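Super Excel File Recovery Software 2.5: Unpacking, Step One
This post was last edited by kGe on 2013-12-21 00:15
Super Excel File Recovery Software (ExcelRebuild spreadsheet fragment reassembly and recovery software) V2.5
Excel spreadsheet fragment recovery software, used to recover badly damaged spreadsheet files on hard disks and USB drives.
Click for details / direct download: http://www.dataexplore.net/software/excelrebuild.exe
DIE detection result: Themida/Winlicense (2.X)
Entry point (EP):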
0088C000 >83EC 04 SUB ESP,0x4
0088C003 50 PUSH EAX
0088C004 53 PUSH EBX
0088C005 E8 01000000 CALL excelreb.0088C00B
Identified as standard TMD 2.0++
Load the LCF script and run it to completion to reach the near OEP.
Then we trace back to the real OEP address:
004593D0 C5DD LDS EBX,EBP ; Illegal use of register
004593D2 1C A5 SBB AL,0xA5
004593D4 41 INC ECX ; winhlp32.03760000
004593D5 92 XCHG EAX,EDX ; ntdll.KiFastSystemCallRet
After manual restoration we get:
004593D0 >6A 60 PUSH 0x60
004593D2 68 90024900 PUSH excelreb.00490290
004593D7 E8 E8300000 CALL excelreb.0045C4C4
004593DC BF 94000000 MOV EDI,0x94
004593E1 8BC7 MOV EAX,EDI ; ntdll.7C930228
004593E3 E8 08130000 CALL excelreb.0045A6F0
004593E8 8965 E8 MOV DWORD PTR SS:[EBP-0x18],ESP
004593EB 8BF4 MOV ESI,ESP
004593ED 893E MOV DWORD PTR DS:[ESI],EDI ; ntdll.7C930228
004593EF 56 PUSH ESI
004593F0 FF15 9C724800 CALL DWORD PTR DS:[<&kernel32.GetVersionExA>] ; kernel32.GetVersionExA
004593F6 8B4E 10 MOV ECX,DWORD PTR DS:[ESI+0x10]
004593F9 890D C4094B00 MOV DWORD PTR DS:[0x4B09C4],ECX
004593FF 8B46 04 MOV EAX,DWORD PTR DS:[ESI+0x4]
00459402 A3 D0094B00 MOV DWORD PTR DS:[0x4B09D0],EAX
00459407 8B56 08 MOV EDX,DWORD PTR DS:[ESI+0x8]
0045940A 8915 D4094B00 MOV DWORD PTR DS:[0x4B09D4],EDX ; ntdll.KiFastSystemCallRet
00459410 8B76 0C MOV ESI,DWORD PTR DS:[ESI+0xC]
00459413 81E6 FF7F0000 AND ESI,0x7FFF
00459419 8935 C8094B00 MOV DWORD PTR DS:[0x4B09C8],ESI
0045941F 83F9 02 CMP ECX,0x2
00459422 74 0C JE SHORT excelreb.00459430
00459424 81CE 00800000 OR ESI,0x8000
0045942A 8935 C8094B00 MOV DWORD PTR DS:[0x4B09C8],ESI
00459430 C1E0 08 SHL EAX,0x8
00459433 03C2 ADD EAX,EDX ; ntdll.KiFastSystemCallRet
00459435 A3 CC094B00 MOV DWORD PTR DS:[0x4B09CC],EAX
0045943A 33F6 XOR ESI,ESI
0045943C 56 PUSH ESI
0045943D 8B3D 88724800 MOV EDI,DWORD PTR DS:[<&kernel32.GetModuleHandleA>] ; kernel32.GetModuleHandleA
00459443 FFD7 CALL EDI ; ntdll.7C930228
00459445 66:8138 4D5A CMP WORD PTR DS:[EAX],0x5A4D
----------------------------------------------------
Attached IAT table:
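Dumped this way it barely runs, but the HWID call has been virtualized (VM); I'll research that and open a new thread.
excelrebuild unpacked by kGe.exe: My OO group: [posting QQ group info and the like is prohibited]. Everyone is welcome to study "resistance + secret" packers together; when the discussion is over I hope everyone posts their own research notes on the forum, so we can encourage each other and advance together.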
-------------------------------------------------------------------------
http://url.cn/S93usk
Of course, please see: http://www.52pojie.cn/thread-202642-1-1.html to calm down.
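I'm quite lost. How long has the OP been studying?
Hmm, not bad...
VM restoration remains to be discussed.
The OP is a real expert!
Not long. May I ask the poster above whether the file I dumped runs on your OS platform?
Keep it up, OP, this is exactly the software I need, thanks!
kGe posted on 2013-12-20 11:05:
Not long. May I ask the poster above whether the file I dumped runs on your OS platform?
It won't open under XP. Double-clicking gives no reaction at all.
Requesting the cracked file to study.
Thanks to the OP for sharing.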