Hex-Rays
http://www.hex-rays.com/products.shtml
操作视频:
http://hexblog.com/decompilation/video/vd1.swf
比对效果:
http://www.hex-rays.com/compare.shtml
产生VC实例代码:
http://www.hex-rays.com/files/hexrays_listing.zip
[code]
/* This file has been generated by the vD decompiler.
Copyright (c) 2007 Hex-Rays.Com <ig@hexblog.com>
Detected compiler: Unknown
*/
#include <windows.h>
#include <defs.h>
//-------------------------------------------------------------------------
// Data declarations
extern _UNKNOWN GUI__getHwndOfProcessListView;
extern _UNKNOWN GUI__addColumnsToProcessListViewControl;
extern _UNKNOWN GUI__getHwndOfModuleListView;
extern _UNKNOWN GUI__addColumnsToModuleListViewControl;
extern _UNKNOWN dlg__mainWndProc;
extern _UNKNOWN dlg__aboutBox; // idb
extern _UNKNOWN dlg__bhramaServer; // idb
extern _UNKNOWN dlg__mainOptions; // idb
extern _UNKNOWN dlg__chooseUnpacker; // idb
extern _UNKNOWN dlg__unpackerStatus; // idb
extern _UNKNOWN dlg__partialDumpFromContextMenu; // idb
extern _UNKNOWN init__windows_initializationCrap;
extern _UNKNOWN main;
extern _UNKNOWN oSSPECIFIC__module32FirstStubViaPSAPI;
extern int (__stdcall *firstProcessFunctionTable)(int); // weak
extern int (__stdcall *nextProcessFunctionTable)(int); // weak
extern int (__stdcall *firstModuleFunctionTable)(int,int); // weak
extern int (__stdcall *nextModuleFunctionTable)(int); // weak
extern int (*loadImportsFunctionTable)(); // weak
extern _UNKNOWN script__look;
extern _UNKNOWN tracer__handleScriptBreakpoint;
extern char aKernel32_dll_2[]; // idb
extern char aGetcurrentpr_0[]; // idb
extern char aClientQueryAboutPid0x[27]; // weak
extern char a00000000_[12]; // weak
extern char aProcess0x[10]; // weak
extern char a00000000WillBe[27]; // weak
extern char aRawDumpForProcess0x[23]; // weak
extern char a00000000__0[12]; // weak
extern char aName[5]; // weak
extern char aVirtualOffset[15]; // weak
extern char aVirtualSize[13]; // weak
extern char aRawOffset[11]; // weak
extern char aRawSize[9]; // weak
extern char aCharacteristic[16]; // weak
extern _UNKNOWN ClassName; // idb
extern int dword_40A0BB; // weak
extern int dword_40A0BF; // weak
extern char aTooManySection[]; // idb
extern struct tagOFNA openfilestruct; // idb
extern int firstLvItem__mask; // weak
extern int firstLvItem__iItem; // weak
extern int firstLvItem__iSubItem; // weak
extern int firstLvItem__lpszText; // weak
extern int firstLvItem__cchTextMax; // weak
extern HWND GUI__hwndOfProcessListView; // idb
extern int GUI__currentiItemInProcessListView; // weak
extern HWND GUI__hwndOfModuleListView; // idb
extern int GUI__currentiItemInModuleListView; // weak
extern HWND GUI__hwndOfSectionEditorListView; // idb
extern int GUI__currentiItemInSectionEditorListView; // weak
extern char aSelectFilename[30]; // weak
extern char aUnknown[10]; // weak
extern char aSelectDataToIm[35]; // weak
extern char aProcdumpPeEdit[19]; // weak
extern char aSectionSucce_0[35]; // weak
extern char aSectionSuccess[36]; // weak
extern char aFileAccessErro[]; // idb
extern char aErrorWhileAcce[]; // idb
extern _UNKNOWN Caption; // idb
extern _UNKNOWN aThisProcessCan; // idb
extern char aTaskSuccessful[]; // idb
extern char Text[]; // idb
extern char aProcdumpRebuil[]; // idb
extern char aFileSuccessful[]; // idb
extern char aProcdumpUnpack[]; // idb
extern char aCancelCurrentU[]; // idb
extern char aTerminatingThr[25]; // weak
extern char aBhramaServer0_[60]; // weak
extern char aInternalCodeIn[191]; // weak
extern char a00000000h00000[]; // idb
extern char aMzr[4708]; // weak
extern LOGFONTA byte_40B837; // idb
extern const CHAR randomizedClassName; // idb
extern WNDCLASSEXA stru_40B898; // idb
extern char weHaveSavedOrOpened; // weak
extern const CHAR KeyName; // idb
extern _UNKNOWN unk_40B8DD; // weak
extern char Default[]; // idb
extern char a000[]; // idb
extern char aStealth[]; // idb
extern char LibFileName[]; // idb
extern char ProcName[]; // idb
extern char aCloseproc[]; // idb
extern char aReadmemory[]; // idb
extern char aWritememory[]; // idb
extern char aOpenprocess[]; // idb
extern char aClosehandle[]; // idb
extern char aReadprocessmem[]; // idb
extern char aWriteprocessme[]; // idb
extern char ModuleName[]; // idb
extern char aBhrama[]; // idb
extern char aCaption[]; // idb
extern char aIndex[]; // idb
extern char aOptions_0[]; // idb
extern char aOptl[]; // idb
extern char String[]; // idb
extern char aBhramaServer[]; // idb
extern char a__0[]; // idb
extern char aVxdbody_vxd[13]; // weak
extern char PrefixString[]; // idb
extern void VXDINIT__exportPositionOfOpenProcess; // idb
extern int VXDINIT__currentProcess; // weak
extern int VXDINIT__moduleHandleOfK32; // weak
extern int VXDINIT__procAddressOfGetCurrentProcessID; // weak
extern int VXDINIT__exportPositionOfProcess32Next; // weak
extern DWORD nInBufferSize; // idb
extern void OutBuffer; // idb
extern struct _OVERLAPPED Overlapped; // idb
extern HANDLE hDevice; // idb
extern DWORD BytesReturned; // idb
extern char a_[]; // idb
extern CHAR pathToProcdumpExecutable; // idb
extern char aKernel32_dll_0[]; // idb
extern char aOpenprocess_0[12]; // weak
extern char aGetcurrentproc[]; // idb
extern char aProcess32next[14]; // weak
extern char aLockmem[8]; // weak
extern char aProcdump32Fata[]; // idb
extern char aCanTInitialize[]; // idb
extern char aCanTObtainEsse[]; // idb
extern char a0123456789abcdef[17]; // weak
extern _UNKNOWN APIasmStub; // weak
extern char REBIT__nameOfIdataSection[7]; // weak
extern int REBIT__VSizeOfIdataSection; // weak
extern int REBIT__RVAofIdataSection; // weak
extern int REBIT__RawSizeOfIdataSection; // weak
extern int REBIT__RawAddrOfIdataSection; // weak
extern char aKernel32_dll_1[]; // idb
extern char aProcess32first[]; // idb
extern char aProcess32nex_0[]; // idb
extern char aCreatetoolhelp[]; // idb
extern char aModule32first[]; // idb
extern char aModule32next[]; // idb
extern char aPsapi_dll[]; // idb
extern char aEnumprocesses[]; // idb
extern char aEnumprocessmod[]; // idb
extern char aGetmodulefilen[]; // idb
extern char aGetmodulebasen[]; // idb
extern char aGetmoduleinfor[]; // idb
extern _UNKNOWN aTemp_; // idb
extern char a?0123456789abc[19]; // weak
extern char script__LineToReadFromScriptDOTIni[]; // idb
extern _UNKNOWN cc_int3; // weak
extern const CHAR Directory; // idb
extern char Operation[]; // idb
extern char aPleaseSelectTh[34]; // weak
extern char aProcdumpReques[]; // idb
extern const CHAR aShouldWeDumpNowEip0x[]; // idb
extern char a00000000?[12]; // weak
extern _UNKNOWN a00ScriptEvalua;
extern char aPleaseHitOkWhe[50]; // weak
extern char aUseActualEipAs[]; // idb
extern char CODESHOT__aUnpackedWithProcdump[243]; // weak
extern int CODESHOT__lengthOfUnpackedByBanner; // weak
extern char aPredumpingFile[22]; // weak
extern char (*tracerMessages)[24]; // weak
extern char aReg[]; // idb
extern char aDr0[6]; // weak
extern char a00000000[]; // idb
extern char dlg__changesSaveType; // weak
extern char byte_40C73D; // weak
extern DWORD NumberOfBytesRead; // idb
extern HWND hWnd; // idb
extern int currentSectionBeingProcessed; // weak
extern HWND tempHwnd; // idb
extern char fileNameFromCannedDialog[]; // idb
extern CHAR sz; // idb
extern char byte_40C8DE[248]; // weak
extern char copyOfScriptINIOptions[20]; // weak
extern CHAR ReturnedString; // idb
extern char byte_40C9F2[248]; // weak
extern char setToOneWhenUnpackingIsCancelled; // weak
extern int setToZeroByWindowsComponentOfFullDumpingCode; // weak
extern char byte_40CAEF[8]; // weak
extern int dword_40CAF7; // weak
extern int dword_40CB07[3]; // weak
extern char byte_40CB13[260]; // weak
extern char byte_40CC17[4]; // weak
extern int dword_40CC1B; // weak
extern int dword_40CC2F; // weak
extern int dword_40CC33; // weak
extern char byte_40CD37[260]; // weak
extern int dword_40CE3B; // weak
extern int dword_40CE3F; // weak
extern DWORD ThreadId; // idb
extern HANDLE hThread; // idb
extern HMODULE hLibModule; // idb
extern char haveWeLoadedALibrary; // weak
extern const CHAR FileName; // idb
extern HINSTANCE hInstance; // idb
extern HWND GENERAL__MainHWND; // idb
extern int GENERAL__dwPlatformId; // weak
extern LPVOID lpBuffer; // idb
extern WPARAM lpLogFont; // idb
extern int GENERAL__StealthEnabledBool; // weak
extern HMODULE init__hModuleForExportingDLL; // idb
extern int (__cdecl *imported__openProcAddr)(_DWORD,_DWORD,_DWORD,_DWORD,_DWORD); // idb
extern int (__cdecl *imported__closeProcAddr)(_DWORD,_DWORD); // idb
extern int (__cdecl *imported__readMemory)(_DWORD,_DWORD,_DWORD,_DWORD,_DWORD); // idb
extern int imported__writeMemory; // weak
extern DWORD optionsAssociatedWithScriptDOTINI; // idb
extern char opt_predumpAfterThisTime; // weak
extern char opt_BOOLpredumpDelay; // weak
extern char opt_ignoreFaults; // weak
extern char opt_eipConfirmation; // weak
extern char opt_multipleLayerConfirmation; // weak
extern char opt_traceAPI; // weak
extern char opt_recomputeObjectSize; // weak
extern char opt_optimizePEStructure; // weak
extern char opt_rebuildRelocs; // weak
extern char opt_rebuildHeader; // weak
extern char opt_iatRebuildType; // weak
extern char opt_forcerawmode; // weak
extern char opt_onesection; // weak
extern char opt_checkHeaderSections; // weak
extern char byte_40D04B; // weak
extern char stealthKeyFromScriptDotIni[]; // idb
extern const CHAR WindowName; // idb
extern char nameOfBrahamaServerWindow[]; // idb
extern DWORD NumberOfBytesWritten; // idb
extern const CHAR REBIT__nameOfDll; // idb
extern const CHAR REBIT__nameOfAPI__verify; // idb
extern LPSTR REBIT__memoryWithDLLNamesAndBaseAddresses; // idb
extern int REBIT__memory100hBytesPerModule; // weak
extern int REBIT__memoryDLLandIATinformation; // weak
extern char REBIT__nameOfAPI[255]; // weak
extern char byte_40D487[28]; // weak
extern int dword_40D4A3; // weak
extern char byte_40D4A7[256]; // weak
extern char byte_40D5A7[260]; // weak
extern int PE__PeHeaderRVA; // weak
extern int PE__sectionHeadersRVA; // weak
extern LONG PE__rvaOfImportInfosFromDataDirectory; // idb
extern int PE__numberOfSections; // weak
extern int DUMP__PIDofTheFileThatWeAreDumping; // weak
extern DWORD PE__sizeOfImportInformation; // idb
extern int tracer__RVAOfEntryPoint; // weak
extern LPCVOID tracer__rvaOfEntryPointSection; // idb
extern int tracer__virtualSizeOfEntryPointSection; // weak
extern LPCVOID tracer__lpBaseAddress; // idb
extern int tracer__processEIPRelativeAddress; // weak
extern int PE__locationOfImportInformationWithinExeHeader; // weak
extern int PE__sizeOfAllSections; // weak
extern int PE__sizeOfHeaders; // weak
extern int tracer__sectionThatContainsEIP; // weak
extern char DUMP__pathAndNameOfFileThatWeAreDumping[256]; // weak
extern int exportInfo_imageBase; // weak
extern int exportinfo_couldImageBaseBeFound; // weak
extern int exportInfo_exportOrdinalBase; // weak
extern int exportInfo_memBase; // weak
extern DWORD byte_40D847; // idb
extern int REBIT__numberOfIDTs; // weak
extern int GENERAL__memoryTemporaryEXEHeader; // weak
extern LONG REBIT__rvaOfIAT; // idb
extern HANDLE REBIT__sizeOfIAT; // idb
extern HANDLE hFile; // idb
extern DWORD nNumberOfBytesToRead; // idb
extern int REBIT__210hStruct; // weak
extern int REBIT__NumberOfFirstThunkLists; // weak
extern int REBIT__currentPositionWithinImportSectionInMemory; // weak
extern int REBIT__TempSemaphore; // weak
extern int REBIT__memblockForIAT; // weak
extern int REBIT__numberOfModules; // weak
extern int REBIT__BeyondAPICALLStub; // weak
extern int REBIT__LenInSectionAfterAPICallStub; // weak
extern int REBIT__HaveWeCopiedNewIAT; // weak
extern int REBIT__SizeThatTheIdataSectionGrew; // weak
extern int REBIT__RVAofIdataSectionHeaderVSIZEField; // weak
extern char byte_40D8B0[8192]; // weak
extern int dword_40F8B0[]; // idb
extern char module__aFileName[256]; // weak
extern int (__cdecl *process32FirstAddr)(_DWORD,_DWORD); // idb
extern int (__cdecl *process32NextAddr)(_DWORD,_DWORD); // idb
extern int (__cdecl *createToolHelp32SnapshotAddr)(_DWORD,_DWORD); // idb
extern int (__cdecl *module32FirstAddr)(_DWORD,_DWORD); // idb
extern int (__cdecl *module32NextAddr)(_DWORD,_DWORD); // idb
extern int (__stdcall *enumProcessesAddr)(_DWORD,_DWORD); // idb
extern int (__stdcall *enumProcessModulesAddr)(_DWORD,_DWORD,_DWORD,_DWORD); // idb
extern int (__stdcall *getModuleFileNameExAAddr)(_DWORD,_DWORD,_DWORD,_DWORD); // idb
extern int (*getModuleBaseNameExAAddr)(void); // idb
extern int (__stdcall *getModuleInformationAddr)(_DWORD,_DWORD,_DWORD,_DWORD); // idb
extern HMODULE hmodForPSAPI; // idb
extern HANDLE hmodForK32; // idb
extern HANDLE MODULE__openProcessAddr; // idb
extern int dword_4119E4; // weak
extern int dword_4119E8; // weak
extern _UNKNOWN processSnapshot; // idb
extern _UNKNOWN toolHelpSnapShotAddr; // idb
extern int oSSPECIFIC__osInfo; // weak
extern _UNKNOWN unk_4119F8; // weak
extern int dword_4119FC; // weak
extern int dword_411A00; // weak
extern char byte_411A04[24]; // weak
extern int module__sizeOfImage; // weak
extern int module__imageBase; // weak
extern char byte_411A24[256]; // weak
extern char byte_411B24[260]; // weak
extern char byte_411C28[8]; // weak
extern int dword_411C30; // weak
extern char byte_411C4C[260]; // weak
extern struct _OSVERSIONINFOA stru_411D50; // idb
extern int tracer__processBaseAddress2; // weak
extern _UNKNOWN tracer__processBaseAddress; // idb
extern DWORD tracer__sizeOfImage_ofProcess; // idb
extern char script__isScriptFinishedExecuting; // weak
extern char script__currentLineWithin; // weak
extern LPVOID lpAddressOfBreakPoint; // idb
extern const CHAR AppName; // idb
extern const CHAR GENERAL__pathAndFileNameOfScriptDotIni; // idb
extern CONTEXT context_struc; // idb
extern _UNKNOWN tracer__memBlock; // idb
extern DWORD dword_412450; // idb
extern int tracer__Status; // weak
extern DWORD flOldProtect; // idb
extern char byte_412460[256]; // weak
extern char script__returnedStringFromGetPrivateProfileStringA[]; // idb
extern _UNKNOWN byte_412860; // idb
//-------------------------------------------------------------------------
// Function declarations
_DWORD __stdcall GUI__putWindowInMiddleOfScreen(HWND hWnd); // weak
_DWORD __stdcall GUI__getHwndOfListInChooseUnpackerDialog(HWND hDlg,_DWORD nIDDlgItem); // weak
_DWORD __stdcall GUI__findWhichPackerWasSeletedFromChooseUnpackerDialog(LPARAM lParam); // weak
_DWORD __stdcall GUI__addStringToChooseUnpackerList(LPARAM lParam); // weak
void __cdecl GUI__deleteAllItemsInProcessListView();
_DWORD __stdcall GUI__insertItemInProcessListView(_DWORD); // weak
_DWORD __stdcall GUI__setItemInProcessListView(_DWORD,_DWORD,_DWORD); // weak
void __cdecl GUI__deleteAllItemsInModuleListView();
_DWORD __stdcall GUI__insertItemInModuleListView(_DWORD); // weak
_DWORD __stdcall GUI__setItemInModuleListView(_DWORD,_DWORD,_DWORD); // weak
_DWORD __stdcall GUI__getHwndOfSectionEditorListView(HWND hDlg,_DWORD nIDDlgItem); // weak
void __cdecl GUI__deleteAllItemsInSectionEditorListView();
_DWORD __stdcall GUI__insertColumnInSectionEditorListView(_DWORD,_DWORD); // weak
_DWORD __stdcall GUI__insertItemInSectionEditorListView(_DWORD); // weak
_DWORD __stdcall GUI__setItemInSectionEditorListView(_DWORD,_DWORD,_DWORD); // weak
signed int __stdcall GUI__findWhichItemWasSeletedInListView(HWND hWnd);
_DWORD __stdcall GUI__getDlgItemStub(HWND hDlg,_DWORD nIDDlgItem); // weak
_DWORD __stdcall GUI__setTextOfglobvarGDIS(LPARAM lParam,_DWORD); // weak
__int64 __fastcall GUI__setNumberOfTracedLinesInUnpackerStatusBox(__int64 a1,int a2,int a3,LPCSTR lpString);
__int64 __fastcall GUI__setScriptEIPInUnpackerStatusBox(__int64 a1,int a2,int a3,LPCSTR lpString);
__int64 __fastcall GUI__setWindowInsetTextStub(__int64 a1,int a2,int a3,LPARAM a4,int a5);
BOOL __stdcall GUI__cannedSaveFile(int defaultFileToSave);
BOOL __stdcall GUI__cannedOpenFile(CHAR *defaultFileToOpen,const CHAR *titleOfOpenDialog);
__int64 __fastcall GUI__writeProcessInfosToMainListView(__int64 a1,int a2,int a3,LPSTR lpsz,int a5,int a6,int a7,int a8);
__int64 __fastcall GUI__addModuleToListView(__int64 a1,int a2,int a3,LPSTR lpsz,int a5,int a6,int a7);
__int64 __fastcall GUI__setAboutBoxInset(__int64 a1,int a2,int a3,HWND hDlg);
__int64 __fastcall GUI__initializeBrahmaServerWindow(__int64 a1,int a2,int a3,HWND hDlg);
_DWORD __stdcall GUI__initializeMainWindow(_DWORD); // weak
__int64 __fastcall GENERAL__confirmAndKillProcess(__int64 a1,int a2,int a3,HWND hWnd);
// void *__userpurge STUB__dumpTask_full<eax>(int a1<edx>,int a2<ecx>,int a3<ebx>,int a4<edi>,HWND a5,int a6,int a7,DWORD a8);
// void *__userpurge dump__dumpTask_partial<eax>(DWORD a1<eax>,int a2<ecx>,int a3<ebx>,HWND a4,const void *a5,unsigned __int32 a6);
// void *__userpurge STUB__fullDumpModule<eax>(int a1<ebx>,HWND a2);
// int __userpurge brahma__clientDumpTask<eax>(int a1<ebx>,int a2<edi>,HWND hDlg,int a4,int a5,const void *a6);
// __int64 __userpurge STUB__fullDumpProcess<edx:eax>(int a1<ecx>,int a2<ebx>,int a3<edi>,HWND a4);
__int64 __fastcall dlg__fillPartialDumpDialogFromProcess(__int64 a1,int a2,int a3,int a4);
__int64 __fastcall dlg__fillPartialDumpDialogFromModule(__int64 a1,int a2,int a3,int a4);
__int64 __fastcall dlg__fillEditBoxesInPartialDumpTaskDialog(__int64 a1,int a2,int a3,HWND hDlg,int a5,int a6);
// __int64 __userpurge dlg__fullDumpTaskGUIStub<edx:eax>(__int64 a1<edx:eax>,int a2<ebx>,int a3<edi>,HWND hWnd);
// __int64 __userpurge dlg__partialDumpTaskGUIStub<edx:eax>(__int64 a1<edx:eax>,int a2<ebx>,HWND hWnd);
// __int64 __usercall GENERAL__rebuildPeFunction<edx:eax>(__int64 a1<edx:eax>,int a2<ebx>);
__int64 __fastcall dlg__processInfosFunction(__int64 a1);
__int64 __fastcall GENERAL__peEditorFunction(__int64 a1);
__int64 __fastcall GUI__fillProcessListViewControl(__int64 a1,int a2,int a3,int a4);
__int64 __fastcall GUI__fillModuleListViewControl(__int64 a1,int a2,int a3,WPARAM wParam);
__int64 __fastcall dlg__readFromFileIntoSection(__int64 a1,int a2,int a3,HWND hWnd);
__int64 __fastcall dlg__saveSectionToFile(__int64 a1,int a2,int a3,HWND hWnd);
void __cdecl GUI__addSectionInfosToSectionEditorListviewControl();
__int64 __fastcall GUI__fillBanksInStructureEditorDialog(__int64 a1,int a2,int a3,HWND hDlg);
__int64 __fastcall dlg__updateMemoryFromStructureEditor(__int64 a1,int a2,int a3,HWND hDlg);
__int64 __fastcall dlg__fillSectionDialogBanks(__int64 a1,int a2,int a3,HWND hDlg);
__int64 __fastcall dlg__updatePEinMemoryFromSectionDialog(__int64 a1,int a2,int a3,HWND hDlg);
__int64 __fastcall dlg__fillBanksInDataDirectoryDialog(__int64 a1,int a2,int a3,HWND hDlg);
__int64 __fastcall dlg__updateMemoryFromDataDirectoryDialog(__int64 a1,int a2,int a3,HWND hDlg);
__int64 __fastcall dlg__fillChooseUnpackerDialogFromScriptDOTIni(__int64 a1,int a2,int a3,HWND a4);
void __cdecl dlg__restoreReadOptions();
void __cdecl dlg__backupReadOptions();
__int64 __fastcall dlg__getOptionsFromScriptDOTIniAssociatedWithUnpacker(__int64 a1);
__int64 __fastcall dlg__getChosenPackerFromUnpackerListDialog(__int64 a1,int a2,int a3,HWND hDlg);
DWORD __stdcall dlg__cancelUnpacking(HWND hDlg);
int __stdcall THREAD__startTracer(LPVOID a1); // idb
__int64 __fastcall dlg__initializeUnpackerStatusDialogBox(__int64 a1,int a2,int a3,HWND a4);
__int64 __fastcall dlg__initializeOptionsOnDialog(__int64 a1,int a2,int a3,HWND hDlg);
__int64 __fastcall dlg__okPressedOnOptionsDialog(__int64 a1,int a2,int a3,HWND hDlg);
__int64 __fastcall dlg__setRandomizedClassNameAsTitleOfUnpackerStatusWindow(__int64 a1,int a2,int a3,HWND hWnd);
__int32 __stdcall dlg__displayContextMenu(HWND a1,HWND hWnd,unsigned int a3,HMENU hMenu);
signed int __fastcall dlg__wm_notify__callback(int a1,int a2,WPARAM a3,int a4);
int __fastcall dlg__structureEditor(int result,int a2,HWND a3,HWND a4,UINT a5,WPARAM a6,LPARAM a7); // idb
signed int __stdcall dlg__createNewSectionFromDialog(HWND hWnd);
BOOL __stdcall dlg__addSection(HWND,UINT,WPARAM,LPARAM); // idb
BOOL __stdcall dlg__sectionContextMenuFunc(HWND,UINT,WPARAM,LPARAM); // idb
BOOL __stdcall dlg__editSection(HWND,UINT,WPARAM,LPARAM); // idb
BOOL __stdcall dlg__directoryEditor(HWND,UINT,WPARAM,LPARAM); // idb
signed int __stdcall nTKMD__createServiceStub(SC_HANDLE hSCManager,LPCSTR lpDisplayName,LPCSTR lpBinaryPathName);
signed int __stdcall nTKMD__loadKMD(const CHAR *a1,const CHAR *a2,unsigned int a3);
void *__stdcall nTKMD__deleteServiceStub(SC_HANDLE hSCManager,LPCSTR lpServiceName);
void *__stdcall nTKMD__startServiceStub(SC_HANDLE hSCManager,LPCSTR lpServiceName);
void *__stdcall nTKMD__stopService(SC_HANDLE hSCManager,LPCSTR lpServiceName);
__int64 __fastcall init__windows_createFontSendMsgToHwnd(__int64 a1,int a2,int a3,HWND hWnd);
__int64 __fastcall init__grabStuffFromInis(__int64 a1);
__int64 __fastcall dlg__saveOptionsDialogChoices(__int64 a1);
int __fastcall driver__formPathForDriverBasedOnOS(int a1);
void *__cdecl w9XVXD__tellDeviceDriverAboutKernel32();
int __stdcall my_reverse_getprocaddr(int someProcAddress,int baseAddrOfDll);
HMODULE __stdcall getProcAddressCallReverseGetProcAddress(LPCSTR lpModuleName,LPCSTR lpProcName);
__int64 __fastcall w9XVXD__changeVXDdeviceName(__int64 a1);
__int64 __fastcall w9XVXD__load9XVXD(__int64 a1);
int __cdecl init__initializeImports();
__int64 __fastcall init__initializeOSSpecificStuff(__int64 a1);
__int64 __fastcall init__unloadDriverCloseHandlesEtc(__int64 a1);
int __stdcall GENERAL__regToAscii(int a1,int a2);
int __fastcall GENERAL__writeByteInAsciiAfterString(int a1,int a2,int a3,unsigned int a4,int a5);
int __stdcall GENERAL__asciiToReg(int a1);
LPVOID __stdcall STUB__virtualAlloc(DWORD dwSize);
BOOL __stdcall STUB__virtualFree(LPVOID lpAddress);
char __stdcall GENERAL__strCmp(int a1,int a2);
unsigned int __stdcall GENERAL__homebrewedStrlen(const char *a1);
int __fastcall GENERAL__movsbStub(int a1,int a2,int a3,int a4,int a5);
char __stdcall GENERAL__GetAddressOfInstanceWithinMemoryRange(int spaceToSearch,int lenToSearch,int stringToSearchFor);
signed int __stdcall GENERAL__writeToNewlyCreatedFileFile(LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPCSTR lpFileName);
signed int __stdcall GENERAL__writeToFileAtPosition(LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LONG lDistanceToMove,LPCSTR lpFileName);
int __stdcall PE__verifyPeSigsInHeader(int a1);
signed int __stdcall PE__readFirst800hBytesOfFile(LPCSTR lpFileName,LPVOID lpBuffer);
__int64 __fastcall PE__readSectionHeaders(__int64 a1,int a2,int a3,const CHAR *a4,int a5);
void *__stdcall GENERAL__makeSureFileIsReadable(LPCSTR lpFileName);
void __stdcall PE__findAndOrAddSignature(int a1,int a2);
int __stdcall orphanedFunctionNOXREFS(int a1,int a2);
signed int __stdcall PE__FixupAndStampHeader(int a1);
int __stdcall PE__findWhichSectionAnEXEHeaderAddressIsIn(int baseAddr,int a2);
int __stdcall PE__getRawOffsetOfRVA(int a1,int a2);
int __stdcall PE__AddSection(int a1,int a2,int a3);
FARPROC __stdcall REBIT__verifyThatAPIcorrespondsToNameARG8(int exportInfoStruct,int a2,int a3);
int __stdcall REBIT__getExportNumberCorrespondingToAPIaddress(int a1,int a2);
int __stdcall REBIT__getExportNumberCorrespondingToAPIaddressWithDisplacement(int a1,int a2,int a3);
int __stdcall REBIT__fetchNameOfAPIByOrdinal(int a1,int a2,int a3);
signed int __stdcall REBIT__SeeIfAPINameIsFirstInAnOFTList(int a1,int a2,int a3);
int __stdcall REBIT__storeRVAinFirstThunkTable(int a1,int a2);
CHAR *__stdcall REBIT__getImageBaseOfArg0(int a4,LPVOID *lpModuleHandle);
void *__stdcall REBIT__fillStructWithExportInfos(LPCSTR lpModuleName,int exportStruct,void *optionalImageBaseOverride);
int __stdcall REBIT__FindFirstValidAPICALLStub(int exeHeader,int sizeOfAllSections);
int __fastcall REBIT__CopyDLLNameAndThunkInfoTo0x210Struct(int a1,int a2,int a3,int a4,unsigned int a5,int a6,int a7,int a8);
int __stdcall REBIT__DetermineWherefromAddressIsExported(int a1,int a2,int a3);
void *__stdcall REBIT__orphanedFunction(int a1,int a2,int a3,int a4);
int __fastcall REBIT__CheckBoundsOfAllThunks(int a1,int a2,int a3,int a4,const CHAR *a5);
int __stdcall REBIT__FindBeginningOfNextFTList(int a1,int a2,int a3);
// int __userpurge REBIT__Populate210hStructFromFirstThunkLists<eax>(int a1<edx>,int a2<ecx>,int a3<edi>,int a4,int a5,int a6,int a7);
__int64 __fastcall REBIT__CheckAddressForBounds(__int64 a1,int a2,int a3,const void **a4);
void *__fastcall REBIT__LocateFirstThunkListsAndFill210Struct(int a1,int a2,int a3,int a4,int a5,int a6,int a7);
LPVOID __stdcall REBIT__RecreateStructureOfIDTs(int IAT,int exeHeader);
int __stdcall REBIT__returnBaseAddressForDLLName(int a1,int a2);
// void *__userpurge REBIT__RebuildFirstThunkTableAddIATToHeader<eax>(int a1<ebx>,int a2<edi>,int a3,int a4,int a5);
int __stdcall REBIT__fillNameMemoryBanks(int a1,int a2,int a3,int a4);
char __stdcall ORPHAN__getFileNameFromPath(int a1,const char *a2);
signed int __stdcall REBIT__IsStringDLL_DRVorOCX(int a1);
_DWORD __stdcall REBIT__FindImportInformation(_DWORD); // weak
void *__stdcall REBIT__MarkImportsByOrdinal(int a1,int a2);
int __stdcall REBIT__FillStructWithDLLAndIDTInfo(int a1);
int __stdcall REBIT__MarkImportsByOrdinalInAllIDTs(int a1,int a2);
signed int __stdcall PE__investigateEntryPoint(int a1);
void *__stdcall STUB__investigateEntryPoint(const CHAR *a1);
void *__stdcall PE__readAllSectionsIntoAllocedMemory(LPCSTR lpFileName,LPVOID *lpModuleHandle);
void *__stdcall PE__changeRawAddressesToVirtualOnes(LPCSTR lpFileName,int *pointerToMemHand);
int __stdcall PE__createSectionAlignedOffsets(unsigned int a1,unsigned int a2);
void __stdcall GENERAL__zeroMem(int a1,int a2);
__int64 __fastcall PE__packSectionsCloselyTogether(__int64 a1,int a2,int a3,int a4,int a5,int a6);
// int __userpurge PE__cramAllSectionsIntoOne<eax>(int a1<ebx>,int a2);
int __stdcall PE__zeroSection(int a1,signed int a2);
void __stdcall PE__copySectionToPreviousSectionHeaderPosition(int a1,int a2);
int __fastcall REBIT__FixupRVAsInFirstThunkList(int a1,int a2,int a3,int a4,int a5,int a6);
int __stdcall REBIT__InsertIATIntoIdataSectionMarkupPeHeader(int a1);
// CHAR *__userpurge REBIT__RebuildNewIAT<eax>(int a1<ebx>,int a2<edi>,int a3,int a4,int a5);
void *__stdcall killProcessByID(DWORD dwProcessId);
int __stdcall oSSPECIFIC__getFirstProcessViaToolhelp(int a1);
int __stdcall oSSPECIFIC__process32NextStubViaToolHelp(int a1);
int __stdcall oSSPECIFIC__module32FirstStubViaToolHelp(int a1,int a2);
int __stdcall oSSPECIFIC__module32NextStubViaToolHelp(int a1);
int __stdcall oSSPECIFIC__getFirstProcessViaPSAPI(int a1,int a2,int a3,int a4);
void *__stdcall oSSPECIFIC__process32NextStubViaPSAPI(int a1);
signed int __stdcall oSSPECIFIC__module32NextStubViaPSAPI(int a1);
HMODULE __cdecl oSSPECIFIC__loadK32Imports();
HMODULE __cdecl oSSPECIFIC__loadPsapiImports();
int __stdcall oSSPECIFICSTUB__getFirstProcess(int a1);
int __stdcall oSSPECIFICSTUB__getNextProcess(int a1);
_DWORD oSSPECIFICSTUB__closeHandleForProcessSnapshotPSAPI(); // weak
int __stdcall oSSPECIFICSTUB__module32First(int a1,int a2);
int __stdcall oSSPECIFICSTUB__module32Next(int a1);
_DWORD oSSPECIFICSTUB__closeHandleForModuleSnapshotPSAPI(); // weak
__int64 __fastcall init__getOSloadOSSpecificImports(__int64 a1);
char *__stdcall module__getFilenameAndImagebaseOfModule(int a1,int a2);
int __stdcall module__getSizeOfImageFromFilename(int a1);
int __stdcall module__getImageBaseFromPID(int a1,int a2);
int __stdcall GENERAL__getPIDfromFileName(int a1);
int __stdcall GENERAL__getModuleFileNameFromPID(int a1,int a2);
__int64 __fastcall script__updateTracerMessageInGUI(int a1,int a2,LPARAM a3);
signed int __stdcall script__findPositionOfLetterInAlphaNumericOptionString(int a1,int a2);
void __stdcall script__upperCaseLetter(int a1);
int __stdcall script__convertAsciiDataBytesFromScriptIntoData(int a1,int a2,int a3,int a4,int a5);
char __stdcall script__appendHELPparamToCurrentDirectory(int a1);
signed int __fastcall script__writeDebugRegistersToScriptINI(int a1,int a2,int a3);
int __fastcall script__copyUnknownAsciiGlobvarAtPositionOfSpaceInARG0(int a1,int a2,int a3,int a4);
_DWORD __stdcall script__interpretCommand(_DWORD,_DWORD); // weak
int __fastcall script__ReadAndInterpretLineFromScript(int a1,int a2,int a3,int a4);
BOOL __stdcall tracer__clearBreakPointDecrementEIP(LPVOID lpBuffer,CONTEXT *lpContext,int a3,LPVOID lpBaseAddress);
BOOL __stdcall tracer__SetBreakPoint(LPVOID lpBuffer,HANDLE hProcess,const void *lpBaseAddress);
void *__stdcall tracer__findWhichSectionAnRVAIsIn_mallocStub(int a1,HANDLE *a2);
signed int __stdcall tracer__checkProcessEIP(CONTEXT *lpContext,int a2);
BOOL __stdcall tracer__toggleTrapFlagWithinThread(CONTEXT *lpContext,int a2);
int __stdcall tracer__messageBoxAStub(LPCSTR lpText,LPCSTR lpCaption);
__int64 __fastcall tracer__prepOutputFileAndGlobvarsBeforeTracing(__int64 a1);
void *__fastcall tracer__predumpFile(int a1,int a2,LPARAM a3,LPCSTR lpFile);
void *__stdcall tracer__IMPORTreadIATapplyFixupsToFileHeader(int bufferContainingFileHeaders,LPCSTR lpFileName,int lpHandle);
int __cdecl tracer__getObfuscator();
_DWORD __stdcall tracer__realTracerFunc(LPSTR lpCommandLine,_DWORD); // weak
// void *__userpurge dump__realDumpTask<eax>(int a1<eax>,int a2<edx>,int a3<ecx>,int ebx0<ebx>,int edi0<edi>,int a4,int a5,DWORD a6,signed int a7,char *a8);
// HINSTANCE __stdcall ShellExecuteA(HWND hwnd,LPCSTR lpOperation,LPCSTR lpFile,LPCSTR lpParameters,LPCSTR lpDirectory,INT nShowCmd); idb
// UINT __stdcall IsDlgButtonChecked(HWND hDlg,int nIDButton); idb
// BOOL __stdcall CheckRadioButton(HWND hDlg,int nIDFirstButton,int nIDLastButton,int nIDCheckButton); idb
// BOOL __stdcall CheckDlgButton(HWND hDlg,int nIDButton,UINT uCheck); idb
// BOOL __stdcall DestroyMenu(HMENU hMenu); idb
// BOOL __stdcall InvalidateRect(HWND hWnd,const RECT *lpRect,BOOL bErase); idb
// BOOL __stdcall EnableWindow(HWND hWnd,BOOL bEnable); idb
// HWND __stdcall FindWindowA(LPCSTR lpClassName,LPCSTR lpWindowName); idb
// BOOL __stdcall ShowWindow(HWND hWnd,int nCmdShow); idb
// HICON __stdcall LoadIconA(HINSTANCE hInstance,LPCSTR lpIconName); idb
// HCURSOR __stdcall LoadCursorA(HINSTANCE hInstance,LPCSTR lpCursorName); idb
// ATOM __stdcall RegisterClassExA(const WNDCLASSEXA *); idb
// BOOL __stdcall GetMessageA(LPMSG lpMsg,HWND hWnd,UINT wMsgFilterMin,UINT wMsgFilterMax); idb
// int __stdcall IsDialogMessage(_DWORD,_DWORD); weak
// BOOL __stdcall TranslateMessage(const MSG *lpMsg); idb
// LONG __stdcall DispatchMessageA(const MSG *lpMsg); idb
// LRESULT __stdcall SendMessageA(HWND hWnd,UINT Msg,WPARAM wParam,LPARAM lParam); idb
// HWND __stdcall GetDlgItem(HWND hDlg,int nIDDlgItem); idb
// BOOL __stdcall SetDlgItemTextA(HWND hDlg,int nIDDlgItem,LPCSTR lpString); idb
// UINT __stdcall GetDlgItemTextA(HWND hDlg,int nIDDlgItem,LPSTR lpString,int nMaxCount); idb
// BOOL __stdcall SetWindowTextA(HWND hWnd,LPCSTR lpString); idb
// LONG __stdcall SendDlgItemMessageA(HWND hDlg,int nIDDlgItem,UINT Msg,WPARAM wParam,LPARAM lParam); idb
// LPSTR __stdcall CharUpperA(LPSTR lpsz); idb
// LPSTR __stdcall CharLowerA(LPSTR lpsz); idb
// HWND __stdcall SetFocus(HWND hWnd); idb
// BOOL __stdcall EndDialog(HWND hDlg,int nResult); idb
// int __stdcall DialogBoxParamA(HINSTANCE hInstance,LPCSTR lpTemplateName,HWND hWndParent,DLGPROC lpDialogFunc,LPARAM dwInitParam); idb
// LRESULT __stdcall DefWindowProcA(HWND hWnd,UINT Msg,WPARAM wParam,LPARAM lParam); idb
// void __stdcall PostQuitMessage(int nExitCode); idb
// BOOL __stdcall MessageBeep(UINT uType); idb
// int __stdcall MessageBoxA(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType); idb
// HMENU __stdcall LoadMenuA(HINSTANCE hInstance,LPCSTR lpMenuName); idb
// HMENU __stdcall GetSubMenu(HMENU hMenu,int nPos); idb
// BOOL __stdcall TrackPopupMenu(HMENU hMenu,UINT uFlags,int x,int y,int nReserved,HWND hWnd,const RECT *prcRect); idb
// BOOL __stdcall UpdateWindow(HWND hWnd); idb
// HWND __stdcall CreateWindowExA(DWORD dwExStyle,LPCSTR lpClassName,LPCSTR lpWindowName,DWORD dwStyle,int X,int Y,int nWidth,int nHeight,HWND hWndParent,HMENU hMenu,HINSTANCE hInstance,LPVOID lpParam); idb
// HANDLE __stdcall CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes,DWORD dwStackSize,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,DWORD dwCreationFlags,LPDWORD lpThreadId); idb
// DWORD __stdcall ResumeThread(HANDLE hThread); idb
// DWORD __stdcall SuspendThread(HANDLE hThread); idb
// BOOL __stdcall SetThreadPriority(HANDLE hThread,int nPriority); idb
// HANDLE __stdcall OpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId); idb
// BOOL __stdcall ReadProcessMemory(HANDLE hProcess,LPCVOID lpBaseAddress,LPVOID lpBuffer,DWORD nSize,LPDWORD lpNumberOfBytesRead); idb
// DWORD GetCurrentProcessId(void); idb
// HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName); idb
// BOOL __stdcall FreeLibrary(HMODULE hLibModule); idb
// BOOL __stdcall ReadFile(HANDLE hFile,LPVOID lpBuffer,DWORD nNumberOfBytesToRead,LPDWORD lpNumberOfBytesRead,LPOVERLAPPED lpOverlapped); idb
// HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName); idb
// void __stdcall ExitProcess(UINT uExitCode); idb
// DWORD __stdcall GetPrivateProfileStringA(LPCSTR lpAppName,LPCSTR lpKeyName,LPCSTR lpDefault,LPSTR lpReturnedString,DWORD nSize,LPCSTR lpFileName); idb
// BOOL __stdcall WritePrivateProfileStringA(LPCSTR lpAppName,LPCSTR lpKeyName,LPCSTR lpString,LPCSTR lpFileName); idb
// DWORD __stdcall GetCurrentDirectoryA(DWORD nBufferLength,LPSTR lpBuffer); idb
// HANDLE __stdcall CreateFileA(LPCSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile); idb
// BOOL __stdcall CloseHandle(HANDLE hObject); idb
// BOOL __stdcall GetVersionExA(LPOSVERSIONINFOA lpVersionInformation); idb
// DWORD GetTickCount(void); idb
// FARPROC __stdcall GetProcAddress(HMODULE hModule,LPCSTR lpProcName); idb
// DWORD __stdcall GetTempPathA(DWORD nBufferLength,LPSTR lpBuffer); idb
// UINT __stdcall GetTempFileNameA(LPCSTR lpPathName,LPCSTR lpPrefixString,UINT uUnique,LPSTR lpTempFileName); idb
// BOOL __stdcall DeviceIoControl(HANDLE hDevice,DWORD dwIoControlCode,LPVOID lpInBuffer,DWORD nInBufferSize,LPVOID lpOutBuffer,DWORD nOutBufferSize,LPDWORD lpBytesReturned,LPOVERLAPPED lpOverlapped); idb
// BOOL __stdcall DeleteFileA(LPCSTR lpFileName); idb
// DWORD GetLastError(void); idb
// LPVOID __stdcall VirtualAlloc(LPVOID lpAddress,DWORD dwSize,DWORD flAllocationType,DWORD flProtect); idb
// BOOL __stdcall VirtualFree(LPVOID lpAddress,DWORD dwSize,DWORD dwFreeType); idb
// BOOL __stdcall WriteFile(HANDLE hFile,LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,LPOVERLAPPED lpOverlapped); idb
// DWORD __stdcall SetFilePointer(HANDLE hFile,LONG lDistanceToMove,PLONG lpDistanceToMoveHigh,DWORD dwMoveMethod); idb
// DWORD __stdcall GetFileSize(HANDLE hFile,LPDWORD lpFileSizeHigh); idb
// UINT __stdcall GetSystemDirectoryA(LPSTR lpBuffer,UINT uSize); idb
// BOOL __stdcall IsBadReadPtr(const void *lp,UINT ucb); idb
// DWORD __stdcall WaitForSingleObject(HANDLE hHandle,DWORD dwMilliseconds); idb
// BOOL __stdcall TerminateProcess(HANDLE hProcess,UINT uExitCode); idb
// BOOL __stdcall WriteProcessMemory(HANDLE hProcess,LPVOID lpBaseAddress,LPVOID lpBuffer,DWORD nSize,LPDWORD lpNumberOfBytesWritten); idb
// BOOL __stdcall GetThreadContext(HANDLE hThread,LPCONTEXT lpContext); idb
// BOOL __stdcall SetThreadContext(HANDLE hThread,const CONTEXT *lpContext); idb
// void __stdcall Sleep(DWORD dwMilliseconds); idb
// BOOL __stdcall VirtualProtect(LPVOID lpAddress,DWORD dwSize,DWORD flNewProtect,PDWORD lpflOldProtect); idb
// HFONT __stdcall CreateFontIndirectA(const LOGFONTA *); idb
// BOOL __stdcall GetOpenFileNameA(LPOPENFILENAMEA); idb
// BOOL __stdcall GetSaveFileNameA(LPOPENFILENAMEA); idb
// int InitCommonControls(void); weak
// SC_HANDLE __stdcall CreateServiceA(SC_HANDLE hSCManager,LPCSTR lpServiceName,LPCSTR lpDisplayName,DWORD dwDesiredAccess,DWORD dwServiceType,DWORD dwStartType,DWORD dwErrorControl,LPCSTR lpBinaryPathName,LPCSTR lpLoadOrderGroup,LPDWORD lpdwTagId,LPCSTR lpDependencies,LPCSTR lpServiceStartName,LPCSTR lpPassword); idb
// SC_HANDLE __stdcall OpenServiceA(SC_HANDLE hSCManager,LPCSTR lpServiceName,DWORD dwDesiredAccess); idb
// BOOL __stdcall CloseServiceHandle(SC_HANDLE hSCObject); idb
// SC_HANDLE __stdcall OpenSCManagerA(LPCSTR lpMachineName,LPCSTR lpDatabaseName,DWORD dwDesiredAccess); idb
// BOOL __stdcall ControlService(SC_HANDLE hService,DWORD dwControl,LPSERVICE_STATUS lpServiceStatus); idb
// BOOL __stdcall StartServiceA(SC_HANDLE hService,DWORD dwNumServiceArgs,LPCSTR *lpServiceArgVectors); idb
// BOOL __stdcall DeleteService(SC_HANDLE hService); idb
// BOOL __stdcall CloseServiceHandle(SC_HANDLE hSCObject); idb
//----- (00401000) --------------------------------------------------------
#error "40108B: positive sp value has been found"
//----- (0040108E) --------------------------------------------------------
#error "4010B0: positive sp value has been found"
//----- (004010B3) --------------------------------------------------------
#error "40111C: positive sp value has been found"
//----- (0040111F) --------------------------------------------------------
#error "401146: positive sp value has been found"
//----- (00401149) --------------------------------------------------------
#error "401193: positive sp value has been found"
//----- (00401196) --------------------------------------------------------
void __cdecl GUI__deleteAllItemsInProcessListView()
{
SendMessageA(GUI__hwndOfProcessListView, 0x1009u, 0, 0);
GUI__currentiItemInProcessListView = 0;
}
//----- (004011C3) --------------------------------------------------------
#error "401210: positive sp value has been found"
//----- (00401213) --------------------------------------------------------
#error "401272: positive sp value has been found"
//----- (00401275) --------------------------------------------------------
#error "4012D4: positive sp value has been found"
//----- (004012D7) --------------------------------------------------------
#error "401321: positive sp value has been found"
//----- (00401324) --------------------------------------------------------
void __cdecl GUI__deleteAllItemsInModuleListView()
{
SendMessageA(GUI__hwndOfModuleListView, 0x1009u, 0, 0);
GUI__currentiItemInModuleListView = 0;
}
//----- (00401351) --------------------------------------------------------
#error "40139E: positive sp value has been found"
//----- (004013A1) --------------------------------------------------------
#error "401400: positive sp value has been found"
//----- (00401403) --------------------------------------------------------
#error "401462: positive sp value has been found"
//----- (00401465) --------------------------------------------------------
#error "401487: positive sp value has been found"
//----- (0040148A) --------------------------------------------------------
void __cdecl GUI__deleteAllItemsInSectionEditorListView()
{
SendMessageA(GUI__hwndOfSectionEditorListView, 0x1009u, 0, 0);
GUI__currentiItemInSectionEditorListView = 0;
}
//----- (004014B7) --------------------------------------------------------
#error "401504: positive sp value has been found"
//----- (00401507) --------------------------------------------------------
#error "401552: positive sp value has been found"
//----- (00401555) --------------------------------------------------------
#error "4015AA: positive sp value has been found"
//----- (004015AD) --------------------------------------------------------
signed int __stdcall GUI__findWhichItemWasSeletedInListView(HWND hWnd)
{
LRESULT v1; // ebx@1
WPARAM v2; // edi@1
v1 = SendMessageA(hWnd, 0x1004u, 0, 0);
v2 = 0;
while ( !SendMessageA(hWnd, 0x102Cu, v2, 2) )
{
++v2;
if ( v1 == v2 )
return -1;
}
return v2;
}
//----- (004015F3) --------------------------------------------------------
#error "401615: positive sp value has been found"
//----- (00401618) --------------------------------------------------------
#error "401679: positive sp value has been found"
//----- (0040167C) --------------------------------------------------------
__int64 __fastcall GUI__setNumberOfTracedLinesInUnpackerStatusBox(__int64 a1,int a2,int a3,LPCSTR lpString)
{
__int64 v3; // ST0C_8@1
v3 = a1;
SetDlgItemTextA(tempHwnd, 2004, lpString);
return v3;
}
//----- (00401698) --------------------------------------------------------
__int64 __fastcall GUI__setScriptEIPInUnpackerStatusBox(__int64 a1,int a2,int a3,LPCSTR lpString)
{
__int64 v3; // ST0C_8@1
v3 = a1;
SetDlgItemTextA(tempHwnd, 2002, lpString);
UpdateWindow(tempHwnd);
return v3;
}
//----- (004016BF) --------------------------------------------------------
__int64 __fastcall GUI__setWindowInsetTextStub(__int64 a1,int a2,int a3,LPARAM a4,int a5)
{
__int64 v4; // ST08_8@1
v4 = a1;
GUI__setTextOfglobvarGDIS(a4, a5);
return v4;
}
//----- (004016D3) --------------------------------------------------------
BOOL __stdcall GUI__cannedSaveFile(int defaultFileToSave)
{
BOOL result; // eax@1
LPCSTR v2; // ecx@1
CHAR *v3; // ebx@1
const CHAR *v4; // ST08_4@1
openfilestruct.hwndOwner = tempHwnd;
weHaveSavedOrOpened = 1;
v2 = openfilestruct.lpstrTitle;
openfilestruct.lpstrTitle = "Select Filename for saving...";
v3 = openfilestruct.lpstrFile;
openfilestruct.lpstrFile = (LPSTR)defaultFileToSave;
v4 = v2;
result = GetSaveFileNameA(&openfilestruct);
openfilestruct.lpstrFile = v3;
openfilestruct.lpstrTitle = v4;
openfilestruct.hwndOwner = 0;
return result;
}
//----- (00401739) --------------------------------------------------------
BOOL __stdcall GUI__cannedOpenFile(CHAR *defaultFileToOpen,const CHAR *titleOfOpenDialog)
{
BOOL result; // eax@1
LPCSTR v3; // ecx@1
CHAR *v4; // ebx@1
const CHAR *v5; // ST08_4@1
openfilestruct.hwndOwner = tempHwnd;
weHaveSavedOrOpened = 1;
v3 = openfilestruct.lpstrTitle;
openfilestruct.lpstrTitle = titleOfOpenDialog;
v4 = openfilestruct.lpstrFile;
openfilestruct.lpstrFile = defaultFileToOpen;
v5 = v3;
result = GetOpenFileNameA(&openfilestruct);
openfilestruct.lpstrTitle = v5;
openfilestruct.lpstrFile = v4;
openfilestruct.hwndOwner = 0;
return result;
}
//----- (0040179D) --------------------------------------------------------
__int64 __fastcall GUI__writeProcessInfosToMainListView(__int64 a1,int a2,int a3,LPSTR lpsz,int a5,int a6,int a7,int a8)
{
__int64 v7; // ST0C_8@1
v7 = a1;
CharLowerA(lpsz);
GUI__insertItemInProcessListView(lpsz);
GENERAL__regToAscii(a5, (int)&sz);
GUI__setItemInProcessListView(currentSectionBeingProcessed, 1, &sz);
GENERAL__regToAscii(a6, (int)&sz);
GUI__setItemInProcessListView(currentSectionBeingProcessed, 2, &sz);
GENERAL__regToAscii(a7, (int)&sz);
GUI__setItemInProcessListView(currentSectionBeingProcessed, 3, &sz);
GENERAL__regToAscii(a8, (int)&sz);
GUI__setItemInProcessListView(currentSectionBeingProcessed++, 4, &sz);
return v7;
}
//----- (00401838) --------------------------------------------------------
__int64 __fastcall GUI__addModuleToListView(__int64 a1,int a2,int a3,LPSTR lpsz,int a5,int a6,int a7)
{
__int64 v6; // ST0C_8@1
v6 = a1;
CharLowerA(lpsz);
GUI__insertItemInModuleListView(lpsz);
GENERAL__regToAscii(a5, (int)&sz);
GUI__setItemInModuleListView(dword_40CE3F, 1, &sz);
GENERAL__regToAscii(a6, (int)&sz);
GUI__setItemInModuleListView(dword_40CE3F, 2, &sz);
GENERAL__regToAscii(a7, (int)&sz);
GUI__setItemInModuleListView(dword_40CE3F++, 3, &sz);
return v6;
}
//----- (004018B4) --------------------------------------------------------
__int64 __fastcall GUI__setAboutBoxInset(__int64 a1,int a2,int a3,HWND hDlg)
{
__int64 v3; // ST0C_8@1
v3 = a1;
GUI__getDlgItemStub(hDlg, 3004);
GUI__setTextOfglobvarGDIS(
(LPARAM)"Internal code informations\r\n\r\nPE rebuilder\t: Phoenix engine v1.58\r\nTask/dump handler\t: CodeShot engine v1.25\r\nUnpacker handler\t: Shiva engine v1.45\r\nDumper Server\t: Bhrama server version 0.3",
0);
SetDlgItemTextA(hDlg, 3000, "Version 1.6.2 FINAL NT2K, compiled on 01/17/00");
return v3;
}
//----- (004018E8) --------------------------------------------------------
__int64 __fastcall GUI__initializeBrahmaServerWindow(__int64 a1,int a2,int a3,HWND hDlg)
{
__int64 v3; // ST0C_8@1
v3 = a1;
CheckDlgButton(hDlg, 9001, 1u);
GUI__getDlgItemStub(hDlg, 9000);
GUI__setTextOfglobvarGDIS((LPARAM)"Bhrama server 0.3 started\r\n\r\nWaiting Client command ...\r\n\r\n", 0);
return v3;
}
//----- (00401919) --------------------------------------------------------
#error "401A89: positive sp value has been found"
//----- (00401A8C) --------------------------------------------------------
__int64 __fastcall GENERAL__confirmAndKillProcess(__int64 a1,int a2,int a3,HWND hWnd)
{
__int64 v2; // ST10_8@1
signed int v4; // eax@1
int v5; // [sp+0h] [bp-4h]@1
v2 = a1;
v4 = GUI__findWhichItemWasSeletedInListView(hWnd);
firstLvItem__iSubItem = 1;
firstLvItem__cchTextMax = 256;
firstLvItem__lpszText = (int)&sz;
SendMessageA(hWnd, 0x102Du, v4, (LPARAM)&firstLvItem__mask);
v5 = GENERAL__asciiToReg((int)&sz);
firstLvItem__iSubItem = 0;
firstLvItem__lpszText = (int)&Text[30];
SendMessageA(hWnd, 0x1005u, 0, (LPARAM)&firstLvItem__mask);
if ( MessageBoxA(hWnd, "Are you sure you want to kill ", "ProcDump Task Handler", 0x34u) == 6 )
killProcessByID(v5);
return v2;
}
//----- (00401B30) --------------------------------------------------------
void *__userpurge STUB__dumpTask_full<eax>(int a1<edx>,int a2<ecx>,int a3<ebx>,int a4<edi>,HWND a5,int a6,int a7,DWORD a8)
{
tempHwnd = a5;
weHaveSavedOrOpened = 1;
return dump__realDumpTask(
setToZeroByWindowsComponentOfFullDumpingCode,
a1,
a2,
a3,
a4,
a6,
a7,
a8,
setToZeroByWindowsComponentOfFullDumpingCode,
0);
}
//----- (00401B64) --------------------------------------------------------
void *__userpurge dump__dumpTask_partial<eax>(DWORD a1<eax>,int a2<ecx>,int a3<ebx>,HWND a4,const void *a5,unsigned __int32 a6)
{
void *result; // eax@1
int v7; // ST0C_4@1
signed int v8; // eax@2
int v9; // eax@4
int v10; // edx@4
int v11; // ecx@4
char v12; // zf@2
__int64 v13; // ST00_8@9
void *v14; // ST08_4@11
v7 = a2;
result = STUB__virtualAlloc(a1);
if ( result )
{
lpBuffer = result;
memcpy(result, a5, a6);
tempHwnd = a4;
weHaveSavedOrOpened = 1;
v12 = GUI__cannedSaveFile((int)fileNameFromCannedDialog) == 0;
v8 = 2;
if ( !v12 )
{
if ( setToZeroByWindowsComponentOfFullDumpingCode == 1 )
{
v9 = PE__FixupAndStampHeader((int)lpBuffer);
if ( v9 )
{
if ( opt_iatRebuildType )
v9 = REBIT__MarkImportsByOrdinalInAllIDTs((int)lpBuffer, v7);
}
if ( opt_onesection )
v9 = PE__cramAllSectionsIntoOne(a3, (int)lpBuffer);
*((_DWORD *)&v13 + 1) = CODESHOT__lengthOfUnpackedByBanner;
*(_DWORD *)&v13 = lpBuffer;
PE__packSectionsCloselyTogether(
v13,
v9,
v10,
v11,
(int)"\r\nÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ\r\n [þ] Unpacked with ProcDump32 (C) G-RoM, Lorian & Stone - 1998, 1999 [þ] \r\nÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ",
v7);
}
v8 = GENERAL__writeToNewlyCreatedFileFile(lpBuffer, a6, fileNameFromCannedDialog);
}
v14 = (void *)v8;
STUB__virtualFree(lpBuffer);
lpBuffer = 0;
result = v14;
}
return result;
}
//----- (00401C32) --------------------------------------------------------
void *__userpurge STUB__fullDumpModule<eax>(int a1<ebx>,HWND a2)
{
int v2; // eax@1
char *v3; // edi@1
CHAR *v4; // esi@1
void *result; // eax@3
int v6; // ecx@6
void *v7; // ST0C_4@9
signed int v8; // [sp+Ch] [bp-4h]@1
HMODULE hLibModule; // [sp+8h] [bp-8h]@6
v8 = 0;
setToZeroByWindowsComponentOfFullDumpingCode = 1;
firstLvItem__iItem = GUI__findWhichItemWasSeletedInListView(GUI__hwndOfModuleListView);
firstLvItem__iSubItem = 0;
firstLvItem__lpszText = (int)&sz;
SendMessageA(GUI__hwndOfModuleListView, 0x1005u, 0, (LPARAM)&firstLvItem__mask);
CharUpperA(&sz);
v4 = &sz;
v3 = DUMP__pathAndNameOfFileThatWeAreDumping;
v2 = 0;
do
{
LOBYTE(v2) = *v4++;
*v3++ = v2;
}
while ( v2 );
result = GetModuleHandleA(&sz);
if ( !result )
{
result = LoadLibraryA(&sz);
if ( !result )
return result;
v8 = 1;
}
hLibModule = result;
result = (void *)module__getSizeOfImageFromFilename((int)&sz);
if ( result )
result = dump__dumpTask_partial((DWORD)result, v6, a1, a2, hLibModule, (unsigned __int32)result);
if ( v8 == 1 )
{
v7 = result;
FreeLibrary(hLibModule);
result = v7;
}
return result;
}
//----- (00401CFE) --------------------------------------------------------
int __userpurge brahma__clientDumpTask<eax>(int a1<ebx>,int a2<edi>,HWND hDlg,int a4,int a5,const void *a6)
{
int v6; // eax@1
int result; // eax@4
int v8; // edx@7
int v9; // ecx@7
signed int v10; // ecx@10
char *v11; // edi@10
int v12; // [sp+8h] [bp-4h]@5
SetFocus(hDlg);
v6 = IsDlgButtonChecked(hDlg, 9001);
if ( v6 )
{
if ( a5 )
v6 = a5;
}
setToZeroByWindowsComponentOfFullDumpingCode = v6;
DUMP__PIDofTheFileThatWeAreDumping = a4;
result = module__getImageBaseFromPID(a4, (int)&dword_40CE3B);
if ( result )
{
v12 = result;
if ( result <= a5 )
setToZeroByWindowsComponentOfFullDumpingCode -= result;
dlg__backupReadOptions();
if ( !IsDlgButtonChecked(hDlg, 2017) )
{
memcpy(&optionsAssociatedWithScriptDOTINI, a6, 0x14u);
a2 = (int)(&optionsAssociatedWithScriptDOTINI + 5);
v9 = 0;
}
STUB__dumpTask_full(v8, v9, a1, a2, hDlg, a4, v12, dword_40CE3B);
dlg__restoreReadOptions();
}
v11 = &REBIT__nameOfIdataSection[8];
v10 = 32;
while ( v10 )
{
*v11++ = 0;
--v10;
}
DUMP__PIDofTheFileThatWeAreDumping = 0;
return result;
}
//----- (00401DB8) --------------------------------------------------------
__int64 __userpurge STUB__fullDumpProcess<edx:eax>(int a1<ecx>,int a2<ebx>,int a3<edi>,HWND a4)
{
void *v4; // eax@1
int v5; // edx@1
int v6; // ecx@1
__int64 v7; // ST0C_8@1
signed int v8; // ecx@6
char *v9; // edi@6
signed int v11; // eax@1
int v12; // eax@1
char v13; // [sp+Bh] [bp-9h]@1
int v14; // [sp+10h] [bp-4h]@1
int v15; // [sp+Ch] [bp-8h]@2
*((_DWORD *)&v7 + 1) = a1;
setToZeroByWindowsComponentOfFullDumpingCode = 1;
v13 = 0;
firstLvItem__iItem = GUI__findWhichItemWasSeletedInListView(hWnd);
firstLvItem__iSubItem = 0;
firstLvItem__lpszText = (int)DUMP__pathAndNameOfFileThatWeAreDumping;
SendMessageA(hWnd, 0x1005u, 0, (LPARAM)&firstLvItem__mask);
v11 = GUI__findWhichItemWasSeletedInListView(hWnd);
firstLvItem__iSubItem = 1;
firstLvItem__cchTextMax = 256;
firstLvItem__lpszText = (int)&sz;
SendMessageA(hWnd, 0x102Du, v11, (LPARAM)&firstLvItem__mask);
v12 = GENERAL__asciiToReg((int)&sz);
v14 = v12;
DUMP__PIDofTheFileThatWeAreDumping = v12;
v4 = (void *)module__getImageBaseFromPID(v12, (int)&dword_40CE3B);
if ( v4 )
{
v15 = (int)v4;
while ( 1 )
{
v4 = STUB__dumpTask_full(v5, v6, a2, a3, a4, v14, v15, dword_40CE3B);
if ( v4 )
break;
if ( v13 == 1 )
break;
dword_40CE3B = (int)GENERAL__makeSureFileIsReadable(DUMP__pathAndNameOfFileThatWeAreDumping);
++v13;
}
}
*(_DWORD *)&v7 = v4;
v9 = &REBIT__nameOfIdataSection[8];
v8 = 32;
while ( v8 )
{
*v9++ = 0;
--v8;
}
DUMP__PIDofTheFileThatWeAreDumping = 0;
return v7;
}
//----- (00401EC2) --------------------------------------------------------
__int64 __fastcall dlg__fillPartialDumpDialogFromProcess(__int64 a1,int a2,int a3,int a4)
{
__int64 v3; // ST10_8@1
signed int v4; // eax@1
int v5; // eax@1
int v6; // eax@1
__int64 v7; // ST04_8@1
int v8; // edx@1
HWND v9; // ecx@1
int v10; // [sp+0h] [bp-4h]@1
v3 = a1;
v4 = GUI__findWhichItemWasSeletedInListView(hWnd);
firstLvItem__iSubItem = 1;
firstLvItem__cchTextMax = 256;
firstLvItem__lpszText = (int)&sz;
SendMessageA(hWnd, 0x102Du, v4, (LPARAM)&firstLvItem__mask);
byte_40C8DE[0] = 0;
v5 = GENERAL__asciiToReg((int)&sz);
v6 = module__getImageBaseFromPID(v5, (int)&dword_40CE3B);
v10 = v6;
*((_DWORD *)&v7 + 1) = v6;
*(_DWORD *)&v7 = a4;
dlg__fillEditBoxesInPartialDumpTaskDialog(v7, v6, v8, v9, dword_40CE3B, v3);
return v3;
}
//----- (00401F3D) --------------------------------------------------------
__int64 __fastcall dlg__fillPartialDumpDialogFromModule(__int64 a1,int a2,int a3,int a4)
{
void *v2; // eax@1
__int64 v3; // ST10_8@1
int v4; // edx@2
HWND v5; // ecx@2
__int64 v7; // ST04_8@5
__int64 v8; // ST10_8@5
void *v9; // [sp+0h] [bp-4h]@4
v3 = a1;
haveWeLoadedALibrary = 0;
firstLvItem__iItem = GUI__findWhichItemWasSeletedInListView(GUI__hwndOfModuleListView);
firstLvItem__iSubItem = 0;
firstLvItem__lpszText = (int)&sz;
SendMessageA(hWnd, 0x1005u, 0, (LPARAM)&firstLvItem__mask);
CharUpperA(&sz);
v2 = GetModuleHandleA(&sz);
if ( v2 )
goto LABEL_4;
v2 = LoadLibraryA(&sz);
if ( v2 )
{
haveWeLoadedALibrary = 1;
LABEL_4:
v9 = v2;
v2 = (void *)module__getSizeOfImageFromFilename((int)&sz);
}
*((_DWORD *)&v7 + 1) = v9;
*(_DWORD *)&v7 = a4;
dlg__fillEditBoxesInPartialDumpTaskDialog(v7, (int)v2, v4, v5, (int)v2, v3);
return v8;
}
//----- (00401FD1) --------------------------------------------------------
__int64 __fastcall dlg__fillEditBoxesInPartialDumpTaskDialog(__int64 a1,int a2,int a3,HWND hDlg,int a5,int a6)
{
__int64 v5; // ST0C_8@1
v5 = a1;
byte_40C8DE[0] = 0;
GENERAL__regToAscii(a5, (int)&sz);
SetDlgItemTextA(hDlg, 2007, &sz);
GENERAL__regToAscii(a5, (int)"00000000h-00000000h]");
GENERAL__regToAscii(a6 + a5, (int)&a00000000h00000[10]);
SetDlgItemTextA(hDlg, 2005, "00000000h-00000000h]");
GENERAL__regToAscii(0, (int)"00000000h-00000000h]");
GENERAL__regToAscii(a6, (int)&a00000000h00000[10]);
SetDlgItemTextA(hDlg, 2006, "00000000h-00000000h]");
GENERAL__regToAscii(a6, (int)&sz);
SetDlgItemTextA(hDlg, 2008, &sz);
return v5;
}
//----- (00402082) --------------------------------------------------------
__int64 __userpurge dlg__fullDumpTaskGUIStub<edx:eax>(__int64 a1<edx:eax>,int a2<ebx>,int a3<edi>,HWND hWnd)
{
__int64 v4; // ST10_8@1
signed int v6; // eax@1
int v7; // eax@1
int v8; // edx@1
int v9; // ecx@1
int v10; // [sp+0h] [bp-8h]@1
v4 = a1;
setToZeroByWindowsComponentOfFullDumpingCode = 0;
GetDlgItemTextA(hWnd, 2007, &sz, 256);
v10 = GENERAL__asciiToReg((int)&sz);
GetDlgItemTextA(hWnd, 2008, &sz, 256);
dword_40CE3B = GENERAL__asciiToReg((int)&sz);
v6 = GUI__findWhichItemWasSeletedInListView(hWnd);
firstLvItem__iSubItem = 1;
firstLvItem__cchTextMax = 256;
firstLvItem__lpszText = (int)&sz;
SendMessageA(hWnd, 0x102Du, v6, (LPARAM)&firstLvItem__mask);
v7 = GENERAL__asciiToReg((int)&sz);
if ( STUB__dumpTask_full(v8, v9, a2, a3, hWnd, v7, v10, dword_40CE3B) )
{
MessageBoxA(hWnd, "Task successfully dumped to disk", "ProcDump Task Handler", 0x30u);
}
else
{
MessageBeep(0xFFFFFFFFu);
MessageBoxA(hWnd, "This process can't be dumped !!", "ProcDump Task Handler", 0x30u);
}
return v4;
}
//----- (00402172) --------------------------------------------------------
__int64 __userpurge dlg__partialDumpTaskGUIStub<edx:eax>(__int64 a1<edx:eax>,int a2<ebx>,HWND hWnd)
{
__int64 v3; // ST10_8@1
int v5; // eax@1
int v6; // ecx@1
int v7; // [sp+0h] [bp-4h]@1
v3 = a1;
byte_40C8DE[0] = 0;
GetDlgItemTextA(hWnd, 2007, &sz, 256);
v7 = GENERAL__asciiToReg((int)&sz);
GetDlgItemTextA(hWnd, 2008, &sz, 256);
v5 = GENERAL__asciiToReg((int)&sz);
if ( dump__dumpTask_partial(v5, v6, a2, hWnd, (const void *)v7, v5) )
{
MessageBoxA(hWnd, "Task successfully dumped to disk", "ProcDump Task Handler", 0x30u);
}
else
{
MessageBeep(0xFFFFFFFFu);
MessageBoxA(hWnd, "This process can't be dumped !!", "ProcDump Task Handler", 0x30u);
}
return v3;
}
//----- (0040220B) --------------------------------------------------------
__int64 __usercall GENERAL__rebuildPeFunction<edx:eax>(__int64 a1<edx:eax>,int a2<ebx>)
{
__int64 v2; // qax@1
int v3; // ecx@1
__int64 v4; // ST10_8@1
__int64 v6; // ST04_8@7
v4 = a1;
*(_DWORD *)&v2 = PE__changeRawAddressesToVirtualOnes(fileNameFromCannedDialog, (int *)&lpBuffer);
if ( !(_DWORD)v2 )
goto LABEL_12;
if ( opt_iatRebuildType )
*(_DWORD *)&v2 = REBIT__MarkImportsByOrdinalInAllIDTs((int)lpBuffer, v4);
if ( opt_onesection )
*(_DWORD *)&v2 = PE__cramAllSectionsIntoOne(a2, (int)lpBuffer);
*((_DWORD *)&v6 + 1) = CODESHOT__lengthOfUnpackedByBanner;
*(_DWORD *)&v6 = lpBuffer;
PE__packSectionsCloselyTogether(
v6,
v2,
*((int *)&v2 + 1),
v3,
(int)"\r\nÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ\r\n [þ] Unpacked with ProcDump32 (C) G-RoM, Lorian & Stone - 1998, 1999 [þ] \r\nÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ",
v4);
if ( GENERAL__writeToNewlyCreatedFileFile(lpBuffer, nNumberOfBytesToRead, fileNameFromCannedDialog) )
{
MessageBoxA(GENERAL__MainHWND, "File successfully restored", "ProcDump Rebuilder", 0x30u);
}
else
{
LABEL_12:
MessageBeep(0xFFFFFFFFu);
MessageBoxA(GENERAL__MainHWND, "Error while accessing the file (READ/WRITE)", "File Access Error", 0x30u);
}
STUB__virtualFree(lpBuffer);
lpBuffer = 0;
fileNameFromCannedDialog[0] = 0;
return v4;
}
//----- (004022CC) --------------------------------------------------------
__int64 __fastcall dlg__processInfosFunction(__int64 a1)
{
int v1; // eax@1
__int64 v2; // ST14_8@1
void *v3; // eax@2
void *v4; // eax@3
signed int v6; // eax@1
int v7; // eax@1
DWORD dwProcessId; // [sp+Ch] [bp-4h]@1
LPCVOID lpBaseAddress; // [sp+8h] [bp-8h]@2
HANDLE hObject; // [sp+4h] [bp-Ch]@4
v2 = a1;
v6 = GUI__findWhichItemWasSeletedInListView(hWnd);
firstLvItem__iSubItem = 1;
firstLvItem__cchTextMax = 256;
firstLvItem__lpszText = (int)&sz;
SendMessageA(hWnd, 0x102Du, v6, (LPARAM)&firstLvItem__mask);
v7 = GENERAL__asciiToReg((int)&sz);
dwProcessId = v7;
v1 = module__getImageBaseFromPID(v7, (int)&dword_40CE3B);
if ( v1 )
{
lpBaseAddress = (LPCVOID)v1;
v3 = STUB__virtualAlloc(dword_40CE3B);
if ( v3 )
{
lpBuffer = v3;
v4 = OpenProcess(0x10u, 0, dwProcessId);
if ( v4 )
{
hObject = v4;
ReadProcessMemory(v4, lpBaseAddress, lpBuffer, (DWORD)&dword_40CE3B, 0);
CloseHandle(hObject);
PE__investigateEntryPoint((int)lpBuffer);
byte_40D04B = 1;
PE__FixupAndStampHeader((int)lpBuffer);
DialogBoxParamA(
hInstance,
(LPCSTR)0x6F,
GENERAL__MainHWND,
(BOOL (__stdcall *)(HWND,UINT,WPARAM,LPARAM))dlg__structureEditor,
0);
}
byte_40D04B = 0;
STUB__virtualFree(lpBuffer);
}
}
return v2;
}
//----- (004023E4) --------------------------------------------------------
__int64 __fastcall GENERAL__peEditorFunction(__int64 a1)
{
__int64 v1; // ST14_8@1
int v3; // eax@5
__int64 v4; // ST08_8@5
int v5; // edx@5
int v6; // ecx@5
v1 = a1;
byte_40D04B = 1;
if ( PE__changeRawAddressesToVirtualOnes(fileNameFromCannedDialog, (int *)&lpBuffer) )
{
DialogBoxParamA(
hInstance,
(LPCSTR)0x6F,
GENERAL__MainHWND,
(BOOL (__stdcall *)(HWND,UINT,WPARAM,LPARAM))dlg__structureEditor,
0);
if ( !dlg__changesSaveType )
goto LABEL_8;
if ( dlg__changesSaveType == 2 )
{
if ( GENERAL__writeToFileAtPosition(lpBuffer, PE__sizeOfHeaders, 0, fileNameFromCannedDialog) )
goto LABEL_8;
}
else
{
byte_40D04B = 0;
v3 = PE__FixupAndStampHeader((int)lpBuffer);
*((_DWORD *)&v4 + 1) = CODESHOT__lengthOfUnpackedByBanner;
*(_DWORD *)&v4 = lpBuffer;
PE__packSectionsCloselyTogether(
v4,
v3,
v5,
v6,
(int)"\r\nÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ\r\n [þ] Unpacked with ProcDump32 (C) G-RoM, Lorian & Stone - 1998, 1999 [þ] \r\nÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ",
v1);
if ( GENERAL__writeToNewlyCreatedFileFile(lpBuffer, nNumberOfBytesToRead, fileNameFromCannedDialog) )
goto LABEL_8;
}
}
MessageBeep(0xFFFFFFFFu);
MessageBoxA(GENERAL__MainHWND, "Error while accessing the file (READ/WRITE)", "File Access Error", 0x30u);
LABEL_8:
STUB__virtualFree(lpBuffer);
lpBuffer = 0;
byte_40D04B = 0;
fileNameFromCannedDialog[0] = 0;
return v1;
}
//----- (004024DB) --------------------------------------------------------
__int64 __fastcall GUI__fillProcessListViewControl(__int64 a1,int a2,int a3,int a4)
{
__int64 v2; // ST14_8@1
int v4; // eax@2
__int64 v5; // ST00_8@2
int v6; // edx@2
LPSTR v7; // ecx@2
v2 = a1;
currentSectionBeingProcessed = 0;
SendMessageA(GUI__hwndOfProcessListView, 0xBu, 0, 0);
if ( oSSPECIFICSTUB__getFirstProcess((int)byte_40CAEF) )
{
do
{
dword_40CE3B = 0;
v4 = module__getImageBaseFromPID(dword_40CAF7, (int)&dword_40CE3B);
*((_DWORD *)&v5 + 1) = dword_40CAF7;
*(_DWORD *)&v5 = byte_40CB13;
GUI__writeProcessInfosToMainListView(v5, v4, v6, v7, v4, dword_40CE3B, (int)dword_40CB07, v2);
}
while ( oSSPECIFICSTUB__getNextProcess((int)byte_40CAEF) );
}
SendMessageA(GUI__hwndOfProcessListView, 0xBu, 1u, 0);
InvalidateRect(GUI__hwndOfProcessListView, 0, 1);
oSSPECIFICSTUB__closeHandleForProcessSnapshotPSAPI();
return v2;
}
//----- (0040257B) --------------------------------------------------------
__int64 __fastcall GUI__fillModuleListViewControl(__int64 a1,int a2,int a3,WPARAM wParam)
{
__int64 v2; // qax@1
CHAR *v3; // ecx@1
__int64 v4; // ST10_8@1
int v6; // eax@1
__int64 v7; // ST00_8@2
v4 = a1;
SendMessageA(GUI__hwndOfModuleListView, 0xBu, 0, 0);
dword_40CE3F = 0;
firstLvItem__iSubItem = 1;
firstLvItem__cchTextMax = 256;
firstLvItem__lpszText = (int)&sz;
SendMessageA(GUI__hwndOfProcessListView, 0x102Du, wParam, (LPARAM)&firstLvItem__mask);
v6 = GENERAL__asciiToReg((int)&sz);
for ( *(_DWORD *)&v2 = oSSPECIFICSTUB__module32First((int)byte_40CC17, v6); (_DWORD)v2; *(_DWORD *)&v2 = oSSPECIFICSTUB__module32Next((int)byte_40CC17) )
{
*((_DWORD *)&v7 + 1) = dword_40CC1B;
*(_DWORD *)&v7 = byte_40CD37;
GUI__addModuleToListView(v7, v2, *((int *)&v2 + 1), v3, dword_40CC33, dword_40CC2F, v4);
}
SendMessageA(GUI__hwndOfModuleListView, 0xBu, 1u, 0);
InvalidateRect(GUI__hwndOfModuleListView, 0, 1);
oSSPECIFICSTUB__closeHandleForModuleSnapshotPSAPI();
return v4;
}
//----- (00402641) --------------------------------------------------------
__int64 __fastcall dlg__readFromFileIntoSection(__int64 a1,int a2,int a3,HWND hWnd)
{
__int64 v2; // qax@1
DWORD v3; // ecx@1
__int64 v4; // ST24_8@1
void *v5; // eax@2
DWORD v6; // ecx@2
void *v7; // ST1C_4@2
void *v8; // ST20_4@3
char *v9; // ST18_4@4
char *v10; // ST1C_4@4
UINT v11; // ST20_4@4
DWORD v13; // ST20_4@2
v4 = a1;
tempHwnd = hWnd;
GUI__findWhichItemWasSeletedInListView(hWnd);
FileName = 0;
if ( GUI__cannedOpenFile((CHAR *)&FileName, "Select data to import into section") )
{
v13 = v3;
v7 = (void *)*((_DWORD *)&v2 + 1);
v5 = CreateFileA(&FileName, 0x80000000u, 1u, 0, 3u, 0x80u, 0);
v6 = v13;
if ( v5 != (void *)-1 )
{
v8 = v5;
if ( ReadFile(v5, v7, v6, &NumberOfBytesRead, 0) )
{
CloseHandle(v8);
v11 = 48;
v10 = "ProcDump PE Editor";
v9 = "Section successfully read in memory";
LABEL_7:
MessageBoxA(hWnd, v9, v10, v11);
return v4;
}
C
使用SDK,可以进一步优化代码可读性:
Hex-Rays SDK is ready!
A binary analysis tool like a decompiler is incomplete without a programming interface. Sure, decompilers tremendously facilitate binary analysis. You can concentrate of the program logic expressed in a familiar way. Just add comments, rename variables and functions to get
almost the original source code,
almost perfect. However, quite often there is a small ugly detail and the output falls short of being satisfactory.
It can be because of an awkward expression
(result = _putwc_lk(a3, (FILE *)result), result != -1)
which could be represented more concisely:
((result = _putwc_lk(a3, fp)) != -1)
It can also be an inline function
while ( v16 ) { *(_BYTE *)v17++ = 0; --v16; }
which could be collapsed:
memset(ptr, 0, count);
It can be a
while -loop
v7 = 48; v4 = wcstok(&Str, L"."); if ( v4 ) { do { v9 = (unsigned __int16)j___wtol(v4) = 0 && v4 ); }
which could be converted into a
for -loop:
for ( shift=48, ptr=wcstok(&Str, L"."); shift >= 0 && ptr; ptr=wcstok(NULL, L"."), shift-=16 ) { v6 |= (ushort)wtol(ptr)
All these transformations improve the readability but the decompiler can not perform them automatically: they change the meaning of the program. Only the user who knows that these transformations can be safely applied should activate them.
We could add extensive set of manual transformation commands to the decompiler (we might do it one day), but there are really too many of them. Besides, some transformations can be applied only in some particular circumstances proper to a particular version of a compiler used with particular command line options. In short, there is no way we can predict all possible transformations and implement them.
Hex-Rays SDK allows you to manipulate the decompilation result as you want. You can play with the output data structure (called ctree), modify it, rename variables, and change their types. Watch such a plugin in action:
This plugin introduces a new command to swap
if branches. I personally prefer to have the shorter
if branch first: shorter means simpler. Having simplest problems to be solved first is a good approach in programming, it frees one's mind for complex problems and makes the unsolved part of the problem shorter (thus hopefully simpler ;)
Other things you can do with the current SDK:
Decompile any function
Modify the pseudocode
Change local variable names and types
Introduce your own interactive commands
Install callbacks to react to decompiler events
The above functionality it enough to implement the
Inliner, Exporter, Transformer, and Vizier(partially) plugins mentioned
here .
In the future we will add support for other plugin types. The decompiler will handle other target processors and data flow analysis functions will be exported. This will allow you to write more complex analysis and transformation rules.
What about writing your own vulnerability scanner based on Hex-Rays? ;)
It is quite difficult today but will be within reach very soon.
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!