Post #3
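Since my current permissions don't allow me to upload attachments, I'll just briefly describe the process.
The file is named p.dll.
I tried attaching to the process, without success. With no other option, I loaded the DLL file directly to unpack it. PEiD identifies it as
PESPIN 0.3X-1.XX
I tried unpacking it by hand and failed N times. In the end I found the script provided by skylly, which did indeed run through properly and found the OEP.
But the code there is: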
00B49CB0 90 nop
00B49CB1 90 nop
00B49CB2 90 nop
00B49CB3 90 nop
00B49CB4 61 popad
00B49CB5 85C9 test ecx, ecx ; OEP //// found by the script
00B49CB7 F7C0 E51EFF84 test eax, 84FF1EE5
00B49CBD 21C1 and ecx, eax
00B49CBF 8BD0 mov edx, eax
00B49CC1 FFCA dec edx
00B49CC3 F7D9 neg ecx
00B49CC5 8D15 D00B00F4 lea edx, dword ptr [F4000BD0]
00B49CCB 0FBFD0 movsx edx, ax
00B49CCE D1C1 rol ecx, 1
00B49CD0 C1DA 7F rcr edx, 7F
00B49CD3 0FC9 bswap ecx
00B49CD5 0FCA bswap edx
00B49CD7 F7C2 AC7A681F test edx, 1F687AAC
00B49CDD C1D9 4C rcr ecx, 4C
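No matter how I look at it, this doesn't look like an OEP. Since I'm too much of a beginner, I had no choice but to trust it!!
Then I used LordPE, found LOADDLL, and did a full dump of the P.DLL module, then changed the base address to 870000.
Next I went to fix it with IMP, but when I used this OEP it was invalid... (Is it always like this when fixing a DLL file loaded with LOADDLL?) With no other option, I could only look for these things in the file, and in the end I found these: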
00876928 $- FF25 5C62B100 jmp dword ptr [B1625C] ; ADVAPI32.RegCloseKey
0087692E 8BC0 mov eax, eax
00876930 $- FF25 5862B100 jmp dword ptr [B16258] ; ADVAPI32.RegOpenKeyExA
00876936 8BC0 mov eax, eax
00876938 $- FF25 5462B100 jmp dword ptr [B16254] ; ADVAPI32.RegQueryValueExA
0087693E 8BC0 mov eax, eax
00876940 $- FF25 CC63B100 jmp dword ptr [B163CC] ; kernel32.Beep
00876946 8BC0 mov eax, eax
00876948 $- FF25 C863B100 jmp dword ptr [B163C8] ; kernel32.CloseHandle
0087694E 8BC0 mov eax, eax
00876950 $- FF25 C463B100 jmp dword ptr [B163C4] ; kernel32.CompareStringA
00876956 8BC0 mov eax, eax
00876958 $- FF25 C463B100 jmp dword ptr [B163C4] ; kernel32.CompareStringA
0087695E 8BC0 mov eax, eax
00876960 $- FF25 C063B100 jmp dword ptr [B163C0] ; kernel32.CompareStringW
00876966 8BC0 mov eax, eax
00876968 $- FF25 BC63B100 jmp dword ptr [B163BC] ; kernel32.CopyFileA
0087696E 8BC0 mov eax, eax
00876970 $- FF25 B863B100 jmp dword ptr [B163B8] ; kernel32.CreateDirectoryA
00876976 8BC0 mov eax, eax
00876978 $- FF25 B463B100 jmp dword ptr [B163B4] ; kernel32.CreateEventA
0087697E 8BC0 mov eax, eax
00876980 $- FF25 B063B100 jmp dword ptr [B163B0] ; kernel32.CreateFileA
00876986 8BC0 mov eax, eax
00876988 $- FF25 B063B100 jmp dword ptr [B163B0] ; kernel32.CreateFileA
0087698E 8BC0 mov eax, eax
00876990 $- FF25 AC63B100 jmp dword ptr [B163AC] ; kernel32.CreateFileW
00876996 8BC0 mov eax, eax
00876998 $- FF25 A863B100 jmp dword ptr [B163A8] ; kernel32.CreateThread
0087699E 8BC0 mov eax, eax
008769A0 $- FF25 A463B100 jmp dword ptr [B163A4] ; ntdll.RtlDeleteCriticalSection
008769A6 8BC0 mov eax, eax
008769A8 $- FF25 A063B100 jmp dword ptr [B163A0] ; ntdll.RtlEnterCriticalSection
008769AE 8BC0 mov eax, eax
008769B0 $- FF25 9C63B100 jmp dword ptr [B1639C] ; kernel32.EnumCalendarInfoA
008769B6 8BC0 mov eax, eax
008769B8 $- FF25 9863B100 jmp dword ptr [B16398] ; kernel32.FileTimeToDosDateTime
008769BE 8BC0 mov eax, eax
008769C0 $- FF25 9463B100 jmp dword ptr [B16394] ; kernel32.FileTimeToLocalFileTime
008769C6 8BC0 mov eax, eax
008769C8 $- FF25 9063B100 jmp dword ptr [B16390] ; kernel32.FindClose
008769CE 8BC0 mov eax, eax
008769D0 $- FF25 8C63B100 jmp dword ptr [B1638C] ; kernel32.FindFirstFileA
008769D6 8BC0 mov eax, eax
008769D8 $- FF25 8863B100 jmp dword ptr [B16388] ; kernel32.FindResourceA
008769DE 8BC0 mov eax, eax
008769E0 $- FF25 8463B100 jmp dword ptr [B16384] ; kernel32.FormatMessageA
008769E6 8BC0 mov eax, eax
008769E8 $- FF25 8463B100 jmp dword ptr [B16384] ; kernel32.FormatMessageA
008769EE 8BC0 mov eax, eax
008769F0 $- FF25 8063B100 jmp dword ptr [B16380] ; kernel32.FormatMessageW
008769F6 8BC0 mov eax, eax
008769F8 $- FF25 7C63B100 jmp dword ptr [B1637C] ; kernel32.FreeLibrary
008769FE 8BC0 mov eax, eax
00876A00 $- FF25 7863B100 jmp dword ptr [B16378] ; kernel32.InterlockedDecrement
00876A06 8BC0 mov eax, eax
00876A08 $- FF25 7463B100 jmp dword ptr [B16374] ; kernel32.InterlockedExchange
00876A0E 8BC0 mov eax, eax
00876A10 $- FF25 7063B100 jmp dword ptr [B16370] ; kernel32.InterlockedIncrement
00876A16 8BC0 mov eax, eax
00876A18 $- FF25 6C63B100 jmp dword ptr [B1636C] ; kernel32.FreeResource
00876A1E 8BC0 mov eax, eax
00876A20 $- FF25 6863B100 jmp dword ptr [B16368] ; kernel32.GetACP
00876A26 8BC0 mov eax, eax
00876A28 $- FF25 6463B100 jmp dword ptr [B16364] ; kernel32.GetCPInfo
00876A2E 8BC0 mov eax, eax
00876A30 $- FF25 6063B100 jmp dword ptr [B16360] ; kernel32.GetComputerNameA
00876A36 8BC0 mov eax, eax
00876A38 $- FF25 5C63B100 jmp dword ptr [B1635C] ; kernel32.GetCurrentProcess
00876A3E 8BC0 mov eax, eax
00876A40 $- FF25 5863B100 jmp dword ptr [B16358] ; kernel32.GetCurrentProcessId
00876A46 8BC0 mov eax, eax
00876A48 $- FF25 5463B100 jmp dword ptr [B16354] ; kernel32.GetCurrentThreadId
00876A4E 8BC0 mov eax, eax
00876A50 $- FF25 5063B100 jmp dword ptr [B16350] ; kernel32.GetDateFormatA
00876A56 8BC0 mov eax, eax
00876A58 $- FF25 4C63B100 jmp dword ptr [B1634C] ; kernel32.GetDiskFreeSpaceA
00876A5E 8BC0 mov eax, eax
00876A60 $- FF25 4863B100 jmp dword ptr [B16348] ; kernel32.GetExitCodeThread
00876A66 8BC0 mov eax, eax
00876A68 $- FF25 4463B100 jmp dword ptr [B16344] ; kernel32.GetFileAttributesA
00876A6E 8BC0 mov eax, eax
00876A70 $- FF25 4063B100 jmp dword ptr [B16340] ; kernel32.GetFullPathNameA
00876A76 8BC0 mov eax, eax
00876A78 $- FF25 4063B100 jmp dword ptr [B16340] ; kernel32.GetFullPathNameA
00876A7E 8BC0 mov eax, eax
00876A80 $- FF25 3C63B100 jmp dword ptr [B1633C] ; kernel32.GetFullPathNameW
00876A86 8BC0 mov eax, eax
00876A88 $- FF25 3863B100 jmp dword ptr [B16338] ; ntdll.RtlGetLastWin32Error
00876A8E 8BC0 mov eax, eax
00876A90 $- FF25 3463B100 jmp dword ptr [B16334] ; kernel32.GetLocalTime
00876A96 8BC0 mov eax, eax
00876A98 $- FF25 3063B100 jmp dword ptr [B16330] ; kernel32.GetLocaleInfoA
00876A9E 8BC0 mov eax, eax
00876AA0 $- FF25 2C63B100 jmp dword ptr [B1632C] ; kernel32.GetModuleFileNameA
00876AA6 8BC0 mov eax, eax
00876AA8 $- FF25 2863B100 jmp dword ptr [B16328] ; kernel32.GetModuleHandleA
00876AAE 8BC0 mov eax, eax
00876AB0 $- FF25 2463B100 jmp dword ptr [B16324] ; kernel32.GetPrivateProfileStringA
00876AB6 8BC0 mov eax, eax
00876AB8 $- FF25 2063B100 jmp dword ptr [B16320] ; kernel32.GetProcAddress
00876ABE 8BC0 mov eax, eax
00876AC0 $- FF25 1C63B100 jmp dword ptr [B1631C] ; kernel32.GetStdHandle
00876AC6 8BC0 mov eax, eax
00876AC8 $- FF25 1863B100 jmp dword ptr [B16318] ; kernel32.GetStringTypeExA
00876ACE 8BC0 mov eax, eax
00876AD0 $- FF25 1463B100 jmp dword ptr [B16314] ; kernel32.GetSystemInfo
00876AD6 8BC0 mov eax, eax
00876AD8 $- FF25 1063B100 jmp dword ptr [B16310] ; kernel32.GetThreadLocale
00876ADE 8BC0 mov eax, eax
00876AE0 $- FF25 0C63B100 jmp dword ptr [B1630C] ; kernel32.GetTickCount
00876AE6 8BC0 mov eax, eax
00876AE8 $- FF25 0863B100 jmp dword ptr [B16308] ; kernel32.GetVersion
00876AEE 8BC0 mov eax, eax
00876AF0 $- FF25 0463B100 jmp dword ptr [B16304] ; kernel32.GetVersionExA
00876AF6 8BC0 mov eax, eax
00876AF8 $- FF25 0063B100 jmp dword ptr [B16300] ; kernel32.GlobalAddAtomA
00876AFE 8BC0 mov eax, eax
00876B00 $- FF25 FC62B100 jmp dword ptr [B162FC] ; kernel32.GlobalAlloc
00876B06 8BC0 mov eax, eax
00876B08 $- FF25 F862B100 jmp dword ptr [B162F8] ; kernel32.GlobalDeleteAtom
00876B0E 8BC0 mov eax, eax
00876B10 $- FF25 F462B100 jmp dword ptr [B162F4] ; kernel32.GlobalFindAtomA
00876B16 8BC0 mov eax, eax
00876B18 $- FF25 F062B100 jmp dword ptr [B162F0] ; kernel32.GlobalFree
00876B1E 8BC0 mov eax, eax
00876B20 $- FF25 EC62B100 jmp dword ptr [B162EC] ; kernel32.GlobalLock
00876B26 8BC0 mov eax, eax
00876B28 $- FF25 E862B100 jmp dword ptr [B162E8] ; kernel32.GlobalHandle
00876B2E 8BC0 mov eax, eax
00876B30 $- FF25 E462B100 jmp dword ptr [B162E4] ; kernel32.GlobalReAlloc
00876B36 8BC0 mov eax, eax
00876B38 $- FF25 E062B100 jmp dword ptr [B162E0] ; kernel32.GlobalUnlock
00876B3E 8BC0 mov eax, eax
00876B40 $- FF25 DC62B100 jmp dword ptr [B162DC] ; kernel32.InitializeCriticalSection
00876B46 8BC0 mov eax, eax
00876B48 $- FF25 D862B100 jmp dword ptr [B162D8] ; ntdll.RtlLeaveCriticalSection
00876B4E 8BC0 mov eax, eax
00876B50 $- FF25 D462B100 jmp dword ptr [B162D4] ; kernel32.LoadLibraryA
00876B56 8BC0 mov eax, eax
00876B58 $- FF25 D062B100 jmp dword ptr [B162D0] ; kernel32.LoadResource
00876B5E 8BC0 mov eax, eax
00876B60 $- FF25 CC62B100 jmp dword ptr [B162CC] ; kernel32.SetHandleCount
00876B66 8BC0 mov eax, eax
00876B68 $- FF25 C862B100 jmp dword ptr [B162C8] ; kernel32.MulDiv
00876B6E 8BC0 mov eax, eax
00876B70 $- FF25 C462B100 jmp dword ptr [B162C4] ; kernel32.MultiByteToWideChar
00876B76 8BC0 mov eax, eax
00876B78 $- FF25 C062B100 jmp dword ptr [B162C0] ; kernel32.OutputDebugStringA
00876B7E 8BC0 mov eax, eax
00876B80 $- FF25 BC62B100 jmp dword ptr [B162BC] ; kernel32.ReadFile
00876B86 8BC0 mov eax, eax
00876B88 $- FF25 B862B100 jmp dword ptr [B162B8] ; kernel32.ResetEvent
00876B8E 8BC0 mov eax, eax
00876B90 $- FF25 B462B100 jmp dword ptr [B162B4] ; kernel32.ResumeThread
00876B96 8BC0 mov eax, eax
00876B98 $- FF25 B062B100 jmp dword ptr [B162B0] ; kernel32.SetEndOfFile
00876B9E 8BC0 mov eax, eax
00876BA0 $- FF25 AC62B100 jmp dword ptr [B162AC] ; kernel32.SetErrorMode
00876BA6 8BC0 mov eax, eax
00876BA8 $- FF25 A862B100 jmp dword ptr [B162A8] ; kernel32.SetEvent
00876BAE 8BC0 mov eax, eax
00876BB0 $- FF25 A462B100 jmp dword ptr [B162A4] ; kernel32.SetFilePointer
00876BB6 8BC0 mov eax, eax
00876BB8 $- FF25 A062B100 jmp dword ptr [B162A0] ; ntdll.RtlSetLastWin32Error
00876BBE 8BC0 mov eax, eax
00876BC0 $- FF25 9C62B100 jmp dword ptr [B1629C] ; kernel32.SetThreadLocale
00876BC6 8BC0 mov eax, eax
00876BC8 $- FF25 9862B100 jmp dword ptr [B16298] ; kernel32.SizeofResource
00876BCE 8BC0 mov eax, eax
00876BD0 $- FF25 9462B100 jmp dword ptr [B16294] ; kernel32.Sleep
00876BD6 8BC0 mov eax, eax
00876BD8 $- FF25 9062B100 jmp dword ptr [B16290] ; kernel32.SuspendThread
00876BDE 8BC0 mov eax, eax
00876BE0 $- FF25 8C62B100 jmp dword ptr [B1628C] ; kernel32.VirtualAlloc
00876BE6 8BC0 mov eax, eax
00876BE8 $- FF25 8862B100 jmp dword ptr [B16288] ; kernel32.VirtualProtect
00876BEE 8BC0 mov eax, eax
00876BF0 $- FF25 8462B100 jmp dword ptr [B16284] ; kernel32.VirtualQuery
00876BF6 8BC0 mov eax, eax
00876BF8 $- FF25 8062B100 jmp dword ptr [B16280] ; kernel32.WaitForSingleObject
00876BFE 8BC0 mov eax, eax
00876C00 $- FF25 7C62B100 jmp dword ptr [B1627C] ; kernel32.WideCharToMultiByte
00876C06 8BC0 mov eax, eax
00876C08 $- FF25 7862B100 jmp dword ptr [B16278] ; kernel32.WriteFile
00876C0E 8BC0 mov eax, eax
00876C10 $- FF25 7462B100 jmp dword ptr [B16274] ; kernel32.WritePrivateProfileStringA
00876C16 8BC0 mov eax, eax
00876C18 $- FF25 7062B100 jmp dword ptr [B16270] ; kernel32.WriteProcessMemory
00876C1E 8BC0 mov eax, eax
00876C20 $- FF25 6C62B100 jmp dword ptr [B1626C] ; kernel32.lstrcmpA
00876C26 8BC0 mov eax, eax
00876C28 $- FF25 6862B100 jmp dword ptr [B16268] ; kernel32.lstrcmpW
00876C2E 8BC0 mov eax, eax
00876C30 $- FF25 6462B100 jmp dword ptr [B16264] ; kernel32.lstrcpyA
00876C36 8BC0 mov eax, eax
00876C38 $- FF25 DC63B100 jmp dword ptr [B163DC] ; VERSION.GetFileVersionInfoA
00876C3E 8BC0 mov eax, eax
00876C40 $- FF25 D863B100 jmp dword ptr [B163D8] ; VERSION.GetFileVersionInfoSizeA
00876C46 8BC0 mov eax, eax
00876C48 $- FF25 D463B100 jmp dword ptr [B163D4] ; VERSION.VerQueryValueA
00876C4E 8BC0 mov eax, eax
00876C50 $- FF25 0065B100 jmp dword ptr [B16500] ; GDI32.BitBlt
00876C56 8BC0 mov eax, eax
00876C58 $- FF25 FC64B100 jmp dword ptr [B164FC] ; GDI32.CopyEnhMetaFileA
00876C5E 8BC0 mov eax, eax
00876C60 $- FF25 F864B100 jmp dword ptr [B164F8] ; GDI32.CreateBitmap
00876C66 8BC0 mov eax, eax
00876C68 $- FF25 F464B100 jmp dword ptr [B164F4] ; GDI32.CreateBrushIndirect
00876C6E 8BC0 mov eax, eax
00876C70 $- FF25 F064B100 jmp dword ptr [B164F0] ; GDI32.CreateCompatibleBitmap
00876C76 8BC0 mov eax, eax
00876C78 $- FF25 EC64B100 jmp dword ptr [B164EC] ; GDI32.CreateCompatibleDC
00876C7E 8BC0 mov eax, eax
00876C80 $- FF25 E864B100 jmp dword ptr [B164E8] ; GDI32.CreateDIBSection
00876C86 8BC0 mov eax, eax
00876C88 $- FF25 E464B100 jmp dword ptr [B164E4] ; GDI32.CreateDIBitmap
00876C8E 8BC0 mov eax, eax
00876C90 $- FF25 E064B100 jmp dword ptr [B164E0] ; GDI32.CreateFontIndirectA
00876C96 8BC0 mov eax, eax
00876C98 $- FF25 DC64B100 jmp dword ptr [B164DC] ; GDI32.CreateHalftonePalette
00876C9E 8BC0 mov eax, eax
00876CA0 $- FF25 D864B100 jmp dword ptr [B164D8] ; GDI32.CreatePalette
00876CA6 8BC0 mov eax, eax
00876CA8 $- FF25 D464B100 jmp dword ptr [B164D4] ; GDI32.CreatePenIndirect
00876CAE 8BC0 mov eax, eax
00876CB0 $- FF25 D064B100 jmp dword ptr [B164D0] ; GDI32.CreateSolidBrush
00876CB6 8BC0 mov eax, eax
00876CB8 $- FF25 CC64B100 jmp dword ptr [B164CC] ; GDI32.DeleteDC
00876CBE 8BC0 mov eax, eax
00876CC0 $- FF25 C864B100 jmp dword ptr [B164C8] ; GDI32.DeleteEnhMetaFile
00876CC6 8BC0 mov eax, eax
00876CC8 $- FF25 C464B100 jmp dword ptr [B164C4] ; GDI32.DeleteObject
00876CCE 8BC0 mov eax, eax
00876CD0 $- FF25 C064B100 jmp dword ptr [B164C0] ; GDI32.Ellipse
00876CD6 8BC0 mov eax, eax
00876CD8 $- FF25 BC64B100 jmp dword ptr [B164BC] ; GDI32.ExcludeClipRect
00876CDE 8BC0 mov eax, eax
00876CE0 $- FF25 B864B100 jmp dword ptr [B164B8] ; GDI32.ExtTextOutA
00876CE6 8BC0 mov eax, eax
00876CE8 $- FF25 B464B100 jmp dword ptr [B164B4] ; GDI32.ExtTextOutW
00876CEE 8BC0 mov eax, eax
00876CF0 $- FF25 B064B100 jmp dword ptr [B164B0] ; GDI32.GdiFlush
00876CF6 8BC0 mov eax, eax
00876CF8 $- FF25 AC64B100 jmp dword ptr [B164AC] ; GDI32.GetBitmapBits
00876CFE 8BC0 mov eax, eax
00876D00 $- FF25 A864B100 jmp dword ptr [B164A8] ; GDI32.GetBrushOrgEx
00876D06 8BC0 mov eax, eax
00876D08 $- FF25 A464B100 jmp dword ptr [B164A4] ; GDI32.GetClipBox
00876D0E 8BC0 mov eax, eax
00876D10 $- FF25 A064B100 jmp dword ptr [B164A0] ; GDI32.GetCurrentPositionEx
00876D16 8BC0 mov eax, eax
00876D18 $- FF25 9C64B100 jmp dword ptr [B1649C] ; GDI32.GetDCOrgEx
00876D1E 8BC0 mov eax, eax
00876D20 $- FF25 9864B100 jmp dword ptr [B16498] ; GDI32.GetDIBColorTable
00876D26 8BC0 mov eax, eax
00876D28 $- FF25 9464B100 jmp dword ptr [B16494] ; GDI32.GetDIBits
00876D2E 8BC0 mov eax, eax
00876D30 $- FF25 9064B100 jmp dword ptr [B16490] ; GDI32.GetDeviceCaps
00876D36 8BC0 mov eax, eax
00876D38 $- FF25 8C64B100 jmp dword ptr [B1648C] ; GDI32.GetEnhMetaFileBits
00876D3E 8BC0 mov eax, eax
00876D40 $- FF25 8864B100 jmp dword ptr [B16488] ; GDI32.GetEnhMetaFileHeader
00876D46 8BC0 mov eax, eax
00876D48 $- FF25 8464B100 jmp dword ptr [B16484] ; GDI32.GetEnhMetaFilePaletteEntries
00876D4E 8BC0 mov eax, eax
00876D50 $- FF25 8064B100 jmp dword ptr [B16480] ; GDI32.GetObjectA
00876D56 8BC0 mov eax, eax
00876D58 $- FF25 7C64B100 jmp dword ptr [B1647C] ; GDI32.GetPaletteEntries
00876D5E 8BC0 mov eax, eax
00876D60 $- FF25 7864B100 jmp dword ptr [B16478] ; GDI32.GetPixel
00876D66 8BC0 mov eax, eax
00876D68 $- FF25 7464B100 jmp dword ptr [B16474] ; GDI32.GetStockObject
00876D6E 8BC0 mov eax, eax
00876D70 $- FF25 7064B100 jmp dword ptr [B16470] ; GDI32.GetSystemPaletteEntries
00876D76 8BC0 mov eax, eax
00876D78 $- FF25 6C64B100 jmp dword ptr [B1646C] ; GDI32.GetTextExtentPoint32A
00876D7E 8BC0 mov eax, eax
00876D80 $- FF25 6864B100 jmp dword ptr [B16468] ; GDI32.GetTextExtentPoint32W
00876D86 8BC0 mov eax, eax
00876D88 $- FF25 6464B100 jmp dword ptr [B16464] ; GDI32.GetTextMetricsA
00876D8E 8BC0 mov eax, eax
00876D90 $- FF25 6064B100 jmp dword ptr [B16460] ; GDI32.GetWinMetaFileBits
00876D96 8BC0 mov eax, eax
00876D98 $- FF25 5C64B100 jmp dword ptr [B1645C] ; GDI32.GetWindowOrgEx
00876D9E 8BC0 mov eax, eax
00876DA0 $- FF25 5864B100 jmp dword ptr [B16458] ; GDI32.IntersectClipRect
00876DA6 8BC0 mov eax, eax
00876DA8 $- FF25 5464B100 jmp dword ptr [B16454] ; GDI32.LineTo
00876DAE 8BC0 mov eax, eax
00876DB0 $- FF25 5064B100 jmp dword ptr [B16450] ; GDI32.MaskBlt
00876DB6 8BC0 mov eax, eax
00876DB8 $- FF25 4C64B100 jmp dword ptr [B1644C] ; GDI32.MoveToEx
00876DBE 8BC0 mov eax, eax
00876DC0 $- FF25 4864B100 jmp dword ptr [B16448] ; GDI32.PatBlt
00876DC6 8BC0 mov eax, eax
00876DC8 $- FF25 4464B100 jmp dword ptr [B16444] ; GDI32.Pie
00876DCE 8BC0 mov eax, eax
00876DD0 $- FF25 4064B100 jmp dword ptr [B16440] ; GDI32.PlayEnhMetaFile
00876DD6 8BC0 mov eax, eax
00876DD8 $- FF25 3C64B100 jmp dword ptr [B1643C] ; GDI32.Polyline
00876DDE 8BC0 mov eax, eax
00876DE0 $- FF25 3864B100 jmp dword ptr [B16438] ; GDI32.RealizePalette
00876DE6 8BC0 mov eax, eax
00876DE8 $- FF25 3464B100 jmp dword ptr [B16434] ; GDI32.RectVisible
00876DEE 8BC0 mov eax, eax
00876DF0 $- FF25 3064B100 jmp dword ptr [B16430] ; GDI32.Rectangle
00876DF6 8BC0 mov eax, eax
00876DF8 $- FF25 2C64B100 jmp dword ptr [B1642C] ; GDI32.RestoreDC
00876DFE 8BC0 mov eax, eax
00876E00 $- FF25 2864B100 jmp dword ptr [B16428] ; GDI32.SaveDC
00876E06 8BC0 mov eax, eax
00876E08 $- FF25 2464B100 jmp dword ptr [B16424] ; GDI32.SelectClipRgn
00876E0E 8BC0 mov eax, eax
00876E10 $- FF25 2064B100 jmp dword ptr [B16420] ; GDI32.SelectObject
00876E16 8BC0 mov eax, eax
00876E18 $- FF25 1C64B100 jmp dword ptr [B1641C] ; GDI32.SelectPalette
00876E1E 8BC0 mov eax, eax
00876E20 $- FF25 1864B100 jmp dword ptr [B16418] ; GDI32.SetBkColor
00876E26 8BC0 mov eax, eax
00876E28 $- FF25 1464B100 jmp dword ptr [B16414] ; GDI32.SetBkMode
00876E2E 8BC0 mov eax, eax
00876E30 $- FF25 1064B100 jmp dword ptr [B16410] ; GDI32.SetBrushOrgEx
00876E36 8BC0 mov eax, eax
00876E38 $- FF25 0C64B100 jmp dword ptr [B1640C] ; GDI32.SetDIBColorTable
00876E3E 8BC0 mov eax, eax
00876E40 $- FF25 0864B100 jmp dword ptr [B16408] ; GDI32.SetEnhMetaFileBits
00876E46 8BC0 mov eax, eax
00876E48 $- FF25 0464B100 jmp dword ptr [B16404] ; GDI32.SetPixel
00876E4E 8BC0 mov eax, eax
00876E50 $- FF25 0064B100 jmp dword ptr [B16400] ; GDI32.SetROP2
00876E56 8BC0 mov eax, eax
00876E58 $- FF25 FC63B100 jmp dword ptr [B163FC] ; GDI32.SetStretchBltMode
00876E5E 8BC0 mov eax, eax
00876E60 $- FF25 F863B100 jmp dword ptr [B163F8] ; GDI32.SetTextColor
00876E66 8BC0 mov eax, eax
00876E68 $- FF25 F463B100 jmp dword ptr [B163F4] ; GDI32.SetViewportOrgEx
00876E6E 8BC0 mov eax, eax
00876E70 $- FF25 F063B100 jmp dword ptr [B163F0] ; GDI32.SetWinMetaFileBits
00876E76 8BC0 mov eax, eax
00876E78 $- FF25 EC63B100 jmp dword ptr [B163EC] ; GDI32.SetWindowOrgEx
00876E7E 8BC0 mov eax, eax
00876E80 $- FF25 E863B100 jmp dword ptr [B163E8] ; GDI32.StretchBlt
00876E86 8BC0 mov eax, eax
00876E88 $- FF25 E463B100 jmp dword ptr [B163E4] ; GDI32.UnrealizeObject
00876E8E 8BC0 mov eax, eax
00876E90 $- FF25 0468B100 jmp dword ptr [B16804] ; USER32.ActivateKeyboardLayout
00876E96 8BC0 mov eax, eax
00876E98 $- FF25 0068B100 jmp dword ptr [B16800] ; USER32.AdjustWindowRectEx
00876E9E 8BC0 mov eax, eax
00876EA0 $- FF25 F467B100 jmp dword ptr [B167F4] ; USER32.CharLowerA
00876EA6 8BC0 mov eax, eax
00876EA8 $- FF25 E867B100 jmp dword ptr [B167E8] ; USER32.BeginDeferWindowPos
00876EAE 8BC0 mov eax, eax
00876EB0 $- FF25 E467B100 jmp dword ptr [B167E4] ; USER32.BeginPaint
00876EB6 8BC0 mov eax, eax
00876EB8 $- FF25 E067B100 jmp dword ptr [B167E0] ; USER32.CallNextHookEx
00876EBE 8BC0 mov eax, eax
00876EC0 $- FF25 DC67B100 jmp dword ptr [B167DC] ; USER32.CallWindowProcA
00876EC6 8BC0 mov eax, eax
00876EC8 $- FF25 DC67B100 jmp dword ptr [B167DC] ; USER32.CallWindowProcA
00876ECE 8BC0 mov eax, eax
00876ED0 $- FF25 D867B100 jmp dword ptr [B167D8] ; USER32.CallWindowProcW
00876ED6 8BC0 mov eax, eax
00876ED8 $- FF25 F067B100 jmp dword ptr [B167F0] ; USER32.CharLowerBuffA
00876EDE 8BC0 mov eax, eax
00876EE0 $- FF25 EC67B100 jmp dword ptr [B167EC] ; USER32.CharNextA
00876EE6 8BC0 mov eax, eax
00876EE8 $- FF25 FC67B100 jmp dword ptr [B167FC] ; USER32.CharToOemA
00876EEE 8BC0 mov eax, eax
00876EF0 $- FF25 F867B100 jmp dword ptr [B167F8] ; USER32.CharUpperBuffA
00876EF6 8BC0 mov eax, eax
00876EF8 $- FF25 D467B100 jmp dword ptr [B167D4] ; USER32.CheckMenuItem
00876EFE 8BC0 mov eax, eax
00876F00 $- FF25 D067B100 jmp dword ptr [B167D0] ; USER32.ChildWindowFromPoint
00876F06 8BC0 mov eax, eax
00876F08 $- FF25 CC67B100 jmp dword ptr [B167CC] ; USER32.ClientToScreen
00876F0E 8BC0 mov eax, eax
00876F10 $- FF25 C867B100 jmp dword ptr [B167C8] ; USER32.CreateIcon
00876F16 8BC0 mov eax, eax
00876F18 $- FF25 C467B100 jmp dword ptr [B167C4] ; USER32.CreateMenu
00876F1E 8BC0 mov eax, eax
00876F20 $- FF25 C067B100 jmp dword ptr [B167C0] ; USER32.CreatePopupMenu
00876F26 8BC0 mov eax, eax
00876F28 $- FF25 BC67B100 jmp dword ptr [B167BC] ; USER32.DefFrameProcA
00876F2E 8BC0 mov eax, eax
00876F30 .- FF25 B867B100 jmp dword ptr [B167B8] ; USER32.DefMDIChildProcA
00876F36 8BC0 mov eax, eax
00876F38 $- FF25 B467B100 jmp dword ptr [B167B4] ; USER32.DefWindowProcA
00876F3E 8BC0 mov eax, eax
00876F40 $- FF25 B067B100 jmp dword ptr [B167B0] ; USER32.DefWindowProcW
00876F46 8BC0 mov eax, eax
00876F48 $- FF25 AC67B100 jmp dword ptr [B167AC] ; USER32.DeferWindowPos
00876F4E 8BC0 mov eax, eax
00876F50 $- FF25 A867B100 jmp dword ptr [B167A8] ; USER32.DeleteMenu
00876F56 8BC0 mov eax, eax
00876F58 $- FF25 A467B100 jmp dword ptr [B167A4] ; USER32.DestroyIcon
00876F5E 8BC0 mov eax, eax
00876F60 $- FF25 A067B100 jmp dword ptr [B167A0] ; USER32.DestroyIcon
00876F66 8BC0 mov eax, eax
00876F68 $- FF25 9C67B100 jmp dword ptr [B1679C] ; USER32.DestroyMenu
00876F6E 8BC0 mov eax, eax
00876F70 $- FF25 9867B100 jmp dword ptr [B16798] ; USER32.DestroyWindow
00876F76 8BC0 mov eax, eax
00876F78 $- FF25 9467B100 jmp dword ptr [B16794] ; USER32.DispatchMessageA
00876F7E 8BC0 mov eax, eax
00876F80 $- FF25 9067B100 jmp dword ptr [B16790] ; USER32.DispatchMessageW
00876F86 8BC0 mov eax, eax
00876F88 $- FF25 8C67B100 jmp dword ptr [B1678C] ; USER32.DrawEdge
00876F8E 8BC0 mov eax, eax
00876F90 $- FF25 8867B100 jmp dword ptr [B16788] ; USER32.DrawFocusRect
00876F96 8BC0 mov eax, eax
00876F98 $- FF25 8467B100 jmp dword ptr [B16784] ; USER32.DrawFrameControl
00876F9E 8BC0 mov eax, eax
00876FA0 $- FF25 8067B100 jmp dword ptr [B16780] ; USER32.DrawIcon
00876FA6 8BC0 mov eax, eax
00876FA8 $- FF25 7C67B100 jmp dword ptr [B1677C] ; USER32.DrawIconEx
00876FAE 8BC0 mov eax, eax
00876FB0 $- FF25 7867B100 jmp dword ptr [B16778] ; USER32.DrawMenuBar
00876FB6 8BC0 mov eax, eax
00876FB8 $- FF25 7467B100 jmp dword ptr [B16774] ; USER32.DrawTextA
00876FBE 8BC0 mov eax, eax
00876FC0 $- FF25 7467B100 jmp dword ptr [B16774] ; USER32.DrawTextA
00876FC6 8BC0 mov eax, eax
00876FC8 $- FF25 7067B100 jmp dword ptr [B16770] ; USER32.DrawTextW
00876FCE 8BC0 mov eax, eax
00876FD0 $- FF25 6C67B100 jmp dword ptr [B1676C] ; USER32.EnableMenuItem
00876FD6 8BC0 mov eax, eax
00876FD8 .- FF25 6867B100 jmp dword ptr [B16768] ; USER32.EnableScrollBar
00876FDE 8BC0 mov eax, eax
00876FE0 $- FF25 6467B100 jmp dword ptr [B16764] ; USER32.EnableWindow
00876FE6 8BC0 mov eax, eax
00876FE8 $- FF25 6067B100 jmp dword ptr [B16760] ; USER32.EndDeferWindowPos
00876FEE 8BC0 mov eax, eax
00876FF0 $- FF25 5C67B100 jmp dword ptr [B1675C] ; USER32.EndPaint
00876FF6 8BC0 mov eax, eax
00876FF8 $- FF25 5867B100 jmp dword ptr [B16758] ; USER32.EnumThreadWindows
00876FFE 8BC0 mov eax, eax
00877000 $- FF25 5467B100 jmp dword ptr [B16754] ; USER32.EnumWindows
00877006 8BC0 mov eax, eax
00877008 $- FF25 5067B100 jmp dword ptr [B16750] ; USER32.EqualRect
0087700E 8BC0 mov eax, eax
00877010 $- FF25 4C67B100 jmp dword ptr [B1674C] ; USER32.FillRect
00877016 8BC0 mov eax, eax
00877018 $- FF25 4867B100 jmp dword ptr [B16748] ; USER32.FindWindowA
0087701E 8BC0 mov eax, eax
00877020 $- FF25 4467B100 jmp dword ptr [B16744] ; USER32.FrameRect
00877026 8BC0 mov eax, eax
00877028 $- FF25 4067B100 jmp dword ptr [B16740] ; USER32.GetActiveWindow
0087702E 8BC0 mov eax, eax
00877030 $- FF25 3C67B100 jmp dword ptr [B1673C] ; USER32.GetCapture
00877036 8BC0 mov eax, eax
00877038 $- FF25 3867B100 jmp dword ptr [B16738] ; USER32.GetClassInfoA
0087703E 8BC0 mov eax, eax
00877040 $- FF25 3467B100 jmp dword ptr [B16734] ; USER32.GetClassInfoW
00877046 8BC0 mov eax, eax
00877048 $- FF25 3067B100 jmp dword ptr [B16730] ; USER32.GetClassNameA
0087704E 8BC0 mov eax, eax
00877050 $- FF25 2C67B100 jmp dword ptr [B1672C] ; USER32.GetClassNameW
00877056 8BC0 mov eax, eax
00877058 $- FF25 2867B100 jmp dword ptr [B16728] ; USER32.GetClientRect
0087705E 8BC0 mov eax, eax
00877060 $- FF25 2467B100 jmp dword ptr [B16724] ; USER32.GetClipboardData
00877066 8BC0 mov eax, eax
00877068 $- FF25 2067B100 jmp dword ptr [B16720] ; USER32.GetCursor
0087706E 8BC0 mov eax, eax
00877070 $- FF25 1C67B100 jmp dword ptr [B1671C] ; USER32.GetCursorPos
00877076 8BC0 mov eax, eax
00877078 $- FF25 1867B100 jmp dword ptr [B16718] ; USER32.GetDC
0087707E 8BC0 mov eax, eax
00877080 $- FF25 1467B100 jmp dword ptr [B16714] ; USER32.GetDCEx
00877086 8BC0 mov eax, eax
00877088 $- FF25 1067B100 jmp dword ptr [B16710] ; USER32.GetDesktopWindow
0087708E 8BC0 mov eax, eax
00877090 $- FF25 0C67B100 jmp dword ptr [B1670C] ; USER32.GetFocus
00877096 8BC0 mov eax, eax
00877098 $- FF25 0867B100 jmp dword ptr [B16708] ; USER32.GetForegroundWindow
0087709E 8BC0 mov eax, eax
008770A0 $- FF25 0467B100 jmp dword ptr [B16704] ; USER32.GetIconInfo
008770A6 8BC0 mov eax, eax
008770A8 $- FF25 0067B100 jmp dword ptr [B16700] ; USER32.GetKeyNameTextA
008770AE 8BC0 mov eax, eax
008770B0 $- FF25 FC66B100 jmp dword ptr [B166FC] ; USER32.GetKeyNameTextW
008770B6 8BC0 mov eax, eax
008770B8 $- FF25 F866B100 jmp dword ptr [B166F8] ; USER32.GetKeyState
008770BE 8BC0 mov eax, eax
008770C0 $- FF25 F466B100 jmp dword ptr [B166F4] ; USER32.GetKeyboardLayout
008770C6 8BC0 mov eax, eax
008770C8 $- FF25 F066B100 jmp dword ptr [B166F0] ; USER32.GetKeyboardLayoutList
008770CE 8BC0 mov eax, eax
008770D0 $- FF25 EC66B100 jmp dword ptr [B166EC] ; USER32.GetKeyboardState
008770D6 8BC0 mov eax, eax
008770D8 $- FF25 E866B100 jmp dword ptr [B166E8] ; USER32.GetLastActivePopup
008770DE 8BC0 mov eax, eax
008770E0 $- FF25 E466B100 jmp dword ptr [B166E4] ; USER32.GetMenu
008770E6 8BC0 mov eax, eax
008770E8 $- FF25 E066B100 jmp dword ptr [B166E0] ; USER32.GetMenuItemCount
008770EE 8BC0 mov eax, eax
008770F0 $- FF25 DC66B100 jmp dword ptr [B166DC] ; USER32.GetMenuItemID
008770F6 8BC0 mov eax, eax
008770F8 $- FF25 D866B100 jmp dword ptr [B166D8] ; USER32.GetMenuItemInfoA
008770FE 8BC0 mov eax, eax
00877100 $- FF25 D466B100 jmp dword ptr [B166D4] ; USER32.GetMenuItemInfoW
00877106 8BC0 mov eax, eax
00877108 $- FF25 D066B100 jmp dword ptr [B166D0] ; USER32.GetMenuState
0087710E 8BC0 mov eax, eax
00877110 $- FF25 CC66B100 jmp dword ptr [B166CC] ; USER32.GetMenuStringA
00877116 8BC0 mov eax, eax
00877118 $- FF25 C866B100 jmp dword ptr [B166C8] ; USER32.GetMenuStringW
0087711E 8BC0 mov eax, eax
00877120 $- FF25 C466B100 jmp dword ptr [B166C4] ; USER32.GetMessagePos
00877126 8BC0 mov eax, eax
00877128 $- FF25 C066B100 jmp dword ptr [B166C0] ; USER32.GetWindow
0087712E 8BC0 mov eax, eax
00877130 $- FF25 BC66B100 jmp dword ptr [B166BC] ; USER32.GetParent
00877136 8BC0 mov eax, eax
00877138 $- FF25 B866B100 jmp dword ptr [B166B8] ; USER32.GetPropA
0087713E 8BC0 mov eax, eax
00877140 .- FF25 B466B100 jmp dword ptr [B166B4] ; USER32.GetScrollInfo
00877146 8BC0 mov eax, eax
00877148 $- FF25 B066B100 jmp dword ptr [B166B0] ; USER32.GetScrollPos
0087714E 8BC0 mov eax, eax
00877150 .- FF25 AC66B100 jmp dword ptr [B166AC] ; USER32.GetScrollRange
00877156 8BC0 mov eax, eax
00877158 $- FF25 A866B100 jmp dword ptr [B166A8] ; USER32.GetSubMenu
0087715E 8BC0 mov eax, eax
00877160 $- FF25 A466B100 jmp dword ptr [B166A4] ; USER32.GetSysColor
00877166 8BC0 mov eax, eax
00877168 $- FF25 A066B100 jmp dword ptr [B166A0] ; USER32.GetSysColorBrush
0087716E 8BC0 mov eax, eax
00877170 $- FF25 9C66B100 jmp dword ptr [B1669C] ; USER32.GetSystemMenu
00877176 8BC0 mov eax, eax
00877178 $- FF25 9866B100 jmp dword ptr [B16698] ; USER32.GetSystemMetrics
0087717E 8BC0 mov eax, eax
00877180 $- FF25 9466B100 jmp dword ptr [B16694] ; USER32.GetTopWindow
00877186 8BC0 mov eax, eax
00877188 $- FF25 C066B100 jmp dword ptr [B166C0] ; USER32.GetWindow
0087718E 8BC0 mov eax, eax
00877190 $- FF25 9066B100 jmp dword ptr [B16690] ; USER32.GetWindowDC
00877196 8BC0 mov eax, eax
00877198 $- FF25 8C66B100 jmp dword ptr [B1668C] ; USER32.GetWindowLongA
0087719E 8BC0 mov eax, eax
008771A0 $- FF25 8866B100 jmp dword ptr [B16688] ; USER32.GetWindowLongW
008771A6 8BC0 mov eax, eax
008771A8 $- FF25 8466B100 jmp dword ptr [B16684] ; USER32.GetWindowPlacement
008771AE 8BC0 mov eax, eax
008771B0 $- FF25 8066B100 jmp dword ptr [B16680] ; USER32.GetWindowRect
008771B6 8BC0 mov eax, eax
008771B8 $- FF25 7C66B100 jmp dword ptr [B1667C] ; USER32.GetWindowTextA
008771BE 8BC0 mov eax, eax
008771C0 $- FF25 7866B100 jmp dword ptr [B16678] ; USER32.GetWindowTextW
008771C6 8BC0 mov eax, eax
008771C8 $- FF25 7466B100 jmp dword ptr [B16674] ; USER32.GetWindowTextLengthW
008771CE 8BC0 mov eax, eax
008771D0 $- FF25 7066B100 jmp dword ptr [B16670] ; USER32.GetWindowThreadProcessId
008771D6 8BC0 mov eax, eax
008771D8 $- FF25 7066B100 jmp dword ptr [B16670] ; USER32.GetWindowThreadProcessId
008771DE 8BC0 mov eax, eax
008771E0 $- FF25 6C66B100 jmp dword ptr [B1666C] ; USER32.InflateRect
008771E6 8BC0 mov eax, eax
008771E8 $- FF25 6866B100 jmp dword ptr [B16668] ; USER32.InsertMenuA
008771EE 8BC0 mov eax, eax
008771F0 $- FF25 6466B100 jmp dword ptr [B16664] ; USER32.InsertMenuItemA
008771F6 8BC0 mov eax, eax
008771F8 $- FF25 6066B100 jmp dword ptr [B16660] ; USER32.IntersectRect
008771FE 8BC0 mov eax, eax
00877200 $- FF25 5C66B100 jmp dword ptr [B1665C] ; USER32.InvalidateRect
00877206 8BC0 mov eax, eax
00877208 $- FF25 5866B100 jmp dword ptr [B16658] ; USER32.IsChild
0087720E 8BC0 mov eax, eax
00877210 $- FF25 5466B100 jmp dword ptr [B16654] ; USER32.IsDialogMessageA
00877216 8BC0 mov eax, eax
00877218 $- FF25 5466B100 jmp dword ptr [B16654] ; USER32.IsDialogMessageA
0087721E 8BC0 mov eax, eax
00877220 $- FF25 5066B100 jmp dword ptr [B16650] ; USER32.IsDialogMessageW
00877226 8BC0 mov eax, eax
00877228 $- FF25 4C66B100 jmp dword ptr [B1664C] ; USER32.IsIconic
0087722E 8BC0 mov eax, eax
00877230 $- FF25 4866B100 jmp dword ptr [B16648] ; USER32.IsRectEmpty
00877236 8BC0 mov eax, eax
00877238 $- FF25 4466B100 jmp dword ptr [B16644] ; USER32.IsWindow
0087723E 8BC0 mov eax, eax
00877240 $- FF25 4066B100 jmp dword ptr [B16640] ; USER32.IsWindowEnabled
00877246 8BC0 mov eax, eax
00877248 $- FF25 3C66B100 jmp dword ptr [B1663C] ; USER32.IsWindowUnicode
0087724E 8BC0 mov eax, eax
00877250 $- FF25 3866B100 jmp dword ptr [B16638] ; USER32.IsWindowVisible
00877256 8BC0 mov eax, eax
00877258 $- FF25 3466B100 jmp dword ptr [B16634] ; USER32.IsZoomed
0087725E 8BC0 mov eax, eax
00877260 $- FF25 3066B100 jmp dword ptr [B16630] ; USER32.KillTimer
00877266 8BC0 mov eax, eax
00877268 $- FF25 2C66B100 jmp dword ptr [B1662C] ; USER32.LoadBitmapA
0087726E 8BC0 mov eax, eax
00877270 $- FF25 2866B100 jmp dword ptr [B16628] ; USER32.LoadCursorA
00877276 8BC0 mov eax, eax
00877278 $- FF25 2466B100 jmp dword ptr [B16624] ; USER32.LoadIconA
0087727E 8BC0 mov eax, eax
00877280 $- FF25 2066B100 jmp dword ptr [B16620] ; USER32.LoadKeyboardLayoutA
00877286 8BC0 mov eax, eax
00877288 $- FF25 1C66B100 jmp dword ptr [B1661C] ; USER32.LoadStringA
0087728E 8BC0 mov eax, eax
00877290 $- FF25 1866B100 jmp dword ptr [B16618] ; USER32.LoadStringW
00877296 8BC0 mov eax, eax
00877298 $- FF25 1466B100 jmp dword ptr [B16614] ; USER32.MapVirtualKeyA
0087729E 8BC0 mov eax, eax
008772A0 $- FF25 1066B100 jmp dword ptr [B16610] ; USER32.MapVirtualKeyW
008772A6 8BC0 mov eax, eax
008772A8 $- FF25 0C66B100 jmp dword ptr [B1660C] ; USER32.MapWindowPoints
008772AE 8BC0 mov eax, eax
008772B0 $- FF25 0866B100 jmp dword ptr [B16608] ; USER32.MessageBeep
008772B6 8BC0 mov eax, eax
008772B8 $- FF25 0466B100 jmp dword ptr [B16604] ; USER32.MessageBoxA
008772BE 8BC0 mov eax, eax
008772C0 $- FF25 0066B100 jmp dword ptr [B16600] ; USER32.MsgWaitForMultipleObjects
008772C6 8BC0 mov eax, eax
008772C8 $- FF25 FC65B100 jmp dword ptr [B165FC] ; USER32.OemToCharA
008772CE 8BC0 mov eax, eax
008772D0 $- FF25 F865B100 jmp dword ptr [B165F8] ; USER32.OffsetRect
008772D6 8BC0 mov eax, eax
008772D8 $- FF25 F465B100 jmp dword ptr [B165F4] ; USER32.PeekMessageA
008772DE 8BC0 mov eax, eax
008772E0 $- FF25 F065B100 jmp dword ptr [B165F0] ; USER32.PostMessageA
008772E6 8BC0 mov eax, eax
008772E8 $- FF25 EC65B100 jmp dword ptr [B165EC] ; USER32.PostMessageW
008772EE 8BC0 mov eax, eax
008772F0 $- FF25 E865B100 jmp dword ptr [B165E8] ; USER32.PostQuitMessage
008772F6 8BC0 mov eax, eax
008772F8 $- FF25 E465B100 jmp dword ptr [B165E4] ; USER32.PtInRect
008772FE 8BC0 mov eax, eax
00877300 $- FF25 E065B100 jmp dword ptr [B165E0] ; USER32.RedrawWindow
00877306 8BC0 mov eax, eax
00877308 $- FF25 DC65B100 jmp dword ptr [B165DC] ; USER32.RegisterClassA
0087730E 8BC0 mov eax, eax
00877310 $- FF25 D865B100 jmp dword ptr [B165D8] ; USER32.RegisterClassW
00877316 8BC0 mov eax, eax
00877318 $- FF25 D465B100 jmp dword ptr [B165D4] ; USER32.RegisterWindowMessageA
0087731E 8BC0 mov eax, eax
00877320 $- FF25 D065B100 jmp dword ptr [B165D0] ; USER32.RegisterWindowMessageA
00877326 8BC0 mov eax, eax
00877328 $- FF25 CC65B100 jmp dword ptr [B165CC] ; USER32.ReleaseCapture
0087732E 8BC0 mov eax, eax
00877330 $- FF25 C865B100 jmp dword ptr [B165C8] ; USER32.ReleaseDC
00877336 8BC0 mov eax, eax
00877338 $- FF25 C465B100 jmp dword ptr [B165C4] ; USER32.RemoveMenu
0087733E 8BC0 mov eax, eax
00877340 $- FF25 C065B100 jmp dword ptr [B165C0] ; USER32.RemovePropA
00877346 8BC0 mov eax, eax
00877348 $- FF25 BC65B100 jmp dword ptr [B165BC] ; USER32.ScreenToClient
0087734E 8BC0 mov eax, eax
00877350 $- FF25 B865B100 jmp dword ptr [B165B8] ; USER32.ScrollWindow
00877356 8BC0 mov eax, eax
00877358 $- FF25 B465B100 jmp dword ptr [B165B4] ; USER32.SendMessageA
0087735E 8BC0 mov eax, eax
00877360 $- FF25 B465B100 jmp dword ptr [B165B4] ; USER32.SendMessageA
00877366 8BC0 mov eax, eax
00877368 $- FF25 B065B100 jmp dword ptr [B165B0] ; USER32.SendMessageW
0087736E 8BC0 mov eax, eax
00877370 $- FF25 AC65B100 jmp dword ptr [B165AC] ; USER32.SetActiveWindow
00877376 8BC0 mov eax, eax
00877378 $- FF25 A865B100 jmp dword ptr [B165A8] ; USER32.SetCapture
0087737E 8BC0 mov eax, eax
00877380 $- FF25 A465B100 jmp dword ptr [B165A4] ; USER32.SetClassLongA
00877386 8BC0 mov eax, eax
00877388 $- FF25 A065B100 jmp dword ptr [B165A0] ; USER32.SetCursor
0087738E 8BC0 mov eax, eax
00877390 $- FF25 9C65B100 jmp dword ptr [B1659C] ; USER32.SetFocus
00877396 8BC0 mov eax, eax
00877398 $- FF25 9865B100 jmp dword ptr [B16598] ; USER32.SetForegroundWindow
0087739E 8BC0 mov eax, eax
008773A0 $- FF25 9465B100 jmp dword ptr [B16594] ; USER32.SetMenu
008773A6 8BC0 mov eax, eax
008773A8 $- FF25 9065B100 jmp dword ptr [B16590] ; USER32.SetMenuItemInfoA
008773AE 8BC0 mov eax, eax
008773B0 $- FF25 8C65B100 jmp dword ptr [B1658C] ; USER32.SetMenuItemInfoW
008773B6 8BC0 mov eax, eax
008773B8 $- FF25 8865B100 jmp dword ptr [B16588] ; USER32.SetParent
008773BE 8BC0 mov eax, eax
008773C0 $- FF25 8465B100 jmp dword ptr [B16584] ; USER32.SetPropA
008773C6 8BC0 mov eax, eax
008773C8 $- FF25 8065B100 jmp dword ptr [B16580] ; USER32.SetRect
008773CE 8BC0 mov eax, eax
008773D0 .- FF25 7C65B100 jmp dword ptr [B1657C] ; USER32.SetScrollInfo
008773D6 8BC0 mov eax, eax
008773D8 .- FF25 7865B100 jmp dword ptr [B16578] ; USER32.SetScrollPos
008773DE 8BC0 mov eax, eax
008773E0 .- FF25 7465B100 jmp dword ptr [B16574] ; USER32.SetScrollRange
008773E6 8BC0 mov eax, eax
008773E8 $- FF25 7065B100 jmp dword ptr [B16570] ; USER32.SetTimer
008773EE 8BC0 mov eax, eax
008773F0 $- FF25 6C65B100 jmp dword ptr [B1656C] ; USER32.SetWindowLongA
008773F6 8BC0 mov eax, eax
008773F8 $- FF25 6C65B100 jmp dword ptr [B1656C] ; USER32.SetWindowLongA
008773FE 8BC0 mov eax, eax
00877400 $- FF25 6865B100 jmp dword ptr [B16568] ; USER32.SetWindowLongW
00877406 8BC0 mov eax, eax
00877408 $- FF25 6465B100 jmp dword ptr [B16564] ; USER32.SetWindowPlacement
0087740E 8BC0 mov eax, eax
00877410 $- FF25 6065B100 jmp dword ptr [B16560] ; USER32.SetWindowPos
00877416 8BC0 mov eax, eax
00877418 $- FF25 5C65B100 jmp dword ptr [B1655C] ; USER32.SetWindowTextA
0087741E 8BC0 mov eax, eax
00877420 $- FF25 5C65B100 jmp dword ptr [B1655C] ; USER32.SetWindowTextA
00877426 8BC0 mov eax, eax
00877428 $- FF25 5865B100 jmp dword ptr [B16558] ; USER32.SetWindowTextW
0087742E 8BC0 mov eax, eax
00877430 $- FF25 5465B100 jmp dword ptr [B16554] ; USER32.SetWindowsHookExA
00877436 8BC0 mov eax, eax
00877438 $- FF25 5065B100 jmp dword ptr [B16550] ; USER32.SetWindowsHookExW
0087743E 8BC0 mov eax, eax
00877440 $- FF25 4C65B100 jmp dword ptr [B1654C] ; USER32.ShowCursor
00877446 8BC0 mov eax, eax
00877448 $- FF25 4865B100 jmp dword ptr [B16548] ; USER32.ShowOwnedPopups
0087744E 8BC0 mov eax, eax
00877450 .- FF25 4465B100 jmp dword ptr [B16544] ; USER32.ShowScrollBar
00877456 8BC0 mov eax, eax
00877458 $- FF25 4065B100 jmp dword ptr [B16540] ; USER32.ShowWindow
0087745E 8BC0 mov eax, eax
00877460 $- FF25 3C65B100 jmp dword ptr [B1653C] ; USER32.SystemParametersInfoA
00877466 8BC0 mov eax, eax
00877468 $- FF25 3865B100 jmp dword ptr [B16538] ; USER32.TrackPopupMenu
0087746E 8BC0 mov eax, eax
00877470 $- FF25 3465B100 jmp dword ptr [B16534] ; USER32.TranslateMDISysAccel
00877476 8BC0 mov eax, eax
00877478 $- FF25 3065B100 jmp dword ptr [B16530] ; USER32.TranslateMessage
0087747E 8BC0 mov eax, eax
00877480 $- FF25 2C65B100 jmp dword ptr [B1652C] ; USER32.UnhookWindowsHookEx
00877486 8BC0 mov eax, eax
00877488 $- FF25 2865B100 jmp dword ptr [B16528] ; USER32.UnregisterClassA
0087748E 8BC0 mov eax, eax
00877490 $- FF25 2465B100 jmp dword ptr [B16524] ; USER32.UnregisterClassW
00877496 8BC0 mov eax, eax
00877498 $- FF25 2065B100 jmp dword ptr [B16520] ; USER32.UpdateWindow
0087749E 8BC0 mov eax, eax
008774A0 $- FF25 1C65B100 jmp dword ptr [B1651C] ; USER32.VkKeyScanW
008774A6 8BC0 mov eax, eax
008774A8 $- FF25 1865B100 jmp dword ptr [B16518] ; USER32.WaitMessage
008774AE 8BC0 mov eax, eax
008774B0 $- FF25 1465B100 jmp dword ptr [B16514] ; USER32.WinHelpA
008774B6 8BC0 mov eax, eax
008774B8 $- FF25 1065B100 jmp dword ptr [B16510] ; USER32.WindowFromPoint
008774BE 8BC0 mov eax, eax
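The range B16204---B16924 in the listing above should be what I am looking for, right? So I used IMP to search for the import table at RVA = B16204-870000 = 2A6204 with size 1000. Sure enough, it found 17 valid entries and some invalid ones. I went to address B1692C and saw that below it, apart from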
00B1690C F4 2B A2 71 66 2B A2 71 6A 40 A2 71 39 96 A2 71 ?f+j@9枹q
00B1691C 00 3E A2 71 00 00 00 00 F7 A8 B2 76 00 00 00 00 .>....鳕瞯....
00B1692C 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 00 44 00 KERNEL32.DLL..D.
00B1693C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B1694C 00 00 00 00 00 00 4C 00 00 00 00 00 00 00 00 00 ......L.........
00B1695C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 45 00 ..............E.
00B1696C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
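these, everything further down is all 0000. So I changed the RVA to B16204 and the size to 158 and searched again, and every function came back valid... At this point I still had no way to deal with the IAT (how do I handle this in IMP?), so I fixed the dumped file directly.
Then I opened the fixed file in LordPE, changed the OEP to 2D9CB5 and the RVA to 2E1000 (that is the newly added section; I don't know whether I filled it in correctly), recalculated the checksum and saved... Then rebuilt the PE file.
3 succeeded... with a message that the RVA does not need fixing!
I ran the program. It started normally, but as soon as I clicked STAR the program disappeared, heh, the process exited! (The normal process also exits, but it starts another process; the fixed one does not. What a headache!)
Then I tried loading it in OD. Ha, this time it flatly reported a bad or unknown format!
Could it be that the OEP is wrong?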
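An added example, not part of the original post: one way to derive the IAT start, RVA and size from the `FF25` jump thunks shown in the listing instead of reading them off by eye. The function names, the decoy bytes and the image size of 0x2E1000 (taken from the RVA of the added section mentioned in the post) are assumptions; the three thunks are copied from the listing at 00877248.

```python
import struct

IMAGE_BASE = 0x870000   # base the poster set for the dumped p.dll
IMAGE_SIZE = 0x2E1000   # assumption: image reaches at least the added section's RVA

# Constructed sample: three thunks from the listing starting at VA 0x877248,
# each "FF25 <abs32>" + "8BC0" (mov eax, eax), plus a constructed decoy
# "FF25 01000000" whose operand is not a valid slot inside the module.
SAMPLE_VA = 0x877248
SAMPLE = bytes.fromhex(
    "FF253C66B100 8BC0 FF253866B100 8BC0 FF253466B100 8BC0 FF2501000000"
)

def thunk_slots(code, code_va, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    """Map thunk VA -> IAT slot VA for every 'jmp dword ptr [abs32]' (FF 25)."""
    slots = {}
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x25:
            (slot,) = struct.unpack_from("<I", code, i + 2)
            # Accept only 4-byte aligned operands inside the module; this
            # rejects FF 25 byte pairs that are data rather than thunks.
            if slot % 4 == 0 and image_base <= slot < image_base + image_size:
                slots[code_va + i] = slot
                i += 6
                continue
        i += 1
    return slots

def iat_bounds(slots, image_base=IMAGE_BASE):
    """Return (start_va, start_rva, size) covering every referenced slot."""
    lo, hi = min(slots.values()), max(slots.values())
    return lo, lo - image_base, hi - lo + 4   # +4: the last slot is a DWORD

if __name__ == "__main__":
    found = thunk_slots(SAMPLE, SAMPLE_VA)
    for va, slot in sorted(found.items()):
        print(f"thunk {va:08X} -> slot {slot:08X}")
    start, rva, size = iat_bounds(found)
    print(f"IAT start {start:08X}  RVA {rva:X}  size {size:X}")
```

Fed the whole dumped code section rather than this sample, the same two functions give the RVA and size values to type into the import rebuilder.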