以使用原来的IAT，以后多看些PE知识就明白了 2006-7-18 21:15 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

zhangld

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (6)
zhangld 雪币： 210 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 14 粉丝 1 关注私信	zhangld 2 楼我没有权限上传附件，文件请到我的邮箱中下载吧 zld7643@126.com, 密码：19760403 2006-7-18 16:11 0
kanxue 雪币： 44229 活跃值： (19960) 能力值： (RANK：350 ) 在线值：发帖 2369 回帖 17027 粉丝 528 关注私信	kanxue 8 3 楼最初由 zhangld* 发布* 1、找到程序的入口点后，看到的代码为： 00C57A74 55 db 55 ; CHAR 'U'//这里应该是程序入口，但我不知为何显示这些东西？ 00C57A75 8B db 8B 00C57A76 EC db EC 00C57A77 83 db 83 00C57A78 C4 db C4 00C57A79 B4 db B4 00C57A7A B8 db B8 00C57A7B BC6EC500 dd Hrms.00C56EBC 00C57A7F E8 db E8 这与我DUMP出来的代码好像不一样，为什么？怎么处理？ 2、我在脱壳过程中找的重定位表的RVA,SIZE是否正确？ 3、我在修复DUMPED.DLL的输入表时出现了很大的问题，所得指针好象都不正确，试了好多次都不行。为什么会出现这种情况？ 1.按Ctrl＋A试试 2.稍看了一下，应正确。 3.看了你的dumped_.dll，输入表完全错误。 2006-7-18 16:43 0
zhangld 雪币： 210 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 14 粉丝 1 关注私信	zhangld 4 楼坛主，能否对输入表修复指点一二。另外，一楼中，我列出的那一长串函数是否是输入表的区域？我尝试找一个API函数，但翻来翻去，发现全是CALL　HRMS.********,的形式。然后在某个区域就发现了上述的函数表，然后到转存中找到区域大约为00C66000--00C66BE8的范围。我初步认为这就是输入表的区域。问题是：脱壳后的程序入口为00C57A74，也就说基址为00C50000 １、输入表的RVA怎么输？是输入00006000还是直接输入00C66000. 2、不管怎么输入，利用IMPORTREC重建输入表时，GET　IMPORT得出的所有指针全是错误的。请大家帮忙看一下，问题出在什么地方？ 2006-7-18 19:44 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 5 楼只是脱壳的话找脱壳机吧 ASPack All Versions UnPacKer.By.PE_Kill 练习脱壳的话先搞exe 2006-7-18 20:43 0
zhangld 雪币： 210 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 14 粉丝 1 关注私信	zhangld 6 楼本来只是为了脱壳，但这个文件手动搞不定，心里实在不舒服 2006-7-18 21:07 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 7 楼 1、输入表的RVA＝函数所在处－基址 2、修正dump文件基址 3、对于重定位的DLL，ImportREC->Options->去掉Use PE Header from Disk再获取输入表 4、AsPack可以使用原来的IAT，以后多看些PE知识就明白了 2006-7-18 21:15 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复