在坛子看了PELock 1.0x -> 的手动脱法........-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

在坛子看了PELock 1.0x -> 的手动脱法........

发表于: 2006-8-25 19:40 7636

在坛子看了PELock 1.0x -> 的手动脱法........

loiter

2006-8-25 19:40

7636

在坛子看了PELock 1.0x -> 的手动脱法........

在论坛看一强人写的帖子，因为技术原因很多地方不理解。（不理解还发帖，这里大家要想鄙视一下的话，我个人没意见，就尽情的鄙视我吧。）早早就在看雪注册了ID，潜水大概半年之久。不发言，并非不想。实在是不知道自己该写什么，因为真的没什么好写。如果一味的只去回复：看了，学习，顶。这样的字眼，我又感觉浪费了看学的资源。就好象是在犯罪一样/。

慢慢的感觉在看学我真的学到了不少，走最初不知道什么是壳，到现在能去用OD简单的手脱一些弱壳。要感谢吗？是的，需要感谢那些写出心得和方法的前辈。需要感谢看学提供了这样好的一个地方。要回报吗？需要。我真的很想。但是知识贫乏的象大旱十年，给我点时间好吗？

好了正题来了- -！

其实这次发帖是想请路过的高手是否能给做个PELock 1.0x -> 的手脱动画教程。因为《PELock 1.0x -> Bartosz Wojcik简单脱壳》该强贴对我这个菜鸟实在是本天书，让我无从下手。。

（这时，有人说你这个人真虚伪，说了半天还不是想要一脱壳教程！或许我真的虚伪吧。因为我没有自己去研究的实力很天分，只好厚着脸皮来用嘴求人了。）

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

支持

最新回复 (21)
pinkafei 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 6 粉丝 0 关注私信	pinkafei 2 楼强烈顶起!!这壳好象真的很变态!! 像我们这样的菜鸟真的需要多点动画学习啊!! 2006-8-25 20:03 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 3 楼为什么就没人给个说法呢？？唉 2006-9-2 19:03 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 4 楼要脱壳过程（比如一个动画）容易，但是如果需要谁"授之以渔"恐怕你理解有困难。如果只是一个动画，我想看了之后你还是不会脱。我只能说这个壳不适合新手，如果一定要脱，就按照教程多思考，花些时间可以搞定的。也许你经过挣扎最后搞定了，会发现自己提高了一个境界。 2006-9-2 23:10 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 5 楼感谢斑竹光临。。斑竹说的很对。。可能一个动画看了之后我还是不懂。。但是总感觉那样比较直观一点。。呵呵。可能我想的有点多了。。不过还是很高兴斑竹能给予回复。。谢谢~！ 2006-9-3 00:47 0
风再起时雪币： 106 活跃值： (255) 能力值： ( LV2，RANK：10 ) 在线值：发帖 23 回帖 79 粉丝 0 关注私信	风再起时 6 楼搞这个多少有点编程基础吧否则看起来像天书一样有基础的学起来很快的明白了原理就好办 2006-9-3 11:00 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 7 楼是啊。。基础是关键。。但是很想脱这个壳。嘿嘿。。。无奈中。。 2006-9-3 20:00 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 8 楼把你的思考分析过程（不是peid的报告或者olly载入后的结果）发上来，如果进行不下去也许有人会帮你。 2006-9-3 20:25 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 9 楼初步接触该壳，是因为遇到一款远程控制软件，灰鸽子VIP2006。该软件前期是用北斗两次加壳来混淆视线，但是技术含量不高，曾成功手脱。大概过了三个月后，该软件改用PELock 1.0x 加壳。还是老规矩，先上网找关于PELock 1.0x 的资料（本人菜鸟，所以只能借助百度的力量了）找了许久，发现该壳的介绍少之又少，就算有也只是简单说过。无奈一下。既然没资料，就还找老方法，自己手动慢慢跟吧。最新使用基础ESP定律寻找OEP，进行中.....几次尝试后发现根本无法这样入手，因为每次ESP跟下后都会出现一个跳转，而照以前的做法，在跳转处下断，只会出现两种可能，一，跳回程序原入口点，二，程序出现异常，无法继续。但是在几次尝试过程中，慢慢发现该壳的代码混淆和保护能力很强，它会调用程序部分代码和函数到壳内来执行。二次无奈。第三次，乱试法，下面是操作经过。一、到达OEP，Dump OD载入，隐藏OD，忽略除内存访问外的所有异常 005A905C > C1C0 05 ROL EAX,5 005A905F F8 CLC 005A9060 73 01 JNB SHORT Doctor.005A9063 005A9062 78 0F JS SHORT Doctor.005A9073 005A9064 AF SCAS DWORD PTR ES:[EDI] 005A9065 C8 F20FB6 ENTER 0FF2,0B6 005A9069 C0E8 01 SHR AL,1 005A906C 0000 ADD BYTE PTR DS:[EAX],AL 005A906E 00EE ADD DH,CH 005A9070 58 POP EAX 005A9071 F8 CLC Shift+F9，10次，查看堆栈 0012FFA4 /0012FFB8 指针到下一个 SEH 记录 0012FFA8 \|0037382B SE 句柄 0012FFAC \|005B0000 ASCII "WTNE / MADE BY E COMPILER - WUTAO " 0012FFB0 \|00183000 0012FFB4 \|00004000 0012FFB8 \0012FFE0 指针到下一个 SEH 记录 CPU窗口，Ctrl+G，来到37382B，F2设断，Shift+F9 0037382B /EB 02 JMP SHORT 0037382F 0037382D ^\|70 E5 JO SHORT 00373814 0037382F \57 PUSH EDI 00373830 8B7C24 10 MOV EDI,DWORD PTR SS:[ESP+10] 00373834 EB 02 JMP SHORT 00373838 F8来到 00373841 018F B8000000 ADD DWORD PTR DS:[EDI+B8],ECX ; 特征，修改ConText结构，DS:[12FD90]=00373876,ECX=3 所以Ctrl+G来到37387+3=373879处，F2设断，F9运行 00373879 2BC9 SUB ECX,ECX 0037387B 64:8F01 POP DWORD PTR FS:[ECX] 0037387E 59 POP ECX 0037387F EB 01 JMP SHORT 00373882 00373881 65:EB 02 JMP SHORT 00373886 ; 多余的前缀 00373884 65:9C PUSHFD ; 多余的前缀 00373886 EB 01 JMP SHORT 00373889 Alt+M打开内存内存镜像，项目 20 地址=00401000 //F2设断，F9运行大小=00001000 (4096.) Owner=Doctor 00400000 区段=XPROT 含=code 类型=Imag 01001002 访问=R 初始访问=RWE 来到 003773FD C602 E9 MOV BYTE PTR DS:[EDX],0E9 00377400 8BC7 MOV EAX,EDI 00377402 2BC2 SUB EAX,EDX 00377404 83E8 05 SUB EAX,5 00377407 8942 01 MOV DWORD PTR DS:[EDX+1],EAX 0037740A 8A06 MOV AL,BYTE PTR DS:[ESI] 0037740C 46 INC ESI 0037740D 0FB6C8 MOVZX ECX,AL 00377410 83E0 03 AND EAX,3 00377413 C1E9 02 SHR ECX,2 00377416 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWO> 00377418 8BC8 MOV ECX,EAX 0037741A F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE> 0037741C 8A06 MOV AL,BYTE PTR DS:[ESI] 0037741E 46 INC ESI 0037741F 03D0 ADD EDX,EAX 00377421 C607 E9 MOV BYTE PTR DS:[EDI],0E9 00377424 2BD7 SUB EDX,EDI 00377426 83EA 05 SUB EDX,5 00377429 8957 01 MOV DWORD PTR DS:[EDI+1],EDX 0037742C 83C7 05 ADD EDI,5 0037742F 4B DEC EBX 00377430 ^ 75 C3 JNZ SHORT 003773F5 00377432 5F POP EDI 00377433 8D4D 66 LEA ECX,DWORD PTR SS:[EBP+66] 00377436 2BCF SUB ECX,EDI 00377438 F3:AA REP STOS BYTE PTR ES:[EDI] 0037743A 61 POPAD ; F4下来 0037743B C3 RETN 返回到 00376391 /EB 03 JMP SHORT 00376396 00376393 ^\|71 9C JNO SHORT 00376331 00376395 \|36:EB 02 JMP SHORT 0037639A ; 多余的前缀 00376398 0FF8EB PSUBB MM5,MM3 0037639B 0291 66EB02CD ADD DL,BYTE PTR DS:[ECX+CD02EB6> 003763A1 207403 75 AND BYTE PTR DS:[EBX+EAX+75],DH 003763A5 0148 78 ADD DWORD PTR DS:[EAX+78],ECX 003763A8 0379 01 ADD EDI,DWORD PTR DS:[ECX+1] 003763AB 8AE8 MOV CH,AL 003763AD 0100 ADD DWORD PTR DS:[EAX],EAX 003763AF 0000 ADD BYTE PTR DS:[EAX],AL 003763B1 ^ E0 8F LOOPDNE SHORT 00376342 理解中这里应该二次内存下断。但是我对内存二次下断真的是很不理解。。所以继续到这里就不能在继续了。。 2006-9-3 21:31 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 10 楼晕啊。。掉下去了。。我再顶一次。。就一次~！ 2006-9-4 23:32 0
bestchao 雪币： 7 能力值： (RANK：50 ) 在线值：发帖 32 回帖 305 粉丝 0 关注私信	bestchao 1 11 楼支持下 2006-9-5 03:08 0
Kisco 雪币： 203 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 43 粉丝 0 关注私信	Kisco 12 楼 pelock 找oep 和还原 iat 不难,不过pelock 1.06是有stolen code 的, 我一见到stolen code 就头痛, 2006-9-5 19:59 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 13 楼兄弟说的很对。。。这个壳还真的是不好对付。。 2006-9-5 20:48 0
无影雪币： 421 活跃值： (32) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 38 粉丝 0 关注私信	无影 14 楼对于要抓的壳我还没脱成功过几个～小菜鸟一个・嘿嘿！对于重定位的壳，无从下手，哎～继续加油吧！ 2006-9-5 23:07 0
无影雪币： 421 活跃值： (32) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 38 粉丝 0 关注私信	无影 15 楼不好意思，借个位～说错了一句话，换了～和楼上一样，我也是个隐者哦～ 2006-9-5 23:09 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 16 楼呵呵。。看来无望了。。。 2006-9-6 23:34 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 17 楼我现在每个月上一次。这个壳不是2次断点可以搞的。这里所谓内存断点，是当访问到原程序代码段的时候进行中断。一般的壳，第一次访问是解码，第二次就是执行了。可是pelock就不一样了，他不但要解码，还要抽走一部分代码，这点可以看精华7里面的fxyang的解说。 2006-9-9 20:38 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 18 楼呵呵。。谢谢斑竹还没忘记我的帖子。。虽然，到现在还是没搞定。。但是还是很开心。。最少有你为我解释了很多。分量与存在好象就是这样体会到的~！ 2006-9-9 21:35 0
damen 雪币： 227 活跃值： (164) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 59 粉丝 1 关注私信	damen 19 楼 ; Syntax for each function in a thunk (the separator is a TAB) ; ------------------------------------------------------------ ; Flag RVA ModuleName Ordinal name ; ; Details for <Valid> parameter: ; ------------------------------ ; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set ; it to zero if you edit it). ; - Ordinal is not considered but you should let '0000' as value. ; - ModuleName is not considered but you should let '?' as value. ; ; 1 = valid: yes -> All next parameters on the line will be considered. ; Function imported by ordinal must have no name (the 4th TAB must ; be there though). ; ; 2 = Equivalent to 0 but it is for the loader. ; ; 3 = Equivalent to 1 but it is for the loader. ; ; 4 = Equivalent to 0 with (R) tag. ; ; 5 = Equivalent to 1 with (R) tag. ; ; And finally, edit this file as your own risk! :-) Target: E:\灰鸽子2006\H_Client.exe OEP: 001C68FE IATRVA: 001D421C IATSize: 00000A88 FThunk: 001D421C NbFunc: 00000032 1 001D421C kernel32.dll 0080 DeleteCriticalSection 1 001D4220 kernel32.dll 0241 LeaveCriticalSection 1 001D4224 kernel32.dll 0097 EnterCriticalSection 1 001D4228 kernel32.dll 0216 InitializeCriticalSection 1 001D422C kernel32.dll 036E VirtualFree 1 001D4230 kernel32.dll 036B VirtualAlloc 1 001D4234 kernel32.dll 024C LocalFree 1 001D4238 kernel32.dll 0248 LocalAlloc 1 001D423C kernel32.dll 01D2 GetTickCount 1 001D4240 kernel32.dll 0292 QueryPerformanceCounter 1 001D4244 kernel32.dll 01DB GetVersion 1 001D4248 kernel32.dll 013F GetCurrentThreadId 1 001D424C kernel32.dll 021A InterlockedDecrement 1 001D4250 kernel32.dll 021E InterlockedIncrement 1 001D4254 kernel32.dll 0373 VirtualQuery 1 001D4258 kernel32.dll 037F WideCharToMultiByte 1 001D425C kernel32.dll 02F8 SetCurrentDirectoryA 1 001D4260 kernel32.dll 02B3 RemoveDirectoryA 1 001D4264 kernel32.dll 0265 MultiByteToWideChar 1 001D4268 kernel32.dll 03B3 lstrlen 1 001D426C kernel32.dll 03B0 lstrcpyn 1 001D4270 kernel32.dll 0243 LoadLibraryExA 1 001D4274 kernel32.dll 01CD GetThreadLocale 1 001D4278 kernel32.dll 01AD GetStartupInfoA 1 001D427C kernel32.dll 0198 GetProcAddress 1 001D4280 kernel32.dll 0176 GetModuleHandleA 1 001D4284 kernel32.dll 0174 GetModuleFileNameA 1 001D4288 kernel32.dll 016C GetLocaleInfoA 1 001D428C kernel32.dll 0169 GetLastError 1 001D4290 kernel32.dll 013A GetCurrentDirectoryA 1 001D4294 kernel32.dll 010A GetCommandLineA 1 001D4298 kernel32.dll 00F1 FreeLibrary 1 001D429C kernel32.dll 00D1 FindFirstFileA 1 001D42A0 kernel32.dll 00CD FindClose 1 001D42A4 kernel32.dll 0048 CreateDirectoryA 1 001D42A8 kernel32.dll 00B7 ExitProcess 1 001D42AC kernel32.dll 00B8 ExitThread 1 001D42B0 kernel32.dll 006D CreateThread 1 001D42B4 kernel32.dll 038C WriteFile 1 001D42B8 kernel32.dll 0358 UnhandledExceptionFilter 1 001D42BC kernel32.dll 0307 SetFilePointer 1 001D42C0 kernel32.dll 02FE SetEndOfFile 1 001D42C4 kernel32.dll 02C5 RtlUnwind 1 001D42C8 kernel32.dll 02A4 ReadFile 1 001D42CC kernel32.dll 0297 RaiseException 1 001D42D0 kernel32.dll 01AF GetStdHandle 1 001D42D4 kernel32.dll 015C GetFileSize 1 001D42D8 kernel32.dll 015F GetFileType 1 001D42DC kernel32.dll 0050 CreateFileA 1 001D42E0 kernel32.dll 0032 CloseHandle FThunk: 001D42E8 NbFunc: 00000004 1 001D42E8 user32.dll 0128 GetKeyboardType 1 001D42EC user32.dll 01C9 LoadStringA 1 001D42F0 user32.dll 01DD MessageBoxA 1 001D42F4 user32.dll 002B CharNextA FThunk: 001D42FC NbFunc: 00000003 1 001D42FC advapi32.dll 01EE RegQueryValueExA 1 001D4300 advapi32.dll 01E4 RegOpenKeyExA 1 001D4304 advapi32.dll 01CB RegCloseKey FThunk: 001D430C NbFunc: 00000003 1 001D430C oleaut32.dll 0006 SysFreeString 1 001D4310 oleaut32.dll 0005 SysReAllocStringLen 1 001D4314 oleaut32.dll 0004 SysAllocStringLen FThunk: 001D431C NbFunc: 00000004 1 001D431C kernel32.dll 034F TlsSetValue 1 001D4320 kernel32.dll 034E TlsGetValue 1 001D4324 kernel32.dll 0248 LocalAlloc 1 001D4328 kernel32.dll 0176 GetModuleHandleA FThunk: 001D4330 NbFunc: 0000000E 1 001D4330 advapi32.dll 01FB RegSetValueExA 1 001D4334 advapi32.dll 01EE RegQueryValueExA 1 001D4338 advapi32.dll 01E9 RegQueryInfoKeyA 1 001D433C advapi32.dll 01E4 RegOpenKeyExA 1 001D4340 advapi32.dll 01DD RegFlushKey 1 001D4344 advapi32.dll 01DB RegEnumValueA 1 001D4348 advapi32.dll 01D8 RegEnumKeyExA 1 001D434C advapi32.dll 01D4 RegDeleteValueA 1 001D4350 advapi32.dll 01D2 RegDeleteKeyA 1 001D4354 advapi32.dll 01CF RegCreateKeyExA 1 001D4358 advapi32.dll 01CB RegCloseKey 1 001D435C advapi32.dll 01AB OpenProcessToken 1 001D4360 advapi32.dll 014E LookupPrivilegeValueA 1 001D4364 advapi32.dll 001E AdjustTokenPrivileges FThunk: 001D436C NbFunc: 00000076 1 001D436C kernel32.dll 03AD lstrcpy 1 001D4370 kernel32.dll 03A7 lstrcmp 1 001D4374 kernel32.dll 0391 WritePrivateProfileStringA 1 001D4378 kernel32.dll 038C WriteFile 1 001D437C kernel32.dll 037F WideCharToMultiByte 1 001D4380 kernel32.dll 037B WaitForSingleObject 1 001D4384 kernel32.dll 0373 VirtualQuery 1 001D4388 kernel32.dll 0371 VirtualProtect 1 001D438C kernel32.dll 036B VirtualAlloc 1 001D4390 kernel32.dll 035B UnmapViewOfFile 1 001D4394 kernel32.dll 0341 SuspendThread 1 001D4398 kernel32.dll 0340 SleepEx 1 001D439C kernel32.dll 033F Sleep 1 001D43A0 kernel32.dll 033E SizeofResource 1 001D43A4 kernel32.dll 032E SetThreadPriority 1 001D43A8 kernel32.dll 032D SetThreadLocale 1 001D43AC kernel32.dll 0307 SetFilePointer 1 001D43B0 kernel32.dll 0305 SetFileAttributesA 1 001D43B4 kernel32.dll 0302 SetEvent 1 001D43B8 kernel32.dll 0301 SetErrorMode 1 001D43BC kernel32.dll 02FE SetEndOfFile 1 001D43C0 kernel32.dll 02C0 ResumeThread 1 001D43C4 kernel32.dll 02BD ResetEvent 1 001D43C8 kernel32.dll 02B3 RemoveDirectoryA 1 001D43CC kernel32.dll 02A4 ReadFile 1 001D43D0 kernel32.dll 0293 QueryPerformanceFrequency 1 001D43D4 kernel32.dll 0292 QueryPerformanceCounter 1 001D43D8 kernel32.dll 0280 PeekNamedPipe 1 001D43DC kernel32.dll 026F OpenFileMappingA 1 001D43E0 kernel32.dll 0265 MultiByteToWideChar 1 001D43E4 kernel32.dll 0264 MulDiv 1 001D43E8 kernel32.dll 025E MoveFileA 1 001D43EC kernel32.dll 0258 MapViewOfFile 1 001D43F0 kernel32.dll 0255 LockResource 1 001D43F4 kernel32.dll 0247 LoadResource 1 001D43F8 kernel32.dll 0243 LoadLibraryExA 1 001D43FC kernel32.dll 0242 LoadLibraryA 1 001D4400 kernel32.dll 0241 LeaveCriticalSection 1 001D4404 kernel32.dll 0226 IsBadStringPtrA 1 001D4408 kernel32.dll 0216 InitializeCriticalSection 1 001D440C kernel32.dll 01FD GlobalUnlock 1 001D4410 kernel32.dll 01FA GlobalSize 1 001D4414 kernel32.dll 01F9 GlobalReAlloc 1 001D4418 kernel32.dll 01F5 GlobalHandle 1 001D441C kernel32.dll 01F6 GlobalLock 1 001D4420 kernel32.dll 01F2 GlobalFree 1 001D4424 kernel32.dll 01EE GlobalFindAtomA 1 001D4428 kernel32.dll 01ED GlobalDeleteAtom 1 001D442C kernel32.dll 01EB GlobalAlloc 1 001D4430 kernel32.dll 01E9 GlobalAddAtomA 1 001D4434 kernel32.dll 01E6 GetWindowsDirectoryA 1 001D4438 kernel32.dll 01DD GetVersionExW 1 001D443C kernel32.dll 01DC GetVersionExA 1 001D4440 kernel32.dll 01DB GetVersion 1 001D4444 kernel32.dll 01D6 GetUserDefaultLCID 1 001D4448 kernel32.dll 01D5 GetTimeZoneInformation 1 001D444C kernel32.dll 01D3 GetTimeFormatA 1 001D4450 kernel32.dll 01D2 GetTickCount 1 001D4454 kernel32.dll 01CD GetThreadLocale 1 001D4458 kernel32.dll 01C9 GetTempPathA 1 001D445C kernel32.dll 01C7 GetTempFileNameA 1 001D4460 kernel32.dll 01BC GetSystemTime 1 001D4464 kernel32.dll 01B9 GetSystemInfo 1 001D4468 kernel32.dll 01B7 GetSystemDirectoryA 1 001D446C kernel32.dll 01B1 GetStringTypeExA 1 001D4470 kernel32.dll 01AF GetStdHandle 1 001D4474 kernel32.dll 01A8 GetProfileStringA 1 001D4478 kernel32.dll 0198 GetProcAddress 1 001D447C kernel32.dll 0194 GetPrivateProfileStringA 1 001D4480 kernel32.dll 018C GetOverlappedResult 1 001D4484 kernel32.dll 0176 GetModuleHandleA 1 001D4488 kernel32.dll 0174 GetModuleFileNameA 1 001D448C kernel32.dll 016C GetLocaleInfoA 1 001D4490 kernel32.dll 016B GetLocalTime 1 001D4494 kernel32.dll 0169 GetLastError 1 001D4498 kernel32.dll 0162 GetFullPathNameA 1 001D449C kernel32.dll 015C GetFileSize 1 001D44A0 kernel32.dll 0158 GetFileAttributesExA 1 001D44A4 kernel32.dll 0157 GetFileAttributesA 1 001D44A8 kernel32.dll 0154 GetExitCodeThread 1 001D44AC kernel32.dll 0153 GetExitCodeProcess 1 001D44B0 kernel32.dll 014C GetDriveTypeA 1 001D44B4 kernel32.dll 0146 GetDiskFreeSpaceA 1 001D44B8 kernel32.dll 0140 GetDateFormatA 1 001D44BC kernel32.dll 013F GetCurrentThreadId 1 001D44C0 kernel32.dll 013D GetCurrentProcessId 1 001D44C4 kernel32.dll 013C GetCurrentProcess 1 001D44C8 kernel32.dll 010E GetComputerNameA 1 001D44CC kernel32.dll 00FE GetCPInfo 1 001D44D0 kernel32.dll 00F7 GetACP 1 001D44D4 kernel32.dll 00F3 FreeResource 1 001D44D8 kernel32.dll 021E InterlockedIncrement 1 001D44DC kernel32.dll 021B InterlockedExchange 1 001D44E0 kernel32.dll 021A InterlockedDecrement 1 001D44E4 kernel32.dll 00F1 FreeLibrary 1 001D44E8 kernel32.dll 00EC FormatMessageA 1 001D44EC kernel32.dll 00E0 FindResourceA 1 001D44F0 kernel32.dll 00DA FindNextFileA 1 001D44F4 kernel32.dll 00D1 FindFirstFileA 1 001D44F8 kernel32.dll 00CD FindClose 1 001D44FC kernel32.dll 00C4 FileTimeToSystemTime 1 001D4500 kernel32.dll 00C3 FileTimeToLocalFileTime 1 001D4504 kernel32.dll 00C2 FileTimeToDosDateTime 1 001D4508 kernel32.dll 00A4 EnumResourceNamesA 1 001D450C kernel32.dll 0098 EnumCalendarInfoA 1 001D4510 kernel32.dll 0097 EnterCriticalSection 1 001D4514 kernel32.dll 0082 DeleteFileA 1 001D4518 kernel32.dll 0080 DeleteCriticalSection 1 001D451C kernel32.dll 006D CreateThread 1 001D4520 kernel32.dll 0063 CreateProcessA 1 001D4524 kernel32.dll 0062 CreatePipe 1 001D4528 kernel32.dll 0051 CreateFileMappingA 1 001D452C kernel32.dll 0050 CreateFileA 1 001D4530 kernel32.dll 004C CreateEventA 1 001D4534 kernel32.dll 0048 CreateDirectoryA 1 001D4538 kernel32.dll 0040 CopyFileA 1 001D453C kernel32.dll 0038 CompareStringA 1 001D4540 kernel32.dll 0032 CloseHandle FThunk: 001D4548 NbFunc: 00000001 1 001D4548 mpr.dll 003E WNetGetUserA FThunk: 001D4550 NbFunc: 00000003 1 001D4550 version.dll 000B VerQueryValueA 1 001D4554 version.dll 0002 GetFileVersionInfoSizeA 1 001D4558 version.dll 0001 GetFileVersionInfoA FThunk: 001D4560 NbFunc: 00000060 1 001D4560 gdi32.dll 0253 UnrealizeObject 1 001D4564 gdi32.dll 024A StretchBlt 1 001D4568 gdi32.dll 0249 StartPage 1 001D456C gdi32.dll 0246 StartDocA 1 001D4570 gdi32.dll 0244 SetWindowOrgEx 1 001D4574 gdi32.dll 0243 SetWindowExtEx 1 001D4578 gdi32.dll 0242 SetWinMetaFileBits 1 001D457C gdi32.dll 0240 SetViewportOrgEx 1 001D4580 gdi32.dll 023F SetViewportExtEx 1 001D4584 gdi32.dll 023D SetTextColor 1 001D4588 gdi32.dll 0239 SetStretchBltMode 1 001D458C gdi32.dll 0236 SetROP2 1 001D4590 gdi32.dll 0232 SetPixel 1 001D4594 gdi32.dll 022C SetMapMode 1 001D4598 gdi32.dll 0223 SetEnhMetaFileBits 1 001D459C gdi32.dll 0221 SetDIBitsToDevice 1 001D45A0 gdi32.dll 0220 SetDIBits 1 001D45A4 gdi32.dll 021F SetDIBColorTable 1 001D45A8 gdi32.dll 021A SetBrushOrgEx 1 001D45AC gdi32.dll 0217 SetBkMode 1 001D45B0 gdi32.dll 0216 SetBkColor 1 001D45B4 gdi32.dll 0211 SetAbortProc 1 001D45B8 gdi32.dll 0210 SelectPalette 1 001D45BC gdi32.dll 020F SelectObject 1 001D45C0 gdi32.dll 0208 SaveDC 1 001D45C4 gdi32.dll 0202 RoundRect 1 001D45C8 gdi32.dll 0201 RestoreDC 1 001D45CC gdi32.dll 01F7 Rectangle 1 001D45D0 gdi32.dll 01F6 RectVisible 1 001D45D4 gdi32.dll 01F4 RealizePalette 1 001D45D8 gdi32.dll 01EF Polyline 1 001D45DC gdi32.dll 01EE Polygon 1 001D45E0 gdi32.dll 01EB PolyPolyline 1 001D45E4 gdi32.dll 01E1 PlayEnhMetaFile 1 001D45E8 gdi32.dll 01DE PatBlt 1 001D45EC gdi32.dll 01D2 MoveToEx 1 001D45F0 gdi32.dll 01CF MaskBlt 1 001D45F4 gdi32.dll 01CE LineTo 1 001D45F8 gdi32.dll 01CC LPtoDP 1 001D45FC gdi32.dll 01C8 IntersectClipRect 1 001D4600 gdi32.dll 01C4 GetWindowOrgEx 1 001D4604 gdi32.dll 01C2 GetWinMetaFileBits 1 001D4608 gdi32.dll 01BD GetTextMetricsA 1 001D460C gdi32.dll 01B7 GetTextExtentPointA 1 001D4610 gdi32.dll 01B5 GetTextExtentPoint32A 1 001D4614 gdi32.dll 01AA GetSystemPaletteEntries 1 001D4618 gdi32.dll 01A6 GetStockObject 1 001D461C gdi32.dll 019D GetPixel 1 001D4620 gdi32.dll 019B GetPaletteEntries 1 001D4624 gdi32.dll 0196 GetObjectA 1 001D4628 gdi32.dll 0195 GetNearestPaletteIndex 1 001D462C gdi32.dll 0194 GetNearestColor 1 001D4630 gdi32.dll 018E GetMapMode 1 001D4634 gdi32.dll 0176 GetEnhMetaFilePaletteEntries 1 001D4638 gdi32.dll 0175 GetEnhMetaFileHeader 1 001D463C gdi32.dll 0173 GetEnhMetaFileDescriptionA 1 001D4640 gdi32.dll 0172 GetEnhMetaFileBits 1 001D4644 gdi32.dll 016C GetDeviceCaps 1 001D4648 gdi32.dll 016B GetDIBits 1 001D464C gdi32.dll 016A GetDIBColorTable 1 001D4650 gdi32.dll 0168 GetDCOrgEx 1 001D4654 gdi32.dll 0166 GetCurrentPositionEx 1 001D4658 gdi32.dll 0161 GetClipBox 1 001D465C gdi32.dll 0151 GetBrushOrgEx 1 001D4660 gdi32.dll 014B GetBitmapBits 1 001D4664 gdi32.dll 011C GdiFlush 1 001D4668 gdi32.dll 00DE ExtTextOutA 1 001D466C gdi32.dll 00DA ExtCreateRegion 1 001D4670 gdi32.dll 00D9 ExtCreatePen 1 001D4674 gdi32.dll 00D8 ExcludeClipRect 1 001D4678 gdi32.dll 0099 EndPage 1 001D467C gdi32.dll 0097 EndDoc 1 001D4680 gdi32.dll 0095 Ellipse 1 001D4684 gdi32.dll 0090 DeleteObject 1 001D4688 gdi32.dll 008E DeleteEnhMetaFile 1 001D468C gdi32.dll 008D DeleteDC 1 001D4690 gdi32.dll 0051 CreateSolidBrush 1 001D4694 gdi32.dll 004C CreateRectRgn 1 001D4698 gdi32.dll 0049 CreatePenIndirect 1 001D469C gdi32.dll 0048 CreatePen 1 001D46A0 gdi32.dll 0046 CreatePalette 1 001D46A4 gdi32.dll 0042 CreateICA 1 001D46A8 gdi32.dll 0040 CreateHalftonePalette 1 001D46AC gdi32.dll 003B CreateFontIndirectA 1 001D46B0 gdi32.dll 0038 CreateEnhMetaFileA 1 001D46B4 gdi32.dll 0034 CreateDIBitmap 1 001D46B8 gdi32.dll 0033 CreateDIBSection 1 001D46BC gdi32.dll 002F CreateDCA 1 001D46C0 gdi32.dll 002E CreateCompatibleDC 1 001D46C4 gdi32.dll 002D CreateCompatibleBitmap 1 001D46C8 gdi32.dll 002A CreateBrushIndirect 1 001D46CC gdi32.dll 0028 CreateBitmap 1 001D46D0 gdi32.dll 0024 CopyEnhMetaFileA 1 001D46D4 gdi32.dll 0022 CombineRgn 1 001D46D8 gdi32.dll 001D CloseEnhMetaFile 1 001D46DC gdi32.dll 0013 BitBlt FThunk: 001D46E4 NbFunc: 000000C4 1 001D46E4 user32.dll 0061 CreateWindowExA 1 001D46E8 user32.dll 02D6 WindowFromPoint 1 001D46EC user32.dll 02D3 WinHelpA 1 001D46F0 user32.dll 02D1 WaitMessage 1 001D46F4 user32.dll 02C6 ValidateRect 1 001D46F8 user32.dll 02BC UpdateWindow 1 001D46FC user32.dll 02B7 UnregisterHotKey 1 001D4700 user32.dll 02B4 UnregisterClassA 1 001D4704 user32.dll 02B0 UnionRect 1 001D4708 user32.dll 02AF UnhookWindowsHookEx 1 001D470C user32.dll 02AB TranslateMessage 1 001D4710 user32.dll 02AA TranslateMDISysAccel 1 001D4714 user32.dll 02A5 TrackPopupMenu 1 001D4718 user32.dll 029A SystemParametersInfoA 1 001D471C user32.dll 0293 ShowWindow 1 001D4720 user32.dll 0291 ShowScrollBar 1 001D4724 user32.dll 0290 ShowOwnedPopups 1 001D4728 user32.dll 028F ShowCursor 1 001D472C user32.dll 028E ShowCaret 1 001D4730 user32.dll 0285 SetWindowRgn 1 001D4734 user32.dll 028B SetWindowsHookExA 1 001D4738 user32.dll 0287 SetWindowTextA 1 001D473C user32.dll 0284 SetWindowPos 1 001D4740 user32.dll 0283 SetWindowPlacement 1 001D4744 user32.dll 0281 SetWindowLongA 1 001D4748 user32.dll 027B SetTimer 1 001D474C user32.dll 0271 SetScrollRange 1 001D4750 user32.dll 0270 SetScrollPos 1 001D4754 user32.dll 026F SetScrollInfo 1 001D4758 user32.dll 026D SetRect 1 001D475C user32.dll 026B SetPropA 1 001D4760 user32.dll 0267 SetParent 1 001D4764 user32.dll 0263 SetMenuItemInfoA 1 001D4768 user32.dll 025E SetMenu 1 001D476C user32.dll 025A SetKeyboardState 1 001D4770 user32.dll 0258 SetForegroundWindow 1 001D4774 user32.dll 0257 SetFocus 1 001D4778 user32.dll 024E SetCursor 1 001D477C user32.dll 024B SetClipboardData 1 001D4780 user32.dll 0248 SetClassLongA 1 001D4784 user32.dll 0247 SetCaretPos 1 001D4788 user32.dll 0245 SetCapture 1 001D478C user32.dll 0244 SetActiveWindow 1 001D4790 user32.dll 023C SendMessageA 1 001D4794 user32.dll 0236 ScrollWindowEx 1 001D4798 user32.dll 0235 ScrollWindow 1 001D479C user32.dll 0232 ScreenToClient 1 001D47A0 user32.dll 022D RemovePropA 1 001D47A4 user32.dll 022C RemoveMenu 1 001D47A8 user32.dll 022B ReleaseDC 1 001D47AC user32.dll 022A ReleaseCapture 1 001D47B0 user32.dll 021B RegisterClipboardFormatA 1 001D47B4 user32.dll 021F RegisterHotKey 1 001D47B8 user32.dll 021B RegisterClipboardFormatA 1 001D47BC user32.dll 0217 RegisterClassA 1 001D47C0 user32.dll 0216 RedrawWindow 1 001D47C4 user32.dll 020C PtInRect 1 001D47C8 user32.dll 0202 PostQuitMessage 1 001D47CC user32.dll 0200 PostMessageA 1 001D47D0 user32.dll 01FE PeekMessageA 1 001D47D4 user32.dll 01F4 OpenClipboard 1 001D47D8 user32.dll 01F3 OffsetRect 1 001D47DC user32.dll 01EF OemToCharA 1 001D47E0 user32.dll 01EB MsgWaitForMultipleObjects 1 001D47E4 user32.dll 01DD MessageBoxA 1 001D47E8 user32.dll 01DC MessageBeep 1 001D47EC user32.dll 01D8 MapWindowPoints 1 001D47F0 user32.dll 01D4 MapVirtualKeyA 1 001D47F4 user32.dll 01CD LockWindowUpdate 1 001D47F8 user32.dll 01C9 LoadStringA 1 001D47FC user32.dll 01C0 LoadKeyboardLayoutA 1 001D4800 user32.dll 01BC LoadIconA 1 001D4804 user32.dll 01B9 LoadCursorFromFileA 1 001D4808 user32.dll 01B8 LoadCursorA 1 001D480C user32.dll 01B6 LoadBitmapA 1 001D4810 user32.dll 01B3 KillTimer 1 001D4814 user32.dll 01B1 IsZoomed 1 001D4818 user32.dll 01B0 IsWindowVisible 1 001D481C user32.dll 01AD IsWindowEnabled 1 001D4820 user32.dll 01AC IsWindow 1 001D4824 user32.dll 01A9 IsRectEmpty 1 001D4828 user32.dll 01A7 IsIconic 1 001D482C user32.dll 01A1 IsDialogMessage 1 001D4830 user32.dll 01A0 IsClipboardFormatAvailable 1 001D4834 user32.dll 019F IsChild 1 001D4838 user32.dll 0198 IsCharAlphaNumericA 1 001D483C user32.dll 0197 IsCharAlphaA 1 001D4840 user32.dll 0194 InvalidateRect 1 001D4844 user32.dll 0193 IntersectRect 1 001D4848 user32.dll 018F InsertMenuItemA 1 001D484C user32.dll 018E InsertMenuA 1 001D4850 user32.dll 018B InflateRect 1 001D4854 user32.dll 0180 HideCaret 1 001D4858 user32.dll 017C GetWindowThreadProcessId 1 001D485C user32.dll 0178 GetWindowTextA 1 001D4860 user32.dll 0175 GetWindowRect 1 001D4864 user32.dll 0174 GetWindowPlacement 1 001D4868 user32.dll 016F GetWindowLongA 1 001D486C user32.dll 016D GetWindowDC 1 001D4870 user32.dll 0165 GetUpdateRect 1 001D4874 user32.dll 0164 GetTopWindow 1 001D4878 user32.dll 015E GetSystemMetrics 1 001D487C user32.dll 015D GetSystemMenu 1 001D4880 user32.dll 015C GetSysColorBrush 1 001D4884 user32.dll 015B GetSysColor 1 001D4888 user32.dll 015A GetSubMenu 1 001D488C user32.dll 0158 GetScrollRange 1 001D4890 user32.dll 0157 GetScrollPos 1 001D4894 user32.dll 0156 GetScrollInfo 1 001D4898 user32.dll 014B GetPropA 1 001D489C user32.dll 0146 GetParent 1 001D48A0 user32.dll 016B GetWindow 1 001D48A4 user32.dll 013E GetMessageTime 1 001D48A8 user32.dll 013D GetMessagePos 1 001D48AC user32.dll 0139 GetMenuStringA 1 001D48B0 user32.dll 0138 GetMenuState 1 001D48B4 user32.dll 0135 GetMenuItemInfoA 1 001D48B8 user32.dll 0134 GetMenuItemID 1 001D48BC user32.dll 0133 GetMenuItemCount 1 001D48C0 user32.dll 012D GetMenu 1 001D48C4 user32.dll 0129 GetLastActivePopup 1 001D48C8 user32.dll 0127 GetKeyboardState 1 001D48CC user32.dll 0124 GetKeyboardLayoutList 1 001D48D0 user32.dll 0123 GetKeyboardLayout 1 001D48D4 user32.dll 0122 GetKeyState 1 001D48D8 user32.dll 0120 GetKeyNameTextA 1 001D48DC user32.dll 011B GetIconInfo 1 001D48E0 user32.dll 0118 GetForegroundWindow 1 001D48E4 user32.dll 0117 GetFocus 1 001D48E8 user32.dll 0116 GetDoubleClickTime 1 001D48EC user32.dll 0112 GetDlgItem 1 001D48F0 user32.dll 010F GetDesktopWindow 1 001D48F4 user32.dll 010E GetDCEx 1 001D48F8 user32.dll 010D GetDC 1 001D48FC user32.dll 010C GetCursorPos 1 001D4900 user32.dll 0109 GetCursor 1 001D4904 user32.dll 0102 GetClipboardData 1 001D4908 user32.dll 0100 GetClientRect 1 001D490C user32.dll 00FD GetClassNameA 1 001D4910 user32.dll 00F7 GetClassInfoA 1 001D4914 user32.dll 00F6 GetCaretPos 1 001D4918 user32.dll 00F4 GetCapture 1 001D491C user32.dll 00F3 GetAsyncKeyState 1 001D4920 user32.dll 00EC GetActiveWindow 1 001D4924 user32.dll 00EA FrameRect 1 001D4928 user32.dll 00E5 FindWindowExA 1 001D492C user32.dll 00E4 FindWindowA 1 001D4930 user32.dll 00E3 FillRect 1 001D4934 user32.dll 00E2 ExitWindowsEx 1 001D4938 user32.dll 00E0 EqualRect 1 001D493C user32.dll 00DF EnumWindows 1 001D4940 user32.dll 00DC EnumThreadWindows 1 001D4944 user32.dll 00CD EnumClipboardFormats 1 001D4948 user32.dll 00C9 EndPaint 1 001D494C user32.dll 00C5 EnableWindow 1 001D4950 user32.dll 00C4 EnableScrollBar 1 001D4954 user32.dll 00C3 EnableMenuItem 1 001D4958 user32.dll 00C2 EmptyClipboard 1 001D495C user32.dll 00BD DrawTextA 1 001D4960 user32.dll 00B9 DrawMenuBar 1 001D4964 user32.dll 00B8 DrawIconEx 1 001D4968 user32.dll 00B7 DrawIcon 1 001D496C user32.dll 00B6 DrawFrameControl 1 001D4970 user32.dll 00B4 DrawFocusRect 1 001D4974 user32.dll 00B3 DrawEdge 1 001D4978 user32.dll 00A2 DispatchMessageA 1 001D497C user32.dll 009A DestroyWindow 1 001D4980 user32.dll 0098 DestroyMenu 1 001D4984 user32.dll 0096 DestroyCursor 1 001D4988 user32.dll 0096 DestroyCursor 1 001D498C user32.dll 0095 DestroyCaret 1 001D4990 user32.dll 0092 DeleteMenu 1 001D4994 user32.dll 008F DefWindowProcA 1 001D4998 user32.dll 008C DefMDIChildProcA 1 001D499C user32.dll 008A DefFrameProcA 1 001D49A0 user32.dll 005F CreatePopupMenu 1 001D49A4 user32.dll 005E CreateMenu 1 001D49A8 user32.dll 005A CreateIconFromResourceEx 1 001D49AC user32.dll 0058 CreateIcon 1 001D49B0 user32.dll 004F CreateCaret 1 001D49B4 user32.dll 004A CopyImage 1 001D49B8 user32.dll 0049 CopyIcon 1 001D49BC user32.dll 0043 CloseClipboard 1 001D49C0 user32.dll 0041 ClientToScreen 1 001D49C4 user32.dll 003D ChildWindowFromPoint 1 001D49C8 user32.dll 003A CheckMenuItem 1 001D49CC user32.dll 001C CallWindowProcA 1 001D49D0 user32.dll 001B CallNextHookEx 1 001D49D4 user32.dll 000E BeginPaint 1 001D49D8 user32.dll 002B CharNextA 1 001D49DC user32.dll 0028 CharLowerBuffA 1 001D49E0 user32.dll 0027 CharLowerA 1 001D49E4 user32.dll 0036 CharUpperBuffA 1 001D49E8 user32.dll 0031 CharToOemA 1 001D49EC user32.dll 0003 AdjustWindowRectEx 1 001D49F0 user32.dll 0001 ActivateKeyboardLayout FThunk: 001D49F8 NbFunc: 00000001 1 001D49F8 kernel32.dll 033F Sleep FThunk: 001D4A00 NbFunc: 00000008 1 001D4A00 oleaut32.dll 0094 SafeArrayPtrOfIndex 1 001D4A04 oleaut32.dll 0013 SafeArrayGetUBound 1 001D4A08 oleaut32.dll 0014 SafeArrayGetLBound 1 001D4A0C oleaut32.dll 000F SafeArrayCreate 1 001D4A10 oleaut32.dll 000C VariantChangeType 1 001D4A14 oleaut32.dll 000A VariantCopy 1 001D4A18 oleaut32.dll 0009 VariantClear 1 001D4A1C oleaut32.dll 0008 VariantInit FThunk: 001D4A24 NbFunc: 0000000F 1 001D4A24 ole32.dll 0093 CreateStreamOnHGlobal 1 001D4A28 ole32.dll 00D7 IsAccelerator 1 001D4A2C ole32.dll 00F7 OleDraw 1 001D4A30 ole32.dll 0113 OleSetMenuDescriptor 1 001D4A34 ole32.dll 0115 OleUninitialize 1 001D4A38 ole32.dll 00FE OleInitialize 1 001D4A3C ole32.dll 0066 CoTaskMemFree 1 001D4A40 ole32.dll 0065 CoTaskMemAlloc 1 001D4A44 ole32.dll 0117 ProgIDFromCLSID 1 001D4A48 ole32.dll 0143 StringFromCLSID 1 001D4A4C ole32.dll 0012 CoCreateInstance 1 001D4A50 ole32.dll 0024 CoGetClassObject 1 001D4A54 ole32.dll 006A CoUninitialize 1 001D4A58 ole32.dll 003C CoInitialize 1 001D4A5C ole32.dll 00D8 IsEqualGUID FThunk: 001D4A64 NbFunc: 00000003 1 001D4A64 oleaut32.dll 00C8 GetErrorInfo 1 001D4A68 oleaut32.dll 0023 GetActiveObject 1 001D4A6C oleaut32.dll 0006 SysFreeString FThunk: 001D4A74 NbFunc: 00000019 1 001D4A74 comctl32.dll 004F ImageList_SetIconSize 1 001D4A78 comctl32.dll 003B ImageList_GetIconSize 1 001D4A7C comctl32.dll 0052 ImageList_Write 1 001D4A80 comctl32.dll 0043 ImageList_Read 1 001D4A84 comctl32.dll 0038 ImageList_GetDragImage 1 001D4A88 comctl32.dll 0031 ImageList_DragShowNolock 1 001D4A8C comctl32.dll 004C ImageList_SetDragCursorImage 1 001D4A90 comctl32.dll 0030 ImageList_DragMove 1 001D4A94 comctl32.dll 002F ImageList_DragLeave 1 001D4A98 comctl32.dll 002E ImageList_DragEnter 1 001D4A9C comctl32.dll 0036 ImageList_EndDrag 1 001D4AA0 comctl32.dll 002A ImageList_BeginDrag 1 001D4AA4 comctl32.dll 003A ImageList_GetIcon 1 001D4AA8 comctl32.dll 0044 ImageList_Remove 1 001D4AAC comctl32.dll 0033 ImageList_DrawEx 1 001D4AB0 comctl32.dll 0032 ImageList_Draw 1 001D4AB4 comctl32.dll 0051 ImageList_SetOverlayImage 1 001D4AB8 comctl32.dll 0037 ImageList_GetBkColor 1 001D4ABC comctl32.dll 004B ImageList_SetBkColor 1 001D4AC0 comctl32.dll 0046 ImageList_ReplaceIcon 1 001D4AC4 comctl32.dll 0027 ImageList_Add 1 001D4AC8 comctl32.dll 003C ImageList_GetImageCount 1 001D4ACC comctl32.dll 002D ImageList_Destroy 1 001D4AD0 comctl32.dll 002C ImageList_Create 1 001D4AD4 comctl32.dll 0011 InitCommonControls FThunk: 001D4ADC NbFunc: 00000004 1 001D4ADC winspool.drv 0105 OpenPrinterA 1 001D4AE0 winspool.drv 00EA EnumPrintersA 1 001D4AE4 winspool.drv 00B1 DocumentPropertiesA 1 001D4AE8 winspool.drv 0086 ClosePrinter FThunk: 001D4AF0 NbFunc: 00000008 1 001D4AF0 shell32.dll 016D Shell_NotifyIcon 1 001D4AF4 shell32.dll 0167 ShellExecuteA 1 001D4AF8 shell32.dll 012B SHGetFileInfo 1 001D4AFC shell32.dll 010E SHAppBarMessage 1 001D4B00 shell32.dll 00D8 ExtractIconA 1 001D4B04 shell32.dll 008C DragQueryFile 1 001D4B08 shell32.dll 008B DragFinish 1 001D4B0C shell32.dll 008A DragAcceptFiles FThunk: 001D4B14 NbFunc: 00000005 1 001D4B14 shell32.dll 013C SHGetSpecialFolderLocation 1 001D4B18 shell32.dll 0138 SHGetPathFromIDList 1 001D4B1C shell32.dll 0136 SHGetMalloc 1 001D4B20 shell32.dll 0127 SHGetDesktopFolder 1 001D4B24 shell32.dll 0110 SHBrowseForFolder FThunk: 001D4B2C NbFunc: 00000002 1 001D4B2C comdlg32.dll 0070 GetSaveFileNameA 1 001D4B30 comdlg32.dll 006E GetOpenFileNameA FThunk: 001D4B38 NbFunc: 0000001C 1 001D4B38 wsock32.dll 0074 WSACleanup 1 001D4B3C wsock32.dll 0073 WSAStartup 1 001D4B40 wsock32.dll 006F WSAGetLastError 1 001D4B44 wsock32.dll 006C WSACancelAsyncRequest 1 001D4B48 wsock32.dll 006B WSAAsyncGetServByName 1 001D4B4C wsock32.dll 0067 WSAAsyncGetHostByName 1 001D4B50 wsock32.dll 0065 WSAAsyncSelect 1 001D4B54 wsock32.dll 0037 getservbyname 1 001D4B58 wsock32.dll 0034 gethostbyname 1 001D4B5C wsock32.dll 0017 socket 1 001D4B60 wsock32.dll 0015 setsockopt 1 001D4B64 wsock32.dll 0013 send 1 001D4B68 wsock32.dll 0012 select 1 001D4B6C wsock32.dll 0010 recv 1 001D4B70 wsock32.dll 0009 htons 1 001D4B74 wsock32.dll 000D listen 1 001D4B78 wsock32.dll 000C ioctlsocket 1 001D4B7C wsock32.dll 000B inet_ntoa 1 001D4B80 wsock32.dll 000A inet_addr 1 001D4B84 wsock32.dll 0009 htons 1 001D4B88 wsock32.dll 0008 htonl 1 001D4B8C wsock32.dll 0007 getsockopt 1 001D4B90 wsock32.dll 0006 getsockname 1 001D4B94 wsock32.dll 0005 getpeername 1 001D4B98 wsock32.dll 0004 connect 1 001D4B9C wsock32.dll 0003 closesocket 1 001D4BA0 wsock32.dll 0002 bind 1 001D4BA4 wsock32.dll 0001 accept FThunk: 001D4BAC NbFunc: 0000001F 1 001D4BAC winmm.dll 00CF waveOutWrite 1 001D4BB0 winmm.dll 00CE waveOutUnprepareHeader 1 001D4BB4 winmm.dll 00C9 waveOutReset 1 001D4BB8 winmm.dll 00C8 waveOutPrepareHeader 1 001D4BBC winmm.dll 00C6 waveOutOpen 1 001D4BC0 winmm.dll 00C3 waveOutGetPosition 1 001D4BC4 winmm.dll 00AD waveInGetErrorTextA 1 001D4BC8 winmm.dll 00BC waveOutGetDevCapsW 1 001D4BCC winmm.dll 00BB waveOutGetDevCapsA 1 001D4BD0 winmm.dll 00BA waveOutClose 1 001D4BD4 winmm.dll 00B8 waveInUnprepareHeader 1 001D4BD8 winmm.dll 00B7 waveInStop 1 001D4BDC winmm.dll 00B6 waveInStart 1 001D4BE0 winmm.dll 00B5 waveInReset 1 001D4BE4 winmm.dll 00B4 waveInPrepareHeader 1 001D4BE8 winmm.dll 00B3 waveInOpen 1 001D4BEC winmm.dll 00B1 waveInGetPosition 1 001D4BF0 winmm.dll 00AD waveInGetErrorTextA 1 001D4BF4 winmm.dll 00AC waveInGetDevCapsW 1 001D4BF8 winmm.dll 00AB waveInGetDevCapsA 1 001D4BFC winmm.dll 00AA waveInClose 1 001D4C00 winmm.dll 00A9 waveInAddBuffer 1 001D4C04 winmm.dll 00A8 timeSetEvent 1 001D4C08 winmm.dll 00A7 timeKillEvent 1 001D4C0C winmm.dll 00A4 timeGetDevCaps 1 001D4C10 winmm.dll 00A3 timeEndPeriod 1 001D4C14 winmm.dll 00A2 timeBeginPeriod 1 001D4C18 winmm.dll 009F sndPlaySoundA 1 001D4C1C winmm.dll 000F SendDriverMessage 1 001D4C20 winmm.dll 000B OpenDriver 1 001D4C24 winmm.dll 0003 CloseDriver FThunk: 001D4C2C NbFunc: 00000013 1 001D4C2C msacm32.dll 002C acmStreamUnprepareHeader 1 001D4C30 msacm32.dll 0029 acmStreamPrepareHeader 1 001D4C34 msacm32.dll 0026 acmStreamConvert 1 001D4C38 msacm32.dll 002A acmStreamReset 1 001D4C3C msacm32.dll 002B acmStreamSize 1 001D4C40 msacm32.dll 0025 acmStreamClose 1 001D4C44 msacm32.dll 0028 acmStreamOpen 1 001D4C48 msacm32.dll 0017 acmFormatChooseA 1 001D4C4C msacm32.dll 001D acmFormatSuggest 1 001D4C50 msacm32.dll 001B acmFormatEnumA 1 001D4C54 msacm32.dll 0020 acmFormatTagEnumA 1 001D4C58 msacm32.dll 0006 acmDriverDetailsW 1 001D4C5C msacm32.dll 0005 acmDriverDetailsA 1 001D4C60 msacm32.dll 0009 acmDriverMessage 1 001D4C64 msacm32.dll 0004 acmDriverClose 1 001D4C68 msacm32.dll 000A acmDriverOpen 1 001D4C6C msacm32.dll 0007 acmDriverEnum 1 001D4C70 msacm32.dll 0024 acmMetrics 1 001D4C74 msacm32.dll 0022 acmGetVersion FThunk: 001D4C7C NbFunc: 00000006 1 001D4C7C ws2_32.dll 003C WSAIoctl 1 001D4C80 ws2_32.dll 0039 gethostname 1 001D4C84 ws2_32.dll 0034 gethostbyname 1 001D4C88 ws2_32.dll 000C inet_ntoa 1 001D4C8C ws2_32.dll 0074 WSACleanup 1 001D4C90 ws2_32.dll 0073 WSAStartup FThunk: 001D4C98 NbFunc: 00000001 1 001D4C98 imagehlp.dll 0004 CheckSumMappedFile FThunk: 001D4CA0 NbFunc: 00000001 1 001D4CA0 kernel32.dll 0264 MulDiv 2006-9-13 14:11 0
djog 雪币： 206 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 61 粉丝 0 关注私信	djog 20 楼晕啊..楼上的发这个是什么啊?? 希望你真的想说的话.能说说方法吗?? 我也正在脱PELOCK的脱.实在是............. 希望各位路过高手能指点一二. 2006-11-30 22:36 0
scship 雪币： 212 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 217 粉丝 1 关注私信	scship 21 楼其实。。。PELock1.0x我脱过。。。找到oep后不会修复函数发帖也没有人理我。。。你们不信在外面还有我的贴浮着。。。不会修复函数 2006-12-1 00:25 0
笨笨雄雪币： 846 活跃值： (221) 能力值： (RANK：570 ) 在线值：发帖 212 回帖 3620 粉丝 21 关注私信	笨笨雄 14 22 楼找到OEP不叫脱壳，找OEP就能脱掉的壳叫压缩壳那种东西，基本都是直接秒杀的从STOLEN CODE=>IAT加密=>sdk=>VM 看雪的精华，我看很多了，暂时只知道高手都在VM上下工夫 IAT加密已经很简单了，最初我碰到这个的时候也迷茫了一天。不过假如你有认真看高手的脱文，你自己也认真分析一遍该壳，要理解那些脱文其实并不难。我花了一天，大概就2到3小时，你在外面发贴，还要等多久呢？就算有人回答你问题，你也不过等于再看多一次脱文而已。该是不懂的还是不懂。高手写脱文是为了让大家遇到同样的壳，分析起来的时候有章可寻。并不是写了让新人一步一步跟着做的。假如不懂分析代码，根本就没有意义。汇编代码就在那里，跟做成动画教程没有任何关系。那段代码有什么功能？高手在文章里已经解释得够明白的了。还是授人以鱼和授人以渔的问题了。你想渔还是鱼？ 2006-12-1 01:24 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

loiter

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (21)
pinkafei 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 6 粉丝 0 关注私信	pinkafei 2 楼强烈顶起!!这壳好象真的很变态!! 像我们这样的菜鸟真的需要多点动画学习啊!! 2006-8-25 20:03 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 3 楼为什么就没人给个说法呢？？唉 2006-9-2 19:03 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 4 楼要脱壳过程（比如一个动画）容易，但是如果需要谁"授之以渔"恐怕你理解有困难。如果只是一个动画，我想看了之后你还是不会脱。我只能说这个壳不适合新手，如果一定要脱，就按照教程多思考，花些时间可以搞定的。也许你经过挣扎最后搞定了，会发现自己提高了一个境界。 2006-9-2 23:10 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 5 楼感谢斑竹光临。。斑竹说的很对。。可能一个动画看了之后我还是不懂。。但是总感觉那样比较直观一点。。呵呵。可能我想的有点多了。。不过还是很高兴斑竹能给予回复。。谢谢~！ 2006-9-3 00:47 0
风再起时雪币： 106 活跃值： (255) 能力值： ( LV2，RANK：10 ) 在线值：发帖 23 回帖 79 粉丝 0 关注私信	风再起时 6 楼搞这个多少有点编程基础吧否则看起来像天书一样有基础的学起来很快的明白了原理就好办 2006-9-3 11:00 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 7 楼是啊。。基础是关键。。但是很想脱这个壳。嘿嘿。。。无奈中。。 2006-9-3 20:00 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 8 楼把你的思考分析过程（不是peid的报告或者olly载入后的结果）发上来，如果进行不下去也许有人会帮你。 2006-9-3 20:25 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 9 楼初步接触该壳，是因为遇到一款远程控制软件，灰鸽子VIP2006。该软件前期是用北斗两次加壳来混淆视线，但是技术含量不高，曾成功手脱。大概过了三个月后，该软件改用PELock 1.0x 加壳。还是老规矩，先上网找关于PELock 1.0x 的资料（本人菜鸟，所以只能借助百度的力量了）找了许久，发现该壳的介绍少之又少，就算有也只是简单说过。无奈一下。既然没资料，就还找老方法，自己手动慢慢跟吧。最新使用基础ESP定律寻找OEP，进行中.....几次尝试后发现根本无法这样入手，因为每次ESP跟下后都会出现一个跳转，而照以前的做法，在跳转处下断，只会出现两种可能，一，跳回程序原入口点，二，程序出现异常，无法继续。但是在几次尝试过程中，慢慢发现该壳的代码混淆和保护能力很强，它会调用程序部分代码和函数到壳内来执行。二次无奈。第三次，乱试法，下面是操作经过。一、到达OEP，Dump OD载入，隐藏OD，忽略除内存访问外的所有异常 005A905C > C1C0 05 ROL EAX,5 005A905F F8 CLC 005A9060 73 01 JNB SHORT Doctor.005A9063 005A9062 78 0F JS SHORT Doctor.005A9073 005A9064 AF SCAS DWORD PTR ES:[EDI] 005A9065 C8 F20FB6 ENTER 0FF2,0B6 005A9069 C0E8 01 SHR AL,1 005A906C 0000 ADD BYTE PTR DS:[EAX],AL 005A906E 00EE ADD DH,CH 005A9070 58 POP EAX 005A9071 F8 CLC Shift+F9，10次，查看堆栈 0012FFA4 /0012FFB8 指针到下一个 SEH 记录 0012FFA8 \|0037382B SE 句柄 0012FFAC \|005B0000 ASCII "WTNE / MADE BY E COMPILER - WUTAO " 0012FFB0 \|00183000 0012FFB4 \|00004000 0012FFB8 \0012FFE0 指针到下一个 SEH 记录 CPU窗口，Ctrl+G，来到37382B，F2设断，Shift+F9 0037382B /EB 02 JMP SHORT 0037382F 0037382D ^\|70 E5 JO SHORT 00373814 0037382F \57 PUSH EDI 00373830 8B7C24 10 MOV EDI,DWORD PTR SS:[ESP+10] 00373834 EB 02 JMP SHORT 00373838 F8来到 00373841 018F B8000000 ADD DWORD PTR DS:[EDI+B8],ECX ; 特征，修改ConText结构，DS:[12FD90]=00373876,ECX=3 所以Ctrl+G来到37387+3=373879处，F2设断，F9运行 00373879 2BC9 SUB ECX,ECX 0037387B 64:8F01 POP DWORD PTR FS:[ECX] 0037387E 59 POP ECX 0037387F EB 01 JMP SHORT 00373882 00373881 65:EB 02 JMP SHORT 00373886 ; 多余的前缀 00373884 65:9C PUSHFD ; 多余的前缀 00373886 EB 01 JMP SHORT 00373889 Alt+M打开内存内存镜像，项目 20 地址=00401000 //F2设断，F9运行大小=00001000 (4096.) Owner=Doctor 00400000 区段=XPROT 含=code 类型=Imag 01001002 访问=R 初始访问=RWE 来到 003773FD C602 E9 MOV BYTE PTR DS:[EDX],0E9 00377400 8BC7 MOV EAX,EDI 00377402 2BC2 SUB EAX,EDX 00377404 83E8 05 SUB EAX,5 00377407 8942 01 MOV DWORD PTR DS:[EDX+1],EAX 0037740A 8A06 MOV AL,BYTE PTR DS:[ESI] 0037740C 46 INC ESI 0037740D 0FB6C8 MOVZX ECX,AL 00377410 83E0 03 AND EAX,3 00377413 C1E9 02 SHR ECX,2 00377416 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWO> 00377418 8BC8 MOV ECX,EAX 0037741A F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE> 0037741C 8A06 MOV AL,BYTE PTR DS:[ESI] 0037741E 46 INC ESI 0037741F 03D0 ADD EDX,EAX 00377421 C607 E9 MOV BYTE PTR DS:[EDI],0E9 00377424 2BD7 SUB EDX,EDI 00377426 83EA 05 SUB EDX,5 00377429 8957 01 MOV DWORD PTR DS:[EDI+1],EDX 0037742C 83C7 05 ADD EDI,5 0037742F 4B DEC EBX 00377430 ^ 75 C3 JNZ SHORT 003773F5 00377432 5F POP EDI 00377433 8D4D 66 LEA ECX,DWORD PTR SS:[EBP+66] 00377436 2BCF SUB ECX,EDI 00377438 F3:AA REP STOS BYTE PTR ES:[EDI] 0037743A 61 POPAD ; F4下来 0037743B C3 RETN 返回到 00376391 /EB 03 JMP SHORT 00376396 00376393 ^\|71 9C JNO SHORT 00376331 00376395 \|36:EB 02 JMP SHORT 0037639A ; 多余的前缀 00376398 0FF8EB PSUBB MM5,MM3 0037639B 0291 66EB02CD ADD DL,BYTE PTR DS:[ECX+CD02EB6> 003763A1 207403 75 AND BYTE PTR DS:[EBX+EAX+75],DH 003763A5 0148 78 ADD DWORD PTR DS:[EAX+78],ECX 003763A8 0379 01 ADD EDI,DWORD PTR DS:[ECX+1] 003763AB 8AE8 MOV CH,AL 003763AD 0100 ADD DWORD PTR DS:[EAX],EAX 003763AF 0000 ADD BYTE PTR DS:[EAX],AL 003763B1 ^ E0 8F LOOPDNE SHORT 00376342 理解中这里应该二次内存下断。但是我对内存二次下断真的是很不理解。。所以继续到这里就不能在继续了。。 2006-9-3 21:31 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 10 楼晕啊。。掉下去了。。我再顶一次。。就一次~！ 2006-9-4 23:32 0
bestchao 雪币： 7 能力值： (RANK：50 ) 在线值：发帖 32 回帖 305 粉丝 0 关注私信	bestchao 1 11 楼支持下 2006-9-5 03:08 0
Kisco 雪币： 203 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 43 粉丝 0 关注私信	Kisco 12 楼 pelock 找oep 和还原 iat 不难,不过pelock 1.06是有stolen code 的, 我一见到stolen code 就头痛, 2006-9-5 19:59 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 13 楼兄弟说的很对。。。这个壳还真的是不好对付。。 2006-9-5 20:48 0
无影雪币： 421 活跃值： (32) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 38 粉丝 0 关注私信	无影 14 楼对于要抓的壳我还没脱成功过几个～小菜鸟一个・嘿嘿！对于重定位的壳，无从下手，哎～继续加油吧！ 2006-9-5 23:07 0
无影雪币： 421 活跃值： (32) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 38 粉丝 0 关注私信	无影 15 楼不好意思，借个位～说错了一句话，换了～和楼上一样，我也是个隐者哦～ 2006-9-5 23:09 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 16 楼呵呵。。看来无望了。。。 2006-9-6 23:34 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 17 楼我现在每个月上一次。这个壳不是2次断点可以搞的。这里所谓内存断点，是当访问到原程序代码段的时候进行中断。一般的壳，第一次访问是解码，第二次就是执行了。可是pelock就不一样了，他不但要解码，还要抽走一部分代码，这点可以看精华7里面的fxyang的解说。 2006-9-9 20:38 0
loiter 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 11 粉丝 0 关注私信	loiter 18 楼呵呵。。谢谢斑竹还没忘记我的帖子。。虽然，到现在还是没搞定。。但是还是很开心。。最少有你为我解释了很多。分量与存在好象就是这样体会到的~！ 2006-9-9 21:35 0
damen 雪币： 227 活跃值： (164) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 59 粉丝 1 关注私信	damen 19 楼 ; Syntax for each function in a thunk (the separator is a TAB) ; ------------------------------------------------------------ ; Flag RVA ModuleName Ordinal name ; ; Details for <Valid> parameter: ; ------------------------------ ; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set ; it to zero if you edit it). ; - Ordinal is not considered but you should let '0000' as value. ; - ModuleName is not considered but you should let '?' as value. ; ; 1 = valid: yes -> All next parameters on the line will be considered. ; Function imported by ordinal must have no name (the 4th TAB must ; be there though). ; ; 2 = Equivalent to 0 but it is for the loader. ; ; 3 = Equivalent to 1 but it is for the loader. ; ; 4 = Equivalent to 0 with (R) tag. ; ; 5 = Equivalent to 1 with (R) tag. ; ; And finally, edit this file as your own risk! :-) Target: E:\灰鸽子2006\H_Client.exe OEP: 001C68FE IATRVA: 001D421C IATSize: 00000A88 FThunk: 001D421C NbFunc: 00000032 1 001D421C kernel32.dll 0080 DeleteCriticalSection 1 001D4220 kernel32.dll 0241 LeaveCriticalSection 1 001D4224 kernel32.dll 0097 EnterCriticalSection 1 001D4228 kernel32.dll 0216 InitializeCriticalSection 1 001D422C kernel32.dll 036E VirtualFree 1 001D4230 kernel32.dll 036B VirtualAlloc 1 001D4234 kernel32.dll 024C LocalFree 1 001D4238 kernel32.dll 0248 LocalAlloc 1 001D423C kernel32.dll 01D2 GetTickCount 1 001D4240 kernel32.dll 0292 QueryPerformanceCounter 1 001D4244 kernel32.dll 01DB GetVersion 1 001D4248 kernel32.dll 013F GetCurrentThreadId 1 001D424C kernel32.dll 021A InterlockedDecrement 1 001D4250 kernel32.dll 021E InterlockedIncrement 1 001D4254 kernel32.dll 0373 VirtualQuery 1 001D4258 kernel32.dll 037F WideCharToMultiByte 1 001D425C kernel32.dll 02F8 SetCurrentDirectoryA 1 001D4260 kernel32.dll 02B3 RemoveDirectoryA 1 001D4264 kernel32.dll 0265 MultiByteToWideChar 1 001D4268 kernel32.dll 03B3 lstrlen 1 001D426C kernel32.dll 03B0 lstrcpyn 1 001D4270 kernel32.dll 0243 LoadLibraryExA 1 001D4274 kernel32.dll 01CD GetThreadLocale 1 001D4278 kernel32.dll 01AD GetStartupInfoA 1 001D427C kernel32.dll 0198 GetProcAddress 1 001D4280 kernel32.dll 0176 GetModuleHandleA 1 001D4284 kernel32.dll 0174 GetModuleFileNameA 1 001D4288 kernel32.dll 016C GetLocaleInfoA 1 001D428C kernel32.dll 0169 GetLastError 1 001D4290 kernel32.dll 013A GetCurrentDirectoryA 1 001D4294 kernel32.dll 010A GetCommandLineA 1 001D4298 kernel32.dll 00F1 FreeLibrary 1 001D429C kernel32.dll 00D1 FindFirstFileA 1 001D42A0 kernel32.dll 00CD FindClose 1 001D42A4 kernel32.dll 0048 CreateDirectoryA 1 001D42A8 kernel32.dll 00B7 ExitProcess 1 001D42AC kernel32.dll 00B8 ExitThread 1 001D42B0 kernel32.dll 006D CreateThread 1 001D42B4 kernel32.dll 038C WriteFile 1 001D42B8 kernel32.dll 0358 UnhandledExceptionFilter 1 001D42BC kernel32.dll 0307 SetFilePointer 1 001D42C0 kernel32.dll 02FE SetEndOfFile 1 001D42C4 kernel32.dll 02C5 RtlUnwind 1 001D42C8 kernel32.dll 02A4 ReadFile 1 001D42CC kernel32.dll 0297 RaiseException 1 001D42D0 kernel32.dll 01AF GetStdHandle 1 001D42D4 kernel32.dll 015C GetFileSize 1 001D42D8 kernel32.dll 015F GetFileType 1 001D42DC kernel32.dll 0050 CreateFileA 1 001D42E0 kernel32.dll 0032 CloseHandle FThunk: 001D42E8 NbFunc: 00000004 1 001D42E8 user32.dll 0128 GetKeyboardType 1 001D42EC user32.dll 01C9 LoadStringA 1 001D42F0 user32.dll 01DD MessageBoxA 1 001D42F4 user32.dll 002B CharNextA FThunk: 001D42FC NbFunc: 00000003 1 001D42FC advapi32.dll 01EE RegQueryValueExA 1 001D4300 advapi32.dll 01E4 RegOpenKeyExA 1 001D4304 advapi32.dll 01CB RegCloseKey FThunk: 001D430C NbFunc: 00000003 1 001D430C oleaut32.dll 0006 SysFreeString 1 001D4310 oleaut32.dll 0005 SysReAllocStringLen 1 001D4314 oleaut32.dll 0004 SysAllocStringLen FThunk: 001D431C NbFunc: 00000004 1 001D431C kernel32.dll 034F TlsSetValue 1 001D4320 kernel32.dll 034E TlsGetValue 1 001D4324 kernel32.dll 0248 LocalAlloc 1 001D4328 kernel32.dll 0176 GetModuleHandleA FThunk: 001D4330 NbFunc: 0000000E 1 001D4330 advapi32.dll 01FB RegSetValueExA 1 001D4334 advapi32.dll 01EE RegQueryValueExA 1 001D4338 advapi32.dll 01E9 RegQueryInfoKeyA 1 001D433C advapi32.dll 01E4 RegOpenKeyExA 1 001D4340 advapi32.dll 01DD RegFlushKey 1 001D4344 advapi32.dll 01DB RegEnumValueA 1 001D4348 advapi32.dll 01D8 RegEnumKeyExA 1 001D434C advapi32.dll 01D4 RegDeleteValueA 1 001D4350 advapi32.dll 01D2 RegDeleteKeyA 1 001D4354 advapi32.dll 01CF RegCreateKeyExA 1 001D4358 advapi32.dll 01CB RegCloseKey 1 001D435C advapi32.dll 01AB OpenProcessToken 1 001D4360 advapi32.dll 014E LookupPrivilegeValueA 1 001D4364 advapi32.dll 001E AdjustTokenPrivileges FThunk: 001D436C NbFunc: 00000076 1 001D436C kernel32.dll 03AD lstrcpy 1 001D4370 kernel32.dll 03A7 lstrcmp 1 001D4374 kernel32.dll 0391 WritePrivateProfileStringA 1 001D4378 kernel32.dll 038C WriteFile 1 001D437C kernel32.dll 037F WideCharToMultiByte 1 001D4380 kernel32.dll 037B WaitForSingleObject 1 001D4384 kernel32.dll 0373 VirtualQuery 1 001D4388 kernel32.dll 0371 VirtualProtect 1 001D438C kernel32.dll 036B VirtualAlloc 1 001D4390 kernel32.dll 035B UnmapViewOfFile 1 001D4394 kernel32.dll 0341 SuspendThread 1 001D4398 kernel32.dll 0340 SleepEx 1 001D439C kernel32.dll 033F Sleep 1 001D43A0 kernel32.dll 033E SizeofResource 1 001D43A4 kernel32.dll 032E SetThreadPriority 1 001D43A8 kernel32.dll 032D SetThreadLocale 1 001D43AC kernel32.dll 0307 SetFilePointer 1 001D43B0 kernel32.dll 0305 SetFileAttributesA 1 001D43B4 kernel32.dll 0302 SetEvent 1 001D43B8 kernel32.dll 0301 SetErrorMode 1 001D43BC kernel32.dll 02FE SetEndOfFile 1 001D43C0 kernel32.dll 02C0 ResumeThread 1 001D43C4 kernel32.dll 02BD ResetEvent 1 001D43C8 kernel32.dll 02B3 RemoveDirectoryA 1 001D43CC kernel32.dll 02A4 ReadFile 1 001D43D0 kernel32.dll 0293 QueryPerformanceFrequency 1 001D43D4 kernel32.dll 0292 QueryPerformanceCounter 1 001D43D8 kernel32.dll 0280 PeekNamedPipe 1 001D43DC kernel32.dll 026F OpenFileMappingA 1 001D43E0 kernel32.dll 0265 MultiByteToWideChar 1 001D43E4 kernel32.dll 0264 MulDiv 1 001D43E8 kernel32.dll 025E MoveFileA 1 001D43EC kernel32.dll 0258 MapViewOfFile 1 001D43F0 kernel32.dll 0255 LockResource 1 001D43F4 kernel32.dll 0247 LoadResource 1 001D43F8 kernel32.dll 0243 LoadLibraryExA 1 001D43FC kernel32.dll 0242 LoadLibraryA 1 001D4400 kernel32.dll 0241 LeaveCriticalSection 1 001D4404 kernel32.dll 0226 IsBadStringPtrA 1 001D4408 kernel32.dll 0216 InitializeCriticalSection 1 001D440C kernel32.dll 01FD GlobalUnlock 1 001D4410 kernel32.dll 01FA GlobalSize 1 001D4414 kernel32.dll 01F9 GlobalReAlloc 1 001D4418 kernel32.dll 01F5 GlobalHandle 1 001D441C kernel32.dll 01F6 GlobalLock 1 001D4420 kernel32.dll 01F2 GlobalFree 1 001D4424 kernel32.dll 01EE GlobalFindAtomA 1 001D4428 kernel32.dll 01ED GlobalDeleteAtom 1 001D442C kernel32.dll 01EB GlobalAlloc 1 001D4430 kernel32.dll 01E9 GlobalAddAtomA 1 001D4434 kernel32.dll 01E6 GetWindowsDirectoryA 1 001D4438 kernel32.dll 01DD GetVersionExW 1 001D443C kernel32.dll 01DC GetVersionExA 1 001D4440 kernel32.dll 01DB GetVersion 1 001D4444 kernel32.dll 01D6 GetUserDefaultLCID 1 001D4448 kernel32.dll 01D5 GetTimeZoneInformation 1 001D444C kernel32.dll 01D3 GetTimeFormatA 1 001D4450 kernel32.dll 01D2 GetTickCount 1 001D4454 kernel32.dll 01CD GetThreadLocale 1 001D4458 kernel32.dll 01C9 GetTempPathA 1 001D445C kernel32.dll 01C7 GetTempFileNameA 1 001D4460 kernel32.dll 01BC GetSystemTime 1 001D4464 kernel32.dll 01B9 GetSystemInfo 1 001D4468 kernel32.dll 01B7 GetSystemDirectoryA 1 001D446C kernel32.dll 01B1 GetStringTypeExA 1 001D4470 kernel32.dll 01AF GetStdHandle 1 001D4474 kernel32.dll 01A8 GetProfileStringA 1 001D4478 kernel32.dll 0198 GetProcAddress 1 001D447C kernel32.dll 0194 GetPrivateProfileStringA 1 001D4480 kernel32.dll 018C GetOverlappedResult 1 001D4484 kernel32.dll 0176 GetModuleHandleA 1 001D4488 kernel32.dll 0174 GetModuleFileNameA 1 001D448C kernel32.dll 016C GetLocaleInfoA 1 001D4490 kernel32.dll 016B GetLocalTime 1 001D4494 kernel32.dll 0169 GetLastError 1 001D4498 kernel32.dll 0162 GetFullPathNameA 1 001D449C kernel32.dll 015C GetFileSize 1 001D44A0 kernel32.dll 0158 GetFileAttributesExA 1 001D44A4 kernel32.dll 0157 GetFileAttributesA 1 001D44A8 kernel32.dll 0154 GetExitCodeThread 1 001D44AC kernel32.dll 0153 GetExitCodeProcess 1 001D44B0 kernel32.dll 014C GetDriveTypeA 1 001D44B4 kernel32.dll 0146 GetDiskFreeSpaceA 1 001D44B8 kernel32.dll 0140 GetDateFormatA 1 001D44BC kernel32.dll 013F GetCurrentThreadId 1 001D44C0 kernel32.dll 013D GetCurrentProcessId 1 001D44C4 kernel32.dll 013C GetCurrentProcess 1 001D44C8 kernel32.dll 010E GetComputerNameA 1 001D44CC kernel32.dll 00FE GetCPInfo 1 001D44D0 kernel32.dll 00F7 GetACP 1 001D44D4 kernel32.dll 00F3 FreeResource 1 001D44D8 kernel32.dll 021E InterlockedIncrement 1 001D44DC kernel32.dll 021B InterlockedExchange 1 001D44E0 kernel32.dll 021A InterlockedDecrement 1 001D44E4 kernel32.dll 00F1 FreeLibrary 1 001D44E8 kernel32.dll 00EC FormatMessageA 1 001D44EC kernel32.dll 00E0 FindResourceA 1 001D44F0 kernel32.dll 00DA FindNextFileA 1 001D44F4 kernel32.dll 00D1 FindFirstFileA 1 001D44F8 kernel32.dll 00CD FindClose 1 001D44FC kernel32.dll 00C4 FileTimeToSystemTime 1 001D4500 kernel32.dll 00C3 FileTimeToLocalFileTime 1 001D4504 kernel32.dll 00C2 FileTimeToDosDateTime 1 001D4508 kernel32.dll 00A4 EnumResourceNamesA 1 001D450C kernel32.dll 0098 EnumCalendarInfoA 1 001D4510 kernel32.dll 0097 EnterCriticalSection 1 001D4514 kernel32.dll 0082 DeleteFileA 1 001D4518 kernel32.dll 0080 DeleteCriticalSection 1 001D451C kernel32.dll 006D CreateThread 1 001D4520 kernel32.dll 0063 CreateProcessA 1 001D4524 kernel32.dll 0062 CreatePipe 1 001D4528 kernel32.dll 0051 CreateFileMappingA 1 001D452C kernel32.dll 0050 CreateFileA 1 001D4530 kernel32.dll 004C CreateEventA 1 001D4534 kernel32.dll 0048 CreateDirectoryA 1 001D4538 kernel32.dll 0040 CopyFileA 1 001D453C kernel32.dll 0038 CompareStringA 1 001D4540 kernel32.dll 0032 CloseHandle FThunk: 001D4548 NbFunc: 00000001 1 001D4548 mpr.dll 003E WNetGetUserA FThunk: 001D4550 NbFunc: 00000003 1 001D4550 version.dll 000B VerQueryValueA 1 001D4554 version.dll 0002 GetFileVersionInfoSizeA 1 001D4558 version.dll 0001 GetFileVersionInfoA FThunk: 001D4560 NbFunc: 00000060 1 001D4560 gdi32.dll 0253 UnrealizeObject 1 001D4564 gdi32.dll 024A StretchBlt 1 001D4568 gdi32.dll 0249 StartPage 1 001D456C gdi32.dll 0246 StartDocA 1 001D4570 gdi32.dll 0244 SetWindowOrgEx 1 001D4574 gdi32.dll 0243 SetWindowExtEx 1 001D4578 gdi32.dll 0242 SetWinMetaFileBits 1 001D457C gdi32.dll 0240 SetViewportOrgEx 1 001D4580 gdi32.dll 023F SetViewportExtEx 1 001D4584 gdi32.dll 023D SetTextColor 1 001D4588 gdi32.dll 0239 SetStretchBltMode 1 001D458C gdi32.dll 0236 SetROP2 1 001D4590 gdi32.dll 0232 SetPixel 1 001D4594 gdi32.dll 022C SetMapMode 1 001D4598 gdi32.dll 0223 SetEnhMetaFileBits 1 001D459C gdi32.dll 0221 SetDIBitsToDevice 1 001D45A0 gdi32.dll 0220 SetDIBits 1 001D45A4 gdi32.dll 021F SetDIBColorTable 1 001D45A8 gdi32.dll 021A SetBrushOrgEx 1 001D45AC gdi32.dll 0217 SetBkMode 1 001D45B0 gdi32.dll 0216 SetBkColor 1 001D45B4 gdi32.dll 0211 SetAbortProc 1 001D45B8 gdi32.dll 0210 SelectPalette 1 001D45BC gdi32.dll 020F SelectObject 1 001D45C0 gdi32.dll 0208 SaveDC 1 001D45C4 gdi32.dll 0202 RoundRect 1 001D45C8 gdi32.dll 0201 RestoreDC 1 001D45CC gdi32.dll 01F7 Rectangle 1 001D45D0 gdi32.dll 01F6 RectVisible 1 001D45D4 gdi32.dll 01F4 RealizePalette 1 001D45D8 gdi32.dll 01EF Polyline 1 001D45DC gdi32.dll 01EE Polygon 1 001D45E0 gdi32.dll 01EB PolyPolyline 1 001D45E4 gdi32.dll 01E1 PlayEnhMetaFile 1 001D45E8 gdi32.dll 01DE PatBlt 1 001D45EC gdi32.dll 01D2 MoveToEx 1 001D45F0 gdi32.dll 01CF MaskBlt 1 001D45F4 gdi32.dll 01CE LineTo 1 001D45F8 gdi32.dll 01CC LPtoDP 1 001D45FC gdi32.dll 01C8 IntersectClipRect 1 001D4600 gdi32.dll 01C4 GetWindowOrgEx 1 001D4604 gdi32.dll 01C2 GetWinMetaFileBits 1 001D4608 gdi32.dll 01BD GetTextMetricsA 1 001D460C gdi32.dll 01B7 GetTextExtentPointA 1 001D4610 gdi32.dll 01B5 GetTextExtentPoint32A 1 001D4614 gdi32.dll 01AA GetSystemPaletteEntries 1 001D4618 gdi32.dll 01A6 GetStockObject 1 001D461C gdi32.dll 019D GetPixel 1 001D4620 gdi32.dll 019B GetPaletteEntries 1 001D4624 gdi32.dll 0196 GetObjectA 1 001D4628 gdi32.dll 0195 GetNearestPaletteIndex 1 001D462C gdi32.dll 0194 GetNearestColor 1 001D4630 gdi32.dll 018E GetMapMode 1 001D4634 gdi32.dll 0176 GetEnhMetaFilePaletteEntries 1 001D4638 gdi32.dll 0175 GetEnhMetaFileHeader 1 001D463C gdi32.dll 0173 GetEnhMetaFileDescriptionA 1 001D4640 gdi32.dll 0172 GetEnhMetaFileBits 1 001D4644 gdi32.dll 016C GetDeviceCaps 1 001D4648 gdi32.dll 016B GetDIBits 1 001D464C gdi32.dll 016A GetDIBColorTable 1 001D4650 gdi32.dll 0168 GetDCOrgEx 1 001D4654 gdi32.dll 0166 GetCurrentPositionEx 1 001D4658 gdi32.dll 0161 GetClipBox 1 001D465C gdi32.dll 0151 GetBrushOrgEx 1 001D4660 gdi32.dll 014B GetBitmapBits 1 001D4664 gdi32.dll 011C GdiFlush 1 001D4668 gdi32.dll 00DE ExtTextOutA 1 001D466C gdi32.dll 00DA ExtCreateRegion 1 001D4670 gdi32.dll 00D9 ExtCreatePen 1 001D4674 gdi32.dll 00D8 ExcludeClipRect 1 001D4678 gdi32.dll 0099 EndPage 1 001D467C gdi32.dll 0097 EndDoc 1 001D4680 gdi32.dll 0095 Ellipse 1 001D4684 gdi32.dll 0090 DeleteObject 1 001D4688 gdi32.dll 008E DeleteEnhMetaFile 1 001D468C gdi32.dll 008D DeleteDC 1 001D4690 gdi32.dll 0051 CreateSolidBrush 1 001D4694 gdi32.dll 004C CreateRectRgn 1 001D4698 gdi32.dll 0049 CreatePenIndirect 1 001D469C gdi32.dll 0048 CreatePen 1 001D46A0 gdi32.dll 0046 CreatePalette 1 001D46A4 gdi32.dll 0042 CreateICA 1 001D46A8 gdi32.dll 0040 CreateHalftonePalette 1 001D46AC gdi32.dll 003B CreateFontIndirectA 1 001D46B0 gdi32.dll 0038 CreateEnhMetaFileA 1 001D46B4 gdi32.dll 0034 CreateDIBitmap 1 001D46B8 gdi32.dll 0033 CreateDIBSection 1 001D46BC gdi32.dll 002F CreateDCA 1 001D46C0 gdi32.dll 002E CreateCompatibleDC 1 001D46C4 gdi32.dll 002D CreateCompatibleBitmap 1 001D46C8 gdi32.dll 002A CreateBrushIndirect 1 001D46CC gdi32.dll 0028 CreateBitmap 1 001D46D0 gdi32.dll 0024 CopyEnhMetaFileA 1 001D46D4 gdi32.dll 0022 CombineRgn 1 001D46D8 gdi32.dll 001D CloseEnhMetaFile 1 001D46DC gdi32.dll 0013 BitBlt FThunk: 001D46E4 NbFunc: 000000C4 1 001D46E4 user32.dll 0061 CreateWindowExA 1 001D46E8 user32.dll 02D6 WindowFromPoint 1 001D46EC user32.dll 02D3 WinHelpA 1 001D46F0 user32.dll 02D1 WaitMessage 1 001D46F4 user32.dll 02C6 ValidateRect 1 001D46F8 user32.dll 02BC UpdateWindow 1 001D46FC user32.dll 02B7 UnregisterHotKey 1 001D4700 user32.dll 02B4 UnregisterClassA 1 001D4704 user32.dll 02B0 UnionRect 1 001D4708 user32.dll 02AF UnhookWindowsHookEx 1 001D470C user32.dll 02AB TranslateMessage 1 001D4710 user32.dll 02AA TranslateMDISysAccel 1 001D4714 user32.dll 02A5 TrackPopupMenu 1 001D4718 user32.dll 029A SystemParametersInfoA 1 001D471C user32.dll 0293 ShowWindow 1 001D4720 user32.dll 0291 ShowScrollBar 1 001D4724 user32.dll 0290 ShowOwnedPopups 1 001D4728 user32.dll 028F ShowCursor 1 001D472C user32.dll 028E ShowCaret 1 001D4730 user32.dll 0285 SetWindowRgn 1 001D4734 user32.dll 028B SetWindowsHookExA 1 001D4738 user32.dll 0287 SetWindowTextA 1 001D473C user32.dll 0284 SetWindowPos 1 001D4740 user32.dll 0283 SetWindowPlacement 1 001D4744 user32.dll 0281 SetWindowLongA 1 001D4748 user32.dll 027B SetTimer 1 001D474C user32.dll 0271 SetScrollRange 1 001D4750 user32.dll 0270 SetScrollPos 1 001D4754 user32.dll 026F SetScrollInfo 1 001D4758 user32.dll 026D SetRect 1 001D475C user32.dll 026B SetPropA 1 001D4760 user32.dll 0267 SetParent 1 001D4764 user32.dll 0263 SetMenuItemInfoA 1 001D4768 user32.dll 025E SetMenu 1 001D476C user32.dll 025A SetKeyboardState 1 001D4770 user32.dll 0258 SetForegroundWindow 1 001D4774 user32.dll 0257 SetFocus 1 001D4778 user32.dll 024E SetCursor 1 001D477C user32.dll 024B SetClipboardData 1 001D4780 user32.dll 0248 SetClassLongA 1 001D4784 user32.dll 0247 SetCaretPos 1 001D4788 user32.dll 0245 SetCapture 1 001D478C user32.dll 0244 SetActiveWindow 1 001D4790 user32.dll 023C SendMessageA 1 001D4794 user32.dll 0236 ScrollWindowEx 1 001D4798 user32.dll 0235 ScrollWindow 1 001D479C user32.dll 0232 ScreenToClient 1 001D47A0 user32.dll 022D RemovePropA 1 001D47A4 user32.dll 022C RemoveMenu 1 001D47A8 user32.dll 022B ReleaseDC 1 001D47AC user32.dll 022A ReleaseCapture 1 001D47B0 user32.dll 021B RegisterClipboardFormatA 1 001D47B4 user32.dll 021F RegisterHotKey 1 001D47B8 user32.dll 021B RegisterClipboardFormatA 1 001D47BC user32.dll 0217 RegisterClassA 1 001D47C0 user32.dll 0216 RedrawWindow 1 001D47C4 user32.dll 020C PtInRect 1 001D47C8 user32.dll 0202 PostQuitMessage 1 001D47CC user32.dll 0200 PostMessageA 1 001D47D0 user32.dll 01FE PeekMessageA 1 001D47D4 user32.dll 01F4 OpenClipboard 1 001D47D8 user32.dll 01F3 OffsetRect 1 001D47DC user32.dll 01EF OemToCharA 1 001D47E0 user32.dll 01EB MsgWaitForMultipleObjects 1 001D47E4 user32.dll 01DD MessageBoxA 1 001D47E8 user32.dll 01DC MessageBeep 1 001D47EC user32.dll 01D8 MapWindowPoints 1 001D47F0 user32.dll 01D4 MapVirtualKeyA 1 001D47F4 user32.dll 01CD LockWindowUpdate 1 001D47F8 user32.dll 01C9 LoadStringA 1 001D47FC user32.dll 01C0 LoadKeyboardLayoutA 1 001D4800 user32.dll 01BC LoadIconA 1 001D4804 user32.dll 01B9 LoadCursorFromFileA 1 001D4808 user32.dll 01B8 LoadCursorA 1 001D480C user32.dll 01B6 LoadBitmapA 1 001D4810 user32.dll 01B3 KillTimer 1 001D4814 user32.dll 01B1 IsZoomed 1 001D4818 user32.dll 01B0 IsWindowVisible 1 001D481C user32.dll 01AD IsWindowEnabled 1 001D4820 user32.dll 01AC IsWindow 1 001D4824 user32.dll 01A9 IsRectEmpty 1 001D4828 user32.dll 01A7 IsIconic 1 001D482C user32.dll 01A1 IsDialogMessage 1 001D4830 user32.dll 01A0 IsClipboardFormatAvailable 1 001D4834 user32.dll 019F IsChild 1 001D4838 user32.dll 0198 IsCharAlphaNumericA 1 001D483C user32.dll 0197 IsCharAlphaA 1 001D4840 user32.dll 0194 InvalidateRect 1 001D4844 user32.dll 0193 IntersectRect 1 001D4848 user32.dll 018F InsertMenuItemA 1 001D484C user32.dll 018E InsertMenuA 1 001D4850 user32.dll 018B InflateRect 1 001D4854 user32.dll 0180 HideCaret 1 001D4858 user32.dll 017C GetWindowThreadProcessId 1 001D485C user32.dll 0178 GetWindowTextA 1 001D4860 user32.dll 0175 GetWindowRect 1 001D4864 user32.dll 0174 GetWindowPlacement 1 001D4868 user32.dll 016F GetWindowLongA 1 001D486C user32.dll 016D GetWindowDC 1 001D4870 user32.dll 0165 GetUpdateRect 1 001D4874 user32.dll 0164 GetTopWindow 1 001D4878 user32.dll 015E GetSystemMetrics 1 001D487C user32.dll 015D GetSystemMenu 1 001D4880 user32.dll 015C GetSysColorBrush 1 001D4884 user32.dll 015B GetSysColor 1 001D4888 user32.dll 015A GetSubMenu 1 001D488C user32.dll 0158 GetScrollRange 1 001D4890 user32.dll 0157 GetScrollPos 1 001D4894 user32.dll 0156 GetScrollInfo 1 001D4898 user32.dll 014B GetPropA 1 001D489C user32.dll 0146 GetParent 1 001D48A0 user32.dll 016B GetWindow 1 001D48A4 user32.dll 013E GetMessageTime 1 001D48A8 user32.dll 013D GetMessagePos 1 001D48AC user32.dll 0139 GetMenuStringA 1 001D48B0 user32.dll 0138 GetMenuState 1 001D48B4 user32.dll 0135 GetMenuItemInfoA 1 001D48B8 user32.dll 0134 GetMenuItemID 1 001D48BC user32.dll 0133 GetMenuItemCount 1 001D48C0 user32.dll 012D GetMenu 1 001D48C4 user32.dll 0129 GetLastActivePopup 1 001D48C8 user32.dll 0127 GetKeyboardState 1 001D48CC user32.dll 0124 GetKeyboardLayoutList 1 001D48D0 user32.dll 0123 GetKeyboardLayout 1 001D48D4 user32.dll 0122 GetKeyState 1 001D48D8 user32.dll 0120 GetKeyNameTextA 1 001D48DC user32.dll 011B GetIconInfo 1 001D48E0 user32.dll 0118 GetForegroundWindow 1 001D48E4 user32.dll 0117 GetFocus 1 001D48E8 user32.dll 0116 GetDoubleClickTime 1 001D48EC user32.dll 0112 GetDlgItem 1 001D48F0 user32.dll 010F GetDesktopWindow 1 001D48F4 user32.dll 010E GetDCEx 1 001D48F8 user32.dll 010D GetDC 1 001D48FC user32.dll 010C GetCursorPos 1 001D4900 user32.dll 0109 GetCursor 1 001D4904 user32.dll 0102 GetClipboardData 1 001D4908 user32.dll 0100 GetClientRect 1 001D490C user32.dll 00FD GetClassNameA 1 001D4910 user32.dll 00F7 GetClassInfoA 1 001D4914 user32.dll 00F6 GetCaretPos 1 001D4918 user32.dll 00F4 GetCapture 1 001D491C user32.dll 00F3 GetAsyncKeyState 1 001D4920 user32.dll 00EC GetActiveWindow 1 001D4924 user32.dll 00EA FrameRect 1 001D4928 user32.dll 00E5 FindWindowExA 1 001D492C user32.dll 00E4 FindWindowA 1 001D4930 user32.dll 00E3 FillRect 1 001D4934 user32.dll 00E2 ExitWindowsEx 1 001D4938 user32.dll 00E0 EqualRect 1 001D493C user32.dll 00DF EnumWindows 1 001D4940 user32.dll 00DC EnumThreadWindows 1 001D4944 user32.dll 00CD EnumClipboardFormats 1 001D4948 user32.dll 00C9 EndPaint 1 001D494C user32.dll 00C5 EnableWindow 1 001D4950 user32.dll 00C4 EnableScrollBar 1 001D4954 user32.dll 00C3 EnableMenuItem 1 001D4958 user32.dll 00C2 EmptyClipboard 1 001D495C user32.dll 00BD DrawTextA 1 001D4960 user32.dll 00B9 DrawMenuBar 1 001D4964 user32.dll 00B8 DrawIconEx 1 001D4968 user32.dll 00B7 DrawIcon 1 001D496C user32.dll 00B6 DrawFrameControl 1 001D4970 user32.dll 00B4 DrawFocusRect 1 001D4974 user32.dll 00B3 DrawEdge 1 001D4978 user32.dll 00A2 DispatchMessageA 1 001D497C user32.dll 009A DestroyWindow 1 001D4980 user32.dll 0098 DestroyMenu 1 001D4984 user32.dll 0096 DestroyCursor 1 001D4988 user32.dll 0096 DestroyCursor 1 001D498C user32.dll 0095 DestroyCaret 1 001D4990 user32.dll 0092 DeleteMenu 1 001D4994 user32.dll 008F DefWindowProcA 1 001D4998 user32.dll 008C DefMDIChildProcA 1 001D499C user32.dll 008A DefFrameProcA 1 001D49A0 user32.dll 005F CreatePopupMenu 1 001D49A4 user32.dll 005E CreateMenu 1 001D49A8 user32.dll 005A CreateIconFromResourceEx 1 001D49AC user32.dll 0058 CreateIcon 1 001D49B0 user32.dll 004F CreateCaret 1 001D49B4 user32.dll 004A CopyImage 1 001D49B8 user32.dll 0049 CopyIcon 1 001D49BC user32.dll 0043 CloseClipboard 1 001D49C0 user32.dll 0041 ClientToScreen 1 001D49C4 user32.dll 003D ChildWindowFromPoint 1 001D49C8 user32.dll 003A CheckMenuItem 1 001D49CC user32.dll 001C CallWindowProcA 1 001D49D0 user32.dll 001B CallNextHookEx 1 001D49D4 user32.dll 000E BeginPaint 1 001D49D8 user32.dll 002B CharNextA 1 001D49DC user32.dll 0028 CharLowerBuffA 1 001D49E0 user32.dll 0027 CharLowerA 1 001D49E4 user32.dll 0036 CharUpperBuffA 1 001D49E8 user32.dll 0031 CharToOemA 1 001D49EC user32.dll 0003 AdjustWindowRectEx 1 001D49F0 user32.dll 0001 ActivateKeyboardLayout FThunk: 001D49F8 NbFunc: 00000001 1 001D49F8 kernel32.dll 033F Sleep FThunk: 001D4A00 NbFunc: 00000008 1 001D4A00 oleaut32.dll 0094 SafeArrayPtrOfIndex 1 001D4A04 oleaut32.dll 0013 SafeArrayGetUBound 1 001D4A08 oleaut32.dll 0014 SafeArrayGetLBound 1 001D4A0C oleaut32.dll 000F SafeArrayCreate 1 001D4A10 oleaut32.dll 000C VariantChangeType 1 001D4A14 oleaut32.dll 000A VariantCopy 1 001D4A18 oleaut32.dll 0009 VariantClear 1 001D4A1C oleaut32.dll 0008 VariantInit FThunk: 001D4A24 NbFunc: 0000000F 1 001D4A24 ole32.dll 0093 CreateStreamOnHGlobal 1 001D4A28 ole32.dll 00D7 IsAccelerator 1 001D4A2C ole32.dll 00F7 OleDraw 1 001D4A30 ole32.dll 0113 OleSetMenuDescriptor 1 001D4A34 ole32.dll 0115 OleUninitialize 1 001D4A38 ole32.dll 00FE OleInitialize 1 001D4A3C ole32.dll 0066 CoTaskMemFree 1 001D4A40 ole32.dll 0065 CoTaskMemAlloc 1 001D4A44 ole32.dll 0117 ProgIDFromCLSID 1 001D4A48 ole32.dll 0143 StringFromCLSID 1 001D4A4C ole32.dll 0012 CoCreateInstance 1 001D4A50 ole32.dll 0024 CoGetClassObject 1 001D4A54 ole32.dll 006A CoUninitialize 1 001D4A58 ole32.dll 003C CoInitialize 1 001D4A5C ole32.dll 00D8 IsEqualGUID FThunk: 001D4A64 NbFunc: 00000003 1 001D4A64 oleaut32.dll 00C8 GetErrorInfo 1 001D4A68 oleaut32.dll 0023 GetActiveObject 1 001D4A6C oleaut32.dll 0006 SysFreeString FThunk: 001D4A74 NbFunc: 00000019 1 001D4A74 comctl32.dll 004F ImageList_SetIconSize 1 001D4A78 comctl32.dll 003B ImageList_GetIconSize 1 001D4A7C comctl32.dll 0052 ImageList_Write 1 001D4A80 comctl32.dll 0043 ImageList_Read 1 001D4A84 comctl32.dll 0038 ImageList_GetDragImage 1 001D4A88 comctl32.dll 0031 ImageList_DragShowNolock 1 001D4A8C comctl32.dll 004C ImageList_SetDragCursorImage 1 001D4A90 comctl32.dll 0030 ImageList_DragMove 1 001D4A94 comctl32.dll 002F ImageList_DragLeave 1 001D4A98 comctl32.dll 002E ImageList_DragEnter 1 001D4A9C comctl32.dll 0036 ImageList_EndDrag 1 001D4AA0 comctl32.dll 002A ImageList_BeginDrag 1 001D4AA4 comctl32.dll 003A ImageList_GetIcon 1 001D4AA8 comctl32.dll 0044 ImageList_Remove 1 001D4AAC comctl32.dll 0033 ImageList_DrawEx 1 001D4AB0 comctl32.dll 0032 ImageList_Draw 1 001D4AB4 comctl32.dll 0051 ImageList_SetOverlayImage 1 001D4AB8 comctl32.dll 0037 ImageList_GetBkColor 1 001D4ABC comctl32.dll 004B ImageList_SetBkColor 1 001D4AC0 comctl32.dll 0046 ImageList_ReplaceIcon 1 001D4AC4 comctl32.dll 0027 ImageList_Add 1 001D4AC8 comctl32.dll 003C ImageList_GetImageCount 1 001D4ACC comctl32.dll 002D ImageList_Destroy 1 001D4AD0 comctl32.dll 002C ImageList_Create 1 001D4AD4 comctl32.dll 0011 InitCommonControls FThunk: 001D4ADC NbFunc: 00000004 1 001D4ADC winspool.drv 0105 OpenPrinterA 1 001D4AE0 winspool.drv 00EA EnumPrintersA 1 001D4AE4 winspool.drv 00B1 DocumentPropertiesA 1 001D4AE8 winspool.drv 0086 ClosePrinter FThunk: 001D4AF0 NbFunc: 00000008 1 001D4AF0 shell32.dll 016D Shell_NotifyIcon 1 001D4AF4 shell32.dll 0167 ShellExecuteA 1 001D4AF8 shell32.dll 012B SHGetFileInfo 1 001D4AFC shell32.dll 010E SHAppBarMessage 1 001D4B00 shell32.dll 00D8 ExtractIconA 1 001D4B04 shell32.dll 008C DragQueryFile 1 001D4B08 shell32.dll 008B DragFinish 1 001D4B0C shell32.dll 008A DragAcceptFiles FThunk: 001D4B14 NbFunc: 00000005 1 001D4B14 shell32.dll 013C SHGetSpecialFolderLocation 1 001D4B18 shell32.dll 0138 SHGetPathFromIDList 1 001D4B1C shell32.dll 0136 SHGetMalloc 1 001D4B20 shell32.dll 0127 SHGetDesktopFolder 1 001D4B24 shell32.dll 0110 SHBrowseForFolder FThunk: 001D4B2C NbFunc: 00000002 1 001D4B2C comdlg32.dll 0070 GetSaveFileNameA 1 001D4B30 comdlg32.dll 006E GetOpenFileNameA FThunk: 001D4B38 NbFunc: 0000001C 1 001D4B38 wsock32.dll 0074 WSACleanup 1 001D4B3C wsock32.dll 0073 WSAStartup 1 001D4B40 wsock32.dll 006F WSAGetLastError 1 001D4B44 wsock32.dll 006C WSACancelAsyncRequest 1 001D4B48 wsock32.dll 006B WSAAsyncGetServByName 1 001D4B4C wsock32.dll 0067 WSAAsyncGetHostByName 1 001D4B50 wsock32.dll 0065 WSAAsyncSelect 1 001D4B54 wsock32.dll 0037 getservbyname 1 001D4B58 wsock32.dll 0034 gethostbyname 1 001D4B5C wsock32.dll 0017 socket 1 001D4B60 wsock32.dll 0015 setsockopt 1 001D4B64 wsock32.dll 0013 send 1 001D4B68 wsock32.dll 0012 select 1 001D4B6C wsock32.dll 0010 recv 1 001D4B70 wsock32.dll 0009 htons 1 001D4B74 wsock32.dll 000D listen 1 001D4B78 wsock32.dll 000C ioctlsocket 1 001D4B7C wsock32.dll 000B inet_ntoa 1 001D4B80 wsock32.dll 000A inet_addr 1 001D4B84 wsock32.dll 0009 htons 1 001D4B88 wsock32.dll 0008 htonl 1 001D4B8C wsock32.dll 0007 getsockopt 1 001D4B90 wsock32.dll 0006 getsockname 1 001D4B94 wsock32.dll 0005 getpeername 1 001D4B98 wsock32.dll 0004 connect 1 001D4B9C wsock32.dll 0003 closesocket 1 001D4BA0 wsock32.dll 0002 bind 1 001D4BA4 wsock32.dll 0001 accept FThunk: 001D4BAC NbFunc: 0000001F 1 001D4BAC winmm.dll 00CF waveOutWrite 1 001D4BB0 winmm.dll 00CE waveOutUnprepareHeader 1 001D4BB4 winmm.dll 00C9 waveOutReset 1 001D4BB8 winmm.dll 00C8 waveOutPrepareHeader 1 001D4BBC winmm.dll 00C6 waveOutOpen 1 001D4BC0 winmm.dll 00C3 waveOutGetPosition 1 001D4BC4 winmm.dll 00AD waveInGetErrorTextA 1 001D4BC8 winmm.dll 00BC waveOutGetDevCapsW 1 001D4BCC winmm.dll 00BB waveOutGetDevCapsA 1 001D4BD0 winmm.dll 00BA waveOutClose 1 001D4BD4 winmm.dll 00B8 waveInUnprepareHeader 1 001D4BD8 winmm.dll 00B7 waveInStop 1 001D4BDC winmm.dll 00B6 waveInStart 1 001D4BE0 winmm.dll 00B5 waveInReset 1 001D4BE4 winmm.dll 00B4 waveInPrepareHeader 1 001D4BE8 winmm.dll 00B3 waveInOpen 1 001D4BEC winmm.dll 00B1 waveInGetPosition 1 001D4BF0 winmm.dll 00AD waveInGetErrorTextA 1 001D4BF4 winmm.dll 00AC waveInGetDevCapsW 1 001D4BF8 winmm.dll 00AB waveInGetDevCapsA 1 001D4BFC winmm.dll 00AA waveInClose 1 001D4C00 winmm.dll 00A9 waveInAddBuffer 1 001D4C04 winmm.dll 00A8 timeSetEvent 1 001D4C08 winmm.dll 00A7 timeKillEvent 1 001D4C0C winmm.dll 00A4 timeGetDevCaps 1 001D4C10 winmm.dll 00A3 timeEndPeriod 1 001D4C14 winmm.dll 00A2 timeBeginPeriod 1 001D4C18 winmm.dll 009F sndPlaySoundA 1 001D4C1C winmm.dll 000F SendDriverMessage 1 001D4C20 winmm.dll 000B OpenDriver 1 001D4C24 winmm.dll 0003 CloseDriver FThunk: 001D4C2C NbFunc: 00000013 1 001D4C2C msacm32.dll 002C acmStreamUnprepareHeader 1 001D4C30 msacm32.dll 0029 acmStreamPrepareHeader 1 001D4C34 msacm32.dll 0026 acmStreamConvert 1 001D4C38 msacm32.dll 002A acmStreamReset 1 001D4C3C msacm32.dll 002B acmStreamSize 1 001D4C40 msacm32.dll 0025 acmStreamClose 1 001D4C44 msacm32.dll 0028 acmStreamOpen 1 001D4C48 msacm32.dll 0017 acmFormatChooseA 1 001D4C4C msacm32.dll 001D acmFormatSuggest 1 001D4C50 msacm32.dll 001B acmFormatEnumA 1 001D4C54 msacm32.dll 0020 acmFormatTagEnumA 1 001D4C58 msacm32.dll 0006 acmDriverDetailsW 1 001D4C5C msacm32.dll 0005 acmDriverDetailsA 1 001D4C60 msacm32.dll 0009 acmDriverMessage 1 001D4C64 msacm32.dll 0004 acmDriverClose 1 001D4C68 msacm32.dll 000A acmDriverOpen 1 001D4C6C msacm32.dll 0007 acmDriverEnum 1 001D4C70 msacm32.dll 0024 acmMetrics 1 001D4C74 msacm32.dll 0022 acmGetVersion FThunk: 001D4C7C NbFunc: 00000006 1 001D4C7C ws2_32.dll 003C WSAIoctl 1 001D4C80 ws2_32.dll 0039 gethostname 1 001D4C84 ws2_32.dll 0034 gethostbyname 1 001D4C88 ws2_32.dll 000C inet_ntoa 1 001D4C8C ws2_32.dll 0074 WSACleanup 1 001D4C90 ws2_32.dll 0073 WSAStartup FThunk: 001D4C98 NbFunc: 00000001 1 001D4C98 imagehlp.dll 0004 CheckSumMappedFile FThunk: 001D4CA0 NbFunc: 00000001 1 001D4CA0 kernel32.dll 0264 MulDiv 2006-9-13 14:11 0
djog 雪币： 206 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 61 粉丝 0 关注私信	djog 20 楼晕啊..楼上的发这个是什么啊?? 希望你真的想说的话.能说说方法吗?? 我也正在脱PELOCK的脱.实在是............. 希望各位路过高手能指点一二. 2006-11-30 22:36 0
scship 雪币： 212 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 217 粉丝 1 关注私信	scship 21 楼其实。。。PELock1.0x我脱过。。。找到oep后不会修复函数发帖也没有人理我。。。你们不信在外面还有我的贴浮着。。。不会修复函数 2006-12-1 00:25 0
笨笨雄雪币： 846 活跃值： (221) 能力值： (RANK：570 ) 在线值：发帖 212 回帖 3620 粉丝 21 关注私信	笨笨雄 14 22 楼找到OEP不叫脱壳，找OEP就能脱掉的壳叫压缩壳那种东西，基本都是直接秒杀的从STOLEN CODE=>IAT加密=>sdk=>VM 看雪的精华，我看很多了，暂时只知道高手都在VM上下工夫 IAT加密已经很简单了，最初我碰到这个的时候也迷茫了一天。不过假如你有认真看高手的脱文，你自己也认真分析一遍该壳，要理解那些脱文其实并不难。我花了一天，大概就2到3小时，你在外面发贴，还要等多久呢？就算有人回答你问题，你也不过等于再看多一次脱文而已。该是不懂的还是不懂。高手写脱文是为了让大家遇到同样的壳，分析起来的时候有章可寻。并不是写了让新人一步一步跟着做的。假如不懂分析代码，根本就没有意义。汇编代码就在那里，跟做成动画教程没有任何关系。那段代码有什么功能？高手在文章里已经解释得够明白的了。还是授人以鱼和授人以渔的问题了。你想渔还是鱼？ 2006-12-1 01:24 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复