Unpacking a program protected with SDprotector v1.1
 
     Date: 16 July 2005   Unpacked by: csjwaman[DFCG]
———————————————————————————————————————————
 
 
【Software】: an unnamed program
【Download】: look for it on this site
【Protection】: packed with SDprotector v1.1
【Author's note】: I am a beginner at cracking and do this purely out of interest, with no other purpose. Corrections from the experts are welcome!
【Operating system】: Windows XP
【Unpacking tools】: OllyDbg and the other usual tools

———————————————————————————————————————————
 
【Unpacking process】:
 
softworm has already written about the SDprotector v1.1 protector, and I studied that article carefully. This write-up follows the path laid out there. My thanks to softworm :)

PEiD reports the program as Microsoft Visual C++, which is clearly a disguise. Opening the file in a hex editor, the following string can be seen in the file header:

000003D0   00 00 00 00 00 00 00 00  00 00 00 00 31 2E 31 00   ............1.1.
000003E0   53 44 50 21 0C 09 FF FF  45 32 1E 7F 9A AA 27 A8   SDP!..E2.毆'

So it is indeed the SDP 1.1 protector.



I. Finding the entry point

First, a reconnaissance pass: load the program in OllyDbg with all exceptions ignored and press F9. The program detects the debugger, so it has anti-debugging measures; we will trace it by following its exceptions instead. General rules for the trace: first, use scripts as much as possible (learned from softworm, and it saves a lot of trouble), because the program checks its running time very strictly; second, do not modify code (or restore any modification promptly), because the program has code-integrity checks; third, do not set ordinary breakpoints on APIs (hardware breakpoints get removed by the packer), because the program scans for CC bytes.

 1. Set OllyDbg to ignore all exceptions except INT3 breaks, single-step breaks and memory access violations (note that the "Ignore also following custom exceptions or ranges" box must stay unchecked).
 2. Run the UnhandleExceptionFilter plugin (it must be run before every script run; I will not go into the reason here, see softworm's article).
 3. Write a simple script that counts the breaks and exceptions up to the point where the program shows its warning dialog.

My script (crude, but it works):

var seh
eoe aman1
eob aman1
run
aman1:
add seh,1
log seh
esto

Run the script until the warning appears, then look at the LOG window:


004EF000   ID 00000908 的主要线程已经创建
00400000   模块 C:\Documents and Settings\csjwaman\桌面\Project2\Project2.exe
             固定表格已经被封装或者已经损坏!
77E40000   模块 C:\WINDOWS\system32\kernel32.dll
77F50000   模块 C:\WINDOWS\System32\ntdll.dll
004EF000   程序入口
004EF07A   单步事件位于 Project2.004EF07A
           seh = 00000001
004F44FA   INT3 命令在 Project2.004F44FA
           seh = 00000002
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000003
77D10000   模块 C:\WINDOWS\system32\user32.dll
7E190000   模块 C:\WINDOWS\system32\GDI32.dll
77DA0000   模块 C:\WINDOWS\system32\ADVAPI32.dll
78000000   模块 C:\WINDOWS\system32\RPCRT4.dll
76300000   模块 C:\WINDOWS\System32\IMM32.DLL
62C20000   模块 C:\WINDOWS\System32\LPK.DLL
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000004
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000005
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000006
004EF8F8   INT3 命令在 Project2.004EF8F8
           seh = 00000007
004EFB3A   INT3 命令在 Project2.004EFB3A
           seh = 00000008
004EFD54   单步事件位于 Project2.004EFD54
           seh = 00000009
004EFEFA   单步事件位于 Project2.004EFEFA
           seh = 0000000A
72F10000   模块 C:\WINDOWS\System32\USP10.dll
5ADC0000   模块 C:\WINDOWS\System32\uxtheme.dll
77BE0000   模块 C:\WINDOWS\system32\msvcrt.dll
74680000   模块 C:\WINDOWS\System32\MSCTF.dll
53000000   模块 C:\PROGRA~1\3721\helper.dll
53001000     Code size in header is 00000000, extending to size of section '.rdata'
70A70000   模块 C:\WINDOWS\system32\SHLWAPI.dll
77310000   模块 C:\WINDOWS\system32\COMCTL32.dll
37210000   模块 C:\WINDOWS\DOWNLO~1\CnsMin.dll
71BA0000   模块 C:\WINDOWS\System32\NETAPI32.dll
77BD0000   模块 C:\WINDOWS\system32\VERSION.dll
10000000   模块 C:\Herosoft\HeroV8\VCvtShell.dll
773A0000   模块 C:\WINDOWS\system32\SHELL32.dll
00B90000   模块 C:\WINDOWS\System32\msctfime.ime
71950000   模块 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1515_x-ww_7bb98b8a\comctl32.dll
00BC0000   模块 C:\WINDOWS\System32\wnwbio.ime
7CAB0000   模块 C:\WINDOWS\System32\ole32.dll


The log shows that the program raises its error after the 10th exception, so we start tracing at the 10th exception.

A slightly modified version of the script above:

var seh
eoe aman1
eob aman1
run
aman1:
add seh,1
log seh
cmp seh,a
je stop1
esto

stop1:
coe
cob
ret

Running the script breaks at:

004EFEFA     64:8F00              pop dword ptr fs:[eax] /// break here.
004EFEFD     5B                   pop ebx
004EFEFE     E8 01000000          call 004EFF04                       ; 004EFF04
004EFF03     FF58 05              call far fword ptr ds:[eax+5]
004EFF06     6BFF FF              imul edi,edi,-1
004EFF09     FF80 38E97587        inc dword ptr ds:[eax+8775E938]

Stack:

0012FF98    0012FFE0   指针到下一个 SEH 记录
0012FF9C    004EFED3   SE 句柄

Set a breakpoint at 004EFED3, then Shift+F9 to pass the exception, arriving at:

004EFED3     E8 01000000          call 004EFED9 /// break here. Remove the breakpoint.
004EFED8     FF58 05              call far fword ptr ds:[eax+5]
004EFEDB     96                   xchg eax,esi

This is junk code; press F7 once and it becomes:

004EFED9     58                   pop eax                             ; Project2.004EFED8
004EFEDA     05 96FFFFFF          add eax,-6A
004EFEDF     8038 E8              cmp byte ptr ds:[eax],0E8
004EFEE2   ^ 75 B2                jnz short 004EFE96                  ; 004EFE96
004EFEE4     C600 E9              mov byte ptr ds:[eax],0E9 /// sets the marker that the single-step check reads later.
004EFEE7     2BC0                 sub eax,eax
004EFEE9     C3                   retn /// returns into a system DLL.

Set a breakpoint at 4EFEFD, press F9, and we return from the system DLL to:

004EFEFD     5B                   pop ebx /// break here. Remove the breakpoint.
004EFEFE     E8 01000000          call 004EFF04                       ; 004EFF04
004EFF03     FF58 05              call far fword ptr ds:[eax+5]

More junk code; press F7 twice and it becomes:

004EFF04     58                   pop eax                             ; Project2.004EFF03
004EFF05     05 6BFFFFFF          add eax,-95
004EFF0A     8038 E9              cmp byte ptr ds:[eax],0E9 /// checks the marker set earlier by the single-step check.
004EFF0D   ^ 75 87                jnz short 004EFE96 /// must not jump.
004EFF0F     C600 E8              mov byte ptr ds:[eax],0E8
004EFF12     9D                   popfd
004EFF13     61                   popad
004EFF14     3D 00000080          cmp eax,80000000
004EFF19     7C 06                jl short 004EFF21                   ; 004EFF21
004EFF1B     EB 06                jmp short 004EFF23                  ; 004EFF23
004EFF1D     0010                 add byte ptr ds:[eax],dl

Step with F7 to:

004EFF49     58                   pop eax
004EFF4A     58                   pop eax
004EFF4B     9D                   popfd
004EFF4C     74 31                je short 004EFF7F /// this must jump; if it does not, the error dialog appears. Force the jump by changing the flag.
004EFF4E     74 03                je short 004EFF53                   ; 004EFF53
004EFF50     75 01                jnz short 004EFF53                  ; 004EFF53
004EFF52     E8 E8010000          call 004F013F                       ; 004F013F
004EFF57     00FF                 add bh,bh
004EFF59     58                   pop eax

004FBBBA     E8 F784FFFF          call 004F40B6                       ; 004F40B6
004FBBBF     05 08010000          add eax,108
004FBBC4     50                   push eax
004FBBC5     E8 73FFFFFF          call 004FBB3D                       ; 004FBB3D
004FBBCA     35 47F2EA87          xor eax,87EAF247 /// this constant is probably used for encryption.
004FBBCF     C3                   retn

004F0191    /EB 01                jmp short 004F0194                  ; 004F0194
004F0193    |90                   nop /// junk code.
004F0194    \0F84 0E010000        je 004F02A8 /// this is where the child and parent processes diverge; jumping means running as the child. Force the jump by changing the flag.
004F019A     E8 01000000          call 004F01A0                       ; 004F01A0
004F019F     FF58 05              call far fword ptr ds:[eax+5]


If the jump at 004F0194 is not taken, the program later calls CreateProcessA to create a new process, and the parent process exits.

Next, use a script again to count the breaks and exceptions once the program is forced to run as the child process.

The script:

var seh
var mess
//#log
eoe aman1
eob aman1
run
aman1:
add seh,1
log seh
cmp seh,a // jump at the 10th exception.
je stop1
esto


stop1:
coe
cob
mov seh,0
bp 4eff4c
esto
bc eip
mov !zf,1
sti
run
bp 4f0194 // where the child and parent processes diverge.
esto
bc eip
mov eip,4f02a8 // skip creating the child process and force the parent to run as the child.
eoe aman2
eob aman2
run

aman2:
add seh,1
log seh
esto
ret

After running the script the program runs straight through. Looking at the log:


004EF000   ID 00000E60 的主要线程已经创建
00400000   模块 C:\Documents and Settings\csjwaman\桌面\Project2\Project2.exe
             固定表格已经被封装或者已经损坏!
77E40000   模块 C:\WINDOWS\system32\kernel32.dll
77F50000   模块 C:\WINDOWS\System32\ntdll.dll
004EF000   程序入口
             IsDebugPresent hidden
             IsDebugPresent hidden
004EF07A   单步事件位于 Project2.004EF07A
           seh = 00000001
004F44FA   INT3 命令在 Project2.004F44FA
           seh = 00000002
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000003
77D10000   模块 C:\WINDOWS\system32\user32.dll
7E190000   模块 C:\WINDOWS\system32\GDI32.dll
77DA0000   模块 C:\WINDOWS\system32\ADVAPI32.dll
78000000   模块 C:\WINDOWS\system32\RPCRT4.dll
76300000   模块 C:\WINDOWS\System32\IMM32.DLL
62C20000   模块 C:\WINDOWS\System32\LPK.DLL
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000004
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000005
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000006
004EF8F8   INT3 命令在 Project2.004EF8F8
           seh = 00000007
004EFB3A   INT3 命令在 Project2.004EFB3A
           seh = 00000008
004EFD54   单步事件位于 Project2.004EFD54
           seh = 00000009
004EFEFA   单步事件位于 Project2.004EFEFA
           seh = 0000000A
004EFF4C   中断在 Project2.004EFF4C
004F013D   单步事件位于 Project2.004F013D
004F0194   中断在 Project2.004F0194
004F0431   INT3 命令在 Project2.004F0431
           seh = 00000001
004F0673   INT3 命令在 Project2.004F0673
           seh = 00000002
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000003
004F0A35   单步事件位于 Project2.004F0A35
           seh = 00000004
004F44FA   INT3 命令在 Project2.004F44FA
           seh = 00000005
004F0CCA   INT3 命令在 Project2.004F0CCA
           seh = 00000006
004F0F0C   INT3 命令在 Project2.004F0F0C
           seh = 00000007
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000008
004F12AF   INT3 命令在 Project2.004F12AF
           seh = 00000009
004F150F   INT3 命令在 Project2.004F150F
           seh = 0000000A
004F21FF   访问违反: 写入到 [00000000]
           seh = 0000000B
004F23C3   INT3 命令在 Project2.004F23C3
           seh = 0000000C
004F2605   INT3 命令在 Project2.004F2605
           seh = 0000000D
004F44FA   INT3 命令在 Project2.004F44FA
           seh = 0000000E
004F48E2   单步事件位于 Project2.004F48E2
           seh = 0000000F
004F29F4   访问违反: 读取 [FFFFFFFF]
           seh = 00000010
004F2BCE   单步事件位于 Project2.004F2BCE
           seh = 00000011
004F44FA   INT3 命令在 Project2.004F44FA
           seh = 00000012
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000013
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000014
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000015
72F10000   模块 C:\WINDOWS\System32\USP10.dll
770F0000   模块 C:\WINDOWS\system32\oleaut32.dll
77BE0000   模块 C:\WINDOWS\system32\MSVCRT.DLL
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000016
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000017
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000018
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000019
7CAB0000   模块 C:\WINDOWS\system32\OLE32.DLL
004F48E2   单步事件位于 Project2.004F48E2
           seh = 0000001A
004F48E2   单步事件位于 Project2.004F48E2
           seh = 0000001B
004F48E2   单步事件位于 Project2.004F48E2
           seh = 0000001C
004F48E2   单步事件位于 Project2.004F48E2
           seh = 0000001D
004F48E2   单步事件位于 Project2.004F48E2
           seh = 0000001E
004F48E2   单步事件位于 Project2.004F48E2
           seh = 0000001F
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000020
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000021
77BD0000   模块 C:\WINDOWS\system32\version.dll
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000022
77310000   模块 C:\WINDOWS\system32\comctl32.dll
63000000   模块 C:\WINDOWS\system32\wininet.dll
76230000   模块 C:\WINDOWS\system32\CRYPT32.dll
76210000   模块 C:\WINDOWS\system32\MSASN1.dll
70A70000   模块 C:\WINDOWS\system32\SHLWAPI.dll
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000023
71950000   模块 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1515_x-ww_7bb98b8a\comctl32.dll
009E0000   模块 C:\WINDOWS\System32\WS2_32.dll
71A40000   模块 C:\WINDOWS\System32\wsock32.dll
003D0000   模块 C:\WINDOWS\System32\WS2HELP.dll
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000024
004F2D33   单步事件位于 Project2.004F2D33
           seh = 00000025
004F2ED4   单步事件位于 Project2.004F2ED4
           seh = 00000026
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000027
004F308A   INT3 命令在 Project2.004F308A
           seh = 00000028
004F32D0   INT3 命令在 Project2.004F32D0
           seh = 00000029
004F36D3   INT3 命令在 Project2.004F36D3
           seh = 0000002A
004F3919   INT3 命令在 Project2.004F3919
           seh = 0000002B
004F3C00   INT3 命令在 Project2.004F3C00
           seh = 0000002C
004F3E46   INT3 命令在 Project2.004F3E46
           seh = 0000002D
004F407A   单步事件位于 Project2.004F407A
           seh = 0000002E
5ADC0000   模块 C:\WINDOWS\System32\uxtheme.dll
74680000   模块 C:\WINDOWS\System32\MSCTF.dll
53000000   模块 C:\PROGRA~1\3721\helper.dll
53001000     Code size in header is 00000000, extending to size of section '.rdata'
37210000   模块 C:\WINDOWS\DOWNLO~1\CnsMin.dll
71BA0000   模块 C:\WINDOWS\System32\NETAPI32.dll
10000000   模块 C:\Herosoft\HeroV8\VCvtShell.dll
00BD0000   模块 C:\WINDOWS\System32\msctfime.ime
773A0000   模块 C:\WINDOWS\system32\SHELL32.dll
00C00000   模块 C:\WINDOWS\System32\wnwbio.ime
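The counting done by eye in this write-up (which exception index precedes the error dialog, and which address keeps recurring from the 12H-th exception onward) can be read off the log text itself. This is an added Python example, not part of the original write-up: it parses an excerpt of the second log above (event strings exactly as OllyDbg logged them) and pairs each "seh = n" line with the event line before it.

```python
import re
from collections import Counter

# Constructed sample: an excerpt of the second OllyDbg log above (child-process run).
LOG = r"""
004F0194   中断在 Project2.004F0194
004F0431   INT3 命令在 Project2.004F0431
           seh = 00000001
004F0673   INT3 命令在 Project2.004F0673
           seh = 00000002
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000003
004F44FA   INT3 命令在 Project2.004F44FA
           seh = 0000000E
004F48E2   单步事件位于 Project2.004F48E2
           seh = 0000000F
004F29F4   访问违反: 读取 [FFFFFFFF]
           seh = 00000010
004F2BCE   单步事件位于 Project2.004F2BCE
           seh = 00000011
004F44FA   INT3 命令在 Project2.004F44FA
           seh = 00000012
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000013
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000014
004F48E2   单步事件位于 Project2.004F48E2
           seh = 00000015
72F10000   模块 C:\WINDOWS\System32\USP10.dll
"""

ADDR_LINE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\S.*)$")   # "<address>   <event text>"
SEH_LINE = re.compile(r"^\s+seh\s*=\s*([0-9A-Fa-f]+)\s*$")  # line written by the script's "log seh"

def kind_of(text):
    """Map the event text (Chinese, as OllyDbg logged it) to a short exception kind."""
    if "INT3" in text:
        return "int3"
    if "单步" in text:          # single-step event
        return "single-step"
    if "访问违反" in text:      # access violation
        return "access-violation"
    return "other"

def parse_exceptions(log):
    """Return [(n, address, kind)] for every 'seh = n' line, paired with the event line
    directly above it. Module-load lines and plain breakpoint hits ('中断在') have no
    'seh =' line after them and therefore do not count."""
    events, last = [], None
    for line in log.splitlines():
        m = ADDR_LINE.match(line)
        if m:
            last = (int(m.group(1), 16), m.group(2))
            continue
        m = SEH_LINE.match(line)
        if m and last:
            events.append((int(m.group(1), 16), last[0], kind_of(last[1])))
            last = None
    return events

def exception_at(events, n):
    """Address that raised the n-th exception (the script's seh counter), or None."""
    return next((addr for num, addr, _ in events if num == n), None)

def recurring_from(events, n):
    """How often each address raises an exception from the n-th one onward."""
    return Counter(addr for num, addr, _ in events if num >= n)

if __name__ == "__main__":
    ev = parse_exceptions(LOG)
    print(f"exception 12H raised at {exception_at(ev, 0x12):08X}")
    for addr, count in recurring_from(ev, 0x12).most_common():
        print(f"  {addr:08X} x{count}")
```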

The log shows that the program runs straight through after the 2Eth exception. So modify the script to stop at the 2Eth exception (script not shown; see the ones above).

004F407A     64:8F00              pop dword ptr fs:[eax] /// stops here.
004F407D     5B                   pop ebx
004F407E     E8 01000000          call 004F4084 /// F7
004F4083     FF58 05              call far fword ptr ds:[eax+5]
004F4086     6BFF FF              imul edi,edi,-1
004F4089     FF80 38E97587        inc dword ptr ds:[eax+8775E938]
004F408F     C600 E8              mov byte ptr ds:[eax],0E8
004F4092     9D                   popfd
004F4093     61                   popad
004F4094     C3                   retn

After F7 at 004F407E the code is:

004F4084     58                   pop eax         ; Project2.004F4083
004F4085     05 6BFFFFFF          add eax,-95
004F408A     8038 E9              cmp byte ptr ds:[eax],0E9 /// single-step check.
004F408D   ^ 75 87                jnz short 004F4016 /// must not jump. Change the flag so it does not.
004F408F     C600 E8              mov byte ptr ds:[eax],0E8 /// restores the code.
004F4092     9D                   popfd
004F4093     61                   popad
004F4094     C3                   retn /// return.

0047ED53     C3                   retn /// return once more.
0047ED54   ^ E9 934BF8FF          jmp 004038EC                        ; 004038EC

0047EBB8     55                   push ebp /// this is the entry point.
0047EBB9     8BEC                 mov ebp,esp
0047EBBB     B9 06000000          mov ecx,6
0047EBC0     6A 00                push 0
0047EBC2     6A 00                push 0
0047EBC4     49                   dec ecx
0047EBC5   ^ 75 F9                jnz short 0047EBC0                  ; 0047EBC0
0047EBC7     51                   push ecx
0047EBC8     53                   push ebx
0047EBC9     B8 20E94700          mov eax,47E920
0047EBCE     E8 DD74F8FF          call 004060B0                       ; 004060B0
0047EBD3     8B1D B81C4800        mov ebx,dword ptr ds:[481CB8]       ; Project2.00483CD0
0047EBD9     33C0                 xor eax,eax
0047EBDB     55                   push ebp
0047EBDC     68 54ED4700          push 47ED54

At the entry point, change the access rights of all sections to full access, dump the process, and set the entry point of the dumped file to 7EBB8.

II. Repairing the IAT

Load the dumped file in OllyDbg; the IAT can be found at:

00484164  00 00 00 00 70 38 14 00  ....p8.
0048416C  A8 38 14 00 E0 38 14 00  ?.?.
00484174  18 39 14 00 50 39 14 00  9.P9.
0048417C  88 39 14 00 C0 39 14 00  ?.?.
00484184  F8 39 14 00 C9 A5 4F 00  ?.丧O.
......
004847EC  B7 4E 31 77 F6 7F 31 77  種1w?1w
004847F4  54 50 31 77 25 74 32 77  TP1w%t2w
004847FC  A4 7F 33 77 57 A4 31 77  ?3wW?w
00484804  3D 51 31 77 E3 AD 31 77  =Q1w悱1w
0048480C  00 00 00 00 1B 31 06 63  ....1c
00484814  9D 30 06 63 98 9F 01 63  ?c槦c
0048481C  00 00 00 00 DA DF 9E 00  ....谶?
00484824  F3 DD 9E 00 3E BF 9E 00  筝?>繛.
0048482C  50 72 9E 00 E8 78 9E 00  Pr?鑨?
00484834  59 D1 9E 00 20 10 A4 71  Y褳. 
0048483C  F2 20 9E 00 D5 21 9E 00  ????
00484844  06 21 9E 00 F2 20 9E 00  !???
0048484C  28 C3 9E 00 00 00 00 00  (脼.....
00484854  FF FF FF FF FF FF FF FF  

The IAT starts at 484164 and ends at 484854, a size of 6F0.
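As an added example (not part of the original write-up), the following Python script parses the hex dump above and sorts each IAT slot by where it points: into a system module (bases copied from the OllyDbg log above), into the packer's own section, or into memory that belongs to no module. Slots of the last two kinds are the ones an IAT repair has to resolve. The module span of 0x100000 and the image end of 0x500000 are assumptions, because the log records no module sizes.

```python
import re
from collections import Counter

# Constructed sample: the IAT hex dump shown above, hex columns only (ASCII column dropped).
IAT_DUMP = """
00484164  00 00 00 00 70 38 14 00
0048416C  A8 38 14 00 E0 38 14 00
00484174  18 39 14 00 50 39 14 00
0048417C  88 39 14 00 C0 39 14 00
00484184  F8 39 14 00 C9 A5 4F 00
004847EC  B7 4E 31 77 F6 7F 31 77
004847F4  54 50 31 77 25 74 32 77
004847FC  A4 7F 33 77 57 A4 31 77
00484804  3D 51 31 77 E3 AD 31 77
0048480C  00 00 00 00 1B 31 06 63
00484814  9D 30 06 63 98 9F 01 63
0048481C  00 00 00 00 DA DF 9E 00
00484824  F3 DD 9E 00 3E BF 9E 00
0048482C  50 72 9E 00 E8 78 9E 00
00484834  59 D1 9E 00 20 10 A4 71
0048483C  F2 20 9E 00 D5 21 9E 00
00484844  06 21 9E 00 F2 20 9E 00
0048484C  28 C3 9E 00 00 00 00 00
00484854  FF FF FF FF FF FF FF FF
"""

# Module bases copied from the OllyDbg log above. The log gives no sizes, so a module is
# assumed to own an address only within MODULE_SPAN bytes above its base (assumption).
MODULE_BASES = {
    0x77E40000: "kernel32.dll", 0x77D10000: "user32.dll", 0x7E190000: "GDI32.dll",
    0x77DA0000: "ADVAPI32.dll", 0x773A0000: "SHELL32.dll", 0x77310000: "COMCTL32.dll",
    0x63000000: "wininet.dll", 0x009E0000: "WS2_32.dll", 0x71A40000: "wsock32.dll",
}
MODULE_SPAN = 0x100000
# Image base and packer section start come from the listings (packer entry 004EF000);
# the image end is an assumption consistent with packer code seen up to 004FFxxx.
IMAGE_BASE, PACKER_SECTION, IMAGE_END = 0x00400000, 0x004EF000, 0x00500000

DUMP_LINE = re.compile(r"^([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2} ){7}[0-9A-Fa-f]{2})")

def parse_dump(text):
    """Split an OllyDbg-style hex dump into (slot_address, little-endian dword) pairs."""
    slots = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        raw = bytes.fromhex(m.group(2).replace(" ", ""))
        for off in range(0, len(raw), 4):
            slots.append((addr + off, int.from_bytes(raw[off:off + 4], "little")))
    return slots

def classify(value):
    """Say where an IAT slot points; only module pointers are valid in a rebuilt import table."""
    if value == 0:
        return "null"                      # separator between DLL groups
    if value == 0xFFFFFFFF:
        return "end-marker"
    if PACKER_SECTION <= value < IMAGE_END:
        return "redirected-to-packer"      # points into the protector's own section
    if IMAGE_BASE <= value < PACKER_SECTION:
        return "inside-image"
    # highest known base at or below the value, so overlapping spans pick the nearer module
    owner = max((b for b in MODULE_BASES if b <= value < b + MODULE_SPAN), default=None)
    if owner is not None:
        return "module:" + MODULE_BASES[owner]
    return "unmapped-stub"                 # e.g. 0014xxxx: allocated stubs, not a module

def iat_report(text):
    """IAT bounds (start to the first FFFFFFFF marker), slot-kind tally and slots to fix."""
    slots = parse_dump(text)
    end = next(a for a, v in slots if v == 0xFFFFFFFF)
    kinds = Counter(classify(v) for _, v in slots)
    needs_fix = [(a, v) for a, v in slots
                 if classify(v) in ("redirected-to-packer", "unmapped-stub")]
    return {"start": slots[0][0], "end": end, "size": end - slots[0][0],
            "kinds": kinds, "needs_fix": needs_fix}

if __name__ == "__main__":
    rep = iat_report(IAT_DUMP)
    print(f"IAT {rep['start']:08X}-{rep['end']:08X}, size {rep['size']:X}")
    for kind, n in sorted(rep["kinds"].items()):
        print(f"  {kind:<24}{n}")
    for a, v in rep["needs_fix"]:
        print(f"  fix {a:08X} -> {v:08X} ({classify(v)})")
```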

Now to find where the program starts processing the IAT.

Again, analyse the earlier log. From the 12H-th exception onward the address 004F48E2 appears repeatedly, and it appeared a few times before that too. Is this address related to IAT processing? Load the packed program and use the script to stop at the 12H-th exception:


004F44FB     90                   nop /// exception.
004F44FC     3C 04                cmp al,4
004F44FE     74 32                je short 004F4532                   ; 004F4532
004F4500     74 03                je short 004F4505                   ; 004F4505
004F4502     75 01                jnz short 004F4505                  ; 004F4505

Stack:

0012DB68    0012FFE0   指针到下一个 SEH 记录
0012DB6C    004F4594   SE 句柄

Trace from 004F4594:

004F4594     8B4424 04            mov eax,dword ptr ss:[esp+4]
004F4598     8B4C24 0C            mov ecx,dword ptr ss:[esp+C]
004F459C     FF81 B8000000        inc dword ptr ds:[ecx+B8]
004F45A2     8B00                 mov eax,dword ptr ds:[eax] /// note: after this instruction EAX=4F44FB
004F45A4     2D 03000080          sub eax,80000003
004F45A9     75 16                jnz short 004F45C1                  ; 004F45C1
004F45AB     B8 55010000          mov eax,155
004F45B0     8941 18              mov dword ptr ds:[ecx+18],eax
004F45B3     33C0                 xor eax,eax
004F45B5     8941 04              mov dword ptr ds:[ecx+4],eax /// clears the hardware breakpoints.
004F45B8     8941 08              mov dword ptr ds:[ecx+8],eax
004F45BB     8941 0C              mov dword ptr ds:[ecx+C],eax
004F45BE     8941 10              mov dword ptr ds:[ecx+10],eax
004F45C1     C3                   retn /// returns into a system DLL.


Set a breakpoint at 4F44FB, then F9:

004F44FB     90                   nop /// breaks here. Step with F7 from here on.
004F44FC     3C 04                cmp al,4
004F44FE     74 32                je short 004F4532 /// jumps!
004F4500     74 03                je short 004F4505                   ; 004F4505
004F4502     75 01                jnz short 004F4505                  ; 004F4505
004F4504     E8 E8010000          call 004F46F1                       ; 004F46F1

004F4532     64:8F05 00000000     pop dword ptr fs:[0]                ; 0012FFE0
004F4539     83C4 04              add esp,4
004F453C     0F31                 rdtsc /// first rdtsc reading of the timing check.
004F453E     8BC8                 mov ecx,eax
004F4540     8BDA                 mov ebx,edx
004F4542     7E 06                jle short 004F454A /// a disguised JMP.
004F4544     7F 04                jg short 004F454A                   ; 004F454A
004F4546     0010                 add byte ptr ds:[eax],dl

004F456F     9D                   popfd
004F4570     58                   pop eax
004F4571     0F31                 rdtsc /// second reading.
004F4573     2BC1                 sub eax,ecx
004F4575     1BD3                 sbb edx,ebx
004F4577     83FA 00              cmp edx,0
004F457A   ^ 75 84                jnz short 004F4500 /// must not jump.
004F457C     3D 00000060          cmp eax,60000000
004F4581   ^ 0F87 79FFFFFF        ja 004F4500 /// must not jump.
004F4587     74 39                je short 004F45C2 /// a disguised JMP.
004F4589     75 37                jnz short 004F45C2                  ; 004F45C2
004F458B     E8 00104000          call 008F5590

Finally we arrive at:

004FC17C     57                   push edi
004FC17D     E8 4483FFFF          call 004F44C6 
004FC182     8B8424 4C040000      mov eax,dword ptr ss:[esp+44C]
004FC189     33ED                 xor ebp,ebp
004FC18B     85C0                 test eax,eax
004FC18D     896C24 14            mov dword ptr ss:[esp+14],ebp
004FC191     75 6D                jnz short 004FC200 /// jumps. Step with F8 from here on.
004FC193     68 FDDE4000          push 40DEFD
004FC198     E8 007FFFFF          call 004F409D                           ; 004F409D
004FC19D     50                   push eax
004FC19E     68 C4AA4000          push 40AAC4
004FC1A3     E8 F57EFFFF          call 004F409D                           ; 004F409D
004FC1A8     50                   push eax
004FC1A9     E8 452C0000          call 004FEDF3                           ; 004FEDF3
004FC1AE     50                   push eax
004FC1AF     E8 E4C2FFFF          call 004F8498                           ; 004F8498
004FC1B4     68 0CDF4000          push 40DF0C
004FC1B9     8BF8                 mov edi,eax
004FC1BB     E8 DD7EFFFF          call 004F409D                           ; 004F409D
004FC1C0     50                   push eax
004FC1C1     68 C4AA4000          push 40AAC4
004FC1C6     E8 D27EFFFF          call 004F409D                           ; 004F409D
004FC1CB     50                   push eax
004FC1CC     E8 222C0000          call 004FEDF3                           ; 004FEDF3
004FC1D1     50                   push eax
004FC1D2     E8 C1C2FFFF          call 004F8498                           ; 004F8498
004FC1D7     8BF0                 mov esi,eax
004FC1D9     E8 D87EFFFF          call 004F40B6                           ; 004F40B6
004FC1DE     85F6                 test esi,esi
004FC1E0     8BD8                 mov ebx,eax
004FC1E2     74 16                je short 004FC1FA                       ; 004FC1FA
004FC1E4     85FF                 test edi,edi
004FC1E6     74 12                je short 004FC1FA                       ; 004FC1FA
004FC1E8     68 20030000          push 320
004FC1ED     6A 08                push 8
004FC1EF     FFD7                 call edi
004FC1F1     50                   push eax
004FC1F2     FFD6                 call esi
004FC1F4     8BE8                 mov ebp,eax
004FC1F6     896C24 14            mov dword ptr ss:[esp+14],ebp
004FC1FA     89AB 94000000        mov dword ptr ds:[ebx+94],ebp
004FC200     33FF                 xor edi,edi
004FC202     897C24 1C            mov dword ptr ss:[esp+1C],edi
004FC206     897C24 2C            mov dword ptr ss:[esp+2C],edi
004FC20A     E8 7FF9FFFF          call 004FBB8E                           ; 004FBB8E
004FC20F     3D B9C8B813          cmp eax,13B8C8B9
004FC214     BE 01000000          mov esi,1
004FC219     75 04                jnz short 004FC21F                      ; 004FC21F
004FC21B     897424 1C            mov dword ptr ss:[esp+1C],esi
004FC21F     E8 54F9FFFF          call 004FBB78                           ; 004FBB78
004FC224     35 47F2EA87          xor eax,87EAF247
004FC229     3D F71219C1          cmp eax,C11912F7
004FC22E     75 04                jnz short 004FC234                      ; 004FC234
004FC230     897424 2C            mov dword ptr ss:[esp+2C],esi
004FC234     68 16DF4000          push 40DF16
004FC239     E8 5F7EFFFF          call 004F409D                           ; 004F409D
004FC23E     50                   push eax
004FC23F     68 C4AA4000          push 40AAC4
004FC244     E8 547EFFFF          call 004F409D                           ; 004F409D
004FC249     50                   push eax
004FC24A     E8 FAC2FFFF          call 004F8549                           ; 004F8549
004FC24F     50                   push eax
004FC250     E8 43C2FFFF          call 004F8498                           ; 004F8498
004FC255     3BC7                 cmp eax,edi
004FC257     894424 38            mov dword ptr ss:[esp+38],eax
004FC25B     75 08                jnz short 004FC265                      ; 004FC265
004FC25D     C74424 38 F30D4100   mov dword ptr ss:[esp+38],410DF3
004FC265     6A 00                push 0
004FC267     E8 D32A0000          call 004FED3F                           ; 004FED3F
004FC26C     8BE8                 mov ebp,eax
004FC26E     896C24 34            mov dword ptr ss:[esp+34],ebp
004FC272     E8 3F7EFFFF          call 004F40B6                           ; 004F40B6
004FC277     8BF8                 mov edi,eax
004FC279     8D4C24 40            lea ecx,dword ptr ss:[esp+40]
004FC27D     51                   push ecx
004FC27E     6A 10                push 10
004FC280     8D87 F0000000        lea eax,dword ptr ds:[edi+F0]
004FC286     50                   push eax
004FC287     894424 24            mov dword ptr ss:[esp+24],eax
004FC28B     E8 3BB3FFFF          call 004F75CB                           ; 004F75CB
004FC290     8B8424 58040000      mov eax,dword ptr ss:[esp+458]
004FC297     83C4 0C              add esp,0C
004FC29A     85C0                 test eax,eax
004FC29C     74 05                je short 004FC2A3                       ; 004FC2A3
004FC29E     8B77 1C              mov esi,dword ptr ds:[edi+1C]
004FC2A1     EB 03                jmp short 004FC2A6                      ; 004FC2A6
004FC2A3     8B77 0C              mov esi,dword ptr ds:[edi+C]
004FC2A6     8B97 98000000        mov edx,dword ptr ds:[edi+98]
004FC2AC     03F5                 add esi,ebp
004FC2AE     895424 28            mov dword ptr ss:[esp+28],edx
004FC2B2     E8 88C5FFFF          call 004F883F                           ; 004F883F
004FC2B7     8B5C24 14            mov ebx,dword ptr ss:[esp+14]
004FC2BB     897424 20            mov dword ptr ss:[esp+20],esi
004FC2BF     8B46 10              mov eax,dword ptr ds:[esi+10]
004FC2C2     8B0E                 mov ecx,dword ptr ds:[esi]
004FC2C4     0BC1                 or eax,ecx
004FC2C6     0F84 61080000        je 004FCB2D                             ; 004FCB2D
004FC2CC     8B4424 18            mov eax,dword ptr ss:[esp+18]
004FC2D0     8D4C24 40            lea ecx,dword ptr ss:[esp+40]
004FC2D4     8D9424 44010000      lea edx,dword ptr ss:[esp+144]
004FC2DB     51                   push ecx
004FC2DC     52                   push edx
004FC2DD     6A 10                push 10
004FC2DF     50                   push eax
004FC2E0     6A 14                push 14
004FC2E2     56                   push esi
004FC2E3     E8 18C5FFFF          call 004F8800                           ; 004F8800
004FC2E8     8B5E 0C              mov ebx,dword ptr ds:[esi+C]
004FC2EB     8B8424 4C040000      mov eax,dword ptr ss:[esp+44C]
004FC2F2     85C0                 test eax,eax
004FC2F4     74 0A                je short 004FC300                       ; 004FC300
004FC2F6     8B4424 28            mov eax,dword ptr ss:[esp+28]
004FC2FA     03DD                 add ebx,ebp
004FC2FC     03D8                 add ebx,eax
004FC2FE     EB 02                jmp short 004FC302                      ; 004FC302
004FC300     03DD                 add ebx,ebp
004FC302     8B4424 18            mov eax,dword ptr ss:[esp+18]
004FC306     8D4C24 40            lea ecx,dword ptr ss:[esp+40]
004FC30A     8D9424 44010000      lea edx,dword ptr ss:[esp+144]
004FC311     51                   push ecx
004FC312     8B4E 04              mov ecx,dword ptr ds:[esi+4]
004FC315     52                   push edx
004FC316     6A 10                push 10
004FC318     50                   push eax
004FC319     51                   push ecx
004FC31A     53                   push ebx
004FC31B     895C24 54            mov dword ptr ss:[esp+54],ebx
004FC31F     E8 DCC4FFFF          call 004F8800                           ; 004F8800
004FC324     E8 16C5FFFF          call 004F883F                           ; 004F883F
004FC329     8B7C24 38            mov edi,dword ptr ss:[esp+38]
004FC32D     68 C4AA4000          push 40AAC4
004FC332     E8 667DFFFF          call 004F409D                           ; 004F409D
004FC337     50                   push eax /// eax=004F8AC4 (Project2.004F8AC4), ASCII "kernel32.dll"  the DLL name built into the packer.
004FC338     53                   push ebx /// ebx=00484854 (Project2.00484854), ASCII "kernel32.dll"  the DLL currently being processed.
004FC339     E8 BB96FFFF          call 004F59F9 /// compare; EAX is set to 0 if they match.
004FC33E     85C0                 test eax,eax
004FC340     74 5C                je short 004FC39E /// imports from a DLL whose name matches a built-in one get encrypted, so this must not jump. Change the flag so it does not.
004FC342     68 23DF4000          push 40DF23
004FC347     E8 517DFFFF          call 004F409D                           ; 004F409D
004FC34C     50                   push eax ///eax=004FBF23 (Project2.004FBF23), ASCII "user32.dll"
004FC34D     53                   push ebx  ///ebx=00484854 (Project2.00484854), ASCII "kernel32.dll"
004FC34E     E8 A696FFFF          call 004F59F9                           ; 004F59F9
004FC353     85C0                 test eax,eax
004FC355     74 47                je short 004FC39E /// must not jump.
004FC357     68 2EDF4000          push 40DF2E
004FC35C     E8 3C7DFFFF          call 004F409D                           ; 004F409D
004FC361     50                   push eax  ///eax=004FBF2E (Project2.004FBF2E), ASCII "gdi32.dll"
004FC362     53                   push ebx  ///ebx=00484854 (Project2.00484854), ASCII "kernel32.dll"
004FC363     E8 9196FFFF          call 004F59F9                           ; 004F59F9
004FC368     85C0                 test eax,eax
004FC36A     74 32                je short 004FC39E /// must not jump.
004FC36C     68 38DF4000          push 40DF38
004FC371     E8 277DFFFF          call 004F409D                           ; 004F409D
004FC376     50                   push eax  ///eax=004FBF38 (Project2.004FBF38), ASCII "advapi32.dll"
004FC377     53                   push ebx  ///ebx=00484854 (Project2.00484854), ASCII "kernel32.dll"
004FC378     E8 7C96FFFF          call 004F59F9                           ; 004F59F9
004FC37D     85C0                 test eax,eax
004FC37F     74 1D                je short 004FC39E /// must not jump.
004FC381     68 45DF4000          push 40DF45
004FC386     E8 127DFFFF          call 004F409D                           ; 004F409D
004FC38B     50                   push eax  ///eax=004FBF45 (Project2.004FBF45), ASCII "shell32.dll"
004FC38C     53                   push ebx  ///ebx=00484854 (Project2.00484854), ASCII "kernel32.dll"
004FC38D     E8 6796FFFF          call 004F59F9                           ; 004F59F9
004FC392     85C0                 test eax,eax
004FC394     C74424 24 00000000   mov dword ptr ss:[esp+24],0 /// sets the no-encryption flag.
004FC39C     75 08                jnz short 004FC3A6 /// jumps if the name matched none of the built-in DLLs above.
004FC39E     C74424 24 01000000   mov dword ptr ss:[esp+24],1 /// sets the encryption flag.
004FC3A6     68 51DF4000          push 40DF51
004FC3AB     E8 ED7CFFFF          call 004F409D                           ; 004F409D
004FC3B0     50                   push eax  ///eax=004FBF51 (Project2.004FBF51), ASCII "sdprotector.dll" 
004FC3B1     53                   push ebx  ///ebx=00484854 (Project2.00484854), ASCII "kernel32.dll"
004FC3B2     E8 4296FFFF          call 004F59F9                           ; 004F59F9
004FC3B7     85C0                 test eax,eax
004FC3B9     74 7F                je short 004FC43A /// must not jump.
004FC3BB     8B8424 4C040000      mov eax,dword ptr ss:[esp+44C]
004FC3C2     C74424 30 00000000   mov dword ptr ss:[esp+30],0 /// sets the no-encryption flag.
004FC3CA     85C0                 test eax,eax
004FC3CC     74 10                je short 004FC3DE                       ; 004FC3DE
004FC3CE     8B4424 1C            mov eax,dword ptr ss:[esp+1C]
004FC3D2     85C0                 test eax,eax
004FC3D4     74 08                je short 004FC3DE                       ; 004FC3DE
004FC3D6     53                   push ebx
004FC3D7     E8 6DC1FFFF          call 004F8549                           ; 004F8549
004FC3DC     EB 07                jmp short 004FC3E5                      ; 004FC3E5
004FC3DE     53                   push ebx
004FC3DF     57                   push edi
004FC3E0     E8 7DC1FFFF          call 004F8562                           ; 004F8562
004FC3E5     85C0                 test eax,eax
004FC3E7     894424 10            mov dword ptr ss:[esp+10],eax
004FC3EB     75 55                jnz short 004FC442                      ; 004FC442
004FC3ED     E8 652C0000          call 004FF057                           ; 004FF057
004FC3F2     50                   push eax
004FC3F3     53                   push ebx
004FC3F4     68 61DF4000          push 40DF61
004FC3F9     E8 9F7CFFFF          call 004F409D                           ; 004F409D
004FC3FE     8D9424 50020000      lea edx,dword ptr ss:[esp+250]
004FC405     50                   push eax
004FC406     52                   push edx
004FC407     E8 1F2E0000          call 004FF22B                           ; 004FF22B
004FC40C     83C4 10              add esp,10
004FC40F     6A 12                push 12
004FC411     68 72A34000          push 40A372
004FC416     E8 827CFFFF          call 004F409D                           ; 004F409D
004FC41B     50                   push eax
004FC41C     8D8424 50020000      lea eax,dword ptr ss:[esp+250]
004FC423     50                   push eax
004FC424     6A 00                push 0
004FC426     E8 EC290000          call 004FEE17                           ; 004FEE17
004FC42B     83F8 03              cmp eax,3
004FC42E     74 32                je short 004FC462                       ; 004FC462
004FC430     83F8 04              cmp eax,4
004FC433     75 36                jnz short 004FC46B                      ; 004FC46B
004FC435   ^ E9 F3FEFFFF          jmp 004FC32D                            ; 004FC32D
004FC43A     C74424 30 01000000   mov dword ptr ss:[esp+30],1 /// sets the encryption flag.
004FC442     8B8424 4C040000      mov eax,dword ptr ss:[esp+44C]
004FC449     85C0                 test eax,eax
004FC44B     8B06                 mov eax,dword ptr ds:[esi]
004FC44D     8D4C05 00            lea ecx,dword ptr ss:[ebp+eax]
004FC451     74 20                je short 004FC473                       ; 004FC473
004FC453     8B76 10              mov esi,dword ptr ds:[esi+10]
004FC456     8B5424 28            mov edx,dword ptr ss:[esp+28]
004FC45A     03F5                 add esi,ebp
004FC45C     03CA                 add ecx,edx
004FC45E     03F2                 add esi,edx
004FC460     EB 16                jmp short 004FC478                      ; 004FC478
004FC462     6A 00                push 0
004FC464     E8 66290000          call 004FEDCF                           ; 004FEDCF
004FC469   ^ EB D7                jmp short 004FC442                      ; 004FC442
004FC46B     83C6 14              add esi,14
004FC46E   ^ E9 44FEFFFF          jmp 004FC2B7                            ; 004FC2B7
004FC473     8B76 10              mov esi,dword ptr ds:[esi+10]///
004FC476     03F5                 add esi,ebp
004FC478     85C0                 test eax,eax
004FC47A     8BE9                 mov ebp,ecx
004FC47C     75 02                jnz short 004FC480                      ; 004FC480
004FC47E     8BEE                 mov ebp,esi
004FC480     E8 BAC3FFFF          call 004F883F                           ; 004F883F
004FC485     8B5C24 18            mov ebx,dword ptr ss:[esp+18]
004FC489     8B7C24 10            mov edi,dword ptr ss:[esp+10]
004FC48D     837D 00 00           cmp dword ptr ss:[ebp],0  /// function processing starts here.
004FC491     0F84 5E060000        je 004FCAF5                             ; 004FCAF5
004FC497     8D4C24 40            lea ecx,dword ptr ss:[esp+40]
004FC49B     8D9424 44010000      lea edx,dword ptr ss:[esp+144]
004FC4A2     51                   push ecx
004FC4A3     52                   push edx
004FC4A4     6A 10                push 10
004FC4A6     53                   push ebx
004FC4A7     6A 04                push 4
004FC4A9     55                   push ebp
004FC4AA     E8 51C3FFFF          call 004F8800                           ; 004F8800
004FC4AF     8D4424 40            lea eax,dword ptr ss:[esp+40]
004FC4B3     8D8C24 44010000      lea ecx,dword ptr ss:[esp+144]
004FC4BA     50                   push eax
004FC4BB     51                   push ecx
004FC4BC     6A 10                push 10
004FC4BE     53                   push ebx
004FC4BF     6A 04                push 4
004FC4C1     56                   push esi
004FC4C2     E8 39C3FFFF          call 004F8800                           ; 004F8800
004FC4C7     8B8424 4C040000      mov eax,dword ptr ss:[esp+44C]
004FC4CE     85C0                 test eax,eax
004FC4D0     8B45 00              mov eax,dword ptr ss:[ebp]
004FC4D3     74 0F                je short 004FC4E4                       ; 004FC4E4
004FC4D5     8B5424 34            mov edx,dword ptr ss:[esp+34]
004FC4D9     8B4C24 28            mov ecx,dword ptr ss:[esp+28]
004FC4DD     8D1C02               lea ebx,dword ptr ds:[edx+eax]
004FC4E0     03D9                 add ebx,ecx
004FC4E2     EB 07                jmp short 004FC4EB                      ; 004FC4EB
004FC4E4     8B4C24 34            mov ecx,dword ptr ss:[esp+34]
004FC4E8     8D1C01               lea ebx,dword ptr ds:[ecx+eax]
004FC4EB     A9 00000080          test eax,80000000
004FC4F0     0F84 19010000        je 004FC60F                             ; 004FC60F
004FC4F6     8B4C24 30            mov ecx,dword ptr ss:[esp+30]
004FC4FA     85C9                 test ecx,ecx
004FC4FC     8B8C24 4C040000      mov ecx,dword ptr ss:[esp+44C]
004FC503     0F84 AB000000        je 004FC5B4                             ; 004FC5B4
004FC509     85C9                 test ecx,ecx
004FC50B     0F84 EB000000        je 004FC5FC                             ; 004FC5FC
004FC511     25 FFFFFF7F          and eax,7FFFFFFF
004FC516     83F8 01              cmp eax,1
004FC519     75 11                jnz short 004FC52C                      ; 004FC52C
004FC51B     68 EDA84000          push 40A8ED
004FC520     E8 787BFFFF          call 004F409D                           ; 004F409D
004FC525     8906                 mov dword ptr ds:[esi],eax
004FC527     E9 AE050000          jmp 004FCADA                            ; 004FCADA
004FC52C     83F8 02              cmp eax,2
004FC52F     75 11                jnz short 004FC542                      ; 004FC542
004FC531     68 FBA84000          push 40A8FB
004FC536     E8 627BFFFF          call 004F409D                           ; 004F409D
004FC53B     8906                 mov dword ptr ds:[esi],eax
004FC53D     E9 98050000          jmp 004FCADA                            ; 004FCADA
004FC542     83F8 03              cmp eax,3
004FC545     75 11                jnz short 004FC558                      ; 004FC558
004FC547     68 11A94000          push 40A911
004FC54C     E8 4C7BFFFF          call 004F409D                           ; 004F409D
004FC551     8906                 mov dword ptr ds:[esi],eax
004FC553     E9 82050000          jmp 004FCADA                            ; 004FCADA
004FC558     83F8 04              cmp eax,4
004FC55B     75 11                jnz short 004FC56E                      ; 004FC56E
004FC55D     68 24A94000          push 40A924
004FC562     E8 367BFFFF          call 004F409D                           ; 004F409D
004FC567     8906                 mov dword ptr ds:[esi],eax
004FC569     E9 6C050000          jmp 004FCADA                            ; 004FCADA
004FC56E     83F8 05              cmp eax,5
004FC571     75 11                jnz short 004FC584                      ; 004FC584
004FC573     68 37A94000          push 40A937
004FC578     E8 207BFFFF          call 004F409D                           ; 004F409D
004FC57D     8906                 mov dword ptr ds:[esi],eax
004FC57F     E9 56050000          jmp 004FCADA                            ; 004FCADA
004FC584     83F8 06              cmp eax,6
004FC587     75 11                jnz short 004FC59A                      ; 004FC59A
004FC589     68 4AA94000          push 40A94A
004FC58E     E8 0A7BFFFF          call 004F409D                           ; 004F409D
004FC593     8906                 mov dword ptr ds:[esi],eax
004FC595     E9 40050000          jmp 004FCADA                            ; 004FCADA
004FC59A     83F8 07              cmp eax,7
004FC59D     0F85 37050000        jnz 004FCADA                            ; 004FCADA
004FC5A3     68 5DA94000          push 40A95D
004FC5A8     E8 F07AFFFF          call 004F409D                           ; 004F409D
004FC5AD     8906                 mov dword ptr ds:[esi],eax
004FC5AF     E9 26050000          jmp 004FCADA                            ; 004FCADA
004FC5B4     85C9                 test ecx,ecx
004FC5B6     74 44                je short 004FC5FC                       ; 004FC5FC
004FC5B8     8B4C24 1C            mov ecx,dword ptr ss:[esp+1C]
004FC5BC     85C9                 test ecx,ecx
004FC5BE     74 16                je short 004FC5D6                       ; 004FC5D6
004FC5C0     8B16                 mov edx,dword ptr ds:[esi]
004FC5C2     81E2 FFFFFF7F        and edx,7FFFFFFF
004FC5C8     52                   push edx
004FC5C9     57                   push edi
004FC5CA     E8 94270000          call 004FED63                           ; 004FED63
004FC5CF     8906                 mov dword ptr ds:[esi],eax
004FC5D1     E9 04050000          jmp 004FCADA                            ; 004FCADA
004FC5D6     8B4C24 24            mov ecx,dword ptr ss:[esp+24]
004FC5DA     85C9                 test ecx,ecx
004FC5DC     74 1E                je short 004FC5FC                       ; 004FC5FC
004FC5DE     8B4C24 2C            mov ecx,dword ptr ss:[esp+2C]
004FC5E2     25 FFFFFF7F          and eax,7FFFFFFF
004FC5E7     51                   push ecx
004FC5E8     50                   push eax
004FC5E9     57                   push edi
004FC5EA     E8 A9BEFFFF          call 004F8498                           ; 004F8498
004FC5EF     50                   push eax
004FC5F0     E8 EAF6FFFF          call 004FBCDF                           ; 004FBCDF
004FC5F5     8906                 mov dword ptr ds:[esi],eax
004FC5F7     E9 DE040000          jmp 004FCADA                            ; 004FCADA
004FC5FC     25 FFFFFF7F          and eax,7FFFFFFF
004FC601     50                   push eax
004FC602     57                   push edi
004FC603     E8 90BEFFFF          call 004F8498                           ; 004F8498
004FC608     8906                 mov dword ptr ds:[esi],eax
004FC60A     E9 CB040000          jmp 004FCADA                            ; 004FCADA
004FC60F     8B4C24 18            mov ecx,dword ptr ss:[esp+18]
004FC613     8D5424 40            lea edx,dword ptr ss:[esp+40]
004FC617     8D8424 44010000      lea eax,dword ptr ss:[esp+144]
004FC61E     52                   push edx
004FC61F     50                   push eax
004FC620     6A 10                push 10
004FC622     51                   push ecx
004FC623     6A 02                push 2
004FC625     53                   push ebx
004FC626     E8 D5C1FFFF          call 004F8800                           ; 004F8800
004FC62B     8D5424 40            lea edx,dword ptr ss:[esp+40]
004FC62F     8D8424 44010000      lea eax,dword ptr ss:[esp+144]
004FC636     8B4C24 18            mov ecx,dword ptr ss:[esp+18]
004FC63A     52                   push edx
004FC63B     33D2                 xor edx,edx
004FC63D     50                   push eax
004FC63E     66:8B13              mov dx,word ptr ds:[ebx]
004FC641     6A 10                push 10
004FC643     8D7B 02              lea edi,dword ptr ds:[ebx+2]
004FC646     51                   push ecx
004FC647     52                   push edx
004FC648     57                   push edi
004FC649     E8 B2C1FFFF          call 004F8800                           ; 004F8800
004FC64E     8B4424 30            mov eax,dword ptr ss:[esp+30]
004FC652     85C0                 test eax,eax
004FC654     8B8424 4C040000      mov eax,dword ptr ss:[esp+44C]
004FC65B     0F84 16010000        je 004FC777                             ; 004FC777
004FC661     85C0                 test eax,eax
004FC663     0F84 39040000        je 004FCAA2                             ; 004FCAA2
004FC669     68 CFDF4000          push 40DFCF
004FC66E     E8 2A7AFFFF          call 004F409D                           ; 004F409D
004FC673     50                   push eax
004FC674     57                   push edi
004FC675     E8 F883FFFF          call 004F4A72                           ; 004F4A72
004FC67A     85C0                 test eax,eax
004FC67C     75 11                jnz short 004FC68F                      ; 004FC68F
004FC67E     68 EDA84000          push 40A8ED
004FC683     E8 157AFFFF          call 004F409D                           ; 004F409D
004FC688     8906                 mov dword ptr ds:[esi],eax
004FC68A     E9 31040000          jmp 004FCAC0                            ; 004FCAC0
004FC68F     68 E0DF4000          push 40DFE0
004FC694     E8 047AFFFF          call 004F409D                           ; 004F409D
004FC699     50                   push eax
004FC69A     57                   push edi
004FC69B     E8 D283FFFF          call 004F4A72                           ; 004F4A72
004FC6A0     85C0                 test eax,eax
004FC6A2     75 11                jnz short 004FC6B5                      ; 004FC6B5
004FC6A4     68 FBA84000          push 40A8FB
004FC6A9     E8 EF79FFFF          call 004F409D                           ; 004F409D
004FC6AE     8906                 mov dword ptr ds:[esi],eax
004FC6B0     E9 0B040000          jmp 004FCAC0                            ; 004FCAC0
004FC6B5     68 F8DF4000          push 40DFF8
004FC6BA     E8 DE79FFFF          call 004F409D                           ; 004F409D
004FC6BF     50                   push eax
004FC6C0     57                   push edi
004FC6C1     E8 AC83FFFF          call 004F4A72                           ; 004F4A72
004FC6C6     85C0                 test eax,eax
004FC6C8     75 11                jnz short 004FC6DB                      ; 004FC6DB
004FC6CA     68 11A94000          push 40A911
004FC6CF     E8 C979FFFF          call 004F409D                           ; 004F409D
004FC6D4     8906                 mov dword ptr ds:[esi],eax
004FC6D6     E9 E5030000          jmp 004FCAC0                            ; 004FCAC0
004FC6DB     68 11E04000          push 40E011
004FC6E0     E8 B879FFFF          call 004F409D                           ; 004F409D
004FC6E5     50                   push eax
004FC6E6     57                   push edi
004FC6E7     E8 8683FFFF          call 004F4A72                           ; 004F4A72
004FC6EC     85C0                 test eax,eax
004FC6EE     75 11                jnz short 004FC701                      ; 004FC701
004FC6F0     68 24A94000          push 40A924
004FC6F5     E8 A379FFFF          call 004F409D                           ; 004F409D
004FC6FA     8906                 mov dword ptr ds:[esi],eax
004FC6FC     E9 BF030000          jmp 004FCAC0                            ; 004FCAC0
004FC701     68 27E04000          push 40E027
004FC706     E8 9279FFFF          call 004F409D                           ; 004F409D
004FC70B     50                   push eax
004FC70C     57                   push edi
004FC70D     E8 6083FFFF          call 004F4A72                           ; 004F4A72
004FC712     85C0                 test eax,eax
004FC714     75 11                jnz short 004FC727                      ; 004FC727
004FC716     68 37A94000          push 40A937
004FC71B     E8 7D79FFFF          call 004F409D                           ; 004F409D
004FC720     8906                 mov dword ptr ds:[esi],eax
004FC722     E9 99030000          jmp 004FCAC0                            ; 004FCAC0
004FC727     68 3CE04000          push 40E03C
004FC72C     E8 6C79FFFF          call 004F409D                           ; 004F409D
004FC731     50                   push eax
004FC732     57                   push edi
004FC733     E8 3A83FFFF          call 004F4A72                           ; 004F4A72
004FC738     85C0                 test eax,eax
004FC73A     75 11                jnz short 004FC74D                      ; 004FC74D
004FC73C     68 4AA94000          push 40A94A
004FC741     E8 5779FFFF          call 004F409D                           ; 004F409D
004FC746     8906                 mov dword ptr ds:[esi],eax
004FC748     E9 73030000          jmp 004FCAC0                            ; 004FCAC0
004FC74D     68 57E04000          push 40E057
004FC752     E8 4679FFFF          call 004F409D                           ; 004F409D
004FC757     50                   push eax
004FC758     57                   push edi
004FC759     E8 1483FFFF          call 004F4A72                           ; 004F4A72
004FC75E     85C0                 test eax,eax
004FC760     0F85 FC020000        jnz 004FCA62                            ; 004FCA62
004FC766     68 5DA94000          push 40A95D
004FC76B     E8 2D79FFFF          call 004F409D                           ; 004F409D
004FC770     8906                 mov dword ptr ds:[esi],eax
004FC772     E9 49030000          jmp 004FCAC0                            ; 004FCAC0
004FC777     85C0                 test eax,eax
004FC779     0F84 23030000        je 004FCAA2                             ; 004FCAA2
004FC77F     8B4424 1C            mov eax,dword ptr ss:[esp+1C]
004FC783     85C0                 test eax,eax
004FC785     74 5E                je short 004FC7E5                       ; 004FC7E5
004FC787     68 6AE04000          push 40E06A
004FC78C     E8 0C79FFFF          call 004F409D                           ; 004F409D
004FC791     50                   push eax
004FC792     57                   push edi
004FC793     E8 DA82FFFF          call 004F4A72                           ; 004F4A72
004FC798     85C0                 test eax,eax
004FC79A     75 11                jnz short 004FC7AD                      ; 004FC7AD
004FC79C     68 B1CE4000          push 40CEB1
004FC7A1     E8 F778FFFF          call 004F409D                           ; 004F409D
004FC7A6     8906                 mov dword ptr ds:[esi],eax
004FC7A8     E9 13030000          jmp 004FCAC0                            ; 004FCAC0
004FC7AD     68 10CF4000          push 40CF10
004FC7B2     E8 E678FFFF          call 004F409D                           ; 004F409D
004FC7B7     50                   push eax
004FC7B8     57                   push edi
004FC7B9     E8 B482FFFF          call 004F4A72                           ; 004F4A72
004FC7BE     85C0                 test eax,eax
004FC7C0     75 11                jnz short 004FC7D3                      ; 004FC7D3
004FC7C2     68 27CF4000          push 40CF27
004FC7C7     E8 D178FFFF          call 004F409D                           ; 004F409D
004FC7CC     8906                 mov dword ptr ds:[esi],eax
004FC7CE     E9 ED020000          jmp 004FCAC0                            ; 004FCAC0
004FC7D3     8B4424 10            mov eax,dword ptr ss:[esp+10]
004FC7D7     57                   push edi
004FC7D8     50                   push eax
004FC7D9     E8 85250000          call 004FED63                           ; 004FED63
004FC7DE     8906                 mov dword ptr ds:[esi],eax
004FC7E0     E9 DB020000          jmp 004FCAC0                            ; 004FCAC0
004FC7E5     8B4424 24            mov eax,dword ptr ss:[esp+24]
004FC7E9     85C0                 test eax,eax
004FC7EB     0F84 5C020000        je 004FCA4D                             ; 004FCA4D
004FC7F1     68 76E04000          push 40E076
004FC7F6     E8 A278FFFF          call 004F409D                           ; 004F409D
004FC7FB     50                   push eax
004FC7FC     57                   push edi
004FC7FD     E8 7082FFFF          call 004F4A72                           ; 004F4A72
004FC802     85C0                 test eax,eax
004FC804     75 11                jnz short 004FC817                      ; 004FC817
004FC806     68 E4CF4000          push 40CFE4
004FC80B     E8 8D78FFFF          call 004F409D                           ; 004F409D
004FC810     8906                 mov dword ptr ds:[esi],eax
004FC812     E9 A9020000          jmp 004FCAC0                            ; 004FCAC0
004FC817     68 8AE04000          push 40E08A
004FC81C     E8 7C78FFFF          call 004F409D                           ; 004F409D
004FC821     50                   push eax
004FC822     57                   push edi
004FC823     E8 4A82FFFF          call 004F4A72                           ; 004F4A72
004FC828     85C0                 test eax,eax
004FC82A     75 11                jnz short 004FC83D                      ; 004FC83D
004FC82C     68 32D04000          push 40D032
004FC831     E8 6778FFFF          call 004F409D                           ; 004F409D
004FC836     8906                 mov dword ptr ds:[esi],eax
004FC838     E9 83020000          jmp 004FCAC0                            ; 004FCAC0
004FC83D     68 98E04000          push 40E098
004FC842     E8 5678FFFF          call 004F409D                           ; 004F409D
004FC847     50                   push eax
004FC848     57                   push edi
004FC849     E8 2482FFFF          call 004F4A72                           ; 004F4A72
004FC84E     85C0                 test eax,eax
004FC850     75 11                jnz short 004FC863                      ; 004FC863
004FC852     68 C9C54000          push 40C5C9
004FC857     E8 4178FFFF          call 004F409D                           ; 004F409D
004FC85C     8906                 mov dword ptr ds:[esi],eax
004FC85E     E9 5D020000          jmp 004FCAC0                            ; 004FCAC0
004FC863     68 A3E04000          push 40E0A3
004FC868     E8 3078FFFF          call 004F409D                           ; 004F409D
004FC86D     50                   push eax
004FC86E     57                   push edi
004FC86F     E8 FE81FFFF          call 004F4A72                           ; 004F4A72
004FC874     85C0                 test eax,eax
004FC876     75 11                jnz short 004FC889                      ; 004FC889
004FC878     68 6FD04000          push 40D06F
004FC87D     E8 1B78FFFF          call 004F409D                           ; 004F409D
004FC882     8906                 mov dword ptr ds:[esi],eax
004FC884     E9 37020000          jmp 004FCAC0                            ; 004FCAC0
004FC889     68 B3E04000          push 40E0B3
004FC88E     E8 0A78FFFF          call 004F409D                           ; 004F409D
004FC893     50                   push eax
004FC894     57                   push edi
004FC895     E8 D881FFFF          call 004F4A72                           ; 004F4A72
004FC89A     85C0                 test eax,eax
004FC89C     75 11                jnz short 004FC8AF                      ; 004FC8AF
004FC89E     68 56CE4000          push 40CE56
004FC8A3     E8 F577FFFF          call 004F409D                           ; 004F409D
004FC8A8     8906                 mov dword ptr ds:[esi],eax
004FC8AA     E9 11020000          jmp 004FCAC0                            ; 004FCAC0
004FC8AF     68 BFE04000          push 40E0BF
004FC8B4     E8 E477FFFF          call 004F409D                           ; 004F409D
004FC8B9     50                   push eax
004FC8BA     57                   push edi
004FC8BB     E8 B281FFFF          call 004F4A72                           ; 004F4A72
004FC8C0     85C0                 test eax,eax
004FC8C2     75 11                jnz short 004FC8D5                      ; 004FC8D5
004FC8C4     68 CDD24000          push 40D2CD
004FC8C9     E8 CF77FFFF          call 004F409D                           ; 004F409D
004FC8CE     8906                 mov dword ptr ds:[esi],eax
004FC8D0     E9 EB010000          jmp 004FCAC0                            ; 004FCAC0
004FC8D5     68 D0E04000          push 40E0D0                             ; ASCII "'H"
004FC8DA     E8 BE77FFFF          call 004F409D                           ; 004F409D
004FC8DF     50                   push eax
004FC8E0     57                   push edi
004FC8E1     E8 8C81FFFF          call 004F4A72                           ; 004F4A72
004FC8E6     85C0                 test eax,eax
004FC8E8     75 11                jnz short 004FC8FB                      ; 004FC8FB
004FC8EA     68 4BD24000          push 40D24B
004FC8EF     E8 A977FFFF          call 004F409D                           ; 004F409D
004FC8F4     8906                 mov dword ptr ds:[esi],eax
004FC8F6     E9 C5010000          jmp 004FCAC0                            ; 004FCAC0
004FC8FB     68 6AE04000          push 40E06A
004FC900     E8 9877FFFF          call 004F409D                           ; 004F409D
004FC905     50                   push eax
004FC906     57                   push edi
004FC907     E8 6681FFFF          call 004F4A72                           ; 004F4A72
004FC90C     85C0                 test eax,eax
004FC90E     75 11                jnz short 004FC921                      ; 004FC921
004FC910     68 B1CE4000          push 40CEB1
004FC915     E8 8377FFFF          call 004F409D                           ; 004F409D
004FC91A     8906                 mov dword ptr ds:[esi],eax
004FC91C     E9 9F010000          jmp 004FCAC0                            ; 004FCAC0
004FC921     68 10CF4000          push 40CF10
004FC926     E8 7277FFFF          call 004F409D                           ; 004F409D
004FC92B     50                   push eax
004FC92C     57                   push edi
004FC92D     E8 4081FFFF          call 004F4A72                           ; 004F4A72
004FC932     85C0                 test eax,eax
004FC934     75 11                jnz short 004FC947                      ; 004FC947
004FC936     68 27CF4000          push 40CF27
004FC93B     E8 5D77FFFF          call 004F409D                           ; 004F409D
004FC940     8906                 mov dword ptr ds:[esi],eax
004FC942     E9 79010000          jmp 004FCAC0                            ; 004FCAC0
004FC947     68 E3E04000          push 40E0E3
004FC94C     E8 4C77FFFF          call 004F409D                           ; 004F409D
004FC951     50                   push eax
004FC952     57                   push edi
004FC953     E8 1A81FFFF          call 004F4A72                           ; 004F4A72
004FC958     85C0                 test eax,eax
004FC95A     75 11                jnz short 004FC96D                      ; 004FC96D
004FC95C     68 80D04000          push 40D080
004FC961     E8 3777FFFF          call 004F409D                           ; 004F409D
004FC966     8906                 mov dword ptr ds:[esi],eax
004FC968     E9 53010000          jmp 004FCAC0                            ; 004FCAC0
004FC96D     68 AFD04000          push 40D0AF
004FC972     E8 2677FFFF          call 004F409D                           ; 004F409D
004FC977     50                   push eax
004FC978     57                   push edi
004FC979     E8 F480FFFF          call 004F4A72                           ; 004F4A72
004FC97E     85C0                 test eax,eax
004FC980     75 11                jnz short 004FC993                      ; 004FC993
004FC982     68 96CF4000          push 40CF96                             ; ASCII "MPM"
004FC987     E8 1177FFFF          call 004F409D                           ; 004F409D
004FC98C     8906                 mov dword ptr ds:[esi],eax
004FC98E     E9 2D010000          jmp 004FCAC0                            ; 004FCAC0
004FC993     68 F3E04000          push 40E0F3
004FC998     E8 0077FFFF          call 004F409D                           ; 004F409D
004FC99D     50                   push eax
004FC99E     57                   push edi
004FC99F     E8 CE80FFFF          call 004F4A72                           ; 004F4A72
004FC9A4     85C0                 test eax,eax
004FC9A6     75 11                jnz short 004FC9B9                      ; 004FC9B9
004FC9A8     68 E7D14000          push 40D1E7
004FC9AD     E8 EB76FFFF          call 004F409D                           ; 004F409D
004FC9B2     8906                 mov dword ptr ds:[esi],eax
004FC9B4     E9 07010000          jmp 004FCAC0                            ; 004FCAC0
004FC9B9     68 08E14000          push 40E108
004FC9BE     E8 DA76FFFF          call 004F409D                           ; 004F409D
004FC9C3     50                   push eax
004FC9C4     57                   push edi
004FC9C5     E8 A880FFFF          call 004F4A72                           ; 004F4A72
004FC9CA     85C0                 test eax,eax
004FC9CC     75 11                jnz short 004FC9DF                      ; 004FC9DF
004FC9CE     68 A0D04000          push 40D0A0
004FC9D3     E8 C576FFFF          call 004F409D                           ; 004F409D
004FC9D8     8906                 mov dword ptr ds:[esi],eax
004FC9DA     E9 E1000000          jmp 004FCAC0                            ; 004FCAC0
004FC9DF     68 1CE14000          push 40E11C
004FC9E4     E8 B476FFFF          call 004F409D                           ; 004F409D
004FC9E9     50                   push eax
004FC9EA     57                   push edi
004FC9EB     E8 8280FFFF          call 004F4A72                           ; 004F4A72
004FC9F0     85C0                 test eax,eax
004FC9F2     75 11                jnz short 004FCA05                      ; 004FCA05
004FC9F4     68 EFD24000          push 40D2EF
004FC9F9     E8 9F76FFFF          call 004F409D                           ; 004F409D
004FC9FE     8906                 mov dword ptr ds:[esi],eax
004FCA00     E9 BB000000          jmp 004FCAC0                            ; 004FCAC0
004FCA05     68 31E14000          push 40E131
004FCA0A     E8 8E76FFFF          call 004F409D                           ; 004F409D
004FCA0F     50                   push eax
004FCA10     57                   push edi
004FCA11     E8 5C80FFFF          call 004F4A72                           ; 004F4A72
004FCA16     85C0                 test eax,eax
004FCA18     75 19                jnz short 004FCA33                      ; 004FCA33
004FCA1A     8B4C24 10            mov ecx,dword ptr ss:[esp+10]
004FCA1E     50                   push eax
004FCA1F     57                   push edi
004FCA20     51                   push ecx
004FCA21     E8 72BAFFFF          call 004F8498                           ; 004F8498
004FCA26     50                   push eax
004FCA27     E8 B3F2FFFF          call 004FBCDF                           ; 004FBCDF
004FCA2C     8906                 mov dword ptr ds:[esi],eax
004FCA2E     E9 8D000000          jmp 004FCAC0                            ; 004FCAC0
004FCA33     8B5424 2C            mov edx,dword ptr ss:[esp+2C]
004FCA37     8B4424 10            mov eax,dword ptr ss:[esp+10]
004FCA3B     52                   push edx
004FCA3C     57                   push edi
004FCA3D     50                   push eax
004FCA3E     E8 55BAFFFF          call 004F8498                           ; 004F8498
004FCA43     50                   push eax
004FCA44     E8 96F2FFFF          call 004FBCDF                           ; 004FBCDF
004FCA49     8906                 mov dword ptr ds:[esi],eax
004FCA4B     EB 73                jmp short 004FCAC0                      ; 004FCAC0
004FCA4D     68 6AE04000          push 40E06A
004FCA52     E8 4676FFFF          call 004F409D                           ; 004F409D
004FCA57     50                   push eax
004FCA58     57                   push edi
004FCA59     E8 1480FFFF          call 004F4A72 /// check whether this is the MessageBoxA function.                          ; 004F4A72
004FCA5E     85C0                 test eax,eax
004FCA60     75 0E                jnz short 004FCA70 /// must jump.
004FCA62     68 B1CE4000          push 40CEB1
004FCA67     E8 3176FFFF          call 004F409D                           ; 004F409D
004FCA6C     8906                 mov dword ptr ds:[esi],eax
004FCA6E     EB 50                jmp short 004FCAC0                      ; 004FCAC0
004FCA70     68 10CF4000          push 40CF10
004FCA75     E8 2376FFFF          call 004F409D                           ; 004F409D
004FCA7A     50                   push eax
004FCA7B     57                   push edi
004FCA7C     E8 F17FFFFF          call 004F4A72 /// check whether this is the MessageBoxW function.                          ; 004F4A72
004FCA81     85C0                 test eax,eax
004FCA83     75 0E                jnz short 004FCA93  /// must jump.
004FCA85     68 27CF4000          push 40CF27
004FCA8A     E8 0E76FFFF          call 004F409D                           ; 004F409D
004FCA8F     8906                 mov dword ptr ds:[esi],eax
004FCA91     EB 2D                jmp short 004FCAC0                      ; 004FCAC0
004FCA93     8B4C24 10            mov ecx,dword ptr ss:[esp+10]
004FCA97     57                   push edi
004FCA98     51                   push ecx
004FCA99     E8 FAB9FFFF          call 004F8498                           ; 004F8498
004FCA9E     8906                 mov dword ptr ds:[esi],eax
004FCAA0     EB 1E                jmp short 004FCAC0                      ; 004FCAC0
004FCAA2     8B5424 10            mov edx,dword ptr ss:[esp+10]
004FCAA6     57                   push edi
004FCAA7     52                   push edx
004FCAA8     E8 EBB9FFFF          call 004F8498                           ; 004F8498
004FCAAD     8906                 mov dword ptr ds:[esi],eax
004FCAAF     8B4C24 14            mov ecx,dword ptr ss:[esp+14]
004FCAB3     85C9                 test ecx,ecx
004FCAB5     74 09                je short 004FCAC0                       ; 004FCAC0
004FCAB7     8901                 mov dword ptr ds:[ecx],eax
004FCAB9     83C1 04              add ecx,4
004FCABC     894C24 14            mov dword ptr ss:[esp+14],ecx
004FCAC0     33C0                 xor eax,eax
004FCAC2     66:8B03              mov ax,word ptr ds:[ebx]
004FCAC5     50                   push eax
004FCAC6     68 FF000000          push 0FF
004FCACB     57                   push edi
004FCACC     E8 5D8DFFFF          call 004F582E                           ; 004F582E
004FCAD1     66:C703 0000         mov word ptr ds:[ebx],0
004FCAD6     8B7C24 10            mov edi,dword ptr ss:[esp+10]
004FCADA     3BEE                 cmp ebp,esi
004FCADC     74 08                je short 004FCAE6                       ; 004FCAE6
004FCADE     6A 04                push 4
004FCAE0     55                   push ebp
004FCAE1     E8 B27FFFFF          call 004F4A98                           ; 004F4A98
004FCAE6     8B5C24 18            mov ebx,dword ptr ss:[esp+18]
004FCAEA     83C5 04              add ebp,4
004FCAED     83C6 04              add esi,4
004FCAF0   ^ E9 98F9FFFF          jmp 004FC48D /// loop: process the next function.
004FCAF5     E8 8E7DFFFF          call 004F4888                           ; 004F4888
004FCAFA     8B7424 20            mov esi,dword ptr ss:[esp+20]           ; Project2.004840B4
004FCAFE     8B5424 3C            mov edx,dword ptr ss:[esp+3C]
004FCB02     8B4E 04              mov ecx,dword ptr ds:[esi+4]
004FCB05     51                   push ecx
004FCB06     68 FF000000          push 0FF
004FCB0B     52                   push edx
004FCB0C     E8 1D8DFFFF          call 004F582E                           ; 004F582E
004FCB11     6A 14                push 14
004FCB13     56                   push esi
004FCB14     E8 7F7FFFFF          call 004F4A98                           ; 004F4A98
004FCB19     83C6 14              add esi,14
004FCB1C     8B5C24 14            mov ebx,dword ptr ss:[esp+14]
004FCB20     8B6C24 34            mov ebp,dword ptr ss:[esp+34]
004FCB24     897424 20            mov dword ptr ss:[esp+20],esi
004FCB28   ^ E9 92F7FFFF          jmp 004FC2BF  /// loop: process the next DLL.
004FCB2D     8B8424 4C040000      mov eax,dword ptr ss:[esp+44C]
004FCB34     85C0                 test eax,eax

From the analysis above it can be seen that the program encrypts the imported functions of six DLLs (kernel32.dll, user32.dll, gdi32.dll, advapi32.dll, shell32.dll and sdprotector.dll), and additionally encrypts the two functions MessageBoxA and MessageBoxW. Skipping these encryption routines yields the complete IAT.

Again a script is used to skip these encryption routines; every IAT entry obtained this way is valid. Once the script has finished, the IAT can be repaired with ImportREC using OEP=7EBB8, RVA=84164, SIZE=6F0.

The final, complete IAT:

; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag   RVA   ModuleName   Ordinal   Name
;
; Details for <Valid> parameter:
; ------------------------------
; Flag:  0 = valid: no  -> - Name contains the address of the redirected API (you can set
;                            it to zero if you edit it).
;                          - Ordinal is not considered but you should let '0000' as value.
;                          - ModuleName is not considered but you should let '?' as value.
;
;        1 = valid: yes -> All next parameters on the line will be considered.
;                          Function imported by ordinal must have no name (the 4th TAB must
;                                                                          be there though).
;
;        2 = Equivalent to 0 but it is for the loader.
;
;        3 = Equivalent to 1 but it is for the loader.
;
; And finally, edit this file as your own risk! :-)

Target: C:\Documents and Settings\csjwaman\桌面\Project2\Project2.exe
OEP: 0007EBB8  IATRVA: 00084164  IATSize: 000006F0

FThunk: 00084168  NbFunc: 00000022
1  00084168  kernel32.dll  007B  DeleteCriticalSection
1  0008416C  kernel32.dll  023A  LeaveCriticalSection
1  00084170  kernel32.dll  0090  EnterCriticalSection
1  00084174  kernel32.dll  020F  InitializeCriticalSection
1  00084178  kernel32.dll  0367  VirtualFree
1  0008417C  kernel32.dll  0364  VirtualAlloc
1  00084180  kernel32.dll  0245  LocalFree
1  00084184  kernel32.dll  0241  LocalAlloc
1  00084188  kernel32.dll  01D4  GetVersion
1  0008418C  kernel32.dll  0138  GetCurrentThreadId
1  00084190  kernel32.dll  0213  InterlockedDecrement
1  00084194  kernel32.dll  0217  InterlockedIncrement
1  00084198  kernel32.dll  036C  VirtualQuery
1  0008419C  kernel32.dll  0378  WideCharToMultiByte
1  000841A0  kernel32.dll  025E  MultiByteToWideChar
1  000841A4  kernel32.dll  03AC  lstrlen
1  000841A8  kernel32.dll  03A9  lstrcpyn
1  000841AC  kernel32.dll  023C  LoadLibraryExA
1  000841B0  kernel32.dll  01C6  GetThreadLocale
1  000841B4  kernel32.dll  01A6  GetStartupInfoA
1  000841B8  kernel32.dll  0191  GetProcAddress
1  000841BC  kernel32.dll  016F  GetModuleHandleA
1  000841C0  kernel32.dll  016D  GetModuleFileNameA
1  000841C4  kernel32.dll  0165  GetLocaleInfoA
1  000841C8  kernel32.dll  0103  GetCommandLineA
1  000841CC  kernel32.dll  00EA  FreeLibrary
1  000841D0  kernel32.dll  00CA  FindFirstFileA
1  000841D4  kernel32.dll  00C6  FindClose
1  000841D8  kernel32.dll  00B0  ExitProcess
1  000841DC  kernel32.dll  0385  WriteFile
1  000841E0  kernel32.dll  0351  UnhandledExceptionFilter
1  000841E4  kernel32.dll  02BE  RtlUnwind
1  000841E8  kernel32.dll  0290  RaiseException
1  000841EC  kernel32.dll  01A8  GetStdHandle

FThunk: 000841F4  NbFunc: 00000004
1  000841F4  user32.dll  0128  GetKeyboardType
1  000841F8  user32.dll  01C9  LoadStringA
1  000841FC  user32.dll  01DD  MessageBoxA
1  00084200  user32.dll  002B  CharNextA

FThunk: 00084208  NbFunc: 00000003
1  00084208  advapi32.dll  01EC  RegQueryValueExA
1  0008420C  advapi32.dll  01E2  RegOpenKeyExA
1  00084210  advapi32.dll  01C9  RegCloseKey

FThunk: 00084218  NbFunc: 00000003
1  00084218  oleaut32.dll  0006  SysFreeString
1  0008421C  oleaut32.dll  0005  SysReAllocStringLen
1  00084220  oleaut32.dll  0004  SysAllocStringLen

FThunk: 00084228  NbFunc: 00000004
1  00084228  kernel32.dll  0348  TlsSetValue
1  0008422C  kernel32.dll  0347  TlsGetValue
1  00084230  kernel32.dll  0241  LocalAlloc
1  00084234  kernel32.dll  016F  GetModuleHandleA

FThunk: 0008423C  NbFunc: 00000009
1  0008423C  advapi32.dll  01F9  RegSetValueExA
1  00084240  advapi32.dll  01EC  RegQueryValueExA
1  00084244  advapi32.dll  01E7  RegQueryInfoKeyA
1  00084248  advapi32.dll  01E2  RegOpenKeyExA
1  0008424C  advapi32.dll  01DB  RegFlushKey
1  00084250  advapi32.dll  01D6  RegEnumKeyExA
1  00084254  advapi32.dll  01D0  RegDeleteKeyA
1  00084258  advapi32.dll  01CD  RegCreateKeyExA
1  0008425C  advapi32.dll  01C9  RegCloseKey

FThunk: 00084264  NbFunc: 0000004A
1  00084264  kernel32.dll  03A6  lstrcpy
1  00084268  kernel32.dll  0385  WriteFile
1  0008426C  kernel32.dll  0374  WaitForSingleObject
1  00084270  kernel32.dll  036C  VirtualQuery
1  00084274  kernel32.dll  0364  VirtualAlloc
1  00084278  kernel32.dll  0338  Sleep
1  0008427C  kernel32.dll  0337  SizeofResource
1  00084280  kernel32.dll  0327  SetThreadPriority
1  00084284  kernel32.dll  0326  SetThreadLocale
1  00084288  kernel32.dll  0300  SetFilePointer
1  0008428C  kernel32.dll  02FB  SetEvent
1  00084290  kernel32.dll  02FA  SetErrorMode
1  00084294  kernel32.dll  02F7  SetEndOfFile
1  00084298  kernel32.dll  02B6  ResetEvent
1  0008429C  kernel32.dll  029D  ReadFile
1  000842A0  kernel32.dll  025E  MultiByteToWideChar
1  000842A4  kernel32.dll  025D  MulDiv
1  000842A8  kernel32.dll  024E  LockResource
1  000842AC  kernel32.dll  0240  LoadResource
1  000842B0  kernel32.dll  023B  LoadLibraryA
1  000842B4  kernel32.dll  023A  LeaveCriticalSection
1  000842B8  kernel32.dll  020F  InitializeCriticalSection
1  000842BC  kernel32.dll  01F6  GlobalUnlock
1  000842C0  kernel32.dll  01F3  GlobalSize
1  000842C4  kernel32.dll  01F2  GlobalReAlloc
1  000842C8  kernel32.dll  01EE  GlobalHandle
1  000842CC  kernel32.dll  01EF  GlobalLock
1  000842D0  kernel32.dll  01EB  GlobalFree
1  000842D4  kernel32.dll  01E7  GlobalFindAtomA
1  000842D8  kernel32.dll  01E6  GlobalDeleteAtom
1  000842DC  kernel32.dll  01E4  GlobalAlloc
1  000842E0  kernel32.dll  01E2  GlobalAddAtomA
1  000842E4  kernel32.dll  01D5  GetVersionExA
1  000842E8  kernel32.dll  01D4  GetVersion
1  000842EC  kernel32.dll  01CF  GetUserDefaultLCID
1  000842F0  kernel32.dll  01CB  GetTickCount
1  000842F4  kernel32.dll  01C7  GetThreadPriority
1  000842F8  kernel32.dll  01C6  GetThreadLocale
1  000842FC  kernel32.dll  01B2  GetSystemInfo
1  00084300  kernel32.dll  01AA  GetStringTypeExA
1  00084304  kernel32.dll  01A8  GetStdHandle
1  00084308  kernel32.dll  0191  GetProcAddress
1  0008430C  kernel32.dll  016F  GetModuleHandleA
1  00084310  kernel32.dll  016D  GetModuleFileNameA
1  00084314  kernel32.dll  0165  GetLocaleInfoA
1  00084318  kernel32.dll  0164  GetLocalTime
1  0008431C  kernel32.dll  0162  GetLastError
1  00084320  kernel32.dll  015B  GetFullPathNameA
1  00084324  kernel32.dll  013F  GetDiskFreeSpaceA
1  00084328  kernel32.dll  0139  GetDateFormatA
1  0008432C  kernel32.dll  0138  GetCurrentThreadId
1  00084330  kernel32.dll  0137  GetCurrentThread
1  00084334  kernel32.dll  0136  GetCurrentProcessId
1  00084338  kernel32.dll  0107  GetComputerNameA
1  0008433C  kernel32.dll  00F7  GetCPInfo
1  00084340  kernel32.dll  00F0  GetACP
1  00084344  kernel32.dll  00EC  FreeResource
1  00084348  kernel32.dll  0214  InterlockedExchange
1  0008434C  kernel32.dll  00EA  FreeLibrary
1  00084350  kernel32.dll  00E5  FormatMessageA
1  00084354  kernel32.dll  00D9  FindResourceA
1  00084358  kernel32.dll  00CA  FindFirstFileA
1  0008435C  kernel32.dll  00C6  FindClose
1  00084360  kernel32.dll  00BC  FileTimeToLocalFileTime
1  00084364  kernel32.dll  00BB  FileTimeToDosDateTime
1  00084368  kernel32.dll  0091  EnumCalendarInfoA
1  0008436C  kernel32.dll  0090  EnterCriticalSection
1  00084370  kernel32.dll  0084  DeviceIoControl
1  00084374  kernel32.dll  007B  DeleteCriticalSection
1  00084378  kernel32.dll  006A  CreateThread
1  0008437C  kernel32.dll  004E  CreateFileA
1  00084380  kernel32.dll  004A  CreateEventA
1  00084384  kernel32.dll  0036  CompareStringA
1  00084388  kernel32.dll  0030  CloseHandle

FThunk: 00084390  NbFunc: 00000003
1  00084390  version.dll  000B  VerQueryValueA
1  00084394  version.dll  0002  GetFileVersionInfoSizeA
1  00084398  version.dll  0001  GetFileVersionInfoA

FThunk: 000843A0  NbFunc: 00000048
1  000843A0  gdi32.dll  0253  UnrealizeObject
1  000843A4  gdi32.dll  024A  StretchBlt
1  000843A8  gdi32.dll  0244  SetWindowOrgEx
1  000843AC  gdi32.dll  0242  SetWinMetaFileBits
1  000843B0  gdi32.dll  0240  SetViewportOrgEx
1  000843B4  gdi32.dll  023D  SetTextColor
1  000843B8  gdi32.dll  0239  SetStretchBltMode
1  000843BC  gdi32.dll  0236  SetROP2
1  000843C0  gdi32.dll  0232  SetPixel
1  000843C4  gdi32.dll  022C  SetMapMode
1  000843C8  gdi32.dll  0223  SetEnhMetaFileBits
1  000843CC  gdi32.dll  021F  SetDIBColorTable
1  000843D0  gdi32.dll  021A  SetBrushOrgEx
1  000843D4  gdi32.dll  0217  SetBkMode
1  000843D8  gdi32.dll  0216  SetBkColor
1  000843DC  gdi32.dll  0210  SelectPalette
1  000843E0  gdi32.dll  020F  SelectObject
1  000843E4  gdi32.dll  0208  SaveDC
1  000843E8  gdi32.dll  0201  RestoreDC
1  000843EC  gdi32.dll  01F7  Rectangle
1  000843F0  gdi32.dll  01F6  RectVisible
1  000843F4  gdi32.dll  01F4  RealizePalette
1  000843F8  gdi32.dll  01EF  Polyline
1  000843FC  gdi32.dll  01E1  PlayEnhMetaFile
1  00084400  gdi32.dll  01DE  PatBlt
1  00084404  gdi32.dll  01D2  MoveToEx
1  00084408  gdi32.dll  01CF  MaskBlt
1  0008440C  gdi32.dll  01CE  LineTo
1  00084410  gdi32.dll  01CC  LPtoDP
1  00084414  gdi32.dll  01C8  IntersectClipRect
1  00084418  gdi32.dll  01C4  GetWindowOrgEx
1  0008441C  gdi32.dll  01C2  GetWinMetaFileBits
1  00084420  gdi32.dll  01BD  GetTextMetricsA
1  00084424  gdi32.dll  01B5  GetTextExtentPoint32A
1  00084428  gdi32.dll  01AA  GetSystemPaletteEntries
1  0008442C  gdi32.dll  01A6  GetStockObject
1  00084430  gdi32.dll  019D  GetPixel
1  00084434  gdi32.dll  019B  GetPaletteEntries
1  00084438  gdi32.dll  0196  GetObjectA
1  0008443C  gdi32.dll  0176  GetEnhMetaFilePaletteEntries
1  00084440  gdi32.dll  0175  GetEnhMetaFileHeader
1  00084444  gdi32.dll  0173  GetEnhMetaFileDescriptionA
1  00084448  gdi32.dll  0172  GetEnhMetaFileBits
1  0008444C  gdi32.dll  016C  GetDeviceCaps
1  00084450  gdi32.dll  016B  GetDIBits
1  00084454  gdi32.dll  016A  GetDIBColorTable
1  00084458  gdi32.dll  0168  GetDCOrgEx
1  0008445C  gdi32.dll  0166  GetCurrentPositionEx
1  00084460  gdi32.dll  0161  GetClipBox
1  00084464  gdi32.dll  0151  GetBrushOrgEx
1  00084468  gdi32.dll  014B  GetBitmapBits
1  0008446C  gdi32.dll  011C  GdiFlush
1  00084470  gdi32.dll  00DE  ExtTextOutA
1  00084474  gdi32.dll  00D8  ExcludeClipRect
1  00084478  gdi32.dll  0090  DeleteObject
1  0008447C  gdi32.dll  008E  DeleteEnhMetaFile
1  00084480  gdi32.dll  008D  DeleteDC
1  00084484  gdi32.dll  0051  CreateSolidBrush
1  00084488  gdi32.dll  0049  CreatePenIndirect
1  0008448C  gdi32.dll  0046  CreatePalette
1  00084490  gdi32.dll  0040  CreateHalftonePalette
1  00084494  gdi32.dll  003B  CreateFontIndirectA
1  00084498  gdi32.dll  0038  CreateEnhMetaFileA
1  0008449C  gdi32.dll  0034  CreateDIBitmap
1  000844A0  gdi32.dll  0033  CreateDIBSection
1  000844A4  gdi32.dll  002E  CreateCompatibleDC
1  000844A8  gdi32.dll  002D  CreateCompatibleBitmap
1  000844AC  gdi32.dll  002A  CreateBrushIndirect
1  000844B0  gdi32.dll  0028  CreateBitmap
1  000844B4  gdi32.dll  0024  CopyEnhMetaFileA
1  000844B8  gdi32.dll  001D  CloseEnhMetaFile
1  000844BC  gdi32.dll  0013  BitBlt

FThunk: 000844C4  NbFunc: 0000009E
1  000844C4  user32.dll  0061  CreateWindowExA
1  000844C8  user32.dll  02D6  WindowFromPoint
1  000844CC  user32.dll  02D3  WinHelpA
1  000844D0  user32.dll  02D1  WaitMessage
1  000844D4  user32.dll  02BC  UpdateWindow
1  000844D8  user32.dll  02B4  UnregisterClassA
1  000844DC  user32.dll  02AF  UnhookWindowsHookEx
1  000844E0  user32.dll  02AB  TranslateMessage
1  000844E4  user32.dll  02AA  TranslateMDISysAccel
1  000844E8  user32.dll  02A5  TrackPopupMenu
1  000844EC  user32.dll  029A  SystemParametersInfoA
1  000844F0  user32.dll  0293  ShowWindow
1  000844F4  user32.dll  0291  ShowScrollBar
1  000844F8  user32.dll  0290  ShowOwnedPopups
1  000844FC  user32.dll  028F  ShowCursor
1  00084500  user32.dll  028B  SetWindowsHookExA
1  00084504  user32.dll  0287  SetWindowTextA
1  00084508  user32.dll  0284  SetWindowPos
1  0008450C  user32.dll  0283  SetWindowPlacement
1  00084510  user32.dll  0281  SetWindowLongA
1  00084514  user32.dll  027B  SetTimer
1  00084518  user32.dll  0271  SetScrollRange
1  0008451C  user32.dll  0270  SetScrollPos
1  00084520  user32.dll  026F  SetScrollInfo
1  00084524  user32.dll  026D  SetRect
1  00084528  user32.dll  026B  SetPropA
1  0008452C  user32.dll  0267  SetParent
1  00084530  user32.dll  0263  SetMenuItemInfoA
1  00084534  user32.dll  025E  SetMenu
1  00084538  user32.dll  0258  SetForegroundWindow
1  0008453C  user32.dll  0257  SetFocus
1  00084540  user32.dll  024E  SetCursor
1  00084544  user32.dll  0248  SetClassLongA
1  00084548  user32.dll  0245  SetCapture
1  0008454C  user32.dll  0244  SetActiveWindow
1  00084550  user32.dll  023C  SendMessageA
1  00084554  user32.dll  0235  ScrollWindow
1  00084558  user32.dll  0232  ScreenToClient
1  0008455C  user32.dll  022D  RemovePropA
1  00084560  user32.dll  022C  RemoveMenu
1  00084564  user32.dll  022B  ReleaseDC
1  00084568  user32.dll  022A  ReleaseCapture
1  0008456C  user32.dll  021B  RegisterClipboardFormatA
1  00084570  user32.dll  021B  RegisterClipboardFormatA
1  00084574  user32.dll  0217  RegisterClassA
1  00084578  user32.dll  0216  RedrawWindow
1  0008457C  user32.dll  020C  PtInRect
1  00084580  user32.dll  0202  PostQuitMessage
1  00084584  user32.dll  0200  PostMessageA
1  00084588  user32.dll  01FE  PeekMessageA
1  0008458C  user32.dll  01F3  OffsetRect
1  00084590  user32.dll  01EF  OemToCharA
1  00084594  user32.dll  01DD  MessageBoxA
1  00084598  user32.dll  01D8  MapWindowPoints
1  0008459C  user32.dll  01D4  MapVirtualKeyA
1  000845A0  user32.dll  01C9  LoadStringA
1  000845A4  user32.dll  01C0  LoadKeyboardLayoutA
1  000845A8  user32.dll  01BC  LoadIconA
1  000845AC  user32.dll  01B8  LoadCursorA
1  000845B0  user32.dll  01B6  LoadBitmapA
1  000845B4  user32.dll  01B3  KillTimer
1  000845B8  user32.dll  01B1  IsZoomed
1  000845BC  user32.dll  01B0  IsWindowVisible
1  000845C0  user32.dll  01AD  IsWindowEnabled
1  000845C4  user32.dll  01AC  IsWindow
1  000845C8  user32.dll  01A9  IsRectEmpty
1  000845CC  user32.dll  01A7  IsIconic
1  000845D0  user32.dll  01A1  IsDialogMessage
1  000845D4  user32.dll  019F  IsChild
1  000845D8  user32.dll  0194  InvalidateRect
1  000845DC  user32.dll  0193  IntersectRect
1  000845E0  user32.dll  018F  InsertMenuItemA
1  000845E4  user32.dll  018E  InsertMenuA
1  000845E8  user32.dll  018B  InflateRect
1  000845EC  user32.dll  017C  GetWindowThreadProcessId
1  000845F0  user32.dll  0178  GetWindowTextA
1  000845F4  user32.dll  0175  GetWindowRect
1  000845F8  user32.dll  0174  GetWindowPlacement
1  000845FC  user32.dll  016F  GetWindowLongA
1  00084600  user32.dll  016D  GetWindowDC
1  00084604  user32.dll  0164  GetTopWindow
1  00084608  user32.dll  015E  GetSystemMetrics
1  0008460C  user32.dll  015D  GetSystemMenu
1  00084610  user32.dll  015C  GetSysColorBrush
1  00084614  user32.dll  015B  GetSysColor
1  00084618  user32.dll  015A  GetSubMenu
1  0008461C  user32.dll  0158  GetScrollRange
1  00084620  user32.dll  0157  GetScrollPos
1  00084624  user32.dll  0156  GetScrollInfo
1  00084628  user32.dll  014B  GetPropA
1  0008462C  user32.dll  0146  GetParent
1  00084630  user32.dll  016B  GetWindow
1  00084634  user32.dll  013E  GetMessageTime
1  00084638  user32.dll  0139  GetMenuStringA
1  0008463C  user32.dll  0138  GetMenuState
1  00084640  user32.dll  0135  GetMenuItemInfoA
1  00084644  user32.dll  0134  GetMenuItemID
1  00084648  user32.dll  0133  GetMenuItemCount
1  0008464C  user32.dll  012D  GetMenu
1  00084650  user32.dll  0129  GetLastActivePopup
1  00084654  user32.dll  0127  GetKeyboardState
1  00084658  user32.dll  0124  GetKeyboardLayoutList
1  0008465C  user32.dll  0123  GetKeyboardLayout
1  00084660  user32.dll  0122  GetKeyState
1  00084664  user32.dll  0120  GetKeyNameTextA
1  00084668  user32.dll  011B  GetIconInfo
1  0008466C  user32.dll  0118  GetForegroundWindow
1  00084670  user32.dll  0117  GetFocus
1  00084674  user32.dll  010F  GetDesktopWindow
1  00084678  user32.dll  010E  GetDCEx
1  0008467C  user32.dll  010D  GetDC
1  00084680  user32.dll  010C  GetCursorPos
1  00084684  user32.dll  0109  GetCursor
1  00084688  user32.dll  0102  GetClipboardData
1  0008468C  user32.dll  0100  GetClientRect
1  00084690  user32.dll  00FD  GetClassNameA
1  00084694  user32.dll  00F7  GetClassInfoA
1  00084698  user32.dll  00F4  GetCapture
1  0008469C  user32.dll  00EC  GetActiveWindow
1  000846A0  user32.dll  00EA  FrameRect
1  000846A4  user32.dll  00E4  FindWindowA
1  000846A8  user32.dll  00E3  FillRect
1  000846AC  user32.dll  00E0  EqualRect
1  000846B0  user32.dll  00DF  EnumWindows
1  000846B4  user32.dll  00DC  EnumThreadWindows
1  000846B8  user32.dll  00C9  EndPaint
1  000846BC  user32.dll  00C5  EnableWindow
1  000846C0  user32.dll  00C4  EnableScrollBar
1  000846C4  user32.dll  00C3  EnableMenuItem
1  000846C8  user32.dll  00BD  DrawTextA
1  000846CC  user32.dll  00B9  DrawMenuBar
1  000846D0  user32.dll  00B8  DrawIconEx
1  000846D4  user32.dll  00B7  DrawIcon
1  000846D8  user32.dll  00B6  DrawFrameControl
1  000846DC  user32.dll  00B3  DrawEdge
1  000846E0  user32.dll  00A2  DispatchMessageA
1  000846E4  user32.dll  009A  DestroyWindow
1  000846E8  user32.dll  0098  DestroyMenu
1  000846EC  user32.dll  0096  DestroyCursor
1  000846F0  user32.dll  0096  DestroyCursor
1  000846F4  user32.dll  0092  DeleteMenu
1  000846F8  user32.dll  008F  DefWindowProcA
1  000846FC  user32.dll  008C  DefMDIChildProcA
1  00084700  user32.dll  008A  DefFrameProcA
1  00084704  user32.dll  005F  CreatePopupMenu
1  00084708  user32.dll  005E  CreateMenu
1  0008470C  user32.dll  0058  CreateIcon
1  00084710  user32.dll  0041  ClientToScreen
1  00084714  user32.dll  003A  CheckMenuItem
1  00084718  user32.dll  001C  CallWindowProcA
1  0008471C  user32.dll  001B  CallNextHookEx
1  00084720  user32.dll  000E  BeginPaint
1  00084724  user32.dll  002B  CharNextA
1  00084728  user32.dll  0028  CharLowerBuffA
1  0008472C  user32.dll  0027  CharLowerA
1  00084730  user32.dll  0031  CharToOemA
1  00084734  user32.dll  0003  AdjustWindowRectEx
1  00084738  user32.dll  0001  ActivateKeyboardLayout

FThunk: 00084740  NbFunc: 00000001
1  00084740  kernel32.dll  0338  Sleep

FThunk: 00084748  NbFunc: 00000008
1  00084748  oleaut32.dll  0094  SafeArrayPtrOfIndex
1  0008474C  oleaut32.dll  0013  SafeArrayGetUBound
1  00084750  oleaut32.dll  0014  SafeArrayGetLBound
1  00084754  oleaut32.dll  000F  SafeArrayCreate
1  00084758  oleaut32.dll  000C  VariantChangeType
1  0008475C  oleaut32.dll  000A  VariantCopy
1  00084760  oleaut32.dll  0009  VariantClear
1  00084764  oleaut32.dll  0008  VariantInit

FThunk: 0008476C  NbFunc: 0000000D
1  0008476C  ole32.dll  0092  CreateStreamOnHGlobal
1  00084770  ole32.dll  00D6  IsAccelerator
1  00084774  ole32.dll  00F6  OleDraw
1  00084778  ole32.dll  0112  OleSetMenuDescriptor
1  0008477C  ole32.dll  0065  CoTaskMemFree
1  00084780  ole32.dll  0008  CLSIDFromProgID
1  00084784  ole32.dll  0116  ProgIDFromCLSID
1  00084788  ole32.dll  0142  StringFromCLSID
1  0008478C  ole32.dll  0012  CoCreateInstance
1  00084790  ole32.dll  0024  CoGetClassObject
1  00084794  ole32.dll  0069  CoUninitialize
1  00084798  ole32.dll  003B  CoInitialize
1  0008479C  ole32.dll  00D7  IsEqualGUID

FThunk: 000847A4  NbFunc: 00000003
1  000847A4  oleaut32.dll  00C8  GetErrorInfo
1  000847A8  oleaut32.dll  0023  GetActiveObject
1  000847AC  oleaut32.dll  0006  SysFreeString

FThunk: 000847B4  NbFunc: 00000016
1  000847B4  comctl32.dll  004F  ImageList_SetIconSize
1  000847B8  comctl32.dll  003B  ImageList_GetIconSize
1  000847BC  comctl32.dll  0052  ImageList_Write
1  000847C0  comctl32.dll  0043  ImageList_Read
1  000847C4  comctl32.dll  0038  ImageList_GetDragImage
1  000847C8  comctl32.dll  0031  ImageList_DragShowNolock
1  000847CC  comctl32.dll  004C  ImageList_SetDragCursorImage
1  000847D0  comctl32.dll  0030  ImageList_DragMove
1  000847D4  comctl32.dll  002F  ImageList_DragLeave
1  000847D8  comctl32.dll  002E  ImageList_DragEnter
1  000847DC  comctl32.dll  0036  ImageList_EndDrag
1  000847E0  comctl32.dll  002A  ImageList_BeginDrag
1  000847E4  comctl32.dll  0044  ImageList_Remove
1  000847E8  comctl32.dll  0033  ImageList_DrawEx
1  000847EC  comctl32.dll  0032  ImageList_Draw
1  000847F0  comctl32.dll  0037  ImageList_GetBkColor
1  000847F4  comctl32.dll  004B  ImageList_SetBkColor
1  000847F8  comctl32.dll  0046  ImageList_ReplaceIcon
1  000847FC  comctl32.dll  0027  ImageList_Add
1  00084800  comctl32.dll  003C  ImageList_GetImageCount
1  00084804  comctl32.dll  002D  ImageList_Destroy
1  00084808  comctl32.dll  002C  ImageList_Create

FThunk: 00084810  NbFunc: 00000003
1  00084810  wininet.dll  0092  FindNextUrlCacheEntryExA
1  00084814  wininet.dll  008B  FindFirstUrlCacheEntryExA
1  00084818  wininet.dll  0087  FindCloseUrlCache

FThunk: 00084820  NbFunc: 0000000C
1  00084820  wsock32.dll  0074  WSACleanup
1  00084824  wsock32.dll  0073  WSAStartup
1  00084828  wsock32.dll  0065  WSAAsyncSelect
1  0008482C  wsock32.dll  0039  gethostname
1  00084830  wsock32.dll  0034  gethostbyname
1  00084834  wsock32.dll  0017  socket
1  00084838  wsock32.dll  0010  recv
1  0008483C  wsock32.dll  0009  htons
1  00084840  wsock32.dll  000B  inet_ntoa
1  00084844  wsock32.dll  000A  inet_addr
1  00084848  wsock32.dll  0009  htons
1  0008484C  wsock32.dll  0002  bind
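
Before trusting a rebuilt import table it is worth checking the ImportREC tree dump mechanically: every FThunk block should contain exactly NbFunc consecutive 4-byte slots, every slot should carry flag 1 (valid), and every block plus its 4-byte null terminator should fit inside the declared IATRVA/IATSize range. The following Python script is an added example, not part of this write-up and not ImportREC's own code; it parses the "Flag RVA ModuleName Ordinal Name" format described in the header above (accepting any run of whitespace as the separator, since copied dumps lose their tabs) and reports inconsistencies. The two embedded samples are constructed from the header values and a few entries on this page; the redirect address 00A10000 in the second sample is a placeholder.

```python
# Added example: parse an ImportREC tree dump and sanity-check it.
# Assumes a 32-bit IAT (4-byte slots) and the field layout documented
# in the dump header: Flag  RVA  ModuleName  Ordinal  [Name].
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER_RE = re.compile(
    r"^OEP:\s*([0-9A-Fa-f]+)\s+IATRVA:\s*([0-9A-Fa-f]+)\s+IATSize:\s*([0-9A-Fa-f]+)")
FTHUNK_RE = re.compile(r"^FThunk:\s*([0-9A-Fa-f]+)\s+NbFunc:\s*([0-9A-Fa-f]+)")
# Name is optional (imports by ordinal have none); separator is TAB in real
# files but any whitespace is accepted because pasted dumps often lose tabs.
ENTRY_RE = re.compile(
    r"^([0-3])\s+([0-9A-Fa-f]{8})\s+(\S+)\s+([0-9A-Fa-f]{4})(?:\s+(\S+))?\s*$")


@dataclass
class Entry:
    flag: int            # 0/2 = unresolved (Name holds the redirect address), 1/3 = valid
    rva: int
    module: str
    ordinal: int
    name: Optional[str]


@dataclass
class Thunk:
    first_rva: int
    declared_count: int  # the NbFunc value
    entries: List[Entry] = field(default_factory=list)


@dataclass
class IatDump:
    oep: int = 0
    iat_rva: int = 0
    iat_size: int = 0
    thunks: List[Thunk] = field(default_factory=list)


def parse_dump(text: str) -> IatDump:
    """Parse the textual tree; raises ValueError on a line it cannot place."""
    dump = IatDump()
    current: Optional[Thunk] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Target:"):
            continue                      # comments and the target path carry no IAT data
        if m := HEADER_RE.match(line):
            dump.oep, dump.iat_rva, dump.iat_size = (int(x, 16) for x in m.groups())
            continue
        if m := FTHUNK_RE.match(line):
            current = Thunk(int(m.group(1), 16), int(m.group(2), 16))
            dump.thunks.append(current)
            continue
        if m := ENTRY_RE.match(line):
            if current is None:
                raise ValueError(f"line {lineno}: entry before any FThunk")
            flag, rva, module, ordinal, name = m.groups()
            current.entries.append(Entry(int(flag), int(rva, 16), module, int(ordinal, 16), name))
            continue
        raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    return dump


def check_dump(dump: IatDump) -> List[str]:
    """Return a list of findings; an empty list means the dump is self-consistent."""
    problems: List[str] = []
    iat_end = dump.iat_rva + dump.iat_size
    for t in dump.thunks:
        if len(t.entries) != t.declared_count:
            problems.append(f"FThunk {t.first_rva:08X}: NbFunc says {t.declared_count}, "
                            f"found {len(t.entries)} entries")
        expected = t.first_rva
        for e in t.entries:
            if e.rva != expected:         # slots are consecutive 4-byte pointers
                problems.append(f"FThunk {t.first_rva:08X}: entry {e.rva:08X} breaks the "
                                f"4-byte sequence (expected {expected:08X})")
            expected = e.rva + 4
            if e.flag in (0, 2):          # ImportREC could not resolve this slot
                problems.append(f"unresolved slot {e.rva:08X} (redirect target {e.name})")
        # each block ends with a 4-byte null terminator; the whole block must fit in the IAT
        if t.first_rva < dump.iat_rva or expected + 4 > iat_end:
            problems.append(f"FThunk {t.first_rva:08X} lies outside the declared IAT "
                            f"[{dump.iat_rva:08X}, {iat_end:08X})")
    return problems


# Constructed sample in the same format as the dump above (header values and
# entries taken from it, shortened to two blocks).
SAMPLE_OK = """\
Target: C:\\Project2\\Project2.exe
OEP: 0007EBB8  IATRVA: 00084164  IATSize: 000006F0

FThunk: 00084168  NbFunc: 00000002
1  00084168  kernel32.dll  007B  DeleteCriticalSection
1  0008416C  kernel32.dll  023A  LeaveCriticalSection

FThunk: 00084174  NbFunc: 00000001
1  00084174  user32.dll  01DD  MessageBoxA
"""

# Constructed bad sample: NbFunc is wrong and one slot is still redirected
# (flag 0, placeholder redirect address 00A10000).
SAMPLE_BAD = """\
OEP: 0007EBB8  IATRVA: 00084164  IATSize: 000006F0
FThunk: 00084168  NbFunc: 00000003
1  00084168  kernel32.dll  007B  DeleteCriticalSection
0  0008416C  ?  0000  00A10000
"""

if __name__ == "__main__":
    print("good sample:", check_dump(parse_dump(SAMPLE_OK)) or "no problems")
    print("bad sample:", check_dump(parse_dump(SAMPLE_BAD)))
```

On a real dump, `check_dump(parse_dump(open("iat.txt").read()))` returning an empty list means every block is well-formed. Slots the packer still redirects are exactly the ones ImportREC leaves at flag 0, so the check doubles as a test that the skip-script handled all of the encrypted entries (here the six DLLs and MessageBoxA/MessageBoxW).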

III. Unpacking summary

  Learn to make more use of scripts.