kGe
Posted on 2013-12-19 16:31
This post was last edited by kGe on 2013-12-21 00:15
Super-strong Excel file recovery software (ExcelRebuild spreadsheet fragment reassembly recovery software) V2.5
Excel spreadsheet fragment recovery software, used to recover badly damaged spreadsheet files on hard disks and USB drives
Click for details / direct download: http://www.dataexplore.net/software/excelrebuild.exe
DIE detection result: Themida/WinLicense (2.X)
EP entry:
0088C000 > 83EC 04 SUB ESP,0x4
0088C003 50 PUSH EAX
0088C004 53 PUSH EBX
0088C005 E8 01000000 CALL excelreb.0088C00B
Identification criterion: TMD 2.0++
Load the LCF script and let it run to completion to get the near OEP
Then we trace back to the real OEP address:
004593D0 C5DD LDS EBX,EBP ; Illegal use of register
004593D2 1C A5 SBB AL,0xA5
004593D4 41 INC ECX ; winhlp32.03760000
004593D5 92 XCHG EAX,EDX ; ntdll.KiFastSystemCallRet
After manual restoration we get:
004593D0 > 6A 60 PUSH 0x60
004593D2 68 90024900 PUSH excelreb.00490290
004593D7 E8 E8300000 CALL excelreb.0045C4C4
004593DC BF 94000000 MOV EDI,0x94
004593E1 8BC7 MOV EAX,EDI ; ntdll.7C930228
004593E3 E8 08130000 CALL excelreb.0045A6F0
004593E8 8965 E8 MOV DWORD PTR SS:[EBP-0x18],ESP
004593EB 8BF4 MOV ESI,ESP
004593ED 893E MOV DWORD PTR DS:[ESI],EDI ; ntdll.7C930228
004593EF 56 PUSH ESI
004593F0 FF15 9C724800 CALL DWORD PTR DS:[<&kernel32.GetVersionExA>] ; kernel32.GetVersionExA
004593F6 8B4E 10 MOV ECX,DWORD PTR DS:[ESI+0x10]
004593F9 890D C4094B00 MOV DWORD PTR DS:[0x4B09C4],ECX
004593FF 8B46 04 MOV EAX,DWORD PTR DS:[ESI+0x4]
00459402 A3 D0094B00 MOV DWORD PTR DS:[0x4B09D0],EAX
00459407 8B56 08 MOV EDX,DWORD PTR DS:[ESI+0x8]
0045940A 8915 D4094B00 MOV DWORD PTR DS:[0x4B09D4],EDX ; ntdll.KiFastSystemCallRet
00459410 8B76 0C MOV ESI,DWORD PTR DS:[ESI+0xC]
00459413 81E6 FF7F0000 AND ESI,0x7FFF
00459419 8935 C8094B00 MOV DWORD PTR DS:[0x4B09C8],ESI
0045941F 83F9 02 CMP ECX,0x2
00459422 74 0C JE SHORT excelreb.00459430
00459424 81CE 00800000 OR ESI,0x8000
0045942A 8935 C8094B00 MOV DWORD PTR DS:[0x4B09C8],ESI
00459430 C1E0 08 SHL EAX,0x8
00459433 03C2 ADD EAX,EDX ; ntdll.KiFastSystemCallRet
00459435 A3 CC094B00 MOV DWORD PTR DS:[0x4B09CC],EAX
0045943A 33F6 XOR ESI,ESI
0045943C 56 PUSH ESI
0045943D 8B3D 88724800 MOV EDI,DWORD PTR DS:[<&kernel32.GetModuleHandleA>] ; kernel32.GetModuleHandleA
00459443 FFD7 CALL EDI ; ntdll.7C930228
00459445 66:8138 4D5A CMP WORD PTR DS:[EAX],0x5A4D
----------------------------------------------------
Attached IAT table:
00487000 >77DAD5E4 advapi32.RegEnumKeyW
00487004 >77DB559B advapi32.RegDeleteKeyW
00487008 >77DA7946 advapi32.RegOpenKeyW
0048700C >77DAD767 advapi32.RegSetValueExW
00487010 >77DA6FFF advapi32.RegQueryValueExW
00487014 >77DA776C advapi32.RegCreateKeyExW
00487018 >77DA6AAF advapi32.RegOpenKeyExW
0048701C >77DAD87A advapi32.RegQueryValueW
00487020 >77DA6C27 advapi32.RegCloseKey
00487024 00000000
00487028 >5D1B4848 comctl32.ImageList_LoadImageW
0048702C >5D180205 comctl32.ImageList_Create
00487030 >5D1803D8 comctl32.ImageList_Destroy
00487034 >5D18DFF1 comctl32.ImageList_Draw
00487038 >5D17C7F4 comctl32.ImageList_ReplaceIcon
0048703C >5D1765CF comctl32.InitCommonControls
00487040 00000000
00487044 >77EF941F gdi32.SetMapMode
00487048 >77EF90EC gdi32.ExcludeClipRect
0048704C >77EFD997 gdi32.LineTo
00487050 >77EFA21A gdi32.MoveToEx
00487054 >77EF7AA0 gdi32.SelectClipRgn
00487058 >77EF7CF1 gdi32.GetViewportExtEx
0048705C >77EF7C79 gdi32.GetWindowExtEx
00487060 >77F26807 gdi32.PtVisible
00487064 >77EF821B gdi32.RectVisible
00487068 >77EF7EAC gdi32.TextOutW
0048706C >77EF8086 gdi32.ExtTextOutW
00487070 >77F06F5A gdi32.Escape
00487074 >77EF7B4C gdi32.SetViewportOrgEx
00487078 >77EFC016 gdi32.OffsetViewportOrgEx
0048707C >77F0737D gdi32.SetViewportExtEx
00487080 >77F1D5CD gdi32.ScaleViewportExtEx
00487084 >77F072D4 gdi32.SetWindowExtEx
00487088 >77EF7874 gdi32.ExtSelectClipRgn
0048708C >77EF6E5F gdi32.DeleteDC
00487090 >77EFACC8 gdi32.CreatePatternBrush
00487094 >77F24C7F gdi32.CreateHatchBrush
00487098 >77EF827C gdi32.CreateRectRgnIndirect
0048709C >77EF869B gdi32.PatBlt
004870A0 >77EF975E gdi32.SetRectRgn
004870A4 >77EF95E7 gdi32.CombineRgn
004870A8 >77EF8EEC gdi32.GetMapMode
004870AC >77EF8F5B gdi32.GetBkColor
004870B0 >77EF8FAF gdi32.GetTextColor
004870B4 >77EFD6E9 gdi32.GetRgnBox
004870B8 >77EFA8BA gdi32.CreatePolygonRgn
004870BC >77EFB009 gdi32.CreateFontW
004870C0 >77EF5D77 gdi32.SetTextColor
004870C4 >77EF5EDB gdi32.SetBkMode
004870C8 >77EF7786 gdi32.CreateRectRgn
004870CC >77EF61A5 gdi32.CreateSolidBrush
004870D0 >77EF7F9D gdi32.GetTextExtentPoint32W
004870D4 >77EFB6D0 gdi32.StretchBlt
004870D8 >77EF6F79 gdi32.BitBlt
004870DC >77EFE9BE gdi32.Rectangle
004870E0 >77EFBF87 gdi32.FrameRgn
004870E4 >77EF5B70 gdi32.SelectObject
004870E8 >77EF5FE0 gdi32.CreateCompatibleDC
004870EC >77EF700A gdi32.CreateCompatibleBitmap
004870F0 >77EF8B28 gdi32.RestoreDC
004870F4 >77EF8BEE gdi32.SaveDC
004870F8 >77EF61EF gdi32.CreateBitmap
004870FC >77EF5E29 gdi32.SetBkColor
00487100 >77EF6AA1 gdi32.GetClipBox
00487104 >77EF5A71 gdi32.GetDeviceCaps
00487108 >77EF833D gdi32.GetCurrentObject
0048710C >77EFE01B gdi32.FillRgn
00487110 >77EFA155 gdi32.CreatePen
00487114 >77EF61C1 gdi32.GetStockObject
00487118 >77EFBFF5 gdi32.CreateRoundRectRgn
0048711C >77EF6BFA gdi32.DeleteObject
00487120 >77EF83B3 gdi32.GetObjectW
00487124 >77F1D6AE gdi32.ScaleWindowExtEx
00487128 >77EF939E gdi32.CreateFontIndirectW
0048712C 00000000
00487130 >7C810C89 kernel32.GetStdHandle
00487134 >7C80B56F kernel32.GetModuleFileNameA
00487138 >7C86461A kernel32.UnhandledExceptionFilter
0048713C >7C81DDE7 kernel32.FreeEnvironmentStringsA
00487140 >7C81D38B kernel32.GetEnvironmentStringsA
00487144 >7C81583F kernel32.FreeEnvironmentStringsW
00487148 >7C810C58 kernel32.GetEnvironmentStringsW
0048714C >7C810C6D kernel32.GetCommandLineA
00487150 >7C81771B kernel32.GetCommandLineW
00487154 >7C80CD37 kernel32.SetHandleCount
00487158 >7C8113C9 kernel32.GetFileType
0048715C >7C801EF2 kernel32.GetStartupInfoA
00487160 >7C811470 kernel32.HeapDestroy
00487164 >7C810908 kernel32.HeapCreate
00487168 >7C809B84 kernel32.VirtualFree
0048716C >7C8099C0 kernel32.GetCurrentProcessId
00487170 >7C809F19 kernel32.IsBadWritePtr
00487174 >7C838DD0 kernel32.LCMapStringA
00487178 >7C80CD48 kernel32.LCMapStringW
0048717C >7C8449B5 kernel32.SetUnhandledExceptionFilter
00487180 >7C81419F kernel32.GetTimeZoneInformation
00487184 >7C812D1F kernel32.GetOEMCP
00487188 >7C810BC6 kernel32.GetCPInfo
0048718C >7C8389F4 kernel32.GetStringTypeA
00487190 >7C80A530 kernel32.GetStringTypeW
00487194 >7C809EA1 kernel32.IsBadReadPtr
00487198 >7C80BD6F kernel32.IsBadCodePtr
0048719C >7C9304DD ntdll.RtlSizeHeap
004871A0 >7C81DA73 kernel32.SetStdHandle
004871A4 >7C80D117 kernel32.CompareStringA
004871A8 >7C80A3FE kernel32.CompareStringW
004871AC >7C833E58 kernel32.SetEnvironmentVariableA
004871B0 >7C810707 kernel32.CreateThread
004871B4 >7C80C0F8 kernel32.ExitThread
004871B8 >7C801E1A kernel32.TerminateProcess
004871BC >7C80BA71 kernel32.VirtualQuery
004871C0 >7C810AA6 kernel32.GetSystemInfo
004871C4 >7C809AF1 kernel32.VirtualAlloc
004871C8 >7C801AD4 kernel32.VirtualProtect
004871CC >7C938477 ntdll.RtlReAllocateHeap
004871D0 >7C8017E9 kernel32.GetSystemTimeAsFileTime
004871D4 >7C9300C4 ntdll.RtlAllocateHeap
004871D8 >7C92FF2D ntdll.RtlFreeHeap
004871DC >7C81D20A kernel32.ExitProcess
004871E0 >7C94AA79 ntdll.RtlUnwind
004871E4 >7C801E54 kernel32.GetStartupInfoW
004871E8 >7C8325FD kernel32.GetFileTime
004871EC >7C80ACAF kernel32.SetErrorMode
004871F0 >7C81F62B kernel32.TlsFree
004871F4 >7C8133E0 kernel32.LocalReAlloc
004871F8 >7C809C65 kernel32.TlsSetValue
004871FC >7C810AEF kernel32.TlsAlloc
00487200 >7C8097E0 kernel32.TlsGetValue
00487204 >7C813D9D kernel32.GlobalHandle
00487208 >7C812931 kernel32.GlobalReAlloc
0048720C >7C809A2D kernel32.LocalAlloc
00487210 >7C83675A kernel32.GlobalFlags
00487214 >7C820574 kernel32.WritePrivateProfileStringW
00487218 >7C80B8F2 kernel32.GetFullPathNameW
0048721C >7C80EE7D kernel32.FindFirstFileW
00487220 >7C80EE9C kernel32.FindClose
00487224 >7C80DE9E kernel32.DuplicateHandle
00487228 >7C832A26 kernel32.SetEndOfFile
0048722C >7C832C9C kernel32.UnlockFile
00487230 >7C832D41 kernel32.LockFile
00487234 >7C812BB9 kernel32.FlushFileBuffers
00487238 >7C8112FF kernel32.WriteFile
0048723C >7C80AA36 kernel32.lstrcmpiW
00487240 >7C80A749 kernel32.CreateEventW
00487244 >7C83971A kernel32.SuspendThread
00487248 >7C80A0B7 kernel32.SetEvent
0048724C >7C802530 kernel32.WaitForSingleObject
00487250 >7C8332D7 kernel32.ResumeThread
00487254 >7C80C1A8 kernel32.SetThreadPriority
00487258 >7C80998B kernel32.GetCurrentThread
0048725C >7C8383B7 kernel32.ConvertDefaultLocale
00487260 >7C811752 kernel32.GetVersion
00487264 >7C860CE9 kernel32.EnumResourceLanguagesW
00487268 >7C811ADA kernel32.GetLocaleInfoW
0048726C >7C80B475 kernel32.GetModuleFileNameW
00487270 >7C92FE30 ntdll.RtlSetLastWin32Error
00487274 >7C80FDFD kernel32.GlobalAlloc
00487278 >7C80BA8F kernel32.lstrcpynW
0048727C >7C81013C kernel32.GlobalAddAtomW
00487280 >7C813F77 kernel32.GlobalFindAtomW
00487284 >7C813673 kernel32.GlobalDeleteAtom
00487288 >7C80B741 kernel32.GetModuleHandleA
0048728C >7C801D7B kernel32.LoadLibraryA
00487290 >7C80AA6C kernel32.lstrcmpW
00487294 >7C80E4DD kernel32.GetModuleHandleW
00487298 >7C80AE40 kernel32.GetProcAddress
0048729C >7C810830 kernel32.GetVersionExA
004872A0 >7C80FFE9 kernel32.GlobalLock
004872A4 >7C80FF52 kernel32.GlobalUnlock
004872A8 >7C80FCFF kernel32.GlobalFree
004872AC >7C80DE95 kernel32.GetCurrentProcess
004872B0 >7C80B7EC kernel32.GetFileAttributesW
004872B4 >7C80E906 kernel32.FileTimeToLocalFileTime
004872B8 >7C80E88C kernel32.FileTimeToSystemTime
004872BC >7C83556F kernel32.FormatMessageW
004872C0 >7C8099CF kernel32.LocalFree
004872C4 >7C80BE56 kernel32.lstrlenA
004872C8 >7C9210E0 ntdll.RtlLeaveCriticalSection
004872CC >7C921000 ntdll.RtlEnterCriticalSection
004872D0 >7C809866 kernel32.MulDiv
004872D4 >7C8277EA kernel32.FreeResource
004872D8 >7C8097D0 kernel32.GetCurrentThreadId
004872DC >7C832DB2 kernel32.CreateDirectoryW
004872E0 >7C83207F kernel32.GetComputerNameW
004872E4 >7C809806 kernel32.InterlockedIncrement
004872E8 >7C80981A kernel32.InterlockedDecrement
004872EC >7C93137A ntdll.RtlDeleteCriticalSection
004872F0 >7C809F91 kernel32.InitializeCriticalSection
004872F4 >7C812F81 kernel32.RaiseException
004872F8 >7C802446 kernel32.Sleep
004872FC >7C80934A kernel32.GetTickCount
00487300 >7C80B370 kernel32.GetDriveTypeW
00487304 >7C80AE1B kernel32.GetWindowsDirectoryW
00487308 >7C80AEEB kernel32.LoadLibraryW
0048730C >7C80AC7E kernel32.FreeLibrary
00487310 >7C8114AA kernel32.lstrcatW
00487314 >7C862B5D kernel32.WinExec
00487318 >7C80BB04 kernel32.lstrcpyW
0048731C >7C810CD9 kernel32.CreateFileW
00487320 >7C801629 kernel32.DeviceIoControl
00487324 >7C812D7B kernel32.GetDiskFreeSpaceExW
00487328 >7C80FAB5 kernel32.GetVolumeInformationW
0048732C >7C810FEF kernel32.GetFileSize
00487330 >7C809BE7 kernel32.CloseHandle
00487334 >7C809C98 kernel32.MultiByteToWideChar
00487338 >7C811106 kernel32.SetFilePointer
0048733C >7C801812 kernel32.ReadFile
00487340 >7C809AA9 kernel32.lstrlenW
00487344 >7C80A174 kernel32.WideCharToMultiByte
00487348 >7C80BD09 kernel32.SizeofResource
0048734C >7C92FE21 ntdll.RtlGetLastWin32Error
00487350 >7C80AF05 kernel32.GetVersionExW
00487354 >7C80A4B5 kernel32.GetThreadLocale
00487358 >7C80D302 kernel32.GetLocaleInfoA
0048735C >7C8099B5 kernel32.GetACP
00487360 >7C80982E kernel32.InterlockedExchange
00487364 >7C80A4C7 kernel32.QueryPerformanceCounter
00487368 >7C831146 kernel32.QueryPerformanceFrequency
0048736C >7C80BC6E kernel32.FindResourceW
00487370 >7C80A055 kernel32.LoadResource
00487374 >7C80CD37 kernel32.SetHandleCount
00487378 00000000
0048737C >762F117F msimg32.GradientFill
00487380 00000000
00487384 >770F4C7E oleaut32.SysStringLen
00487388 >770F4880 oleaut32.SysFreeString
0048738C >770F4980 oleaut32.VariantInit
00487390 >770F6C03 oleaut32.VariantChangeType
00487394 >770F4920 oleaut32.VariantClear
00487398 >770F4BA7 oleaut32.SysAllocStringLen
0048739C >770F5017 oleaut32.SafeArrayDestroy
004873A0 >77105735 oleaut32.SystemTimeToVariantTime
004873A4 >770F4C05 oleaut32.SysAllocString
004873A8 >77114B04 oleaut32.OleCreateFontIndirect
004873AC >770F4D6F oleaut32.VariantCopy
004873B0 00000000
004873B4 >7D5C0A84 shell32.SHGetPathFromIDListW
004873B8 >7D697545 shell32.SHBrowseForFolderW
004873BC >7D5BF1FB shell32.SHGetSpecialFolderLocation
004873C0 >7D5FB50D shell32.SHGetMalloc
004873C4 >7D68614D shell32.ShellExecuteW
004873C8 00000000
004873CC >77F47087 shlwapi.PathFindFileNameW
004873D0 >77F48405 shlwapi.PathStripToRootW
004873D4 >77F46869 shlwapi.PathFindExtensionW
004873D8 >77F46E7F shlwapi.PathIsUNCW
004873DC 00000000
004873E0 >77D1AF34 user32.RegisterWindowMessageW
004873E4 >77D61BD4 user32.WinHelpW
004873E8 >77D2D0A3 user32.CreateWindowExW
004873EC >77D2820F user32.SetWindowsHookExW
004873F0 >77D2B3C6 user32.CallNextHookEx
004873F4 >77D1DEBC user32.GetClassInfoExW
004873F8 >77D29AE9 user32.GetClassLongW
004873FC >77D29D12 user32.GetClassNameW
00487400 >77D2C0B9 user32.SetPropW
00487404 >77D294B3 user32.GetPropW
00487408 >77D2C076 user32.RemovePropW
0048740C >77D273CC user32.SendDlgItemMessageW
00487410 >77D3C2E7 user32.SendDlgItemMessageA
00487414 >77D298C8 user32.GetFocus
00487418 >77D2B112 user32.SetFocus
0048741C >77D1970E user32.IsChild
00487420 >77D27836 user32.GetWindowTextLengthW
00487424 >77D29823 user32.GetForegroundWindow
00487428 >77D3157A user32.GetLastActivePopup
0048742C >77D2F25B user32.GetTopWindow
00487430 >77D2D5F3 user32.UnhookWindowsHookEx
00487434 >77D29DE0 user32.GetMessageTime
00487438 >77D1929B user32.PeekMessageW
0048743C >77D6531E user32.TrackPopupMenu
00487440 >77D2F787 user32.GetScrollRange
00487444 >77D2F750 user32.SetScrollPos
00487448 >77D2F704 user32.GetScrollPos
0048744C >77D242ED user32.SetForegroundWindow
00487450 >77D314BA user32.GetMenu
00487454 >77D4F1C8 user32.GetMenuItemID
00487458 >77D2EF1C user32.GetMenuItemCount
0048745C >77D2E7EA user32.AdjustWindowRectEx
00487460 >77D2DFE2 user32.GetScrollInfo
00487464 >77D19056 user32.SetScrollInfo
00487468 >77D2E81E user32.GetClassInfoW
0048746C >77D1A39A user32.RegisterClassW
00487470 >77D2AF1B user32.GetDlgCtrlID
00487474 >77D28D20 user32.DefWindowProcW
00487478 >77D2A01E user32.CallWindowProcW
0048747C >77D299F3 user32.SetWindowPos
00487480 >77D28F1F user32.IntersectRect
00487484 >77D2DEB2 user32.SystemParametersInfoA
00487488 >77D303C7 user32.GetWindowPlacement
0048748C >77D29655 user32.GetWindow
00487490 >77D2D1D2 user32.GetDesktopWindow
00487494 >77D2C2E8 user32.GetActiveWindow
00487498 >77D27822 user32.SetActiveWindow
0048749C >77D3F01F user32.CreateDialogIndirectParamW
004874A0 >77D2436E user32.GetDlgItem
004874A4 >77D2977A user32.IsWindowEnabled
004874A8 >77D237C3 user32.GetNextDlgTabItem
004874AC >77D24A4E user32.EndDialog
004874B0 >77D66534 user32.MessageBoxW
004874B4 >77D28FE9 user32.BeginPaint
004874B8 >77D191C6 user32.GetMessageW
004874BC >77D18A01 user32.DispatchMessageW
004874C0 >77D2AEAB user32.UpdateWindow
004874C4 >77D20242 user32.LoadBitmapW
004874C8 >77D29E81 user32.EqualRect
004874CC >77D2974E user32.GetCursorPos
004874D0 >77D2EB48 user32.LoadMenuW
004874D4 >77D1F716 user32.RemoveMenu
004874D8 >77D2D896 user32.GetSubMenu
004874DC >77D28FFD user32.EndPaint
004874E0 >77D1A9B6 user32.wsprintfW
004874E4 >77D2929A user32.SendMessageW
004874E8 >77D29849 user32.EnableWindow
004874EC >77D29ED9 user32.GetKeyState
004874F0 >77D2E528 user32.SetWindowRgn
004874F4 >77D29011 user32.OffsetRect
004874F8 >77D290B4 user32.GetWindowRect
004874FC >77D245BB user32.DrawStateW
00487500 >77D29930 user32.SetCursor
00487504 >77D2A042 user32.CopyRect
00487508 >77D29719 user32.PtInRect
0048750C >77D298D5 user32.InflateRect
00487510 >77D29C2F user32.FillRect
00487514 >77D2A5CD user32.GetWindowTextW
00487518 >77D2D7E2 user32.DrawTextW
0048751C >77D19021 user32.GetWindowDC
00487520 >77D19AA4 user32.UnregisterClassW
00487524 >77D2E8BC user32.LoadIconW
00487528 >77D29E3D user32.IsWindowVisible
0048752C >77D18F9C user32.GetSystemMetrics
00487530 >77D29C8A user32.IsZoomed
00487534 >77D297FF user32.IsIconic
00487538 >77D2B222 user32.GetSystemMenu
0048753C >77D232BA user32.AppendMenuW
00487540 >77D3D06C user32.DrawIcon
00487544 >77D2C2BB user32.SetWindowLongW
00487548 >77D19D69 user32.LoadCursorW
0048754C >77D27424 user32.IsDialogMessageW
00487550 >77D2960E user32.SetWindowTextW
00487554 >77D2B29E user32.MoveWindow
00487558 >77D2AF56 user32.ShowWindow
0048755C >77D502F9 user32.GetMenuCheckMarkDimensions
00487560 >77D31ABD user32.CheckMenuItem
00487564 >77D1F967 user32.GetMenuState
00487568 >77D1DE72 user32.CopyIcon
0048756C >77D31F7B user32.MessageBeep
00487570 >77D29507 user32.MapWindowPoints
00487574 >77D19F06 user32.SystemParametersInfoW
00487578 >77D18E78 user32.GetSysColor
0048757C >77D29313 user32.IsWindow
00487580 >77D2996C user32.GetMessagePos
00487584 >77D2C37A user32.ReleaseCapture
00487588 >77D2D427 user32.GetIconInfo
0048758C >77D277B8 user32.PostThreadMessageW
00487590 >77D188A6 user32.GetWindowLongW
00487594 >77D2910F user32.GetParent
00487598 >77D2C35E user32.SetCapture
0048759C >77D1F51F user32.ModifyMenuW
004875A0 >77D4FAB2 user32.SetMenuItemBitmaps
004875A4 >77D5A5B6 user32.TabbedTextOutW
004875A8 >77D2B415 user32.DrawTextExW
004875AC >77D2B19C user32.DestroyWindow
004875B0 >77D55B35 user32.GrayStringW
004875B4 >77D2D2C4 user32.EnableMenuItem
004875B8 >77D18CCB user32.PostMessageW
004875BC >77D2908E user32.GetClientRect
004875C0 >77D29B60 user32.ClientToScreen
004875C4 >77D297A0 user32.ScreenToClient
004875C8 >77D186C7 user32.GetDC
004875CC >77D1869D user32.ReleaseDC
004875D0 >77D28FD5 user32.InvalidateRect
004875D4 >77D18C2E user32.SetTimer
004875D8 >77D18C42 user32.KillTimer
004875DC >77D194DA user32.GetCapture
004875E0 >77D2D39D user32.DestroyMenu
004875E4 >77D29766 user32.WindowFromPoint
004875E8 >77D2CA5A user32.PostQuitMessage
004875EC >77D2FBBD user32.ValidateRect
004875F0 >77D18BF6 user32.TranslateMessage
004875F4 >77D1AF34 user32.RegisterWindowMessageW
004875F8 >77D5BF27 user32.GetNextDlgGroupItem
004875FC >77D2CDFE user32.InvalidateRgn
00487600 >77D4FC5E user32.CopyAcceleratorTableW
00487604 >77D28FA6 user32.SetRect
00487608 >77D298FE user32.IsRectEmpty
0048760C >77D2B1B0 user32.CharNextW
00487610 >77D18EAB user32.GetSysColorBrush
00487614 >77D3FDD9 user32.SetWindowContextHelpId
00487618 >77D5BE4C user32.MapDialogRect
0048761C >77D190D2 user32.CharUpperW
00487620 >77D3FDC5 user32.ClipCursor
00487624 00000000
00487628 >72F769C5 winspool.DocumentPropertiesW
0048762C >72F75091 winspool.OpenPrinterW
00487630 >72F74D40 winspool.ClosePrinter
00487634 00000000
00487638 >76322306 comdlg32.GetFileTitleW
0048763C >76337B9D comdlg32.GetOpenFileNameW
00487640 >76337C2B comdlg32.GetSaveFileNameW
00487644 00000000
00487648 >769F57EC ole32.StgCreateDocfileOnILockBytes
0048764C >769F56BC ole32.CreateILockBytesOnHGlobal
00487650 >769E327F ole32.OleUninitialize
00487654 >769DFC01 ole32.CoFreeUnusedLibraries
00487658 >769B1C0A ole32.OleInitialize
0048765C >769D9EA8 ole32.CoRevokeClassObject
00487660 >769AD020 ole32.CoTaskMemAlloc
00487664 >76A8CCC9 ole32.StgOpenStorageOnILockBytes
00487668 >769AD004 ole32.CoTaskMemFree
0048766C >76A2AE4A ole32.OleIsCurrentClipboard
00487670 >76A2AFF9 ole32.OleFlushClipboard
00487674 >00487684 00000000
00487688 >74C946B1 oledlg.OleUIBusyW
Dumped this way it just barely runs, but the HWID call has been VM'd; I'll look into that and open a separate thread.
excelrebuild unpacked by kGe.exe: my OO group: [posting QQ group numbers and similar information is not allowed]. Everyone is welcome to study the "resistance" + "secret" packers together; once the study is done I hope everyone posts their own research notes on the forum, so we can encourage each other and advance together.
-------------------------------------------------------------------------
http://url.cn/S93usk
Of course, see: http://www.52pojie.cn/thread-202642-1-1.html
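The OEP repair described above (stolen bytes restored by hand, entry point moved back from Themida's 0088C000 stub to 004593D0), as an added example that is not code from the post: it re-encodes the 24 bytes the post restored (004593D0..004593E7), so the two CALL displacements can be checked against the listing (E8 E8300000 and E8 08130000), and writes them into a dump while setting AddressOfEntryPoint. The PE parsing is hand-rolled with struct; build_stub_pe() is a constructed minimal PE32 standing in for the real dump, which is not available here. Naming the two calls as __SEH_prolog and __alloca_probe is an assumption from the usual VC6/MFC CRT startup sequence, not something the post states.

```python
import struct

# Addresses taken from the restored OEP listing in the post (excelreb.exe).
OEP_VA = 0x004593D0
CALL1_TARGET = 0x0045C4C4   # CALL excelreb.0045C4C4 (assumed: __SEH_prolog of the VC6/MFC CRT startup)
CALL2_TARGET = 0x0045A6F0   # CALL excelreb.0045A6F0 (assumed: __alloca_probe of that startup)
PUSH_ARG = 0x00490290       # PUSH excelreb.00490290
THEMIDA_EP_RVA = 0x0008C000 # 0088C000 - 0x00400000, the packer's entry point


def rel32(insn_va, insn_len, target):
    """Displacement for a relative CALL/JMP located at insn_va."""
    return struct.pack("<i", target - (insn_va + insn_len))


def restored_oep_bytes(oep=OEP_VA):
    """Re-encode the 24 bytes the post restored by hand (004593D0..004593E7)."""
    code = bytearray()
    code += b"\x6A\x60"                                        # PUSH 0x60
    code += b"\x68" + struct.pack("<I", PUSH_ARG)              # PUSH 0x00490290
    code += b"\xE8" + rel32(oep + len(code), 5, CALL1_TARGET)  # CALL 0045C4C4
    code += b"\xBF" + struct.pack("<I", 0x94)                  # MOV EDI,0x94
    code += b"\x8B\xC7"                                        # MOV EAX,EDI
    code += b"\xE8" + rel32(oep + len(code), 5, CALL2_TARGET)  # CALL 0045A6F0
    return bytes(code)


def _pe_headers(pe):
    """Return (optional header offset, section table offset, section count)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    return opt, opt + opt_size, nsec


def entry_point_rva(pe):
    opt, _, _ = _pe_headers(pe)
    return struct.unpack_from("<I", pe, opt + 16)[0]     # OptionalHeader.AddressOfEntryPoint


def image_base(pe):
    opt, _, _ = _pe_headers(pe)
    return struct.unpack_from("<I", pe, opt + 28)[0]     # OptionalHeader.ImageBase (PE32)


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section table (dumps usually have raw == virtual)."""
    _, sec, nsec = _pe_headers(pe)
    for i in range(nsec):
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", pe, sec + i * 40 + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return raw + (rva - vaddr)
    raise ValueError("RVA %#x is not inside any section" % rva)


def patch_oep(pe, oep_va, code):
    """Write the restored bytes at oep_va and point AddressOfEntryPoint at the real OEP."""
    out = bytearray(pe)
    rva = oep_va - image_base(out)
    off = rva_to_offset(out, rva)
    out[off:off + len(code)] = code
    opt, _, _ = _pe_headers(out)
    struct.pack_into("<I", out, opt + 16, rva)
    return bytes(out)


def build_stub_pe():
    """Constructed minimal PE32 (one .text section at RVA 0x59000) standing in for the dump."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # file header
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, THEMIDA_EP_RVA)         # EP still on the packer stub
    struct.pack_into("<I", hdr, opt + 28, 0x00400000)             # ImageBase
    sec = opt + 0xE0
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, 0x1000, 0x59000, 0x1000, 0x200)
    return bytes(hdr) + bytes(0x1000)


if __name__ == "__main__":
    dump = build_stub_pe()   # in practice: open("excelrebuild_dumped.exe", "rb").read()
    fixed = patch_oep(dump, OEP_VA, restored_oep_bytes())
    print("EP RVA %08X -> %08X" % (entry_point_rva(dump), entry_point_rva(fixed)))
```

The re-encoded bytes must reproduce the post's listing byte for byte; if a displacement differs, either the OEP or a call target was misread, which is exactly the kind of error that makes a "restored" dump crash in __SEH_prolog.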
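An added example for the IAT listing, not code from the post: it parses OllyDbg's "slot >value module.export" lines, splits them into per-DLL thunk arrays at the zero slots, and maps the ntdll.Rtl* entries that sit inside the kernel32 block (RtlAllocateHeap, RtlSizeHeap, RtlGetLastWin32Error, ...) back to the kernel32 export names, because the packer followed the XP forwarders and a rebuilt import table naming ntdll directly breaks the kernel32 block and fails to load elsewhere. The forwarder table is assumed from the XP kernel32 export table and belongs to this example. The sample listing is constructed from a few of the post's lines arranged into one contiguous run; on the full listing the first slot is 00487000, so the IAT RVA is 00087000 and the OEP RVA 000593D0, the numbers an import rebuilder such as ImpREC asks for.

```python
import re

IMAGE_BASE = 0x00400000   # assumed image base of excelreb.exe (IAT lives at 0x00487000)

# Assumed (XP kernel32 export table): kernel32 exports that are forwarders to ntdll.
# A dump resolved with the forwarder already followed shows the ntdll name; the
# import table must name the kernel32 export again.
NTDLL_FORWARDERS = {
    "RtlAllocateHeap": "HeapAlloc",
    "RtlFreeHeap": "HeapFree",
    "RtlReAllocateHeap": "HeapReAlloc",
    "RtlSizeHeap": "HeapSize",
    "RtlEnterCriticalSection": "EnterCriticalSection",
    "RtlLeaveCriticalSection": "LeaveCriticalSection",
    "RtlDeleteCriticalSection": "DeleteCriticalSection",
    "RtlGetLastWin32Error": "GetLastError",
    "RtlSetLastWin32Error": "SetLastError",
    "RtlUnwind": "RtlUnwind",
}

LINE_RE = re.compile(r"^([0-9a-f]{8})\s+>?([0-9a-f]{8})(?:\s+(\w+)\.(\w+))?$", re.I)

# Constructed sample in the post's format; names copied from the listing, one contiguous run.
SAMPLE_IAT = """\
00487130 >7C810C89 kernel32.GetStdHandle
00487134 >7C9304DD ntdll.RtlSizeHeap
00487138 >7C9300C4 ntdll.RtlAllocateHeap
0048713C >7C80B741 kernel32.GetModuleHandleA
00487140 00000000
00487144 >770F4C7E oleaut32.SysStringLen
00487148 >770F4880 oleaut32.SysFreeString
0048714C 00000000
"""


def parse_iat_listing(text):
    """Return [(slot_va, value, module, export)]; module/export are None for unresolved or zero slots."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised IAT line: %r" % line)
        va, val, mod, name = m.groups()
        entries.append((int(va, 16), int(val, 16), mod.lower() if mod else None, name))
    return entries


def iat_range(entries, image_base=IMAGE_BASE):
    """(RVA, size) of the listed IAT: the two numbers an import rebuilder wants next to the OEP."""
    first, last = entries[0][0], entries[-1][0]
    return first - image_base, last - first + 4


def rebuild_imports(entries, image_base=IMAGE_BASE):
    """Group consecutive slots into per-DLL import descriptors.

    A zero slot ends the current DLL's thunk array, as in a real IAT. Returns
    (descriptors, problems): descriptors are dicts with dll / first_thunk_rva /
    functions; problems are (kind, slot_va) tuples for gaps in the listing, slots
    that resolve to nothing (e.g. still pointing into the image), and a DLL change
    without a terminating zero slot.
    """
    descriptors, problems = [], []
    current, prev_va = None, None
    for va, val, mod, name in entries:
        if prev_va is not None and va != prev_va + 4:
            problems.append(("gap", va))
        prev_va = va
        if mod is None and val == 0:            # terminator: close the current DLL
            if current is not None:
                descriptors.append(current)
                current = None
            continue
        if mod is None:                          # non-zero but not an export: flag, keep slot aligned
            problems.append(("unresolved", va))
            if current is not None:
                current["functions"].append("?%08X" % val)
            continue
        if mod == "ntdll" and name in NTDLL_FORWARDERS:
            mod, name = "kernel32", NTDLL_FORWARDERS[name]
        dll = mod + ".dll"
        if current is not None and current["dll"] != dll:
            problems.append(("missing_terminator", va))
            descriptors.append(current)
            current = None
        if current is None:
            current = {"dll": dll, "first_thunk_rva": va - image_base, "functions": []}
        current["functions"].append(name)
    if current is not None:
        descriptors.append(current)
    return descriptors, problems


if __name__ == "__main__":
    ents = parse_iat_listing(SAMPLE_IAT)
    rva, size = iat_range(ents)
    print("IAT RVA %08X size %X" % (rva, size))
    descs, probs = rebuild_imports(ents)
    for d in descs:
        print("%-13s FirstThunk RVA %08X  %s" % (d["dll"], d["first_thunk_rva"], ", ".join(d["functions"])))
    for kind, va in probs:
        print("problem: %s at %08X" % (kind, va))
```

Run it over the whole pasted listing to get the descriptor layout a rebuilder should produce; any "missing_terminator" or "unresolved" report marks a slot to fix by hand before the dump is worth testing, and the unresolved placeholder keeps the thunk index aligned so the slot address is not lost.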