资源描述:
《软件逆向分析实用技术》由会员上传分享,免费在线阅读,更多相关内容在学术论文-天天文库。
��⌮ᔣᑖ᪆.'.1.ii»<:11【•】C*IeiW]ir.;^7?¾^J^MVi^H ᱐ᩗ�ᨵ�ᩗ����ᙠ᱐��(cn>)ᦪ���⌮ᔣᑖ᪆�ᵨᢈ�/��,ᑢ"℉.%ᓅ':ᓅ'ᳮ*ᜧ,-᱐.,2009.8ISBN978-7-5640-2516-8I.�…n.①�…②ᑢ…ffl.��*D-ᑖ᪆DEW.TP31L5KL᱐M��✂0?ᦪ�᪶Q(2009)S124172T-᱐UV/ᓅ'ᳮ*ᜧ,-᱐..ᙬ/ᓅ'XYZ[Kᐵᓭᜧ⊙5T`�/100081ᵯb/(010)68914775(cde)68944990(ᢇ├Ki)68911084(jὅlmn)oᙬ/http://www.biQ)ress.com.cnp├/ᐰLᔜᙢtu�vᓺᑵ/ᓅ'ᙛz{ᓺᑵᔆ}M/787~x1092~1/16ᓺ/7.75Qᦪ/175ᓟ᱐�/2009�8ᨴ�1᱐20098ᨴS1ᓺᑵᓺᦪ/1~3000᪥/▰᳝/20.00ᐗᓺᑴ/i��-ᓺ⚪,M.ᣚ Ḅ��*D ¡¢£¤Ḅ¥¦◤¨-U,©ª«¬Ḅ®¯°᪀²³¢´µ¶·¢ᑜ²}U,¹º-»�▭½VḄ¢£¤��,¾¿·DÀÁ��Ḅ“Ãᔣ*D”。ÆÇ,¡»½VḄDEÈ-U,½ᵨÉÊ、ÆÌ�、Èᑖ᪆ÍÎDEᳮÉÏÐÑ¢£¤ᢈ�,��Ḅ°᪀、ÒD、£Ó²ÔṹÏÖV⌮ᔣ×ɲᑖ᪆,ØÙ-��ºÚḄÛÔṹ、³¢Üᳮ、°᪀、£Ó、ᜐᳮ·D、½VÞÓÎßᐵᦻÏḄ·D,ÀÁ��Ḅ“⌮ᔣ*D”(SoftwareReverseEngineering),îÀ��“Æᔣ*D”。¶ï,ðñò��ÖV⌮ᔣᑖ᪆Ḅ¿·DÀÁ��⌮ᔣ*D,òᙠ¾¿·DKᡠõᵨḄᢈ�ÀÁ��⌮ᔣ*Dᢈ�。Ḅ��*Dö⌕ᐵøtÚ��Ḅᑖ᪆ù³¢,ú⌮ᔣ*DᑣᐵøᡂÚ��Ḅ×Éùᒈ᪆。⌮ᔣ*D»ÍþðñÿÉDEḄ°᪀ÍÎDEḄ®¯,��,ᑭᵨ⌮ᔣ*D»Í�ᐭ��DEḄ½V·D。»ÍÿÉ�᪗DEÃᙠᵨḄÈᦪḄ��,�»ÍÿÉ�᪗DE�Ḅᦻ�,�ᯠ�»ÍÿÉ�᪗��ᵨḄ��ÍÎ�᪗�� �ùo�Ḅᐸ�nᑖ¶�Ḅ。ᙠÖV����²Æ��Ḅ·DK,��⌮ᔣ*DḄ��ú᧕"Ḅ。�#,ᨵ$Ð¥¦%ᜧ、ᵨÞ&Ḅ��⌮ᔣᑖ᪆*ᐹ。¾(��⌮ᔣᑖ᪆*ᐹ)ᢝº¹DEḄª«¬,&+ᑖ᪆DE°᪀,�,�ὅ-.᧕ᳮÉDE,/ᵨ0Ôṹ,ᡈ᪷�◤⌕3ᐭt¥¦,¡úᦋ5ÜᨵDEḄ®¯Ò。⌕,6��Ḅ⌮ᔣᑖ᪆ᢈ�,◤⌕789:Ì�;<Ḅßᐵ=>²;Ó,?⌕��½VḄÈ@AᨵB�ᐭḄÿÉ。M�CᙠDEᨵᐶG,6��⌮ᔣᑖ᪆ᢈ�Ḅjὅ,ÿÉ��“⌮ᔣ*D”ḄᭆI,,6��⌮ᔣᑖ᪆ᢈ�ḄJMÜᳮ,,6��⌮ᔣᑖ᪆ᡠKÎḄÌ�;<Ḅßᐵ=>²ᵨÓ,%1^2M?1NÜᳮÎßᐵᦪ,ÍÎïᵨ��⌮ᔣᑖ᪆*ᐹḄᵨÞÓÏ。OÍ�▭PQᫀSᩭUV“⌮ᔣᑖ᪆”Ḅ·D²ÞÓ。M�WᙠᳮXYZ·ÐḄ[,ú ø/�ᵨᢈ�²�▭PQ¦]Ḅ^8。ᵫ+Qὅ`@ᨵ▲,bcᨵW�²deÇᜐ,fghjὅᢇiᢣÃ。Qὅ20093ᨴ M�k⁚ᑁ.n⌕S%kPEᦻ�ᭆÎ⚜ᜓqrᑁ.᤺⌕:PEPortableExecutaWeFileFormat(»{|ḄV~)Ḅᑏ, �#Windows@AYḄöÒ»Vᦻ�,ᙠ¾ᜧh◤⌕ᨵ%¿ᓫḄÿÉ。Sk��Ḅ3Êᢈ�ᑁ.᤺⌕:Mkö⌕3ʲ。◤⌕3Ḅ��ᢥ᯿ᐸ�Ḅ²Qᵨ,»ᑖÁ�:% ,ö⌕�Ḅ DE~;3Ê,��DEW×É?Ü,úᑮ��Ḅqrºᩗ。SkN*ᐹḄᵨ•ᑁ.᤺⌕:Mkö⌕Nᑖ᪆*ᐹḄᵨ,ᒹ☟ᑖ᪆*ᐹ²ᑖ᪆*ᐹ。Sk 1^2ð?1NÜᳮÎßᐵᦪᑁ.᤺⌕:ö⌕¢Xᑩ^32^1ᦪ®¯¤ᑴ°᪀ÎᐸᙠÌ�;.......................................................625.5Ú{ᢣ>.............................................................68S6k⌮ᔣ*Dᢈ�.................................................................................................................706.1⌮ᔣ*Dᢈ�ḄJM�Þ...........................................706.2ÑᦻM�ṹ.........................................................716.3ï"�D;<ḄᐭÛÎ[ÜᱯÝ..............................-..........726.4?ÜDE.........................................................756.5Þ?ÜDE.....................................................76 2��⌮ᔣᑖ᪆�ᵨᢈ�6.6?ÜḄᔜÑÞÓ.................................................866.7、☟ᑖ᪆.......................................................886.8/J、@..................................................................926.9ß.....................:............................................93S7kᢙ⌮ᔣ*Dᢈ�........................................................957.1⌮ᔣᑖ᪆*D.........................................................957.2ᢙ⌮ᔣ*Dᢈ�ḄJM�Þ.........................................957.3ᑖ᪆DEḄá²......................................................1077.4anti-debuggersᢈ�â¢................................................109▬äðᦪåæ.............................................................111#è@.....................................................................114^¾¾......................................................................115 �1�?£ᦻ�ᭆ�⚜ᜓ��i.iPExmsam^PEᦻ�,êᐸ�Ḅë�»Vᦻ%᪵,ᨵ%ÈᑡḄQÜ,îᙠ%¿ïqḄðÕY,ñᦻ�Ḅᐸ�nᑖ。PE⊤ᜮᑁóḄ/⌕�ÒᒹDEÔṹ²ôᧇ[öḄᜧðÕ、〉ᵨḄPQÈÍÎᚮ᪘(stack)ḄᨬüᜧÏ。?ïḄý´þ?0⊈《6£160^�,—32��ᡠ�ḄV~ᦻ�。Ḅ%(ᱯឋ�UMXḄCOFF(CommonObjectFileFormat)ᦻ�。“%�«6executable”(»{|ḄV~)ýᕡḼ�ᦻ��Win32@AḄ:ᓽWindows½Vᙠ¹bUelḄCPUY,�Win32@AḄPE�ᘤ�¦r�²ᵨ�ᦻ�。�ᯠ,{|ᑮW�ḄCPUYPEV~�ᯠ�ᨵ%(ᦋ5。ᡠᨵWin32V~(◀ÿVxD²16ðḄDEO�ᵨPEᦻ�,ᒹNTḄᑁ᪶��DE(kemdmodedrivers)。�úẆ�?£ᦻ�ᡃñ�៉Windows°᪀Ḅ#¤。$ᡃñ?&�ÿÉ¥^32KḄ“ß)*ᙢᙬ”(RelativeVirudAddress,RVA)¾¿+,。?£ᦻ�KḄ-ÐḄ⚗� Í&¥MÞᢣḄ,&0MᐸKḄ%¿⚗ß+ᦻ�êᙢᙬḄ2{ᙢᙬ。S:�DE◤⌕©%¿?£ᦻ�ᐭᑮ)*ᙢᙬ34K,¡100001156Ḅᑁ×K,7?£K8¿⊤ᙠêKḄ96DosVZᙢᙬ 10868h,;<�⊤ḄRVAþ868h。©RVAᣚÁ»ᵨḄᢣHeader┐,>⌕©?0MḄ@3Y^(^16ḄJᙬᓽ»。Jᙢᙬ ᢣᐭᑮᑁ×.‘Dos^tubKḄ£^ᡈ00^DEḄ96ᙢᙬ,�32KḄ%¿/⌕ᭆI。PEHeadcr1.ᓹ�ᦻ�����Scction,"MlS,PEᦻ�°᪀ḄB~«ᑖC�1-1ᡠD。Section1(1)DOSMZHeader(PE⊤ᜮ)。PEᦻ�ᨬ}6 %¿ᓫḄDOSMZHeader, %¿《4&£6_008_>63<^[°᪀。ᨵÿ,7DEᙠSection2008JV,008þ¦r�-¾ ᨵᦔḄV~,ᯠK½VLM005MZHeaderᐸKḄDOSStuboSection.•(2)DOSStub。DOSStub %¿ᨵᦔḄDOSDE,²ᐸ�Ḅë�»Vᦻ%᪵,PE⊤ᜮO¹ᙠᦻ�Ḅᨬ}6ᜐ。ᦻ�ᨬ#☢SectionNḄᦪOQ⁚DOSStub%¿ḄDOSDE,ᵨᩭQ-ê“This�1-1?£ᦻ�°᪀ḄProgramcannotruninDOSmodew¾᪵Ḅ┯S�Ò。7ᙠ%¿W)ᢝB~«ᑖCWin32ḄPQÈY½V%¿〜U032DE,þ§V�¾¿┯S�Ò。�>^323�ᘤò%¿?Âᦻêᑮᑁ×,ᑁ×êᦻ�(memorymappedfile)ḄS%¿Q⁚&ᑮDOSStubḄS%¿Q⁚。ᡃñ�W�DOSStubÖV-�ḄẆ�,�ÁᜧÐ 2��⌮ᔣᑖ᪆�ᵨᢈ�ᦪª«JᵫÌ�ᘤ/�Yᘤ¹ᡂḄ,ᡃñᐸÿÉᓽ»。LZḼDOSStubḄ PEHeadero(3)PEHeader。?£U&(^《^�6_▬%1^"^1^°᪀ḄÀ,ᒹóÿ-Ð?Âᦻ��ᐭᑁצᡠ◤⌕ᵨᑮḄ/⌕ö。V~ᙠ)ᢝPEᦻ�°᪀ḄPQÈKV,�¦ᓹ£�ᘤ©¡DOSMZHeaderK[ᑮPEHeaderḄ962{,]Zðᑮ^ÃḄᦻ�ᜮPEHeadero(4)SectionTable。PEHeaderZJᩭḄᓽ ᦪÙ°᪀SectionTable(⁚⊤)。PEᦻ�»ÍᨵN¿⁚,_⁚ %ᙽ`ᨵᐳ�bឋḄᦪ�,cÔṹ/ᦪ�、j/ᑏÏ。ᡃñ»ÍòPEᦻ�µᡂÁ%¿⌶¯ef,PEHeaderefḄbootᡧ[,úsectionsþ ᔜÑᦻ�,_Ñᦻ�ᯠþᨵW�bឋ>j、È、◚iᡈᦻÏ。;<�SectionTable°᪀ᦪÙᑁᨵj¿⁚,þᨵj¿ᡂᕒ,_¿ᡂᕒᒹó&⁚Ḅbឋ、ᦻ�2{Î)*2{Ï。2.PEᦻ��⌕�����PEᦻ�Ḅö⌕½VklJ。①?£ᦻ�V,?£�ᘤmnDOSMZHeader☢ḄPEHeader2{。7ᑮᑣoÚᑮPEHeadero②?£�ᘤmn?£-3(^Ḅᨵᦔឋ。7ᨵᦔ,þoÚᑮ?£᱐&(^Ḅpn。③LrPEHeaderḄ ⁚⊤。PE�ᘤjsᐸKḄ⁚�Ò,Otᵨᦻ�uÞÓ©¾(⁚uᑮᑁ×,�¦vY⁚⊤ᢣḄ⁚bឋ。④?£ᦻ�uᐭᑁ×K,?£�ᘤ©ᜐᳮ?£ᦻ�K��importtable(æᐭ⊤)Ḅ®¯nᑖ。DE�Ḅ¦◤⌕�-Ðᦪ²Ûᓃᓃᦻ�,¾¦DE◤⌕ᑨ�᪗�ᦪḄᙢᙬO©�ᦪ{⊡ᑮ�Vᦻ�ḄêK,ᡠ◤⌕Ḅ�Ò�}ᙠ?£ᦻ�Ḅ^^0Ô⊤K,PEᦻ�KḄ_%¿Qᐭ�ᦪ�V~ᙢᑡ+�⊤K。%ᩭUtaport⊤×}ᙠDEḄidataᙽK,%ᒹóᐸ�ᩭDLLḄᦪÎᦪ��Ò。�ᨵ-ÐDEḄ10?0«⊤W×ᙠ1(1&13ᙽK,¥ᡃñᑨÔ_11⊤Ḅᙢᙬ⌼ᡂÿb,WᵨḼញ,>⌕ÿÉÿ3^11⊤Ḅ°᪀þ¦ð10^(«1⊤Ḅᙢᙬ。1.2ᔜÑᙽḄÄᵫ+◤⌕8(ᐵ"ᙽÖV3Êᜐᳮ²⌮ᔣᑖ᪆,ᡠÍᡃñᨵ�⌕ÿÉᔜVᦻ�Kpï⍗ᑮḄᔜÑï"ᙽ。(1)textoò ᙠ�YᡈÌ�°¦º¹Ḅ%Ñᙽ。Ḅᑁ.ᐰ ᢣ>Ôṹ, �⌕3ÊḄ。Ḅ3Ê»Íᨵᦔᙢ■ÜDEᢣ>ÔṹḄ☟ᑖ᪆²ᦋ。� ⌮ᔣᑖ᪆¦�øýḄ。?£ᦻ� ½Vᙠ32ðÞJ,ᡠÍᨵ�⌕©W�ᦻ�º¹ḄÔṹᑖᡂᑖḄᙽ。Zᘤòᡠᨵ�᪗ᦻ�ḄtextᙽZᡂ%¿ᜧḄ1^1ᙽ。7ᵨḄ BorlandOHf,ᐸ�Yᘤ©º¹ḄÔṹ×++ÀÁ《^*Ḅ[öK,úWc。(2)data。�11ÊḄÔṹᙽ%᪵,c�ü6ᓄḄᦪ�ᙽ。¾(ᦪ�ᒹ�Y¦ü6ᓄḄgloble²static5,�ᒹQ。Zᘤ©OBJsÎUBsᦻ�Ḅdata°ᔠᡂ%¿ᜧḄdata。local5×}ᙠ%¿ឋḄᚮK,Wᓰdata²bbsḄ34。²text—᪵, S1kPEᦻ�ᭆÎ⚜ᜓqr3ᦪ�ᙽ ÍVᦻḄ×}ᙠᦻ�KḄ,ᡠÍᡃñ-ᨵ�⌕©ᐸ3Ê。(3)idata。idata⁚Qᐭᦪ�,ᒹQᐭ�ä²Qᐭᙢᙬ+Q⊤。idataᒹóᐸ�ᩭ。ᓃḄᦪÎᦪ��Ò。�ᙽ¥¦ùᦻ�Ḅ�ᙽæᵨ⊤��,ᐵ"Ḅᙠ+?£ᦻ�KḄ_%¿Qᐭ�ᦪ�V~ᙢᑡ+�ᙽK,⌕ᑮß�Ḅ�Ò,�¡ᔜ¿ÜḄ/ðᦪ�Kn。(4)rsrc。《『(:ᒹó�ᙽḄᐰnôÛ,�᪗、ᓫ²ð�Ï,�ôÛ°᪀ᩖ。(5)reloc。^10€�×Jᙢᙬ/ð⊤。��DEW¦ᢥZᘤᡠᢣḄᙢᙬ�ᦻ�¦,◤⌕ᢣ>ᡈïü6ᓄḄ5ÖV,Jᙢᙬ/ð⊤ᒹóÿᡠ◤Ḅᦪ�。7�DE¦¢Ãï�ᦻ�,þ£ᶍ^10€KḄ/ðᦪ�。(6)edata。6^ð�?£ᦻ�Q-ᦪ²ᦪ�Ḅᑡ⊤,ͬᐸ��ᙽæᵨ。ùᦻ�KḄᐭÛ⊤、¥ᶇ+⊤ι¥ᶇ+⊤§ᔠ¥¦ß�。PEᦻ�ᨵ�⌕Q-%¿ᦪ,ᡠͶï> ᙠDLLᦻ�K¨»Í"ᑮedataᙽ。(7)tlsotlsḄý´ “threadlocalstorage”(DMᙢשᘤ),ùWin32ḄTlsAUocÈᑡ¥¦ᨵᐵ。(8)rdata。[13ᙽ¶ï ᙠ4&Íᡈ588K4,DEK-ªᵨᑮ�ᙽKḄᦪ�。«ªᨵѪ«J⌕ᵨᑮ&3ð,% ᙠMiCr0S0ftḄZᘤº¹ḄEXEᦻ�K,ᵨ+×}N�ä, ᵨ+×}UVQ。7DEḄDEFᦻ�KᢣÿDESCR^y^ON,ᑣQþ§-ᙠrdataK。1.3ImportTable(ÆUᐭ⊤)✌ᐜ,ᡃñᐜÿÉ®<æᐭ�ᦪ。%¿æᐭ�ᦪ 8�ᙽᵨîWᙠᵨὅ�ᙽKḄᦪ,�ú=+Á“ᓃ?0«”(æᐭ)。æᐭ�ᦪ�▭ð+%¿ᡈὅ-ÐḄᓹᓃᓃ。ᵨὅ�ᙽ>�ᶇ%(�ᦪ�Ò,ᒹ�ᦪ+Îᐸ¥ᶇḄ01ᓃ+。?£ᦻ�Ḅ0^0>0?¯ᙠᵨnDLL¦,CALLᢣ>�▭YÚᓄᡂEXEᦻ�textᙽKḄJmpdwordptr[xxxxxxxx]ᢣ>(7ᵨḄ Bo^landC++,ᑣᙠU0^6ᙽK),10²ᢣ>⌕oÚᑮḄᙢÞ¨^ÃḄ�Ḅᙢᙬ。�DEᑨ�᪗�ᦪḄᙢᙬO©�ᦪ{⊡ᑮVᦻ�ḄêK,ᡠ◤⌕Ḅ�Ò�}ᙠPEᦻ�ḄidataK,�þImportᙽ。ᵫ+ᡃñḄDE◤⌕ᙠÜDEV#ÖV%ÈᑡḄ*Q,◤⌕ᵨᑮᜧḄ^³0〜8ḄM?1ᵨ,ᡠÍᡃñ��ᐭᙢÿÉឰ?0·ᙽḄ°᪀²ᐭ¤ᑴ。1.4ExportTable(æ-⊤)�?£�ᘤV%¿DE¦,©ßᐵ01ᓃ�ᐭ�ÖDḄᙢᙬ34,ᯠK᪷�öDEḄæᐭ�ᦪ�Ò,nßᐵ01^KḄ^�ᦪᙢᙬᩭÃöDE4£�ᘤµ[Ḅ 00^KḄæ-ᦪ。0117£^⌕æ-%¿ᦪ¥ᐸ�01^¶£ᵨ,ᨵÑ�ÞÓ:¶·ᦪ+æ-ᡈὅ±¶·Eᦪæ-。c8¿0^⌕æ-+Á“0^7·0#¸”Ḅᦪ,7Íᦪ+æ-,;<ᐸ�007£>^¹⌕ᵨ¾¿ᦪ,�¶·ᦪ+,þ0%7(006§。$%¿cÓþ ¶·Eᦪæ-。®< Eᦪᕖ?Eᦪ ½%ᢣ00^K8¿ᦪḄ16ð 4��⌮ᔣᑖ᪆�ᵨᢈ�ᦪQ,ᙠᡠᢣᔣḄ0ᓃ1¾%¿Ḅ。S,00^»Í⌱Á¶·Eᦪæ-,Ꮇ³ 16,;<ᐸ�DU7EXE¹⌕ᵨ¾¿ᦪ�Í�@QÁGetProcAddressᵨᦪ。¾þ ᡠÄḄ±☠Eᦪæ-。ᡃñWn±¶·Eᦪæ-ᦪ¾ÑÞÓ,¾§�ᩭ0。^,�YḄ⚪。%Ç00^ᓣÉ/ᦋ,DEᕒ¿Óᦋ5�ᦪḄEᦪ,¾᪵ᵨ�00^Ḅᐸ�DE�©¿Ó*Q。1.5ᓹÊᦻ�KḄ°᪀ÎᐸQᵨ1.�᪀ᙠPEḄᔜÑ°᪀K,KÎ-Ðᙢᙬ、2{。ᨵ(ᢣᙠᦻ�KḄ2{,ᨵḄ ᢣᙠᑁ×KḄ2{。%⌕ËÌÍ,¾¿ᙢᙬᡈὅ 2{, ᢣᙠᦻ�K,?ᢣᙠᑁ×K。S%Ñ,ᦻ�KḄᙢᙬ。cᵨ16Öᑴ�¯ᘤᡭ}?£ᦻ�,ÏᑮḄᙢᙬ(2{)þᦻ�KḄᙢᙬ,ᡃñᵨ8¿°᪀Ḅᦻ�ᙢᙬ,þ»Íᙠᦻ�Kᑮ�°᪀。SÑ,ᦻ�¿uᑮᑁצ,c8(?£ᑖ᪆��,ò¿?£ᦻ�uᑮᑁ×K,¾¦ᑁ×KḄᙢᙬ,7q⍝8%¿°᪀ᙠᦻ�KḄᙢᙬḄb,;<¾¿PEᦻ�uᑮᑁ×ÇK�°᪀ᙠᑁ×KḄᙢᙬ,ᵨᦻ�KḄᙢᙬ3Yuᑁ×Ḅᙢᙬþ»Í�ᑮᙠ�°᪀ᑁ×KḄᙢᙬ。SÑ,V?£¦,PEᦻ�§�ᐭᘤ�ᐭᑮᑁ×,¾¦pï◤⌕Ḅ ?0M。cq⍝%¿°᪀ḄRVA,;<�ᐭ²3YRVAþ»Í�ᑮᑁ×K�°᪀Ḅ�▭ᙢᙬ。2.ᑖ!?£ᦻ�°᪀ḄB~«ᑖC:ᡠᨵ?£ᦻ��Í%¿ᓫḄDOSMZheader}6,ᙠ2{0ᜐᨵDOSJ»Vᦻ�Ḅ“MZ᪗Ñ”,ᨵÿ,%ÇDEᙠDOSJV,DOSþ¦r�-¾ ᨵᦔḄV~,ᯠK½VLMMZHeaderÇKḄDOSStub。0053�▭Y ¿ᨵᦔḄ£%£,ᙠW)ᢝ?£ᦻ�ḄPQÈK,©ᓫD%¿┯SnD,��+Q“ThisprogramcaimotruninDOSmode”ᡈὅDEᕒ»᪷�Ḅý��ÓḄ00«Ôṹ。¶ï008StubᵫÌ�ᘤ/�Yᘤ¹ᡂ,ᡃñḄᵨᜐW-ᜧ,ᓫᵨKÔ21hlm9ᩭDQ“¯!^programcannotruninDOSmode”。LZḼ1>0380*Ḅ ?£U&(^。?ï-&(161'?£ßᐵ°᪀D4AGE_NTJiEADERSḄÀ,ᐸKᒹóÿ$Ð?£�ᘤᵨᑮḄ/⌕ö。»Vᦻ�ᙠ)ᢝ?£ᦻ�°᪀ḄPQÈKV¦,?£�ᘤ©¡DOSMZHeaderḄ2{3CHᜐᑮPEHeaderḄ962{。�úo·ÿDOSStub]Zðᑮ^ÃḄᦻ�ᜮPEHeader。?£ᦻ�Ḅ^Ãᑁ.ᑜᑖᡂᙽ,ÀÇÁ86<^03(⁚)。_⁚ %ᙽ`ᨵᐳ�bឋḄᦪ�,c“text”⁚Ï,;<,_%⁚Ḅᑁ.�®<ᕖ?�▭Y?£Ḅᦻ�òᐹᨵß�bឋḄᑁ.}ᐭ�%¿⁚K,úW�ᐵi��“16”、“c�”Ḅ=+,ᐸ=+> Áÿ&+r�,ᡠÍ,ᡃñ7?£Ḅᦻ�ÖVᦋ,ᳮXYÖ»Íᑏᐭ�%¿⁚ᑁ,O�⁚Ḅbឋþ»Íÿ。PEHeaderZJᩭḄᦪÙ°᪀36(^^131^(⁚⊤),_¿°᪀ᒹó&⁚Ḅbឋ、ᦻ� S1kPEᦻ�ᭆÎ⚜ᜓqr52{²)*2{Ï。7?£ᦻ�ᨵ5¿⁚,;<�°᪀ᦪÙᑁþᨵ5¿ᡂᕒ。ÍYþPEᦻ�ḄᱥᳮᑖC。1.6°»ÍÏ-,?£ᦻ�c9Ḅ008Ḅ%2Ḅ»Vᦻ�⌕ᩖ�Ð,¥¦²ឋ¦�ᑮÿØᜧḄᐙ²Û%,¾�ᵫt�PQÈḄ¤ᑴᡠÜḄ。îᙠ¥¦Û%ḄJẠY,cWindows3.1ḄNEᦻ�ᓫÿ-Ð,¾ᐙᑖUVÿPEᦻ�Ý¥¦%ᜧîBÁÞḄ°᪀²�Ḅᐭᦔ᳛Îᐸឋ¦。 �2�"�Ḅ$%ᢈ'2.1�Ḅ��(¾¿“”ᙠMᦻKÝᢣ�ᒹ3Ê) ᵨᩭ■DE⌮ᔣᑖ᪆Ḅ。ñᖪá��ᔠÓᙢᵨ+■�Òâ☄、äᦋÎå᱐。»æូý���J+�᪵Ḅᳮᵫᙠᵨ,>W· ¤W#úï。ᜧh�§Uᙠᯠ �K,|ᱥᵨᩭ��Ñè,ᱥᵨᩭ��Ḅ8(nðÏ。�᪵,ᙠ¢£¤���ᨵ%Üéᵨᩭ����W¹Óᦋᡈ⌮ᔣᑖ᪆ḄDE。ñ%�ᐜ+DE½V,êᑮ¤ᑴᩗ,ᯠKÓᡂñ����Ḅm。þê|ᱥḄ%� ᙠ�~☢%᪵,ᵫ+¾ÜDE²ᯠ �KḄᙠ¥¦Yᨵ-Ðß�ḄᙢÞ,��ᜧhþò¾᪵ḄDEÀÁ“”ÿ。��Ḅ²ᯠKḄß¿j,�Ḅ���²◚ëᑁḄìí。7ᡃñ¡ᢈ�Ḅº»ᑖ᪆Ḅb,þ %ÜV+Ü6DE#☢ḄÔṹ。ÜDEÔṹᙠ3·DK»¦、3Ê。�3KḄDE◤⌕½V¦,Ḅ¾ÜÔṹᐜ+Ü6DE½V,ò、3ÊKḄÔṹ?ÜᡂÜ6DEḄÔṹ,ᯠKòVᩗî?¥Ü6DE。��Ḅ»ᑖÁ3ʲ。3ÊḄö⌕�Ḅþ Áÿ◚iDE^ÃḄᐭÛ²,Ḅö⌕�Ḅ ~、Þ&ï。2.2������Áÿ��ðḄ��,ᨵ�⌕��ÖV%(3ÊḄ��,ú�#ïpᨵ-ÐḄᡂ7Ḅ�ádñᙠòᑏ3Ê��»¬ᡃñ⌱Á。ᙠ�áḄ3Ê��ᨵ-Ð,¾ᔣᜧhjóï"Ḅ3Ê��。1.ThemidaMS*�2-1ᡠD,11^0�130^3^Ḅ%óᖪá, %ó%ᨵ]Ḅ3Ê��,Á��DEcôᐜÖḄ⌮ᔣ*D²��ẚÉḄ◤⌕ú³¢Ḅ。2.ArmadiUo$%(�2-2ᡠD,—3-110»Í½ᵨᔜѳÕᩭ��DE,»Í�¦Á��Ḅ��ÖV³Õ▲ᑴ、¦4▲ᑴ、ᦪ▲ᑴ,-Ðᖪᵨ��ᙳõᵨArmadiUo3。 �÷øÇ%,ᐸ+`ᨵù/Ḅᵬ,ᐸ3ÞᨵÑ,S%Ñ ᪗ûÞ,SÑ :CopyMem-H+Debug-Blocker。 S2k��Ḅ3Êᢈ�7*UNSAVED*^|^^^^Py^|JJ^^^AdvancedM1ndowsSoftwdreProtectionSystemjWew^JQpen..LJ^Lg|sdvefis...j^¾DemoVersion:r>i^•^,.r^?^dx^L^2:-------------------------------------------^5^.^^;iySi^^^~j.^^!■!■LiBS^^^y^^T.Tm^^^f^Mm.TwxM^^^anQApp4k4(KX>brformdbonQProtocttonOp«wsjQCodeRepioccQWualMachneQCetfrofn,£1Cus3tog?Q>Rjnc%drᑖThemWdᕸOv«fVtew&fWic6ttcnWforru^K^�2-1111«^c3Ê5[HevProject]-[NevProject.ARM]-SoftwareP.asspor...j^T^|^^|:Xi£il«Prot*ction&ysH«lpM^j^jjy±iz^i©ijjProjectustsdefaultlanguagcttxt.Vtrsionnotd*fin*d(inproj«ctfil*).Prot*ction:St«nd«rdOnly,StftndurdSoftICEd«i«ctionUsingBETTERcompression.d*fined.�2-2>^0(1^03Êᐸ᪗û3ÞßᩭUᑣ.᧕�Ð,ýÖDÞ3ḄDE A^nadmoḄᨬᜧᱯ²。•■«3.EncryptPE$%(、£�15^^^�2-3ᡠD《>(1)£þ^^£ÿ3Ê��ï�?£ᦻ�(EXE、0^²0€0Ï%DEᡈ?^lmDE),■☟ᑖ᪆ᦋ,Ær�N,ᨵᦔᙢ����,■å᱐。◀ï《8ḄᢙNᘤ(Softfce、1^Î0c068Ï)、��ᘤ²DUMP*ᐹÞÓ,£þ^?0>£õᵨḄ3Ê� 8��⌮ᔣᑖ᪆�ᵨᢈ�Acrypti;K;V2-2QQ4.8.iqB?EP.EngfcshFtetoenctypl:opupreg«ti«liondMogovecy(minUotJ13Encfypbonpdts%wdGachsession»Medto[mnutet]jDctel©the1Sh^£3Ê�ḄÞÜ?ᨵ:M¤3Ê£Ó、CRC᪥、*5、Ôṹᣚ、ÖDøᐭ、APffiOOK、ÐD、N35⚶2^^^^&^Ï6;-;'.>.)j^Wj_d;'•••^W:.,i/^•*:i;.4<".v:'A.._•."*(2)�_�UVWX"Z#^ᡂ⋰__#%^a&^1ᵫ、ᕸeᵨgh、▲ᑴeᵨ�ᦪ、lᑴeᵨᜩᦲo▲ᑴp�eᵨ᱇rsᔣuvw<•(3)Enc^E¦᪷�ᨬ�ᵨᡝḄ¤ᘤ�Ò、øᵨᡝÎ3ʦḄ��Êṹ¢£øṹ,¡�Ð3Ê£?1_�¤⌱Á%Ñᵨ+øṹḄ¢£。^....(4)EncryptPE{ᢝ}~,$%ᦑ�}~。(5)EnerypffEᔣ�3Ê��n¬��ḄÞ�Ḅ☜DZÛ,&+³¢¿ឋøÞ,�¦�3Ê�Eù3ÊÇ4�Á%¿’~,:Uᚮ3ÿ⌮ᔣᑖ᪆Ḅb»。(6)EnCryptPEÎp3ÊḄ��»Í½_+ÐÑW5ndows@A,ᒹWndows9X1METNT/2000/2003/XP。:.‘:/.:.2.3⌿��1.î*��•:、%…••^*/•••i••.�2^ᡠD᧿UPX��⊤½V�DOSJḄDEᦻ�。(1)0?î %_ᐜḄ»Ἕ^�#ᘤ,ᐸ·Ḅ»Vᦻ�~»50%〜70%,¾᪵ªÿefᓰᵨ34、o�YJ�Ḅ¦4²ᐸ�ᑖCÍÎש#ᵨ^(2)Ḅoᐰᨵvwᜫ,o᪵ᙢ��,¡¢{ᢝḄᜧ}ᦪ¤¥ᦻ�¦ᨵ§ᑭḄ©ª。UPX{ᢝ¬}§Ḅ�ᦻ�¤¥,ᒹ°±(10#895ᵨ8^£^72000^0>/%(3oº¼、DOS¾�LimK�ᦻ�o᪶Â。•., S2k��Ḅ3Êᢈ�C:Documentsand561^11^3$%☢Xᦻ²᱄302'²᱄3Jsage:upxll2345678?dlthULl[qvfk][ofilclfileinnand^-1.cor»pi*essfaster-Vconpi*essbe11ev-ddeconpi*ess~1listconpressedfile~ttestconpressedfile-Udisplayuersionr>unbei*-hgivenoreltelp-Ldisplaysoftwai*elicense)ptions:-qhequiet'-vbeverhose^-oFILKwriteoutputto*FILE^iforcecompressionofsuspiciousfi*les■-kkeepbackupfiles■ile..axecutahlestoconpress•■ype*upx—}»e1p*fornoi*edetailedliclp.■■IPXconesuithftBSOLUlHLVHOUrtRRAHTV;fordetailsuisithttp?//upx.sf.net�24(0��DEᦻ�2.ASPackÑÒ(�2-5ᡠDM8?3。^ᵫ)LQὅAiexeySolodovnikovᑏḄ%ó¹ïðḄWin32»Vᦻ��,ᵨ¹ïÞ&,ú*P.ASPack2.12Q-+ᣩ。Í-Ḅ*ᐹ,¶ï ©¢£¤K789ḄôᧇᡈᦻÖV,ᵨᩭ©×34,ᐳ》�«M,ø;6:UNBE6ISTERE0KþW¦½Vÿ,7µ½V�É․M30days^Jj。$�.ḄÈK¿��¦,ᒹᓽᡭ}ᦻ�|ᘤ。ᐕ$¿»Vᦻ�、Ôṹᡈᦪ�,¦?£ᦻ�Ḅ00^Î(^ÏôÛ。?-16»ÍÜ»Vᦻ�Ḅ@(nᑖ,ÍÎ@(nᑖ◤⌕�ᶇ。·Ḅᦻ�½V9ᩭþêÜ 10��⌮ᔣᑖ᪆�ᵨᢈ�6ḄA᱐M%᪵。Level0#CCCCCCCCCcf57Compresssports..andEXE!abteWP*^[angteimportsR?yirusdetection£ompcos$aSbut1$ticonPStripEXEictecations..and£LL「•*•-^-^~^.»..>*^—^»"..m,mmmmmm^—»—-■«—«•—_••___-、->^^"^-r--—.■■”■■—Jhttp://www.un4seen.com/petite/、.B2~6Pctite.%••••••.,•■••.•..i*•••jÍY>Eᓫᙢÿ-ªḄ%nᑖ3ʲ。7ᜧhᨵᐶG,»Íᑮï"3ÊFÞG....w&-•..HI〜。:•••...•^•••••••,.••••••,….••%%T•ᓃ2.4°、;:•y••',•:••.•;.••••••••^•*••.•»•DEᕒᙠ_ᑭ_ᨵ3J��Ḅ�¦1»Í©-ÐḄK]}ᑮDE³¢�ᑏKL,nªDEḄ��%Ó。ᙠᵨM��Ḅᔣ¦NÐᑭg;(3Êᜐᜓ��ḄJMᑖ᪆´O,3ᐭÆ⌮ᔣᑖ᪆Ḅᐵ"ÔṹÍÎÆNᘤḄ;P,ᐵ" ᵨ�⌕ð,⌕©DEᐵ"ÔṹÖVᜐᳮ。�ᯠ,ᙠ⌱Á3��¦⌕⌱%¿ᨵῃ¤Ḅ3��,ᡈὅWᜧ»¦ᑏ-ῃ¤Ḅ3��。¾᪵ḄDEᨵBðḄ��RS,S:^^ÖV3Êᜐᳮ,WAAnti-DebugÔṹ■NDEÖV⌮ᔣᑖ᪆ùῃ。3Ḅ¦ᐜ⌕ÛDEḄÔṹÖVᑖ᪆,ᯠKÖVᐵ"ÔṹḄᣚù3Ê,ᙠ¾¿·DK§º¹ß&ḄÉÊÔṹ{ᐭᑮÛDEK。3KḄDEᙠVḄ¦ ᑖÜÉÊVḄ,ú*ÉṹḄ·D ᙠᚮ᪘KÓᡂḄ,¾᪵Z ÁÿÛ3Ôṹ?ÜḄb»,ÜDEḄ%(ᣚḄÔṹ§ᙠHEAPVKᯠKJMPᑮÉṹḄDEᜐV。ᙠ-Ð�ᵨÿ¾᪵ḄÞÓ,ᨵ(3DEᨵᙠDEK“{ᐭ/ᣚ”3/ÉÊÔṹ,> ©�Ḅ3ÊᒹᙠÜDEḄ☢,¾᪵Ḅ��DEOWTᐰ,>⌕ᑮÿᐵ"ḄoÚ²(^?ᐭÛ²þ»Í¹ïUVᙢῃ。ᵫ+ᜧḄូý���×ᙠ3,Ẇ�ðᕒ²ូýÔṹᑖ᪆ðᕒÁÿᑖ᪆Ôṹ,}6,6ῃḄᢈW。MḼ¦4ḄØ{,Á■⌮ᔣᑖ᪆ðᕒᑖ᪆ô��ḄDEOᡂ¥ῃ,tḄÆ⌮ᔣᑖ᪆ᢈ��WÔᙢX3ᑮK。ᙠYßØÖ?ᙠ�Z,tḄÆ⌮ᔣᢈ�}UḄ�¦⌮ᔣᑖ᪆ðᕒ�ᙠ┐[ßᙢUᢈW、Ẇ�ᢈ�O}U*ᐹᩭ]ñ。¿X¡@¿Þ☢Ö,,6、ÿÉ3Êù⌮ᔣᑖ᪆ᢈ�ᡃñ÷KḄDE}Uù��©9ᑮ-ᜧḄØÖQᵨ。 �3�ÔeÕᐹḄ×ᵨ“•.•r•-'r4-•••••••'*•'■••%.•_*.•.■V*•.■•、%、•-、>•..••:.V•••-Vt■,»••.^••#**••••••••*•••_••••••:、••..*••^;..••#••••ai_ᦻ���ᑖ᪆•'M:.,;,y'-^,/••',:'.r.'☟ᑖ᪆Ḅ✌⌕m ᑖ×DEḄ��, ᵨ☟<;<�ᑏ�YḄ,ÍÎDE ᔲ3、3Ḅ ®<。ᯠKᡃ_iK`^ÍaïbòᣣGᶭ⁎�ßᑖ᪆,ᦻ�ᑖ᪆*ᐹᨵ?£®,FileMo^o0’,'^''^:*r*";''""V'';.•」••1.PEEDᑖ᪆�3-1ᡠD,PEiDr�-¾¿�� ᵨBoriandDelphi6.0_7.0}U�}UḄDE。�3-2ᡠD,PEiDr�-¾¿�� ᵫArmadmo3Ḅ。PEiDᑖ᪆W-��Ḅᦻ�þ§D“Nothingfound*”,¾Ñª«%� t᱐ḄᡈAqḄ。-¾:.、8'9.:;<^^=QES3E8QHl^^^^^^HHBBI^B^Fte-*iC:PoamentsandSettingsVi^ftSiJnitl.pas.exe;|Pte:£:PocumentsandSett»^s^Ul®i6SvWiX#^VCra£*Mel.0.e>fcjEntrypant:00050744E>Sertoo:.itextEntryport:OOOAD243B>S*ction:|itextlFteOffsefc0005CB44"'-¾¾FwtBytes:55,89,EC,83FteOffeet:0003E243Rrst8ytes::SS^B,EC,6AUnker&>fb:;2.2SSubsystem:w%i32GUILrtcerWb:83.82Subsystem;vWo32GUI>?ḄAᑏCDEḄFGHὅᡈKL|BorlandDeiphi6lo•7.0*|p^SET^TTS^^S^SS?^5^?U^^"5u^Son|TldskVie-A^jQpSong.j;^bout;E»t�j^^jficS^*^Bwe^rr**^Sre*T^ApoutIEjjtj9•_a__^___<^^^^^J’•■__*o^<^,_■■_J__<■_mmm^m^m^^mt^^m_m_^—^—^»»_•••»^^m^mm^^^mJPStayontopᓃ]:->)R7Stayontop?7j]•>{�3-1?Â10ᑖ᪆%�3-2?ᔊ0ᑖ᪆2.Filetofoᑖ᪆�3~3ᡠDiᓄ¦0(À>)½Vᙠ008JḄᦻ�☢,©⌕ᑖ᪆Ḅ»Vᦻ�jᑮ☢ᓽ»,½V☢�34ᡠD。•�3-3i^¦0ᦻ�☢ 12��⌮ᔣᑖ᪆�ᵨᢈ�«Au^'Oi*^〜♦►t々O^g^^g^|i.UOKl.ft.HtX)f>9v,〖luetbli*ffi^t.u**t*t'**.W4i;h2G60«H00J00lift1iwnneiic«001202H0htntry|ioint^un0.ti1onsxrtflW/C*mmhRUftHMH»,!MMlhn4i.i5ic(.Wi^!MtH1HHhKi2eVtMMMJ,ode?tHMVhHHihhSi;^'.Vl0W)i590:》i.JJiscFX0B(tivi.mWlH02fVtVd2hti.Si;?cᑖ1»He^ir*1t1*tUHh^l(|BhNTIkh'Si^em«m.I«Oc.rf)a:|t1W)UhTin**i>t^nj>2A42SRI?hC,)tt^tinofIMMt1MHHMM^hLinkeiVi^lOOz.?shc^00lWH0001i/WMHHI^WMhf.Mmm19rutHGl)twj^gggeh‘?》@A1*lSl>SC3r.B«1VR*>U.>Efi50�3~4FilcMb½V☢FileMo %óW┯Ḅᦻ�mm*ᐹ。FI½V¦DOS☢,ᙠDOSnÛK½VDEß�W&,RleMoᓣÉ᠒,ᐸr�pW¦ñ。ᡃñ©FI+ᣩÞ}ÖWindows^SendToᦻ�ᜳ,ÍK⌕ᑖ᪆8ᦻ�,>◤rs⌱Á“U〈ᑮ”=>þ»ᡭ}5。SendToOu:C:VDocumentsan4SettingsWSeadTooi•'.•9*a3.pe-scan.�>5.ᡠD,pe^can^*¿��FiteMo、PEiDentifierḄ*ᐹ,ᐹᨵGUI☢,»ÍÞ&ᙢmm-��ᑮvᵨ®<3Ê��3Ḅ,¥ῃ—É�ᩭÿᜧḄPo.^ibX*.P• S3N*ᐹḄᵨ13l•W32Dasm×ᵨäå.V.j:.(1)W32DasmVer8.93½VÇKḄö☢²ᐸ�*ᐹ��%᪵,ᒹᓫ²*ᐹ,�3~6ᡠD。:'•URSoftW32DasraVer8.93ProgramDisassemb...LJfpliXgisasseablergrojectDe^ueS«»rchJotogxecuteTextExmctions!gefsQ«lpjgiM^iijdyyy^i^y^^y^Jtd^Mia^i~^T)>"vi4¾)¾)r.ᛊ-ᦊ/•«f^0"•^yv/mi'0.Awmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm-■•^F^^•'*»«_..~^",•"v^_.._.»*.'..*^».••-*^^^-fc•..—‘》»•...»^^v.-—-•V'.."«.v^•**•«C^»••«^~—*»•••••■»■SetectaFite>«Ditau^^|.^^WiM^>-^^M^^^>-HM»«^»•__—_,PrintPreview£rint...P^uvtSetup...CopySelect*dLines—>»、____•___.^^__«^_»»^,—„_*—_9,D》.-___»___*^»^_^^_~^_>^_9^^^^^,Eont.•■—^^―ii_»»»»^,—、-^.^«^~-»—^^^>^-«^^^^.^•^—^■9E^-—■—_•-—H__.___*^^m¢10^:AllTrtceKaxks..DisassemblerQptions..^^^^^^^^^©s^ss^^s^sswasoWM^?^rT*.W》^,、SC、t:〉、v、,、.•w^A>CSx^<C*>^ssrs,'&Sv#'-*#'^^,?S.::i:::;r--')^::^^^^>s^^jfKCi>^^vj^**S^,”yyM�3«7DEᐭ••.*•••、•(2)Ñçèéêᦻëᦻ�oìíîᫀᦻ�(SaveDisassemblyTextFUeandCreateProjectFile)ᡈᓫóÕᐹôõḄḂᢥø。(3)èéêùúṹḄüëýþ:ᙠÕᐹôõᓫó^ᢥøᡈ��ᓫḄ�ᑮ(Qoto)⌱⚗⌱��ᑮúṹ(GotoCodeStart)��ᡈᢥ011+8�ᔠ�,’.�᪵ᐝ᪗�ᩭᑮúṹḄ�ᜐ。¾�ó�᪗ᡈᵨShift+õ�ᐝ᪗�ᔠ�ᦋ�ᐝ᪗Ḅ�,"3-8ᡠ$。 14��⌮ᔣᑖ᪆�ᵨᢈ�URSoftW32DasmVer8.93ProgramDis...^]gTj^jdisassemblerPr03ectDebugSearch:ExecrteText£unctionsHexgatagefsHelpGotoQod?iStartGotoProgramEntryPointF10^^MkL&LijJ^OWa^a—fc^^i»»,v*“m_.,•«,,,••••_•■•„:..'-.....GotoPageFll♦♦++++++++++++++♦++ASSZKBLYCOD*LI//*•••••,••••*•,••,•••**StartofCoGotoCodeLocationShiftF12Pzogrsu*toCryPoxnt•0100739D{C:VoCmWKVrvro^$r«xwomnn»r01001000C86FDA77enteKDA6F,7?01001004F0lock010010056BDA77iAui.«bx#«dx#00000077010010087»8FJdBartotheStartoftt*«CodeLi$tng�3«8ÚᑮÔṹ}6(4)oÚᑮ⚓(GotoPage),ᙠ*ᐹYᓫs0ᢥᡈ⌱ÁᓫḄ“Úᑮ”(Goto)⌱⚗⌱Á“Úᑮ⚓”=>(GotoPage)ᡈᢥ?11",¾¦-%¿b᪾,Qᐭ⚓ᦪ»oÚᑮµᑮḄ⚓☢L,�3»9ᡠD。.'..BEBBnMHna#%*V.J&VKItoUM^MJ,f-*M^^JM*w*ar%^fg^i-wfc#>^^aMr^*w^^^M^ir>*i-,•*.j++♦+♦+++♦♦♦+♦♦♦♦♦+♦AS3IHH♦♦♦♦++♦+♦♦♦+♦♦♦+//…………•,…,__;^#Ct.t#*tM^f*t***tr*oProgrC77H>Cancal|dpcr[cdi-0310100100DDSDC•220)0100X00F??P394Line:309Pg7of376File:C:D0cument5and$61109$^^☢ᦻ1^ᓹ.0<£(GotoCodeLocation)ᡈᢥF12",%¿b᪾©-,ᐕ$ᵨᡝQᐭÔṹ2{ᙢᙬ,ÍoÚᑮ�ðÕYL,�3-10ᡠD。•f**rrjgrrr^^…^—------*^*^T^^^S^CST——?:X^S^MZ2T'^―ᔆ、-....^,-^a_tfi^^^^^^B^i^^::..^^se>>M^^BWB9BWBl^WBI^BWU^^^H^x{R^fi^H^^^B^^HiH^^^Hi^^HHHHB^HHBBi^HHBBBHBHHBHBBHBEnletfnHex)thev^jeo#theCodeOUte(youwarUto^¾'>::fegokothenprestOK.:tHooH>cocesfv:theCodeOifseten(eredis^stthanorgrealer^han0100X004WttJthe«^vaitebleCodeOffsetvahjes.i^*be&LAorrMtc^:010010056BDX70tt^lothetowe$torhighetlvabdvAkie.r0100100e7D8F:0100100ADC?7riIftheCodeOHsetvalue©fVecedt$inther^ngeofvdbd:0X00100DD5DCCodeOffsetvaKjesbu(notanexactmatch.Ihenexlr0100100P7783tewestvaluewiMbe^alecteddutoma(icaVy.:OXOOlOXX78DA:01001013771B:OlOOlOlS7SDACodeOffset(Hex)^fcAWfet~:0100101?77CCCancel;0100101907OKLine314Pg7of376CodeDala@'01001000@Offset00000400hir>Fite:CADocumenJsandSeMingsaji�3-10GotoCodeLocationb᪾ S3N*ᐹḄᵨ15(6)oÚḄV:�¥¦ᙠ“VᦻM”(ExecuteTtext)ᓫ⌱⚗,“Vo”(&60^Jump)¥¦ ,ᩩ� ᐝ᪗ᙠÔṹḄoÚᢣ>¾VY(¾¦ᐝᩩ¢£»Ḅ¤¥⁐)。�¦*ᐹᩩYḄJumpToᢥⓊ�ïp 。ᓫs_ᢥ¨©ᑮY%o,�3-11ᡠD,ᡈᢥªᐝ᪗",ᐝ᪗ᩩ©¨©ᑮY%oðÕᜐ。^mm^^^#i^^s^^MLdpt:rfcx»00Q000y8)«bx>ᨵᐝ#_.010073F6ᜐḄoÚ|.ᜐ,�ᜐ¯°±Z²Þ» 。iL:OlffO73?035rO-----------------010073FJi399918000000�3»11¨©ᑮY%o_•.(7)V«¬(ExecuteTextCaH):�⚗¥¦ ᙠ“VᦻM”(ExecuteText)ᓫ⌱⚗Ḅ,�¥¦ Ḅᩩ� ᐝ᪗ᩩᙠ^ᓃᢣ>%V¦,¾%VḄᐝ᪗ᩩ©5¤,ᢥ_ 。V¦ᐝ᪗ᩩ©§ᩭᑮ^ᓃᡠᢣḄᙢᙬᜐ。“¨©«¬”(RetumFromLastCan)ᢥ10© 。ᓫsᢥ_ᡈᙠᓫ⌱⚗⌱Á“¨©«¬”(RetumFromLastCall)=>ᡈᢥªᐝ᪗",ᐝᩩ©¨©ᑮY%«¬ðÕᜐ,�3-12ᡠD。K9HHHMMBMflHHMHHHMMHMMMHMMHIHHMBMMHBMHMKi^.>:'■'^*^^^vj1vr£bM’vvsv^;*^*M^■>r%A^#01006636♦ft«f«rtmcnc6tulitir(C>9adlCiffiD*lJuap.*|],�*^᪗�ᶇᙠ�ᜐḄCALLLne:13044Pg261376CodeData@:01006631@0ft«etCOXBA31hr>Fte:C:VOocunert*and$e*tn»jhUHBi«CNOTEPAq_^mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmtmmmmmmmmmmmmmmmmmmmmmmmmmmmmfm/mmmmm�>12¨©ᑮY%«¬ðÕ(8)ᦪÙᐭ¥¦:(inported)ᙠᓫ¥¦⌱⚗,ᐸQᵨö⌕ nÏtoports²Exportsᦪ。ᓫs³ᢥᡈᙠᓫ¥¦⌱⚗⌱Á“-Û”(Exports)=>,VK©ᑡ-�#ᦻ�Ḅ´?0118ᦪ。�3~13ᡠD。 ��⌮ᔣᑖ᪆�ᵨᢈ�;^^~~TZ~'■;:'3::=^^^^^^^^%li^^_--^3;URSo||J(W3^TOMffl!BBMBBBMBiMdIS5ToSearchDiwssembtyforFunction,DoubleDickCar>celSeafch☡ᜎAUVAHj2.lslexiurncode:01001D1IB81ADVAPI32.RegCtoseKey1、���☢Ḅ�ᦪ,ᓽ�ᑮ:01001D23CZli28CCCOMCTL32CfeateStalusWindowV0X00U)29CCcomdlg32.ChooseFonlW01001Z>2ACCcomdlg3ZCommDlgExtendedErrcxcomdlg32.FindTextWGe13ᦪÙ-(9)ὃ¥¦(References):ᙠ¾¿ᓫ⌱⚗,ᨵ“ᓫὃ”、“bὃ”²“Qᦪ�ὃ”3¿=>。ᑖ�&ᢥ:¸,ᙌ²。øý:ᐸKᦗ�ὃ¥¦ᙠᡃñÍKᑖ᪆ÆÌ���¦-/⌕,�3-14ᡠD。UKSoftff32DasmVer8/93ProgramDisassemb]er/Debu.^S0»;;:Mᓫὃgefs「HelpMeauReferences-ToSearchDisasjemUyforString0H6.DoubteCickonTexlCancelSeatch»,,.^-nialogReferences=ssssssssllllllllERRRRRRRRSMsMMMsJᲱὃ|SStringDataReferencesIDQloQgsi?^srMcl!eDg臂,^!DcleSJfir>gResourceID^0011**?SpU-14ὃ¥¦(10)ᑴÌ�ÔṹᦻM。:ᮞ320^ᐕ_ᡭᓺᡈᑴᢣVḄÌ�Ôṹ。✌ᐜ©¿᪗{ᑮ>^320GÀḄᨬªᓫs,©§-%¿Á²,ᢥÂ3—",{ᑮ◤⌕ḄJ%V,ᓫs¿᪗,©⌱K%Ü,ᢥQrl+CÙᔠ"ᑴᡈᙠᓫ⌱⚗K⌱Á“ᑴᢣḄV”(0^^LinesofText)=>ᡈᓫs@ᢥ,òᦪ�ᑴᑮÃÄÅ,ᯠKÆÄᡂᦻMᦻ�,�3-15ᡠD。(11)3�ᜐᳮ(LoadProcess)。⌱ÁᓫKḄ“3�ᜐᳮ”(LoadProcess)=>,ᡈᢥCtrl+LÙᔠ",§-%¿3�b᪾,»Qᐭ⌱⚗=>。ᙠ»ᓫs“�”(load)ᢥ。>^01^?^᳝î£ᙠ 3200501N,©-ªr¿NnÛ,�3-16ᡠD, S3kN*ᐹḄᵨ17ᙠü6ᓄ>«7£?^0.£5{£DEK,ᢣ>©ដᶇᙠᐭÛ²(EntryPoint)ᜐ,URSoftW32DasmVer8.93ProgramDisassembler/Debu.&isassemblerErojectDefcugSearchSLotoExecuteTextEunctionsHex^ataRefsHelp^^^^j^^lZ[ZZ:QJ^92^s.C2.;oQ.Q.,ᡃ�ᵨ»᪗ᙠ01002398�☢���������,ᯠ��ᢥ�3���ᑮ0100239「ᜐᓫ�,ᓽ�⌱����*1iii0oooo3:01002398CCluklt3:01002399CC3:0100239A.CC3:0100239BCCnt.3:0100239CCCXJ''~,'o.*^>?'v«0,^^v»'0%«l*'*v»#iw_'8BF7mov«di,edi:0i00239fS5pushebp:010023A08BKCaiov«bp,esp:010023A2S?pushediLine:3615Pg73of378CodeData@:0100239F@Offset0000179FhinFite:C:Documen*sand5©ᕸ35^,☢ᡂᦻ^0.£ᓹ40£>€�3-15ᑴÌ�Ôṹ5Z3TETTT^Cod«lsxnRoduJ.^CALC.SXSUlp-0040S34ft^C^|1|lU0040533BjmpCJLLC.0040S342L^K*0040S34^J^^^V;gfc-^¾tajc-0040S34tt^>x-00S40000rr0040533D»ov«cx#00000002癱參ooooo00405342movdi,byt«ptr(0040C0S8]81610ff0*p00oo0141SIDX-81611030^Mft*p••00參•oo0100405346movbyt,mpt,x【《^x+€cxl,dl•il-81610fd0S»hx*p00oog00cJl0040534Br^t0008•dl-8i€149300000?70064tf?e00oo00'É!00405354puth«bpooo♦ooooooooooo00405355mov«bp#«spl#^*p♦oo41-816149300040S3S7pushFFFFPPFFi*p♦♦oo8)-81610fd0*poccl•0054000000405359push0040A6305n>ooo10)oooo0040S3SKpush00406S6C-636c6143i**p+000000l4]-4SS84500lXl[|^^^」--------^^yf^w->^?.J^l2Ca^s±1PXnablftPoctm«nt:edAPID«^ails»>****>~^>^f^^«■^m‘__,_■^9_,‘.,、、•_••_••»__•_w^y**m^m*•,W»_«^^*^—vS*»••、•^*^-*»—N^.S>*Icopy|r~-g»urcm!----forD^m&i>pZcyp_rlPfn#bl^tMbocurncm#dAPI^ttt^iiiAPIti>iWi|Addr#s*:BF788F7Si»inHoSOTIL32.DLLr^tnmblmLocalFunctionD«tallsC^coAddfst|UAi1charlOOO):•_DW0M>:*bd84S89.VOW>:4S09,BYTI89CS>13Z.Vll�3topAut-oOnAPIP«t.chCoda••%JCOD^:»ovdworp^t(^>p"29)#mmMᔆºProcCr«»t'^_^m^w^^^^^ss*,ww%^yr"StcpInto_x:4ip**InstructionBypassrProclxi%BrkTrOOOlProcess^r09rflZntry•ip:0040$34«Co_BvlrThrjLSl^-�3~163�ᜐᳮḄNnÛªḄNnÛᑡ-ᔜÑÊᘤ,:CPUÖ×ᘤ,CPU¤ᑴÖ×ᘤ,Ô²,ḄDLL,ÍÎÜÖ×ᘤÏ。r�ᒹ½V、ᨚÌᡈ�DE,ᓫs“½V”(Run)ᢥᡈᢥ?9",NOTEPAD.EXE©½V9ᩭ。ᓫs“ᨚÌ”(Pause)ᢥᡈᢥ3",.DE©ᨚÌ,¾ᙠᓫkr�¦pïᵨᑮ,ᓫs�ᢥ(Terminate)ᢥ,DE©Ì,⌨-N�。ᙠDE3�K,ÌᶇᙠᐭÛ²,�¦»ᢥ?7ᡈ?8"ᓫkNDE,¾¿"ᡠW�Ḅ ?7rÖ€¡ᓃ,?8O·。ÖᐭNᢥ?5",°Nᢥ?6",�3-16ᡠD。(12)³Õ Ô²。⌱ÁᓫKḄ“3�ᜐᳮ”(LoadProcess)=>ÇK,SW32Pa3mḄᓫK⌱Á“ÚᑮÔṹᜐ”(801000£^),Qᐭ“0100Î90”,ᓫs“~”ᢥ,W32DasmḄönÛᩭᑮ01007890ᙢᙬ%V。ᐝᩩᙠ¾%V£¤⁐,ᢥ",ᡈᢥÂ-"ᵨ¿᪗ 18��⌮ᔣᑖ᪆�ᵨᢈ�ªsᨬª³ÕÔ²-Ï⁐ᙽ,Ô²ᓽ³Õᡂ¥,�3-17ᡠD。URSoftff32DasmVer8.93ProgramDisDisassemblerErojectDebug^earch£otogxecuteTextFunctionsHex&ataEefsHelpImp^1^¾^¾!^;010078898500t-eszduordptr[6&x]d_—_—,____-—_—w_*—8M>8600xchgbyC*ptrlMxr>:adf^&aa'"gycr"ptr■_r-0023[esp-00000004J0000000000000000fs>■0038[esp+00000004)78746341Actx%_-WfM__--_u____■■_mJ_____•__<«_■_■_»»___,_____^.__9_"_mmmmmm9______________________________�3-18Ô²³ÕÓᡂ(14)ᙠW32DasmJ©¤⁐Ḅᐝᩩ{ᑮ8%VÔṹY,ᙠnÛvnᨵ%VQᢣDᐸᙢᙬ。)*ᙢᙬ:CodeDaTa@:010041B6,ú2{ᙢᙬÁ:@Offset000035B6h,�3-19ᡠ$。 S3kN*ᐹḄᵨ19|J^P||。!Cod,::MrnujDLGj5t»_j|^fe&-H.Mia,,j...:;FnoH.::-:L:H.;:.::.jf:eFrJ:sr::f:erMJLkitaKiMtfMnMMw^^MiiiUMLc^^MM^MMtafaL&kMifldMrffcA^**M&*MMHMM#010041A.3S1pushecx01004L&4S3pushebx010041ASS6pushesi010041A68B7S08movesi,dwoiptr【《bp+081010041A9S7pushedi0X0041AA33FFxoredi,Qdi010041AC8BC6ᐝ᪗ÌÒᙠ¾VÔṹY.0X0041ABB9SC170001.n.i.nniiRa,^.?3>.gc__________-.,srSiui5ZfB^r_ri-_pfcx-:,uhjf_a4jidxt:0lQ04^S8Snyj>mT^UQia03P4C:6iob41BB^SCCit:esteax,«ax010041BD0P8S28010000010042BB2、�ᜐÁ)*ᙢᙬpushedi3、�ᜐÁ2{ᙢᙬ.Line:7649Pg153and154of376jCodeData@:010041B6|^Dffset000035B6hJnFile:C:DocumentsandSeUirMMMMMMHBBMMHnmMMMMmMdHHHHHHHHHHHBHHHHBkMHHHHHBHHHHHBHhMHMMMHMMM>HMMiMHmMHi�3-19nÏ)*ᙢᙬ²2{ᙢᙬ2.EDAProAvanced©M?《)M¥(^1 %ó¹ïðḄ⌮ᔣÆÌ�*ᐹ,Ḅ$Ð¥¦Ô·ÿᐸ�ḄNᑖ᪆*ᐹ��。EDAß+W32DasmᩭUᐹᨵ-ÐḄ▬3¥¦²Qᵨ,ÍÎᩖឋ。©MNᘤö⌕¥¦ )ᢝMᙢᡈÕD10>Ö>o�N,î86、^^064Ḅ^3(^?£ᦻ�,Îx86ḄLinuxELFᦻ�ḄN。(1)¥¦¹ï%ᜧḄ*ᐹ,�3-20ᡠD。SttrcKVitwD.bu“^rOpti◤¶·7Ü~—OpenSubviews^Disassembly=>ᩭᡭ}ᐸ$ḄnÛ,S%¿nÛ᪗⚪ÁDDA^ew-A,ÝÞJᩭḄ᪗⚪ÁEiAView-B、roAView-O"。_¿nÛ�¾ÛḄ»Íᙠ8%nÛKᵨᦻQ�,úᙠ$ḄnÛKᵨ��,ᡈᡠᨵnÛ�ᵨ�%�。 20��⌮ᔣᑖ᪆�ᵨᢈ�(4)HexView-A:ᓝ³Öᑴ�Ï/�¯DEnÛ。�¦ᙠrḄnÛàßá_^1Ôṹ。ùÆÌ�nÛß�Ḅ ,»Í�¦ᡭ}пᓝ³Öᑴ��nÛ。~mw^(5)NamesView-A:+ÀnÛ,DÖᑴᦻ�Ḅᐰâ+À。+Àᓽ)*$4KḄQ。①Mᙠü6ᓄ�ᐭᦻ�Ḅ·D�K,nT⊤ÍÎᵨÚ+ᑖ᪆ᩭV�+»^+À»Í᪷�QãE�»᪷�)*ᙢᙬE(ᓣEᡈὅåEᙳ»)。ᙠ+ÀnᐷK:/çñ¦¢¶·+Àᙢðᑮß&ḄðÕ,ýsnÛ�KḄ⚗§ÚᑮÆÌ�nèéß&ðÕᜐ。*1(6)Exports:Q-nÛ。£î?<^8ᑡ-�DEᐭÛ²,ÎDEQ-Ḅᐸ�DEᵨḄᦪᡈὅ5ḄᐭÛ²(7)toports:QᐭnÛ。ឰ?0«8ᑡ-ᡠᨵᦻ�æᐭḄᦪ(5)。.、(8)Functions:ᦪnÛ。>《^0ê>ᑡ-10M¦¢¡ᦪ�pᦻ�KÊ-Ḅᦪ。(9)Structures:°᪀nÛ。810^1^$ᵨᩭDᩖḄᦪ�°᪀。(10)Enums:ëìnÛ。ù°᪀nÛ��,10MmmᑮDE᪗ûëì��K,©ᐸᑡ+ëìnÛ�K。ᡃñᨵÿ¥¦%ᜧḄ^³Nᘤ,ᵨḄÆÌ�²N¥¦,»ÍM¦MᙢᙢÖV☟ᑖ᪆²N。3.HiewHiew %ó�íḄᓝ³Öᑴ�¯ᘤ,..ᱯ�»Í&ᵨDEÖVÆÌ�,ú*�¦)ᢝ»Vᦻ�Ḅᓝ³ÖᑴÔṹÎÌ�;<Ôṹᦋ,ᵨ9ᩭ¹ïÞ&。ᙠHiew�äKᑮHiew.exe,½V,¾¦Hiew☢-Ḅ Hiew�äᦻ�,�3-21ᡠD。�¦ᙠîïvnḄ=>VᨵßᐵnD,&Ḅ ¥¦"F(n),ᢥF1"§-DE,"⊤3-1<»ᔆ…::;:_m__":_jijpg^-------------^^^mmmmmmmmmmmmmammmmmmmmmmmmmmmmmmmBsmmmmmmC:Documentsa.ndSettin«sa.jSififHIow-v7.10hiew...•^^^�3'___________________________________________________________________________________________�3-21ᔊ6Ö�äᦻ� 3N*ᐹḄᵨ21⊤3»1ð6ñDEF2-Hidden■ᡭ}ᡈᐵò◚iᦻ�DCtrl-ᩭᑮ�ᘤḄ᪷�äF3-Name-ᢥᦻ�ECtrlPgUp-©ᑮY%�äF4-Exten-ᢥó+Ehisert-ᡭ}/¶·ᦻ�F5-Time-ᢥᦻ�¦4EAlt-Fl•⌱Á�ᘤ|F6-Sizc-ᢥᦻ�ᜧEAit-F2-⌱Á�ᘤF7-Unsort-Aᑖ�EAlt-F4-/tjs�äᦻ�F8-Revers-ÆÚECtrl>F(n)-©�#�äOu�×F9-Files-nÏ4ᡭ}Ḅᦻ�ᔊôCtrl-F(n+l)-©ᑮ�×Ḅ�äK;F10-Filter-³Õ·õ______________________©ö"-»Öᐭè�äᡈ¡è�ä⌨-'HiewḄJMPQJ。(1)ὃ⊤3-1PQᡭ}◤⌕ᦋḄᦻ�。’(2)ᢥF1",îïî§-ßᐵḄDE�Ò,.�3-21ᡠD。(3)ᡭ}ᦻ�K,÷�îïvnḄ4(Mode),�¦ᢥ?4",©-%b᪾,þᵨᡝ⌱Á¯1(ᦻM),Hex(ᓝ³Öᑴ)ᡈ060^(ÆÌ�)�。(4)�¦»᪷�◤⌕,⌱ÁßᐵḄ�。WDecode(ÆÌ�)�ÁS,ᙠ��J,$/0éêúṹ,ᡃñ»Íᦋ¾(Ôṹ。ᙠᢥ?3"©Öᐭ�¯�,ᢥ?5"©oᑮᢣ᰿Ḅᙢᙬ(ø: 2{ᙢᙬ),ᢥ?7" nð801ṹᡈᓝ³Öᑴᦪ�。ᢥᩡ"Öᐭ�¯^K,{ᐝ᪗ᑮß&ḄVUᢥñᡈ©ö",-%b᪾,»ᦋÌ�Ôṹ。ᦋðK,ᢥú"×f(ᢥ©ö"KᑮJ%V,ᢥ"b᪾Ñᜫ,ᯠKᢥẖ")。K-3.3Nᑖ᪆*ᐹ|1.ᕂ06«^2345ᑴ|:(1)SoftICE�#ᨬtḄ᱐M 80«14.30᱐,·�J�80ý€£Ḅᨬt᱐M,¾᪵þᱨð(。½V5€1².^}6T,-�>22ᡠDḄ☢。�3-2230ý05☢ 22��⌮ᔣᑖ᪆�ᵨᢈ�(2)ZJᩭj¿☢ ⌕¨⌱Ou²TÙ�,W�þ§-ᓱ²¿᪗�ᑴb᪾,�3-23ᡠD。DriverStudioConfigurationonchine-ASoftICEWtiabationSerlalDebUgg^gNetworkDebug9ngKeyboardMappings33:r4aaoDcflnibonsjIThistestwiMtakeafewsecoods,andyourdisp^ymayI®54jbecomeLiwtabte.Atthe©ndofthetest,yourdkspiaywfberestored.•、•》、、n*^¾>•»w•〜•«•••■_、i-^—^^-»'<—_■•*»••••,••_o•—■____•—,•«■'•_«^、^^^»9〜«^»♦'、、••^^^••p^^^^RevtewtheSoftICEReddMeMeforadd*tonalVideoJ[I,.�3-23.ᓱ²¿᪗�ᑴb᪾(3)winice.dat�ᑴ。30«€£ᙠ�¦§ᐭ%(DU7EXEḄ�Ò。ᡃñ»Íᙠ80ý€£T�äJᑮ%1^(^.(^,»ᵨ�ᦻM�¯��ᡭ}(Ñ�M)。»Í᪷�Ḅ◤⌕%0^6.(^ÖVᐹ~�Õ。(4)J☢Í>¥^^6.�ÁSᩭÖÉ,✌ᐜ,ᙠ^0ᓃᦻ�KᑖT“;”⊤Dø{,ᓽᑖTKḄ%V⊤Dø{�Ò,W§3(^«3£V,±QÁUVÇᵨ;"⊤3-2。⊤>2winice.dat�Õᦻ�⊤PENTnjM=ON;<=PentiumOjvCodesNMI=ONECHOKEYS=OFFNOLEDS=OFFNOPAGE=OFF.srwvroRTHREAD1LOWERCASE=OTFWDMEXPORTS=OFFMONTTOR=O?^—=128;<=¾¿@.Ḅᱥᳮᑁ×ᜧSYM:1024’'1«¯=256;<=ᔊô[Á256KBTRA=8^^05=32;<=PQḄᨬᜧ¿ᦪ,�ᜐ ¿ S3kN*ᐹḄᵨ23q⊤DRAWSEE=2048;<=ᓱᑁ×ᜧ2®,�ᜐ@ᓱᑁ×ᜧMT="wd2;wc20;FAULTSOFF;DCHEREOFF;rYHEREOFF;setfont2;Unes40;code0^;;";<=ü6ᓄ,�ᜐ�ÊḄ 800600ᑖ�᳛;7 ᐰîgᣚY:Unes57Fl="h;"F2="^wr;"F3=,,Asrc;MF5=,,Ax;MF6=,,^ec;"F7="^here;"F8="^t;"F9="^bpx;"F10="^p;"Fll="^G@SS:ESP;HF12=,,Apret;MSF3="^format;"CF8="^XT;"CF9="TRACEOFF;"CF10=HAXP;MCFll="SHOWB;"CF12="TRACEB;"AFl="^wr;"AF2="^wd;"AF3="^S0LFFFFFFFF8B,CA,F3,A6,74,01,9F,92,8D,5E,08;";<=VB3ᱯÝQAF4="^s0lfffiffif56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14,33,C0,F3,66A7;M;<=VB4ᱯÝQAF5="^s0lfffiffiFF,753)JE8,85JEFJFF^FJDC,lD,28,10,40,00X)F>E0,9E,75,03;H;<=VB5ᱯÝQAF8="^XTR;"AFll="^dddataaddr->0;"AF12="^dddataaddr->4;"CFl=''altscroff;bnes60;wc32;wd8;"CF2="^wr;^wd;^wc;";<=ÍJPQ=>:MACROs7878=;'S30:0Lffffffff78787878_"MACROsname="S0LFFFFFFFF'toye'••MACROswide=''s01FFFFFFFF1,8,'T,,8,7,,.8,T,'8,7’,f8,T,,8,T,,8.,T,.8",MACROreg="bpxregqueryvalueexaif*(esp->8)>='Soft'dortd(esp->14)••"MACRObpxpe="bpxloadHbraryado"ddesp->4"" 24��⌮ᔣᑖ᪆�ᵨᢈ�q⊤MACRObpxgeta="bpxGetDlgItemTextA;bpxgetwindowtexta;bpxgetdlgitemint;bpxgetdlgitemtext;";*****ExamplesofsymfilesthatcanbeincludedifyouhavetheSDK*****;Changethepathtotheappropriatedriveanddirectory;LOAD=c:windows^ystemuser.exe;LOAD=c:windows^ystemgdi.exe;LOAD=c:windows^ystem^cml386.exe;LOAD=c:windows^ystemmmsystem.dll;LOAD=c:windows^ystemwin386.exe;Exports•changethepathtotheappropriatedriveanddirectoryEXP=c:windowskystenAadvapi32.dU;<=^4V#W⌕3ᑖT,ᔲᑣW�,501^^£»¦®<��WᑮEXP=c:windows^ystem^cemel32.dllEXP=c:windows^ystemuser32.dllexp=c:windows^ystemgdi32.dllexp=c:windows^ystemV:omctl32.dll;7⌕⌮ᔣᑖ᪆^DE,J☢Ḅ^½Vp©⌕�,80^0£Ê@ᨵ¾jVḄ,◤⌕ᡃñÞ3Y<;EXP=c:windows^ystem^nsvbvm60.dU;<=VisualBasic6EXP=c:windows^ystem^nsvbvm50.dll;<=VisualBasic5;EXP=c:windowsVsystemvb40032.dll;<=VisualBasic4(32bit);EXP=c:windows^ystemvb40016.dlI;<=VisualBasic4(16-bit);EXP=c:windowssystemvbrun300.dll;<=VisualBasic3;EXP=c:windows^ystemvga.drv;;EXP=c:windows^ystemvga.3gr;EXP=c:windows^ystem^ound.drv;EXP=c:windows^ystem^nouse.drv;EXP=c:windowsVsystenAnetware.drv;EXP=c:windows^ystemVsystem.drv;EXP=c:windows^yst^mMceyboard.drv;EXP=c:windows^ystemtooUielp.dll;EXP=c:windowshystenAshell.dll;EXP=c:windows^ystemVx)mmdlg.dll;EXP=c:windows^ystemolesvr.dU;EXP=c:windows^ystemV)lecli.dll;EXP=c:windows^ystem^nmsystem.dU;EXP=c:windows^ysterawinoldap.mod;EXP=c:windowsprogman.exe;EXP=c:windowsVkwatson.exe;*****ExamplesofexportsymbolsthatcanbeincludedforWindows95***** S3kN*ᐹḄᵨ25__________________________________________________________________________________________________a*;Changethepathtotheappropriatedriveanddirectory--------------------------ÍJ=>SofflCE3�ᔜ¿xZp----------------------------------------EXP=c:windows^ystem^:emel32.dUEXP=c:windows^ystcm^iser32.dllEXP=c:windows^ystcm^di32.dUEXP=c:windows^ystemVx)mdlg32.dllEXP=c:windows^ystem^heU32.dUEXP=c:windowsVsystemWlvapi32.dUEXP=c:windows^ystem^heU232.dUEXP=c:windowsV5ystemcomctB2.dU;EXP=c:windows^ystemVntdU.dn;EXP=c:windows^ystemversion.dUEXP=c:windows^ystem etUb32.dU;EXP=c:windows^ystemVnsshrui.dUEXP=c:windows^ystem^nsnet32.dUEXP=c:windows^ystemVmspwL32.dU;EXP=c:windows^ystem^npr.dll(5)Óᡂ�ÕÍK,�Ẇ³0%8�50««^K,ᢥÂ011+0Ùᔠ",801^«᳝�,ᢥCTRL+DÙᔠ"©ᑮ ^0ᥟ8J,ᡈᢥF5"�»Í¨©。�¦NnÛ&�êWindowsḄnÛ%᪵,7ê005ᐰînÛ%᪵,;þ ᙠTᓱ¦,ᦪᨵ³Õð,�¦ᢥYᦻÃᓽ»。(6)J☢Ḅ=> 50«^£nÛÊ:cᦑ�1,2,3)³ÕQ~;M�·�cᦑ2(ᙠ800᱄600ᩩ�J)setorigin᱄,)^,>0┝nÛðÕ;linesn1^=(25-128)³ÕDVᦪ;M�·�lines40;Ctrl+Ak+ᐝ᪗"{nÛ;Ctrl+Alt+Home/³nÛðÕܲ(0,0);Ctrl+Lᑵt。,(7)7ÍÊḄwinice.dat�SoftICE,ᨵ»¦◤⌕ᵨWDᡭ}ᦪ�nÛ,ᵨSETFONT2³ÕQ~Ï/*Q。$»Íᙠ%1^^c1ᦻ�ᑁ³ÕV=>PQ,ÞÓ ᙠ�¯¾%V,ᔜ=>ᵨᑖTᑖ},:DSnT="WD2;WC14;FAULTSOFF;DCHEREOFF;1��0�;86〖U0ᦑ2;1Uᾍ40�;"¾᪵�ᑴ。(¾( ᙠ800᱄600ᩩ�JḄª«,7W�ᑖ�᳛»setfontn;linesn)。ᙠNTJ,�ᑴSoftICE ᵨSofUCELoader(¡}6ᓫ⌱Á),⌱Á£<�%80ý€£=>,%Ḅ⌱⚗ü6ᓄ,¾ᡃñ»ὃÞ,ÿÉW�Ḅ}ᐵ⌱⚗Ḅ��Ä。 26��⌮ᔣᑖ᪆�ᵨᢈ�CPU=_—•------------t!rtXvCIOOOOfjOUKBX-Ot!SDOOOOr.CX--004ri:iB60K0X-RrFCn*J3On;]Oi^CAV^iEDI•OOOGOQtlOKBP--U06DFDA6ESF--006nFD91EIP--BFF7DfJSBOVT}Uf!:10i;S-t)lO?KOU)FS3v-016rEi>---OlbrF3--1lK?GS-l)tHJO2-.ft:[>y--lC--C»JOJO:um_)(Hj*JKfjrC9m(>b0170uti16at)3.1ui>6bO't71[JUUft:fiW30:8O0O8QlOf>SlMVrt00MFFG0KfiVZnmF0CB1:(,Gll'JMi¢.•iJfJ3U:000000/.0ru'j00OJJCfi!mfn0¾-(,Fl:FuoeaU,l:F|}i:}mi|U)U))J^J%i800ttt)0.iUfiFsr00iViA'EFmK00Ufnust.Son?(JUQc*il.,:U3i>K0,H)l---}l^C^:m(JJ67:t:n/D0StJKKTUiU167:BFF7D0bBPUSMbYTEMUiu67:t;nrvw)soru^HDW<>HUn:stsmntUfj7:BFr?tH>jJVimDWOUDfWFCAt:fmi)ih?:i:frvoor,?cr»Li.unrv#HiMt)ir3v:tifrvb0^ciu:ru-4KLKNKi.3^TlsBadCodePl.rlU67:i:iT700(,rPUSHl!VTK,mHif>y:i;Fr?i)rj?)pu:>HDwonutr.sr*ooitM6?:HFrVOO?^CftI.LKERNEL3E?IsRdum.,fKHP»oc)....................................----------------------Kt'KNt:L3Z!.Utyt»4�l.i*cM!l:«“t*(^Oh,j-UflfJ-1J>rjy:Ofr--Ut6K:BKK1DlKlOi.en^HOtjJJSOO<)Mmlmn32■"■inn32:¾H»d?,i�>24NnÛ(8)NnÛ。Ꮇ³SofttCEïpÃï½V,�¦ᙠWindowsᢥCtrl+DÙᔠ"þ»Í-SofflCEḄNnÛ,�◤⌕¨©ᑮWindowsȦ,>◤⌕ᢥCtrl+DÙᔠ",�»ᵨ=>ᡈᢥ"5"。 ḄNnÛ�3-24ᡠD,ᑖÁÖ×ᘤnÛ、ᦪ�nÛ、ÔṹnÛ、#²nÛ²=>nÛÏnᑖ。(9)80«^£N=>n⊤,"⊤3»3。⊤>3N=>$⊤•=>Äoð�#ᢣ>7•¢£%¿⊤Ḅ@AᑏᐭÌ�ÔṹADDRᙠSofttCEKDᡈᑗᣚᑁ×[öALTKEVᦋ5ᵨᩭ«¬SofflCEḄ&"ALTSCRᑗᣚSofUCEḄ�îQ-ANSWER�¤¶�'ÛΩQ-Ú{ᑮMODEMBC◀%¿ᡈпԲBD%¿ᡈпԲᜫᦔ____________________________________________________ S3kN*ᐹḄᵨ27Z⊤=>_______________________________Ä_______________________________BE%¿ᡈпԲឮᨵᦔ:BHᙠSoWCEᔊôᦪ�pKDᡈ⌱Á4p³·ḄÔ²BLD�#ᡠ³ḄÔ²BMSGᙠWindowsḄÑÒY³ÕÔ²BPE�¯%¿ï×ᙠḄÔ²BPmTᙠ8¿KÔᔣ*Y³)Ô²BPIOᙠQᐭQ-'ÛY³ÕÔ²BPMᙠᑁ×ᓫᐗY³ÕÔ²BPRᙠ%¿ᑁ×BY³)Ô²BPRWᙠ8¿WindowsDEᡈÔṹÜᡠᙠḄᑁ×[öY³ÕBÔ²BPTÍ#ḄÔ²Á�Å,³tḄÔ²BPXᙠ»V;PY³(ᡈÌ◀)Ô²BSTATD8¿Ô²ḄÊCcBᑁ×Kᙽ[öḄᑁ.CLASSDWindowsḄ�Ḅ�ÒCLS◀=>nÛKḄQCODEDᢣ>ṹCOLORDᡈᦋîï¥⁐CPUDÖ×ᘤᑁ.csn>ÁᡠᨵÔ²³%¿ ▲(05:?ᙠᐸᑁ)(16ðDE)DD8ᑁ×[öḄᑁ.DATAD$%¿ᦪ�nÛDEXᙠᦪ�nÛKD(ᡈ+,)8¿⊤DL^JL©¤ᑴA/ᔣᑮMODEMEᦋᑁ×ᓫᐗECÖᐭᡈ⌨-ÔṹnÛExrr%V⌨-DOSDEᡈWindowsDE•EXPD00^KḄ-Û�ᦪF-ᐙ8%ᙽᑁ×[öFAULTSᡭ}ᡈᐵò┯Sr�¥¦HLEDᡈᑗᣚ�#Ûᦻ�FKEYDᡈᦋ�#+ᣩ"ñFLASHᙠP²T=>V·DKᑵtWindowsîï 28��⌮ᔣᑖ᪆�ᵨᢈ�q⊤=>______________________________________________________________________FORMATᦋ5ᦪ�nÛḄDGVᑮ8%ᙢᙬGDTDᐰâÄ⊤GEMNT%Vº¹%¿KÔHDDE�ÒHBOOTÈ/t�HEAPDWindowsᐰâᚮHEAP32DWindowsᐰâᚮHERE½Vᑮ�#ᐝ᪗ᡠᙠVHWNDDnÛP.Ḅ�ÒI¡Qᐭ®-(UO)'Ûjᐭᦪ�IlHERE⍗ᑮᑁ/ḄmT1ᢣ>¦ SoWCEI3HEREᙠ⍗ᑮ0^3ᢣ>¦ 80«^^JDTDKÔÄ⊤LDTDânÄ⊤LHEAPDWindowsânᚮUNESᦋ5SoWCEnÛḄDVᦪLOCALS¡�#᪘Kᑡ-ân50M〈ᦪ�MACROñ%¿=>,ÇV%Èᑡ30(«^^ᢣ>MAP32D�#ᡠᨵ32ð�ᙽḄᑁ×êMAPV86D�#)*¤ḄDOSᑁ×êMODDWindows�ᙽᑡ⊤0ᔣÍ0'ÛQ-ᦪ�PᓫkVDEPAGED⚓⊤�ÒPAUSE1îKᔲᨚÌDPCIDÈK_¿PCI³ᜓḄª«PEEK¡ᱥᳮᑁ×Kjᦪ�PHYSD8¿ᱥᳮᙢᙬ&Ḅᡠᨵ)*ᙢᙬPOKEᔣᱥᳮᑁ×ᑏᦪ�PrintScreen"ᡭᓺîïᑁ.PROCDÈKᡠᨵÖDḄ⌕�Ò____________________________________________ S3kN*ᐹḄᵨ29q⊤=>—Ä—QUERYD8¿ÖDḄ)*ᙢᙬê:RDᡈ-ᦋÖ×ᘤḄᑁ.RSᨚ¦ឮDEîïSEWAL©¤ᑴAÚ{ᑮÛ�'YSETDᡈᦋ55^^^£ḄᑁnᦪSHOWᑡ-©2r�ᔊô[KḄᢣ>SRCᙠÛDE,ÆÌ�Ôṹᡈὅ3ᔠÇ4ᑗᣚDSSᙠÛDEᦻ�KnQ«STACKD8¿ᵨSYMDᡈ³ÕTSYMLOC/ðTJᙬTᓫkr�TABLEᦋ5ᡈD�#T⊤TABSDᡈᦋᙠDÛᦻ�¦Tab"Ḅ4»TASKDWindowsmᑡ⊤THREADDD�ÒTRACHÖᐭᡈ⌨-᥏*r��TSSDmÊܲyo'ÛḄᢞZTYPESᑡ-�#ᑁ×[ö(context)KḄ��+UÆÌ�ᢣ>VCALLDVxD»ᵨSDḄ+Q²ᙢᙬVERDSoftfCE᱐MTVMD)*¤Ḅ�ÒVXDD%1040^0?^)êWATCH3ᐭ~¿��nÛWCᡭ}ᡈᐵòÔṹnÛ:ᡈᦋ5ÔṹnÛᜧWDᡭ}ᡈᐵòᦪ�nÛ:ᡈᦋ5ᦪ�nÛᜧWFÍ#²ᡈMMxD#²᪘WHATᵨᩭ~%¿+Qᡈ⊤ᔲq��WLᡭ}ᡈᐵòMᙢnÛ:³ÕMᙢnÛḄᜧWMSGDWindowsÑÒḄ+Q²ÑÒÔṹWRᡭ}ᡈᐵòÖ×ᘤnÛWWᡭ5ᡈᐵò��nÛ;ᡈᦋ5��nÛḄᜧ 30��⌮ᔣᑖ᪆�ᵨᢈ�q⊤��____________________��____________________X¡5070£nÛK⌨-XFRAMED�#Ḅï-┯P.᪾XGᙠ�*(©2)r�ÊK½VDEᑮ8%ᙢᙬXPᙠ�*r��KVDEXRSET/Õ©2r�ᔊô[XTᙠ�*r��Kᓫkr�DEZAP©ᑁ/Ḅ5¯1²^3ÌÁ?^0?(10)+ᣩ""⊤34。⊤3^+ᣩ"’+ᣩ"__________________________________________UV__________________________________________F1DEF2Ö×ᘤD/ᐵòᑗᣚF3ÛDE/ÆÌ�Ôṹᑗᣚ(DEᨵÛDE¦»ᵨ)F4SoftICE☢/îïÜ68☢DᑗᣚF5⌨-SoMCEtPF6Öᐭ^1-ÔṹnÛF7DE½Vᑮᐝ᪗ᡠᙠᜐF8ᓫkr�F9ᙠᐝ᪗ᡠᙠðÕ³Ô²F10ᓫkV(o·èDE^ᓃ)FllDEVᑮES:ESPᢣᔣḄᙢÞF12DEVᑮê¯ᢣ>ᜐ,ᓽ¡èDEᓚ^^:K¨©Shift+F3ᦋ5ᦪ�nÛḄD,ᢥ᯿“Q⁚->Q->ýQ->;��-><��->10Q⁚��”ḄÞ=�DCtrl+F8�*r��Kᓫkr�Ctrl+F9⌨-�#�*r��Ctrl+F10�*r��KᓫkVCtrl+Fll¡ᔊôr�[ḄᨬK%ᩩ}6Dᢣ>Ctrl+F12¡ᨬüḄ%ᩩᢣ>}6�*r�Alt+FlD/ᐵòÖ×ᘤnÛAlt+F2D/ᐵòᦪ�nÛAlt+F3D/ᐵòDEnÛAlt+F4D/ᐵò��nÛAlt+F5◀=>nÛKḄQAlt-fF8____________�*r��KÆÞᔣᓫkr�____________________________________________ S3kN*ᐹḄᵨ31Mᦻ>sofacEḄJMᵨÞÓ,ᨵᐵsofacEḄ��ᵨÞÓg▅M��▬�Ḅ=>Þ²PQÞ。2.Trw2000ᵨ1^000 KLð}UḄ%óN*ᐹ,=>ᵨÓù50««:£?.,�?tÛ3ÿ$Ð¥¦。ᙠᨵ$Ð���é┐SoWCEZÿ■,@Aᨵ%(◚iSoWCEḄ*ᐹ,ᦔ7W-ð,⍗ᑮ¾᪵Ḅª«WNᵨ%J1^2000。(1)1^2000ḄT。1^2000ù!50ý0£c9ᩭ,1^2000þ�W-Ðÿ,ÉKḄᦻ��W·jOKBú。⍡CḄ Trw2000>¦)ᢝWindows9X,ᨚ¦?ᨵWindowsDḄ᱐M。1^2000ḄT-ᓫ,]Z©ᐸᦻ�Éᑮ8¿�äJþ»Íÿ,ú*W◤⌕/t�Èþ»ÍEY�ᵨ,ᐸ½VöDE Trw2000.EXE。(2)1^2000Ḅ�Õ。1^2000Ḅ�Õ ¶·1^2000.1^ᦻ��Ḅ,²80ý06Ḅ�Õᦻ�cBß�,ᡃñ»Í᪷�Ḅ᰿ðᩭ�Õ, ¶ïᡃñᵨÊ�Õᓽ»^(3)�Õᦻ�。Trw2000²SofUCEḄwinice.datᦻ�%᪵,ᵨᑖT“;”⊤Dø{�Ò。;Trw2000LiitiaUzefile;Pleasemodifyitasyourhabit;remPLUGS=C:^LUGS^ffiLLO.SYSTrw2000»)ᢝplug-insD4IT="Unes35;wr3;wd4;wc16"ü6ᓄ=>Q(4)Trw2000Ḅᵨ。½VTrw2000.EXEDEᓽ»�Trw2000,ᐸ� ☢�3-25ᡠD。ᵫ+1^2_=>²PQÓᐰ?.80«^£,��WᱯGUV,ᙠMᦻSoftICEḄH�〉ᔠTrw2000。[HHH>KOX-BOr.>I)OniM>ECXOfMA.{HiSlJm.r(:rt*vHit:sU»n['>lH)()EliF*ClfJC>DFDriHKMFIJUf»DriV^JtirVDltMt<>'tlD*>8t>tr.K*>i;.i1c>rKSOU>I^r:;oJt»“s017ftorj'J-FKHOF<rnUtiljOcuzt""•*”<>*»r,ii:r[JI>O:Kli、FKFlJOIII(,[;.:■'«.:i:;._..t.fJf:l(t(i/orjf>dHKT1H7DMSUl*llSHBYTKMU?D05^DlHKSHfiUOftD8l‘:S?D061IMU;Hi)UOfiOIurl>f.a]>D6VCrtH.RFfmo.HXj<>iniv^>n.n>nocHI:*!mDM<%i>ro1)U()tLsHmlro<>riti?nn?irus»Jl.*WORP1VMIitt!:nnor>rmvii/uu?scr>r.LKKKNKL32?H.ri7of:f:rlH/mm、T*llJ>flKHI*yiuivKm)«.»hni^.i:、srVIH5tHi^m*d.liVTK/i)iurjPtJMH:v,x.vmi(i4MOMF*ncjHHKI.>)Zti..()(«M:»):OtH>F:KFK1mrtizf^tHJj^5l>>K:muIMMH^.Trw2000☢Trw2000ḄᡠᨵPQ�U¹ᙠ%¿»ÍM¦» ḄNnÛK,ᙠ¾¿nÛK»Í� 32��⌮ᔣᑖ᪆�ᵨᢈ��Windows&ᵨDE²ÈḄ½V。(5)NnÛ。 1^2000ᨵÑÞ:S%ÑÞ:Ctrl+MᱯᩗÉOÉḄ&",¦¢ᙠ�¦ÛᓽKÔIþ^%c,ß�+SoftICE&"Ctrl+DḄ*QÞ。SÑÞ:CtrUNᱯᩗÉ3ÉḄ&",¾ ᡃñᨬïᵨḄ�,»ÍKÔ^³0〜8Ḅᱯᩗ;3;Ḅ<=。⚜>?vw�@ᣩ�ḄþᵨB⊤3-5。⊤3_5⚜ñ¥¦Î+ᣩ"ḄQᵨ___________+ᣩ"______________________________________UV___________________________Fl=^HELPDE(=><»W¦·15¿Q,M^1£0>Á5¿Q<»)F3=^SRCÛDE/ÆÌ�ÔṹᑗᣚF4=^RSTrw2000☢/îïÜ68☢DᑗᣚF5=^X⌨-1^2000nÛF6=^ECÖᐭ>^⌨-ÔṹnÛF7=^HEREDE½Vᑮᐝ᪗ᡠᙠᜐF8=^Tᓫkr�F9=^BPXᙠᐝ᪗ᡠᙠðÕ³Ô²F10=^PᓫkV(o·èDE^)F12=^PRETDEVᑮJᢣ>ᜐ,ᓽ¡èDE0M1^K¨©;HOTKEY=320D;Ctri+MÈ0ÉÞ &";R3HQTKEY=310E;Ctrl+NÈ3ÉÞ &"GRAPHICS=ONDÁ��VESA=OFFᐵòᔳM�VGA=ON�ᵨ00M�DSTTELUMOUSE=ON7ᵨᡝḄ¿᪗inteUmousc,ᑣᡭ}¾%⚗;NORESCHANGE=OFFWᦋ5¥⁐�;HST=256ᔊô[ᜧÁ256KB.SYMBUFFER=1024SymboI[ᜧÁ1024KBCAPrTAL=ONîïDᜧᑏÔṹWONDER=ON}�Trw2000îïvnḄL1¥⁐ᦔ7TESTMODE=OFFᐵòmN�(��1^2000-M¤¦»Í©¾%⚗ᡭ},Trw2000§yz┯SÔṹ)__________________________________________________(6)1^2000Ḅ-nÛ ☢Ḅᵨᢣᓭ,Ḅ=>、ᵨÓ²50Ô1€£?.,JMY %᪵Ḅ,ᡠÍ»ÍLὃSoftICEḄᨵᐵôᧇ。Trw2000»)ᢝplug-ins,�»�0ᓃᓃᦻ�,1^2000Jᨵ%¿00^�ä,>⌕©◤⌕3�Ḅ00^ᦻ�ᑴÖLþ»Í S3kN*ᐹḄᵨ33ÿ。◀ÿ²30«ᑍ^ß�ḄᙢÞ,Trw2000?ᨵ-ÐtḄ¥¦,ᐹ~»Í᯿ᐸ1^1^«^£ᦻ�。..:'::?、:3AOllyDbg1.10®^>0c058 %¿32ðÌ�ÉḄ^÷Ḅᑖ᪆Nᘤ。ᙠᡃñW»�ᑮÛÔ¯Ḅª«J,ᡈὅᵨᐸ�Ḅ�Yᘤ¦ᡃñ⍗ᑮÿ⚪Ḅ¦-ᨵᵨḄ。•,■-••«•OUyDbg»*QᙠWindows95,Wndows98,WindowsMe,WindowsNTᡈὅWindows2000,XP。»½V+�ᝂPÉ�Ḅ¤ᘤY:◤⌕%¿«ª300MHzḄᜐᳮᘤ。0d�ᓅ8ᑁ×Ḅ⌕¨Bᜧ,7ᵨ8(óᱯឋ,Q�ÏØ512!6ᡈ-Ðᑁ×。0c0S§1.10᱐ḄUC᱐M ¿ᒹ,>◤⌕Éᑮ%¿�äJ,½VOUyDbg.exeþ»Íÿ。,.1.OUyDbgKᔜ¿nÛḄ¥¦OUyDbgḄᔜ¿NnÛÞ]÷。J☢ᑖ�%Jᔜ¿nÛḄN�ᵨ¥¦,�3-26ᡠD。011yDhc-[CP0]墙sJc¾bt^i^2g%MNlMu-JJXi^UC^HEl^lpE-赴m『.n.^迚u^TJc^5J^^HrJiWJHi/IK_^^-—«——一:*_^^_*%ᢕ~*L_rv^..-.■•■*..._n:*,-_-^_JTT^,__<^.__v_-^?_‘¡,¢一^(FPU)ÆÌ�nÛÖ×ᘤnÛ■^V________________�ÒnÛ|ᦪ�nÛ1ᚮUn4��:=>nÛ|o:iy&t<�3~26OUyDbg^P(1)ÆÌ�nÛ:DNDEḄÆÌ�Ôṹ,᪗⚪YḄᙢᙬ、HEXᦪ�²ÆÌ�ø{。»Í¶·ᙠnÛKrs⌱Áᓫ“☢⌱⚗”%◚i᪗⚪(ᡈD᪗⚪)ᩭÖV ᔲD。ᓫsø{᪗Ú»Íᑗᣚø{DḄÞ。(2)Ö×ᘤnÛ:D�#ᡠ⌱D0?0Ö×ᘤḄᑁ.。�᪵ᓫs“Ö×ᘤ”(FPU)᪗Ú»ÍᑗᣚDÖ×ᘤḄÞ。-(3)�ÒnÛ:DᙠÆÌ�nÛK⌱KḄ=>ᦪÎ%(ßᐵḄoÚ�᪗ᙢᙬ、QÏ。(4)ᦪ�nÛ:Dᑁ×ᡈᦻ�Ḅᑁ.。r"ᓫ»ᵨ+ᑗᣚDÞ。 34��⌮ᔣᑖ᪆�ᵨᢈ�(5)ᚮ᪘nÛ:D�#DḄᚮ᪘。(6)=>nÛ:ᙠ�#nÛQᐭNDE^1Ô²=>。2.ïᵨ*ᐹOlIyDbgï"*ᐹ�3-27ᡠD。011yICE-[CPUJfitbu<£lutimOpiionsSindowUtlp{EBQiaaniK3BiafflPK3gBOooEEa^Baooo^oRegisters(FPtt>�ᑮE.FGMtoMJKMMMHtMH,©§-Appearanceb᪾,ᓫsᐸKḄDirectories�ä᪗Ú。S:ᡃñòOUyDbgÉᙠE:OUyDbg�äJ,ᡠÍß&ḄUDDPathÎ{��äþᙠEAOUyDbg�äJES51UndojCW☢。7-ᦋÿ{�Ou,þ⌕/t�l—W^—^WWflk^*rt^M^--^i�3>28Ou�ÕOUyDbg,ᙠ�b᪾Yᓫs0«:ᢥ/t�0%06§K,ᑮ ☢⌱⚗KÏ%J,UÜᐜ³ÕðḄOu��×ÿ。ᜧh»¦q⍝{�ḄQᵨ,UDDOuWÌÍ。ᙠ¾ᓫÉ{%J:UDDOuḄQᵨ �×ᡃñN·D�KḄ³Õ。S:ᡃñᙠN%¿��¦,³ÕÿÔ²,X3ÿø{,�OᨵZÓ,�¦ḄOllyDbg§òᡃñᡠZḄ*Q�×ᑮ¾¿UDDOuJ,Í&+ᡃñJN���¦»Í�ZÍ#Ḅ*Q。ᡃñ7W³Õ¾¿UDD�ä,OllyDbgÊḄ ᙠᐸT�äJ�×¾(K[+ÁuddḄᦻ�,¦4<ÿþ§�-,ᡠÍᡃñ?·�é³Õ%¿�äᩭ�×¾(ᦻ�。¾¿ᙢÞ¶·ᓫsBrcwseᢥ³ÕÁ“Z”ḄOu。(2)ï³Õ。üᵨ%W◤-ᦋ¾Ḅ⌱⚗,OUyDbgÊï�Õð,»Í]Zᵨ。·�ᙠOllyDbgïpcB7Ḅª«JᩭÖV�Õ。�3~29ᡠDḄï᪗ÚKḄ⌱⚗pï§ᙠῃKᵨᑮ,·�ᜧhᨵ%NJẠ}6ῃ¦�Õ。..(3)X3ᑮôÛAᳮᘤ。OUyDbg»ÍQÁ�¦(just-in-time)Nᘤ。¾◤⌕ᙠÈḄø⊤KÖVø。ᙠᓫK⌱Á0?V0�%>^^-111-110^debugging=>Oᙠ-Ḅb᪾KᓫsMakeOUyDbgjust-in-timedebuggerᢥ。�K,78¿&ᵨDEU¹ÿ¹ÓPQ,È©nD]ᔲᵨ0c058N¾¿DE。PQȧ�(》^1«O]ZÌᙠU¹ïḄᙢÞ。7⌱Áÿ“ᢞZ¦W^”(&«^´^#�0ᦑ001^01^0^),ᑣᙠ�¦N¦OUyDbgW§-^b᪾。7µឮᡂÍ#Ḅ�¦Nᘤ(Restoreoldjust-in-timedebuger),ᓫsß&Ḅᢥᓽ»,�>30ᡠD。$%ÑÞÓ òCWyDbgX3ᑮù»Vᦻ�ᐵὶḄ+ᣩᓫK,ᙠöᓫK,⌱Á0?1}0�%³3(^0£î`0ᔊ[=>。ÍKᡃñ»ÍᙠᡠᨵḄᦻ�ᑡ⊤K,ᵨ¿᪗r"ᓫs»Vᦻ�ᡈ01ᓃ,ᙠ+ᣩᓫK⌱Á€«^0^^。¾¿¥¦§¶·4¿ø⊤"@:- 36��⌮ᔣᑖ᪆�ᵨᢈ��3-29ï³Õckwt*n32faconfirnHKEY_CLASSES_ROOTexefi1eshe11Openwith011yDbgHKEY_CLASSES_ROOTexefi1eshe11Openwith011yDbgcotnmandHKEYCLASSESROOTdllfileshellOpenwith011yDbg:LASHKEYCLASSESROOTdllfileshellOpenwith01lyDbgcommand:LAS4.½VOUyDbg(1)½V0c0&ᾠ�ᐭNDE。ᨬᓫḄÞÓ :½VOUyDbg,⌱ÁᓫYḄFik S3kN*ᐹḄᵨ37—0?ᓺ=>,⌱Á◤⌕NḄDE。7DE◤⌕=>Vᦪ,»Íᙠb᪾vnḄ=>QᐭK,Qᐭᦪᡈὅ⌱ÁÍ#N¦Qᐭ·Ḅ%ᩩᦪ。(2)Nᓹᓃᓃ。OllyDbg¦¢N¾ÛḄ00^(stand-aloneDLLs)ᦻ�。ᙠbѪ«J,OUyDbg§¶·O½V%¿Ḅ&ᵨDEᩭ3�xZpO᪷�ᡃñḄ◤⌕ᵨQ-ᦪ。(3)7µ/t�Y%NḄDE,>⌕ᢥCtrl+F2Ùᔠ"(¾ /�DEḄ+ᣩ"),¾᪵OUyDbg§Í�᪵Ḅᦪ½V¾¿DE。$%ÑZÓ ᙠᓫK⌱Á?1^=>,¡ᔊôᑡ⊤K⌱ÁDE。�»ÍᙠWindowsôÛAᳮᘤK©»Vᦻ�ᡈDLLᦻ�jcᑮOUyDbgK。�ᯠ,»ÍᙠOllyDbg�¦,½Vᢣ�ᨵ½VᦪḄNDE。S:ᡃñᙠ%☢¶·%¿OUyDbgḄ+ᣩÞ,rsO⌱Á“bឋ”=>,ᙠ“+ᣩÞ”KḄ“�᪗”KX3NDEḄᐰOu。¾᪵,_ýs+ᣩÞ¦,OUyDbg©½VNDE(øý:0^ᦻ�W)ᢝ¾ÑÞ)。�»ÍòÃᙠ½VḄÖD▬3ᑮOHyDbgK。ᙠᓫK⌱Á>^—M�³=>,¡ÖDᑡ⊤K⌱Á⌕▬3ḄÖD。øý:ᙠᐵòOUyDbgḄ�¦,¾¿ÖD�§ᐵò。øý:W⌕▬3ÈÖD,ᔲᑣ»¦§Ùd¿PQÈḄef。(��YᙠᜧÐᦪª«J,PQÈἭ▬3ghÖDḄ。)(4)D。OllyDbg)ᢝNÐD&ᵨDE。»Í¡%¿Dᑗᣚᑮ$%¿,ᢞ9,ឮ²KDᡈὅᦋ5ñḄ�ᐜÉ。DnÛD_%¿DḄ┯S�Ò(¶·ᵨ06j081£1^:ᩭ¨©)ᑖ᪆。(5)ᑖ᪆ᘤ(Andysis)。ᑖ᪆ᘤ0c0S8/⌕Ḅ%nᑖ,ᑖ᪆ᘤᨵ-ªḄ�Uឋ。¦[ᑖÔṹ²ᦪ�,᪗ÑᐭÛ²oÚ�Ḅᙢᙬ,r�Úᣚ⊤(switchtables),ASOI²UNICODE,ð�ᦪ·D,=�,¢▤Úᣚ(high-levelswitches)O*¦Éṹ᪗ûAPIᦪḄᦪ。OllyDbgḄᐸ�nᑖ�Njᙢᵨÿᑖ᪆KḄᦪ�。(6)01^ÍkÄᘤ(Objectscanner)。kÄᘤ©ᱯḄ�᪗ᦻ�ᡈὅ�᪗p(ᒹ0�^²〔0ẖÑ),ns-ÔṹÜ,ᯠK©¾(Üðᙠ�#�ᙽḄÔṹ⁚(Codesection)K。7Üððÿ,kÄᘤ©¡�᪗ᦻ�KḄN�Òns+À(�þ ᡠÄḄp᪗Ú(Ubrarylabels))。¾ᜧᙢÛ3ÿÔṹùᦪ�Ḅ»jឋ。kÄᘤOW§ïr�Ḅ�᪗ᦻ�ÖV᪗Úᓛ�,ᡠÍW¦r�¹ïḄᡈß�Ḅᦪ(c:¿ᦪ> ᙠ/ðᨵ[�)。��⌕pïmnkÄᘤU〈ᑮnänÛḄozᑡ⊤。(7)nvlPLIBkÄᘤ。%(DLLS>ᢥ᯿EᦪQ-ñḄsymbols(T)(c:MFC42.#1003),¾¹ïW&+ᳮÉ,¾+ᡃñḄpqᩭU®<ýñḄ。»rḄ ��stᖪn¬ÿQᐭxZp(implibs),ùETT+ßᐵ。_⍗ᑮETT,&ḄxZpïpøᑮOUyDbgK,¾¿ETT§OUyDbg³Y©ÁsymboUc+À。(8)UMCODE。juᡠᨵASCn»ᵨḄPQ+UMCODE�Óᐰ)ᢝ»ᵨḄ。(9)+À。OUyDbgDᡠᨵQᐭ²Q-Ḅsymbols(T),ᢥ᯿3(^10^ò+À¡N�ÒKns-ᩭ。kÄᘤᐕ$r�pᦪ。ᡃñ»ÍÛX3Ḅ+Q²ø{。78(01^KḄᦪ ¶·EᦪQ-Ḅ,ᡃñ»Í▬3%¿QᐭpᑮOUyDbgK,ÍឮÜ6+À。OllyDbg�»Ír�$ÐïᦪḄsymboUC+À,ênÛÑÒ,┯SÔṹᡈðÜ,ᯠKᙠWvKòñÉṹÁïqḄᦪ。 38��⌮ᔣᑖ᪆�ᵨᢈ�(10)ïq�ᦪ。0c068¦¶·+Àr�-ᜧw2100¿0:;<²¥^(^8^1⚣yᵨḄᦪ,O¦ÉṹñḄᦪ。ᡃñ»ÍX3ḄÄ,ᡈὅᑖ�⚜ᐜñḄYṹ。»Íᙠïq�ᦪY³Õ1<^^ᓄ0^(ÑäÔ²)OòᦪÑäᑮzÑK。(11)᪘。᪘_¿DEᙠÈK½V¦ᓰᨵḄ%ᙽZḄ)*Ḅᑁ×34,ᙠᦪV¦,᪘KḄᑁש�ᦪᡠᵨ。%Çᦪ½VÓ{,¾(34þ§{}。(12)ôÛ。7^(^^8M?1ᦪᵨÿὃôÛ,011705§»Í{}OD,ᐸ���Ḅ>▲ᑴᙠᑡ-▬bôÛ,Ú©²ÖᑴḄ�¯。(13)V。ᡃñ»Í%kkᙢVDE,ᡈὅÖᐭèDE,ᡈὅÛ|V。»Í½V}E]ᑮ¨©ᡈὅ½VᑮᢣḄᙢÞ,ᡈὅZV。�DE½V¦,ᡃñ5ᯠ◤⌕ᐸᐹᨵÓᐰḄ¤ᑴ,ú*?»ÍnÏᑁ×,³ÕÔ²,~«ᙠ½V¦�¦Ôṹ。ú*,ᙠ�¦�¦ᨚ̲/�NḄDE。(14)11^r�。ᡠ1r�»ÍD-�#ïVḄᢣ>ᡈ�ᦪ·D,@(=>ᡈÖDVÿ,DEᡃñmmÔṹḄᡠᨵᑖ)。Hitᙠ_¿ᢣḄ=>Y³ÕÔ²,*ᙠ=>VÇKò¾¿Ô²Ì◀ᣵ。(15)½VQ�。Runtrace»ÍᓫkᙢVDE,ᙠ%¿-ᜧḄ=�[K�*½VDE。¾¿�*ᘤᒹóÿ◀85£ᢣ>ÍḄᡠᨵÖ×ᘤ、᪗Ñ、D┯S、ÑÒ²pᦪḄᦪ。ᡃñ»Í©?r��Ò�×ᑮ%¿ᦻ�K,¾᪵þ»Íc½VḄ�。Runr�»Í©2ᑖ᪆ïpV·ḄYOᩩ=>Ḅ�⁚,O��ᑖ᪆ᜧ=>VḄp·。(16)¢。¢(ProfUer)»Íᙠr�¦¢£8ᩩᢣ>ᑡ-Ḅᦪ。ᵨ¢ᡃñþ¦q⍝ÿ@(Ôṹ⚣yᙢV*ÑὑÿᨬÐḄᜐᳮ¦4。(17)⊡¯。ᑁ·ḄÌ�ᘤ⌱Áᨬ;»¦ḄÔṹ。Öᑴ�¯ᘤ�¦ÍASCn,■030£²ᓝ³ÖᑴḄ�kDᦪ�。îᨵḄᑴÆÄ¥¦5ᯠ »ᵨḄ。Üᦪ�NᜓP,Í&ᦪ�ឮ¦�ᵨ。OUyDbg?§ÑäÍ#ᙠN·DKᵨ·Ḅᡠᨵ⊡¯,»Í¶·3"�⊡¯Ḅ ᡈὅἭ。(18)Éᦻ�。�NÉᦻ�Ḅ¦,¹ï◤⌕o·Énᑖ,ᯠKÌᙠDEḄÜ6ᐭÛ²。0»^^^Óᡂ8?^(É)Q�,©Nð^�ḄᐭÛ。51^Q�ïï+3ÿ��ḄÉDE ¿¦Á]Ḅ。ú%ÇUᐭÛ(ᡈὅᢣ)K,OUyDbg»Í-+²»☠ᙢo·ÉDE,Oû~ᙢᑮᐭÛ²。(19){�。ᡃñ»Í�ᑏḄ{�,ÍÛ3tḄ¥¦。0^^^&8Ḅ{�¦¢�juᡠᨵ/⌕Ḅᦪ�Ḅ°᪀,ᙠ0^^068ḄnÛK»ÍX3ᓫ²+ᣩ",»Íᵨ100п{�Ḅ^1ᦪ,{�Ḅ^1ᦪᨵ��ḄUV²ᦻ。ÊTᒹóÿ¿{�:=>V{�²�Ú{�。(20)UDDo0^7058שᡠᨵDEᡈ�ᙽḄßᐵ�Òᑮᓫ¿ᦻ�,Oᙠ�ᙽ�Ḅ¦jᐭ。¾(�Òᒹ᪗Ú,ø{,Ô²,��,ᑖ᪆ᦪ�²ᩩ�Ï。(21)ᑴ。ᡃñ»ÍᑴrḄQ~²¥⁐ÏÞᫀ。(22)��²nÏ*ᐹ。_¿��� %¿⊤O¦�¦D⊤Ḅ@。ᡃñ»ÍᵨÖ×ᘤ、ïᦪ、ᙢᙬ⊤、C�@ÍÎ�ᩖÔᦪ½£,?»ÍcBASCU²UMCODEQ。��ᘤ(inspectors) %Ñᒹóÿ¿åæEᑡḄ��(Watches), Í,⊤ S>3kN*ᐹḄᵨ39ḄᕈḄ,»ÍᦪÙ²°᪀ÖVÉṹᑖ᪆。(23)0«^%ḄÔ²。Ô²:0%068)ᢝᡠᨵÑ�Ḅï�Ô²、ᓫÔ²,ᩩ�Ô²,KÔU¹¦òÔ²�ÒᑏᑮzÑᦻ�(S,ᦪḄᦪ)。ᑏᡈ�Ḅᑁ×Ô²,�Ô²。ᙠ1^(10^(=KQ�)Ḅ'SèJ,_KԻͳÕᙠ�ᙽḄ_¿=>J。7ᡃñᙠ500MHzᜐᳮᘤḄWindowsNT�K,OUyDbg»Í_»Íᜐᳮ5000¿ÍYḄKÔ。5.³ÕÔ²�ᙠ0ᔩ^^^K³ÕðÔ²,+⌮ᔣᑖ᪆Ḅᡂ¥¹ï/⌕,J☢É{%(ïᵨḄÔ²Ḅ¥¦。(1)%Ô²(Ordinarybreakpoint)。OUyDbg©ᡃñ◤⌕KÔḄ=>ḄS%¿Q⁚,ᵨ%¿ᱯG=>s13(Nᘤ◍▟)ᩭÔ。ᡃñ»ÍᙠÆÌ�nÛK⌱K⌕³Ô²Ḅᢣ>VOᢥJF2"þ»Í³%¿���ḄÔ²,�»Íᙠ+ᣩᓫK³Õ。ᢥJF2"¦,Ô²©ᑤ◀。øý,DE©ᙠ³Ôᢣ>VÇ#KÔJᩭ。‘D^T3Ô²³Õᦪ ᨵ▲ᑴḄ。�ᡃñᐵòNᑖ᪆ḄDEᡈὅNᘤḄ¦,0^70ᓃ8©ò¾(Ô²�×ᑮ000K,W⌕ᙠᦪ�Üᡈὅᢣ>ḄK4³Õ¾ÑÔ²,7ᙠÔṹÜͳÕÔ²,0%058©§z。ᡃñ»ÍᙠTᐰ⌱⚗(Securityoptions)KÕᐵò¾¿nD,ᙠ8(ª«JNᘤ§{ᐭ�Ḅ¦^3Ô²。(2)ᩩ�Ô²(Conditiondbreakpoint)。ᩩ�Ô² %¿�ᨵᩩ�⊤Ḅ¶^^ñÔ²,�Nᘤ⍗ᑮ¾�Ô²¦,©¢£⊤Ḅ@,7°7¹sᡈὅ⊤¿ᦔ,©ᨚÌNDE。�ᯠ,ᵫᩩ�ÁᎷḄÔ²æ9Ḅ}├ ¹ïªḄ(ö⌕Ü�PQÈḄÆ&¦4)。ᙠ>^1^0>¥8>0ᝂP11/450ᜐᳮᘤ�J0c0&§_ᨬлÍᜐᳮ2500¿ᩩ�ÁᎷḄÔ²。ᩩ�Ô²Ḅ%¿ᐺ��ᵨª«þ ᙠWindowsÑÒY³ÕÔ²(WM_PA^T)oÁ�,»Í©5MSG�〉�ḄᦪUVὶᔠᵨ。7nÛ ,ὃ%JK☢ḄÑÒÔ²Ä。(3)ᩩ�ÑäÔ²(ConditionaMoggingbreakpoint)。 %Ñᩩ�Ô²,011)^^_�⍗ᑮ��Ô²ᡈὅ1ᩩ�¦,©Ñäïq�ᦪ⊤ᡈᦪḄ@。S:ᡃñ»Íᙠ%(nÛ·DᦪY³Õᩩ�ÑäÔ²,Oᑡ-�ᦪḄᡠᨵᵨ,ᡈὅ>ZᦈᑮḄ_0»4^^0ÑÒ᪗r³Ô,ᡈὅ¶·ᦻ�Ḅᦪ(CreateFUe)³Ô,O*ÑäÍ>jÞᡭ5Ḅᦻ�+Ï。ᩩ�ÑäÔ²²ᩩ�Ô²»ß�,O*¡ÑänÛKØÙYOᩩÑÒ⌕cᢥYOo"UV�Ð。ᡃñ»ÍÁ⊤⌱Á%¿⚜ᐜñðḄÉ{UV,³Õ¶·Ḅᦪ,_ᔠᨚÌᩩ�¦,¢ᦪᘤþ§1。7¶·¢ᦪᙠ1#,WÏ+s,01^0S8þ§�ZV。7%¿=�V100(ᓝÖᑴ),ᙠ=�~ᑁ³Õ%¿Ô²,O³Õ¶·ᦪÁ99(ᓝÖᑴ),0«^^^©§ᙠᨬK%V=�~¦ᨚÌ。$,ᩩ�ÑäÔ²ᐕ$⌴%¿ᡈп=>¥{�。S:◤⌕ᵨ=>V{�ᦋ5%¿Ö×ᘤḄᑁ.,ᯠK�ZVDE。(4)ÑÒÔ²(Messagebreakpoint)。²ᩩ�ÑäÔ²JMß�,◀ÿ(》^^§º¹%¿ᩩ�,¾¿ᩩ�ᐕ$ᙠnÛ·DḄᐭÛᜐ³Õ8(ÑÒ(c」>50^)Ô²,ᡃñ»ÍᙠnÛK³Õ。、(5)r�Ô²(Tracebreakpoint)。 ᙠ_¿⌱K=>Y³ÕḄ%ÑᱯGḄ0^3Ô²。 40��⌮ᔣᑖ᪆�ᵨᢈ�7³Õÿ《^r�(hittrace),Ô²§ᙠ=>VK{◀,Oᙠ�ᙢᙬᜐZ%¿᪗Ñ。7ᵨḄ ?r�(nmtrace),0117068§X3r�ᦪ�ÑäO*Ô²5ᯠ�ᢝ Ê。(6)ᑁ×Ô²(Memorybreakpoint)。011)^5§_%¦|>ᐕ$ᨵ%¿ᑁ×Ô²。ᡃñ»ÍᙠÆÌ�nÛ、0?ÛnÛ²ᦪ�nÛK⌱Á%nᑖᑁ×,ᯠKᵨ+ᣩᓫ³Õᑁ×Ô²。7ᨵÍ#Ḅᑁ×Ô²,©ᑤ◀。ᡃñᨵ¿⌱Á:ᙠᑁ×�(j,ᑏ,V)¦KÔ,ᡈᙠᑁ×ᑏᐭ¦KÔ。³Õ��Ô²¦,0«^058©§ᦋ5ᡠ⌱nᑖḄᑁ×ᙽḄbឋ。ᙠ80X86?.ḄᜐᳮᘤY©§ᨵ4096Q⁚Ḅᑁ×ᑖ�O��9ᩭ。ᓽ�±⌱Áÿ%¿Q⁚,OllyDbg�§©¿ᑁ×ᙽ���9ᩭ。¾©§æ9ᜧḄ┯Soz,giᵨ��Ô²。8(Èᦪ(ᱯ� ᙠ>^“0^895/98J)ᙠ�ô��ḄᑁצWW§º¹N��,Æú§⌼ᡂNDEḄef。�,ᑁ×Ô²ᙠ01ᓃ068/t½VK§Ñᜫ。(7)�Ô²(Hardwarebreakpoint)。ᙠ80᱄86?.ḄᜐᳮᘤY,ᐕ$³Õ4¿�Ô²。²ᑁ×Ô²W�Ḅ :�Ô²OW§åV»,ᨬÐ>¦⌚4¿Q⁚。ᙠᓫkVᡈὅr�Ôṹ¦,OUyDbg¦¢ᵨ�Ô²ÔINT3Ô²。�Ô²01©68ᡠᱯᨵḄÔ²,W§�Á/t½Vú├,>⌕ᡃñWᑤ◀¾¿�Ô²,r�¾¿DE¦þᨵᦔ。�Ô²᪷�ᐵ"᪗Ñ©⌮ᑮᐵ"ÔṹḄÞÓ。³ÕKÔḄÞÓùᑁ×Ô²ḄÞÓJMß�,ᨵ3¿Þ:��、�ᑏᐭ²�V。�᪵ᐹᨵᑁ×Ô²Ḅᱯឋ,ᡠÍᵨᑁ×Ô²ḄᙢÞ�»Íᵨ�Ô²。ᙠᦪ�nÛK⌱Áᑮ᪗Ñ×}Ḅᑁ×ᙢᙬᜐ,ᯠK⌱Á᪗Ñ@。³Õ“�ᑏᐭ”KÔ(᪷�᪗ÑḄQ⁚³ÕW�Ḅ<»)。/t½VDEᡃñUOllyDbgWÔᙢKÔᙠ¾¿᪗ÑḄᑁ×ᙢᙬᜐ。ᙠ¥¦ᓫḄ“N”⌱⚗J⌱Á“�Ô²”þᡭ}ÿ�Ô²ḄnÛ,ᙠ¾¿nÛK⌱Á“r�”,¾¦Ú×nÛþ§ᩭᑮ³ÕKÔḄᑁ×ᙢᙬᜐ。½VDEr�ᑁ×ᙢᙬKḄ@þ§q⍝+᪗ÑḄÔṹ,r�ᑮ¢£Ḅ᪶i。“��”Ḅᵨ»Íq⍝DEᙠ½V¦ÐªᙢÞᵨᑮÿ¾¿᪗Ñ。(8)ᑁ×�%ឋÔ²(Single-shotbreakonmemoryaccess)。ᡃñ»Í¶·ᑁ×nÛḄ+ᣩᓫ(ᡈᢥÀ"),¿ᑁ×ᙽ³Õ��Ô²。�◤⌕ᣓᣍᵨᡈ¨©ᑮ8¿�ᙽ¦,��Ô²þ�ᱯ�ᨵᵨ。KÔU¹ÍK,Ô²©ᑤ◀。(9)ᨚÌ?r�(Runtracepause)oᙠ_%kRunr�¦�⌕mnḄ%¿ᩩ�,»ÍᙠED>Öᐭ8¿Bᡈ-8¿B¦ᨚÌ,8¿ᩩ�Á^¦ᨚÌ,ᡈὅ=>ùᢣḄ�ᓛ�¦ᨚÌ,ᡈὅ�=>»ᶧḄ¦ᨚÌ。.øý:�⌱�wᜧᙢRSTUVḄWX(YZ20%)。OllyDbg�»Íᙠ%(N��“debuggingevents”YᨚÌDEV,c3�ᡈᔂ�DLL,�ᡈ�D,ᡈὅDEU-NQḄ¦。(10)^1Ô²。0c06�^1Ô²┐_%¿M?1ᦪḄ,ᐹᨵV~Ḅ�Ḅ。%ÑÞÓ ᙠÆÌ�nÛKrs,-¥¦ᓫ。ᙠ“µå”⌱⚗Jᨵ“�#�ᙽḄ+À”²“ᐰn�ᙽḄ+À”⚗,⌱ÁᐸKḄ%⚗þᡭ}ÿDEᵨ^1ḄnÛ。ᙠ¾¿nÛK⌱Áᡃñ◤⌕r�ḄAPIᦪ+,ýs¾¿ᦪþ¦ᑮDEḄᵨᙢᙬ,ᯠKᵨF2"³ÕKÔ。�»ÍᙠM?1nÛK⌱Á◤⌕r�Ḅᦪrs-¥¦ᓫ,⌱Á“ᙠ_¿ὃ³ÕÔ²”,�᪵»Í³ÕÔ²。 S3kN*ᐹḄᵨ41$%ÑÞÓ ᙠ=>VnÛKQᐭBPX3APIᦪ+、ᡈὅBP3APIᦪ+ᯠK©ö。¾¦-ÿᡠᨵᵨ¾¿ᦪḄᙢᙬḄnÛ,ᙠ¾¿nÛK»ÍÏᑮᵨ¾¿M?1ᦪḄᙢᙬïᦋ5ÿ¥⁐。UV³ÕðÿÔ²。BPX%KÔᙠDEᵨAPIḄᙢᙬᜐ,BP§KÔᙠAPIḄᑏᐭᙢᙬᜐ。ὅᨵᡠW�,᪷�◤⌕⌱Á。6.OllyDbg+ᣩ"�CPUnÛKḄÆÌ�☢Å(Ertsassemblerpane)ᜐ+ ʦ,»ÍᵨÍJ+ᣩ"。(1)©ö":©⌱KḄ=>X3ᑮ=>ᔊô(commandhistory)K,7�#=> %¿oÚ、ᦪᡈὅ Úᣚ⊤Ḅ%¿nᑖ,ᑣÖᐭᑮ�Ḅᙢᙬ。(2)⌨":{◀⌱KnᑖḄᑖ᪆�Ò。7ᑖ᪆ᘤ©ÔṹSr�Áᦪ�,¾¿+ᣩ"þ¹ïᨵᵨ。gὃÉṹnD(decodinghints)。(3)AU+⌨":├ᡠ⌱nᑖḄᦋ,ÍᜓXᦪ�Ḅß&ᑁ.ᣚᡠ⌱nᑖ。±ᙠᜓXᦪ�×ᙠ*ùᡠ⌱nᑖW�¦»ᵨ。(4)Ctrl+Fl:7M?1DEᦻ�ïp⌱Á,©ᡭ}ù✌¿⌱ÁVᑁḄT+ßᐵὶḄDEö⚪。(5)F2:ᙠ✌¿⌱ÁḄ=>Y}ᐵs73Ô²,�»Íýs�VSᑡ。(6)Shift+F2:ᙠ✌¿⌱Á=>Y³Õᩩ�Ô²,"£ᶍKemel32Kᑁ×�ï(IgnorememoryaccessviolationsinKemel32)o(7)F4:Vᑮᡠ⌱V,ᙠ✌¿⌱ÁḄ=>Y³Õ%ឋÔ²,ᯠKᢥF4"�ZVNDE,]ᑮOllyDbgᣓVᑮïᡈὅÌᙠ�Ô²Y。ᙠDEVᑮ�=>Ç#,�%ឋÔ²%]ᨵᦔ。ᨵ�⌕,»ᙠÔ²nÛ(Breakpointswindow)Kᑤ◀。(8)Shift+F4:³ÕÑäÔ²(%Ñᩩ�Ô²,�ᩩ�1¦%(⊤Ḅ@§ÑäJᩭ),�ª"ᩩ�ÑäÔ²。(9)Ctrl+F5:ᡭ}ù✌¿⌱ÁḄ=>ß&ḄÛᦻ�。(10)Alt+F7:ÚᑮY%¿ᑮḄὃ。(11)Alt+F8:ÚᑮJ%¿ᑮὃ。(12)Ctrl+A:ᑖ᪆�#�ᙽḄÔṹÜ。(13)Ctrl+B:}6Öᑴµå。(14)Ctrl+C:ᑴᡠ⌱ᑁ.ᑮÃÄÅ。ᑴ¦§ᓫᙢᢥᑡ4 ÔW»"ᑁ.,7¡¢◀W◤⌕Ḅᑡ,»ò¾(ᑡḄ4»ᑮᨬ。(15)Ctrl+E:ÍÖᑴ(ᓝ³Öᑴ)�¯ᡠ⌱ᑁ.。(16)Ctrl+F:}6=>µå。(17)Ctrl+G:Úᑮ8ᙢᙬ,�=>©-Qᐭᙢᙬᡈ⊤ḄnÛ,�=>W§ᦋEH>。(18)CtrI+J:ᑡ-ᡠᨵḄKÎᑮ�ðÕḄᵨ²oÚ,ᙠᵨ¾¿¥¦Ç#,�ᵨᑖ᪆Ôṹ¥¦。(19)Ctrl+K:nÏù�#�ᦪßᐵḄᵨ(CaUtree)。ᙠᵨ¾¿¥¦Ç#,�ᵨᑖ᪆Ôṹ¥¦。 42��⌮ᔣᑖ᪆�ᵨᢈ�(20)-+^µåJ%¿,/Y%Ḅµåᑁ.。(21)Ctrl+N:ᡭ}�#�ᙽḄ+À(᪗Ú)ᑡ⊤。(22)Ctrl+O:kÄ0P6^ᦻ�。�=>§DkÄ0P6^ᦻ�b᪾,»Íᙠ�b᪾K⌱Á0P6^ᦻ�ᡈὅ¤)ᦻ�,Okľ¿ᦻ�,N�ᑮᙠ�▭ÔṹÜKᵨᑮḄ�᪗�ᙽ。(23)Ctrl+R:µåᡠ⌱=>Ḅὃ。�=>kÄ �ᙽḄᐰn»VÔṹ,»ÍᑮKÎ✌¿⌱KḄ=>²ᐰnßᐵὃ(ᒹ:ï、oÚÎᵨ),»ÍᙠὃKᵨ+ᣩ"Alt+F7²M11+?8ᩭØÙ¾(ὃ。Á&+�ᵨ,ὃḄ=>�ᒹóᙠ�ᑡ⊤K。(24)Ctrl+S:=>µå。�=>D“n=>”(Findcommand)b᪾¬ᡃñQᐭÌ�=>,O¡�#=>}6µå。(25)¥T(*):ÚᑮÜ6ðÕ( DḄ£⌮ᜐ)。(26)Ctrl+¥T:ᢣtḄ96ðÕ,³Õ�#ᡠ⌱DḄ£«>Á✌¿⌱ÁQ⁚Ḅᙢᙬ。ᢥJ011+¥T(*)»Í├�PQ。(27)3T(+):7?r�ᨵ ,ᑣ᪷�=>ᔊô(commandhistory)oᑮJ%ᩩ½V·=>ḄᙢÞ,ᔲᑣoᑮRunr�ḄJ%¿Ñä。(28)Ctrl+3T:oᑮ#%¿ᦪ}6ᜐ。(øý:>oᑮ,OWV。)(29)T(-):7Runr�ᨵ ,ᑣ᪷�=>ᔊô(commandhistory)oᑮ#%ᩩ½V·=>ḄᙢÞ,ᔲᑣoᑮ?r�Ḅ#%¿Ñä。(30)Ctrl+T:oᑮJ%¿ᦪ}6ᜐ。(øý:>oᑮ,OWV。)(31)3:ᦋ=>。»ÍᙠDb᪾KÍÌ�;<ᦋ�▭ᢣ>ᡈQᐭtᢣ>,¾(ᢣ>©ᣚ�▭Ôṹ,�»Íᙠµ⌕ᦋḄᢣ>ᜐýs¿᪗。(32)ᑈR:X3᪗Ú。D“X3᪗Ú”(Addlabel)nÛᡈ“ᦋ᪗Ú”(Changelabel)nÛ,»ᙠ�Qᐭù✌¿⌱ÁḄ=>KḄS%¿Q⁚ßᐵὶḄ᪗Ú(T+)。(øý:ᙠÐÑ�D;ḄS%¿Q⁚ßᐵὶḄø{(ø{§DᙠᨬK%ᑡK)。(øý:ÐÑÌ�;<�ᵨᑖTQÁø{}6,�»Íᙠø{ᑡýs◤⌕ø{Ḅ=>V。)7.¶ᵨ+ᣩ"�#ḄOUyDbg¿X ᙠ®,7�#=> %¿ᦪ(CALL),ᑣ§Ìᙠ¾¿ᦪ~ḄS%ᩩ=>Y。7�#=>óᨵ¬?#[,ᑣ>V%/PQ。(ᓽ :ᓫkr�ÖᐭèDE^^)(6)Shift+F7:ù^ß�,7NDEU¹ïúK,Nᘤ§✌ᐜNkᐭNDEᢣḄïᜐᳮ。(7)Ctrl+F7:kᐭ,ᙠᡠᨵḄᦪᵨK%ᩩ%ᩩᙢV=>(þêᢥÂF7"%᪵,>-+%()。�Vᐸ�%(ᓫk=>,ᡈὅDEᑮÔ²,ᡈὅU¹ï¦,kᐭ·D�§Ì。_ᓫkkᐭ,OllyDbg�§-tᡠᨵḄnÛ。ᡠÍÁÿnªkᐭḄ»,&ᐵòW�⌕ḄnÛ,+�ᶇḄnÛᨬð@�。ᢥÂᡷ",»ÍÌkᐭ。(8)F8:ᓫkk·ᑮJ%ᩩ=>。7�#=> %¿ᦪ,ᑣ%VÓ¾¿ᦪ(◀¹¾¿ᦪᑁnᒹóÔ²,ᡈU¹ÿï)。7�#=>óᨵê?#[,ᑣ§VÓ/PQ,OÌᙠJ%ᩩ=>Y。(ᓽ :ᓫkr�WÖᐭèDE€®1。)(9)Shift+F8:ù?8ß�,7NDEU¹ïúK,Nᘤ§✌ᐜNk·NDEᢣḄïᜐᳮ。(10)Ctrl+F8:k·,%ᩩ%ᩩᙢV=>,OWÖᐭ�ᦪᵨᑁn(þêᢥÂF8"%᪵,>-+%()。�Vᐸ�%(ᓫk=>,ᡈὅDEᑮÔ²,ᡈὅU¹ï¦,k··D�§Ì。_ᓫkk·,OllyDbg�§-tᡠᨵḄnÛ。ᡠÍÁÿnªk·Ḅ»,&ᐵòW�⌕ḄnÛ,+�ᶇḄnÛᨬð@�。ᢥ£%",»ÍÌk·。(11)F9:þDE�ZV½V。(12)Shift+F9:ùF9ß�,7NDEU¹ïúK,Nᘤ§✌ᐜNVNDEᢣḄïᜐᳮ。(13)Ctrl+F9:V]ᑮ¨©,r�DE]ᑮ⍗ᑮ¨©,ᙠ�94WÖᐭèᦪ�W-tCPUᦪ�。�ÁDE %ᩩ%ᩩ=>VḄ,ᡠÍ»»¦§᠒%(。ᢥ£ᡷ",»ÍÌr�。(14)Alt+F9:V]ᑮ¨©ᑮᵨᡝÔṹÜ,r�DE]ᑮᢣ>ᡠb+Ḅ�ᙽWᙠÈ�äK,ᙠ�94WÖᐭèᦪ�W-t0?1ᦪ�。�ÁDE %ᩩ%ᩩVḄ,ᡠÍ»»¦§᠒%(。ᢥ£8(:",»ÍÌr�。(15)Ctrl+Fll:?r�kᐭ,%ᩩ%ᩩV=>,Öᐭ_¿èᦪᵨ,OòÖ×ᘤḄ�Ò3ᐭᑮRunr�Ḅשᦪ�K。Runr�W§�k-tCPUnÛ。(16)F12:ÌDEV,�¦ᨚÌNDEḄᡠᨵD。gW⌕ÞឮD½V,ᨬðᵨ�ZV+ᣩ"ᡈᓫ⌱⚗(��ᢓ)。(17)Ctrl+F12:?r�k·,%ᩩ%ᩩV=>,WÖᐭèᦪᵨ,OòÖ× 44��⌮ᔣᑖ᪆�ᵨᢈ�ᘤḄ�Ò3ᐭᑮRunr�Ḅשᦪ�K。Runr�W§�k-tCPUnÛ。(18)Esc:7�#ᜐ+½Vᡈr�Ê,ᑣ̽Vᡈr�。70?ᓹDḄ r�ᦪ�,ᑣD^�ᦪ�。(19)Alt+B:DÔ²nÛ。ᙠ¾¿nÛK,»Í�¯、ᑤ◀ᡈrÖᑮÔ²ᜐ。(20)Alt+C:D0?1;nÛ。(21)Alt+E:D�ᙽᑡ⊤(listofmodules)。(22)Alt+K:D“ᵨ᪘”(CaUstack)nÛ。(23)Alt+L:DzÑnÛ。(24)Alt+M:Dᑁ×nÛ。(25)Alt+O:D“⌱⚗”b᪾。(26)Ctrl+P:D⊡¯nÛ。(27)Ctrl+T:ᡭ}“ᨚÌ?r�”b᪾。(28)Alt+X:ᐵòOllyDbg。ᜧÐᦪnÛ�)ᢝÍJḄ"f=>。(1)Alt+F3:ᐵò�#nÛ。(2)Ctrl+F4:ᐵò�#nÛ。(3)F5:ᨬᜧᓄ�#nÛᡈ©�#nÛᜧᦋÁÃïᓄ。(4)F6:ᑗᣚᑮJ%¿nÛ。(5)Shift+F6:ᑗᣚᑮ#%¿nÛ。(6)F10:ᡭ}ù�#nÛᡈ☢ÅßᐵḄ+ᣩᓫ。(7)ªÞᔣ":DnÛªÞ%¿Q⁚4»Ḅᑁ.。(8)Ctrl+ªÞᔣ":DnÛªÞ%Ḅᑁ.。(9)rÞᔣ":DnÛrÞ%¿Q⁚4»Ḅᑁ.。(10)Ctrl+rÞᔣ":DnÛrÞ%Ḅᑁ.。8.ᨵᐵDEᦻDEᦻ☢ᒹóḼÉ{²ᵨOUyDbgᡠ◤Ḅ/⌕�Ò。7òWindowsAPIDEᦻ�²OUyDbg▬3ᑮ%9,ᙠÈᵨḄ¦þ»ÍV�DE。nD:OllyDbg?ᨵ-ÐtḄ¥¦,ᐹ~᯿ᐸᜐ^^ᦻ�。 �4�^32[?1Ôeᳮ^ᐵ*ᦪ4.1WindowsÑÒ>¥^^0〜$ %¿ÑÒ(Message)�È,〜^(1(^5ÑÒn¬ÿ&ᵨDEù&ᵨDEÇ4、&ᵨDEùWindowsÈÇ4ÖV¶�ḄÞÜ。&ᵨDE⌕�Ḅ¥¦ᵫÑÒᩭ°U,O☠ÑÒḄ2&²ᜐᳮᩭÓᡂ。WindowsÈKᨵÑÑÒ±ᑡ,%Ñ ÈÑÒ±ᑡ,$%Ñ &ᵨDEÑÒ±ᑡ。¢£¤ḄᡠᨵQᐭ³ᜓᵫ”ᓃ3(^^�¤,�%¿��U¹¦,Windowsᐜ©QᐭḄÑÒ}ᐭÈÑÒ±ᑡK,ᯠK©QᐭḄÑÒᑴᑮß&Ḅ&ᵨDE±ᑡK,&ᵨDEKḄÑÒ¡ḄÑÒ±ᑡK=�må_%¿ÑÒOU〈ᑮß&ḄnÛ�ᦪK。%¿��ḄU¹,ᑮᜐᳮḄnÛ�ᦪ�pᔊY·D。@�øýḄ ÑÒḄ¹²ᐜឋ,ᓽWX��Ḅញù,BᢥᑮḄᐜKÝE±(8(ÈÑÒ◀),¾þ��%(n�¦��»¦�WᑮΦḄᜐᳮ。ᵫ+WindowsM�ᵫÑÒ�Ḅ,ᡠÍ⌮ᔣᑖ᪆¦r�%¿ÑÒ§�ᑮß&v«Ḅ³ᫀ。S:ᡭ}8¿&ᵨDE,�DEJᨵ%¿?1^ᓫ,;<,ᙠ½V�&ᵨDEḄ¦,7ᵨᡝᓫsÿi1^ᓫḄ^^〜=>¦,¾¿Q©^1^(^8(úW&ᵨDEM�!)ᡠᣓV,〜^^0%8p·ᑖ᪆�q¾¿Q&�ᵫY☢ᡠUḄ;¿&ᵨDELᜐᳮ,Ýᯠ ¾᪵,”^_8þU〈ÿ¿¬Z—%0^^^^0ḄÑÒ¥&ᵨDE,�ÑÒᡠᒹóḄ�Òz´&ᵨDE:“ᵨᡝᓫsÿ>^〜ᓫ”,&ᵨDE�q¾%ÑÒÇK,õsß&ḄQᩭ2&,¾¿·DÀÁÑÒᜐᳮ·D。^^Uᓄ0>^Á_%¿&ᵨDE(~ᑗᙢU_%¿D),�Ḽß&ḄÑÒ±ᑡ,&ᵨDEḄmþWÌᙢ¡ḄÑÒ±ᑡKVsÑÒ,ᑖ᪆ÑÒ²ᜐᳮÑÒ,]ᑮ%ᩩZᑮ¬Z—%ᓹ—ḄÑÒÁ,¾¿·D¶ï ᵫ%ѬZÑÒ=�ḄDE°᪀ᩭ�Ḅ。4-2Win32APIᦪᜧhᙠ$Ð�YÏᑮ·API,ᐸµᦻᐰÀ ApplicationProgrammingtoterface,WD^32API�þ«(^8¶”^^0%832ð@AḄ&ᵨDE�DZÛ。¾¿ñḄᳮÉ,◤⌕Q2ᑮPQÈḄUóᔊôY,�¥U³(^8PQÈ}6ᓰ�öÙᙢðḄ¦,}U^~8@AJḄ&ᵨDEᡂÁðñḄ◤⌕。úᙠ>^^0〜8DE³¢⚞öᜐ+UóḄü9,―^^DEᕒᡠ¦ᵨḄ�D*ᐹ½ᨵAPIᦪ,¾(�ᦪ Windowsn¬¥&ᵨDEùPQÈḄZÛ,ñ¹“ᩈᙽ”%᪵,»Í»·-ᔜÑ☢��,¥¦ᮣḄ&ᵨDE。ᡠÍᡃñ»ÍÊÁAPIᦪ ᪀½¿Windows᪾¾ḄJ¿,ᙠḄJ☢WindowsḄPQÈ᪶i,úḄY☢ᑣ ᡠᨵḄ¹ḄÀ1^(^¥8&ᵨDE。ᡃñö⌕¢X—32^1ᦪ®¯¤ᑴ°᪀ÎᐸᙠÌ�;, ⌮ᔣᑖ᪆*Dᨬ/⌕Ḅ&ᵨÇ%,n¬YPQឋ。ᓽ¶·,6⌮ᔣ*D,ᡃñ»Í-ᨵᦔᙢùSÞÔṹÖVîY(¾ ᜧÐᦪDEᕒ_ᜩ�ᙠZḄ�ªÇ%)。¾ �Á⌮ᔣ*D-Áᨵᦔᙢ�ᐭSÞÔṹn¬ÿ%¿�Þᫀ——þᡃñ¦Æᦻ,ᙠ⌮ᔣ*Dᑖ᪆Ç#þᡃñÿÉ%(Windows^1ᦪ。¡ᥟ“0^ܹM?1(NativeAPI)K⌱Áÿ%(⌮ᔣ¦pïᵨᑮḄ^1ᦪ,O*�ᐭᑖ᪆¾(�ᦪ,ᡃñ¦ÓᐰᳮÉ_¿ᦪᙠZ(®<²Ç᪵�ᵨ¾(�ᦪ,ú.ᡠ⌕ZḄ>n²ᵨ,ᡈ⊡ᐙ。J☢%(�ᦪ⌮ᔣ¦pïᵨᑮḄM?1ᦪ,"⊤4~1〜⊤4~8。(1)b᪾ᦪ。⊤“1ïᵨḄ^1b᪾ᦪ___________ᦪ+____________U^l—CreateDialog¡ôÛ�Å·Û%¹�bn______________________________CreateDialogParam¡ôÛ�Å·Û%¹�bn______________________________CreateDiaIogLidirect¡ᑁ×�Å·Û%¹�bn______________________________CreatcDialogLndirectParam¡ᑁ×�Å·Û%¹�bn S4k 1^2^1NÜᳮÎßᐵᦪ47Z⊤____________ᦪ+_____________________________________UV_________________________DialogBox¡ôÛ�Å·Û%�bnDialogBoxParam¡ôÛ�Å·Û%�bnDiaIogBoxLadirect¡ᑁ×�Å·Û%�bnDialogBoxLidirectParam¡ᑁ×�Å·Û%�bnEndDialog°%�bnMessageBoxD%�Òb᪾MessageBoxExD%�Òb᪾MessageBoxbidirectD%ᑴ�Òb᪾GetDlgItemInt�ᑮᢣQᐭ᪾ᦪ@GetDlgItemText�ᑮᢣQᐭ᪾QᐭQ•GetDlgItemTextA�ᑮᢣQᐭ᪾QᐭQ__________________________________Hmemcpyᑁ×ᑴ(¹&ᵨDE]Zᵨ)____________________________�ᦪ¶·%¿ÈñḄ¿�iᓄb᪾,ᵨᡝᢣ%¿FindTextᩭnᦻMᑁḄᦻQ)--^^'—�ᦪ¶·%¿Opendᐳb᪾,ᵨᡝᢣ�ᘤ、�ä²ᦻGetOpenFileName�+、ᡈ�ᵨᡝᡭ}ᦻ��ᦪ¶·%¿3&〃6dᐳb᪾,Í&ᵨᡝᢣ�ᘤ、�ä²ᦻGetSavcFileName�+�ᦪ¶·%¿PageSetupb᪾,�b᪾¦ᵨᡝᢣᡭᓺ⚓PageSetupDlgḄbឋ。¾(bឋᒹÉᜧ²ᩭÛ,〈ÉÞᔣ²⚓Ê�ᦪ¶·%¿ÈñḄ¿�b᪾,�b᪾ᵨᡝnᡈReplaceTextÔ%¿,ᡈV¤ᑴ²ÔPQ(2)▲ᑴDE¥¦ᦪ。⊤‘2ïᵨḄ^1▲ᑴDE¥¦ᦪᦪ+UVEnableMenuItemᐕ$、Ἥᡈ5ᮞᢣḄᓫᩩ0,EnableWindowᐕ$ᡈἭ¿᪗²"f¤ᑴᢣnÛ²ᩩ�(Ἥ¦ᓫ5ᮞ)(3)efᜐᳮᦪ。 48��⌮ᔣᑖ᪆�ᵨᢈ�⊤‘3ïᵨḄ>0>1efᜐᳮᦪ_____________ᦪ+_____________________________________UV________________________GetDiskFreeSpaceAVsù%¿efḄÙËᨵᐵḄ�Ò,ÍÎÿÉᒕÍ34Ḅ.ÎGetDiskFreeSpaceExAVsù%¿efḄÙËÍÎᒕÍ34.ᨵᐵḄ�Ò____________GetDriveTypeAᑨÔ%¿ef�ᘤḄ��__________________________________GetLogicaU>rivesᑨÔÈK×ᙠ@(®¯�ᘤQã__________________________GetFuUPathNameAVsᢣᦻ�Ḅ��Ou____________________________________GetVolumeMormationAVsù%¿efᔁᨵᐵḄ�Ò________________________________GetWindowsDirectoryAVs〜1^0〜5�äḄÓOu+GetSystemDirectoryAs�>^(10〜8È�ä(ᓽ8>51601�ä)ḄÓOu+(4)ᦻ�ᜐᳮᦪ。⊤4_4ïᵨḄ^1ᦻ�ᜐᳮᦪ____________ᦪ____________________________________UV________________________CreateFileAᡭ}²¶·ᦻ�、A⍝、`Ð、¶�lm、³ᜓÍΤᑴAOpenFile¾¿ᦪ¦Vᜧ0W�Ḅᦻ�PQReadFile¡ᦻ�Kj-ᦪ�ùReadFileß�,>>¦ᵨ+kjPQ,Oᒹóÿ%¿ÓReadFileExḄ©WriteFiic©ᦪ�ᑏᐭ%¿ᦻ�ù〜1116iᓄ��,>>¦ᵨ+kᑏPQ,Oᒹÿ%¿ÓWriteFileExḄ©SetFiiePointerᙠ%¿ᦻ�K³Õ�#ḄjᑏðÕ____________________________SctEndOfRle┐%¿ᡭ}Ḅᦻ�,©�#ᦻ�ðÕ³Áᦻ�Ñp____________ᐵò%¿ᑁ᪶。ᐸKᒹᦻ�、ᦻ�u、ÖD、D、TᐰCloseHandlc²�kÏ_lcreat¶·%¿ᦻ�JopenÍÖᑴ�ᡭ}ᢣḄᦻ�________________________________Jread©ᦻ�KḄᦪ�jᐭᑁ×[_lwritc©ᦪ�¡ᑁ×[ᑏᐭ%¿ᦻ�_Hseek³Õᦻ�KÖVjᑏḄ�#ðÕ______________________________JcloscᐵòᢣḄᦻ�_hread©ᦻ�KḄᦪ�jᐭᑁ×[_______________________________hwrite©ᦪ�¡ᑁ×[ᑏᐭ%¿ᦻ� S4k”1^2M?1NÜᳮÎßᐵᦪ49Z⊤ᦪUVOpenFileMappingAᡭ}%¿ᡂḄᦻ�uCreateFileMappingA¶·%¿tḄᦻ�uMapViewOfFile©%¿ᦻ�uuᑮ�#&ᵨDEḄᙢᙬ34MapViewOfFileEx(ᑁ.�Y)_________________________________________________CreateDirectoryA¶·%¿t�äCreateDirectoryExA¶·%¿t�äRemoveDirectoryAᑤ◀ᢣ�ä_______________________________________________SetCurrentDirectoryA³Õ�#�äMoveFilcA{ᦻ�DeleteFileAᑤ◀ᢣᦻ�_______________________________________________CopyFileAᑴᦻ�___________________________________________________CompareFiIeTimec¿ᦻ�Ḅ¦4SetFileAttributesA³Õᦻ�bឋSetFileTime³Õᦻ�Ḅ¶·、�ÎYᦋ¦4________________________FindFirstFileA᪷�ᦻ�+nᦻ�_________________________________________FindNextFileA᪷�ᵨRndFirstFileᦪ¦ᢣḄ%¿ᦻ�+nJ%¿ᦻ�FindCloseᐵòᵫFindFirstFUeᦪ¶·Ḅ%¿µåP.SearchPathAnᢣᦻ�_______________________________________________GetBinaryTypeAᑨÔᦻ� ᔲ»ÍV_______________________________________GetFilcAttributesAᑨÔᢣᦻ�Ḅbឋ_________________________________________GetFileSizeᑨÔᦻ�<»_______________________________________________GetFileTimes�ᢣᦻ�Ḅ¦4�Ò____________________________________GetFileTypeᙠ¥-ᦻ�P.Ḅ#nJ,ᑨÔᦻ���______________________(5)ø⊤ᜐᳮᦪ。⊤‘5ïᵨḄð?1ø⊤ᜐᳮᦪᦪ+UVRegOpenKeyAᡭ}%¿ᨵḄø⊤⚗RegOpenKeyExA•ᡭ}%¿4Ḅø⊤⚗'RegCreateKeyAᙠᢣḄ⚗J¶·ᡈᡭ}%¿⚗ 50��⌮ᔣᑖ᪆�ᵨᢈ�Z⊤ᦪ+UVRegCreateKeyExAᙠᢣ⚗J¶·t⚗Ḅ-ᩖḄÞRegDeleteKeyAᑤ◀ᨵ⚗JÞ%¿ᢣḄè⚗RegDeleteValueAÒ◀ᢣ⚗JÞḄ%¿@RegQueryValueAVs%¿⚗Ḅ³Õ@RegQueryValueExAVs%¿⚗Ḅ³Õ@RegSetValueA³Õᢣ⚗ᡈè⚗Ḅ@RegSetValueExA³Õᢣ⚗Ḅ@RegCloseKeyᐵòÈø⊤KḄ%¿⚗(ᡈ")(6)¦4ᜐᳮᦪ。⊤“ïᵨḄ>^>1¦4ᜐᳮᦪᦪ+UVCompareFiIeTimecBᦻ�¦4GetFileTime�ᑮᦻ�·Û、ᨬK�、ᦋ¦4GetLocalTime�ᑮ�#Mᙢ¦4GetSystemTime�ᑮ�#Ȧ4GetTickCount�ᑮWindows�«¦~SetFileTime³Õᦻ�¦4SetLocaITime³ÕMᙢ¦4SetSystemTime³ÕȦ4________________________________________________(7)ÖDᦪ。⊤4«7ïᵨḄð?1ÖDᦪᦪ+UVCreateProcessA¶·%¿tÖDExitProcessÍÓÔḄÞᐵò%¿ÖDFindExecutableAnù%¿ᢣᦻ�ᐵὶᙠ%9ḄDEḄᦻ�+FreeLibray{}ᢣḄxpGetCurrentProcessVs�#ÖDḄ%¿P. S4k”1032¡1NÜᳮÎßᐵᦪ51Z⊤ᦪ+UVGetCurrentProcessIdVs�#ÖD%¿½%Ḅ᪗r________________________________GetCurrentThreadVs�#DḄ%¿P.____________________________________GetExitCodeProcesVs%¿ï°ÖDḄ⌨-ÔṹGetExitCodeThreadVs%¿ï°DḄ⌨-ÔṹGetModuleHandleAVs%¿&ᵨDEᡈxZpḄ�ᙽP.______________________GetPriorityClassAVsᱯÖDḄ�ᐜÉ�LoadLibraryA�ᐭᢣḄxZp,O©uᑮ�#ÖDᵨḄᙢᙬ34LoadLibraryExA�ᢣḄxZp,OÁ�#ÖDòuᑮᙢᙬ34Lx>adModule�ᐭ%¿Wiwiows&ᵨDE,OᙠᢣḄ�K½VTerminateProcess°%¿ÖD________________________________________________(8)ᢥᦪ。⊤4»+ïᵨḄ>^1ᢥᦪ..___________ᦪ+____________________________________UV_________________________Button�ᦪᦋ5ᢥ¤ᑴḄ⌱KÊ~~�ᦪ¥%Ùᓫ⌱ᢥKḄ%¿ᢣᢥ3Y⌱K᪗Ñ,O*Ì◀ÙCheckDlgButtonKᐸ�ᢥḄ⌱K᪗Ñ__________________________________________�ᦪ»Í~8¿ᢥ¤ᑴ ᔲᨵ⌱K᪗Ñ,ᡈὅᢥ¤ᑴ IsDlgButtonCheckedᔲÁᮞ⁐Ḅ、⌱KḄᡈὅ�W____________'___________________3.◤⌕ᩩ�ᙠWindowsJᵨḄᡠᨵDE,� ¶·ᵨ%¿î%¿ḄWindowsAPIᩭVß&mḄ,ᨵ^1,DE®<�ZWÿ。ᵨVB、DelphiḄÕÖ�$§Uᡃ᪷Mᨵᵨ®^>1,úᙠi3132K,þ>ᨵ]ZᵨM?1¾%ÑÞÓ。]ZᵨAPI,þᢣᡠᨵḄPQ�¶·ᨬÜ6ḄAPIᩭÓᡂ。¶·]ZᵨAPIᩭ¹ᡂ¾᪵%¿DE,ᡃñ�⌕ᐜønÛ�(◀¹�ᵨA^mdows⚜ñḄnÛ�,MessageBoxᡈDialogBox);ᯠKº¹nÛ,7µ^Ãᙢþ¾¿DE¦Ãïᙢ½VJᩭ,?⌕3ᐭÍJkl。(1)⌕�ᑮ&ᵨDEḄP.。 52��⌮ᔣᑖ᪆�ᵨᢈ�(2)n~DKþÖᐭ¿▲ḄVsnÛÑÒḄ=�。(3)7ᨵÑÒᑮ,ᵫ�nÛḄnÛ©ᦪᜐᳮ。(4)7ᵨᡝᐵònÛ,ÖV⌨-ᜐᳮ。Y☢¾(kl,�◤⌕ᵨß&ḄAPIᩭÓᡂ。cU�ᑮDEḄP.ᵨGetModuleHandle,ønÛ�ᵨRegisterClassᡈRegisterClassEx;øK,?⌕ᵨCreateWindowExᦪᩭ¹ᡂß&nÛ,úKᵨ8“¥¡11^0%ᩭD,ÇK?§ᵨÛ%816>^³(^ᩭ-tÙᡝ[Ï。Y☢UḄ¾(,>W· M?1KḄ%nᑖ,^ÃḄ³?1ᨵᡂᓟY¿,ᒹÈᔜ¿Þ☢ÖVḄPQ。ᨵAPI,DE®<�ÓWÿ。cUDEKᨵ%¿Edit¤�,VBK&�¬ZΤ�,ᡃñµ©ᵨᡝQᐭᑮ☢Ḅ�Ò}ᑮ%¿5KL,;<:DelphiK»Íᵨ5Ú=£Û1ᐕ11ᩭ�。VBKᵨStr=Textl.Textᩭ�。7ᡃñᵨAPI,µ⌕�ᑮEditQᐭ᪾ḄᦻMᑁ.,þ⌕ᵨGetDlgItendnt(EditKQᐭḄ@�Qᦪ@ᩭᵨ),GetDlgItemText²GetDlgItemTextA(EditKQᐭḄ@�QQᩭᵨ)。úY☢ᡠUḄ08、06ᓄ1^�ᑮ�¯᪾KQᐭḄᑁ.ḄÞÓ,ᨬ�ᙠ�Yᡂ»Vᦻ�Ḅ¦,�§ᵫ�YᘤᐸÖVß&ḄÚᣚ。ᡃñ>⌕V×%��þ»Íÿ,;þᡃñᡠᵨḄDE,¿¦¿|WᙠᵨḼÈKḄᔜÑᔜ᪵ḄM?1ᦪ。ᐸ�ᑩᓄ(^5KḄM?1,þß�+�008ÈKḄÈ¥¦ᵨ,ÎKÔ21。>W·ᙠᦪY²¥¦Y,�DOSÈ¥¦ᵨᡠWÎḄ。ïᵨḄMiᦪ"⊤4-9。⊤44ïᵨḄ^1ᦪMessageBoxD%�Òb᪾______________________________________________MessageBoxExD%�Òb᪾______________________________________________McssageBoxLidirectD%ᑴ�Òb᪾¾�¶·nÛb᪾ᦪ-Ð,»ÍᵨᩭKÔ;(┯SnD,cUDEþ»¦¶·¾��ᦪnD┯SGetDlgItendnt�ᑮᢣQᐭ᪾ᦪ@__________________________________________GetDlgItemText�ᑮᢣQᐭ᪾QᐭQGetDlgItemTextA�ᑮᢣQᐭ᪾QᐭQ_______________��»ÍᑭᵨÍY¾��ᦪᩭ�ᑮᵨᡝQᐭḄ�Ò______________________________________________GetLocalTime�ᑮ�#Mᙢ¦4______________________________________________GetSystemTime�ᑮ�#Ȧ4____________________________»Í¶·ÍY¾��ᦪᩭᑨÔᔲ·9_______________________________________RegQueryvalueAVs%¿⚗Ḅ³Õ@____________________________________________RegQueryvalueExAVs%¿⚗Ḅ³Õ@RegSetvaJueA³Õᢣ⚗ᡈè⚗Ḅ@RegSetvalueExA³Õᢣ⚗Ḅ@___________________________7ᵨø⊤ש�ÒḄb,;<ÍY¾��ᦪ§ᵨᑮ__________________________________________ ~4Win32APIᳮᐵᦪ53ᡃñ¾ÖḄ>j¿@¦cBï"Ḅ、ᐺ�ḄM?1ᦪḄᵨ,-Ðg"^þ1(Ö8}UðᕒÞ。'4.3⌮ᔣᑖ᪆ïᵨÔ²³Õ��⌮ᔣᑖ᪆Ḅ*ᐹÍOUyDbgÁö⌕*ᐹ,�ᙠOllyDbgK³ÕðÔ²+⌮ᔣᑖ᪆Ḅᡂ¥ ¹ï/⌕Ḅ。⊤4^0ᑡìÿ%(ïᵨḄÔ²³Õ,¾(Ô²�᪵〉ᔠ+306Ú£²1^2000,(ὅJMY?.Ḅ)0c0&8Ḅ=> :&0ᡈᓃ?3M?1ᦪ,SoftICEḄ=>:bpxSAPIᦪ。⊤‘10z{|}bpLockmytask�ᵨᐸ�Ô²�¿ᦔ¦»ÍN%J,¾¿Ô²� ᢥ"ḄQ� nÛ:____________________________________________________________________________bpCreateWindow-tnÛ________________________________________________bpCreateWindowEx(A)-tnÛ________________________________________________bpShowWindow-tnÛ________________________________________________bpUpdateWindow-tnÛ________________________________________________bpGetWindowText(A)VsnÛᦻM� ÑÒ᪾:__________________________________________________________________________bpMessageBox(A)¶·ÑÒ᪾_____________________________________________bpMessageBoxExA¶·ÑÒ᪾_____________________________________________bpMessageBoxhidirect(A)¶·ᑴÑÒ᪾_________________________________________� ÜzÝ:______________________________________________________________________bpMessageBeepU-ÈÜzÝ(7ᨵÝᓱþ]Z�ÈᗓßUÝ)� b᪾:__________________bpDialogBox¶·�b᪾_________________________________________bpDialogBoxParam(A)¶·�b᪾_________________________________________bpDiaIogBoxLidirect¶·�b᪾_________________________________________BpDialogBoxJDndirectParam(A)¶·�b᪾_________________________________________bpCreateDialog¶·¹�b᪾——bpCreateDialogParam(A)¶·¹�b᪾—bpCreateDialogtidirect¶·¹�b᪾—bpCreateDialoghidirectParam(A)¶·¹�b᪾_______________________________________bpGetDlgItemText(A)Vsb᪾ᦻM_________________________________________bpGetDlgItemIntVsb᪾ᦪ@_______________________________________ 54��⌮ᔣᑖ᪆�ᵨᢈ�Z⊤� ÃÄÅ:—bpGetCHpboardData—VsÃÄÅᦪ�� ø⊤:_________________________-____________________________________bpRegOpenKey(A)ᡭ}è"(S:bpRegOpenKey(A)if*(esp+8)=****')bpRegOpenKeyExᡭ}è"(S:bpRegOpenKeyExif*(esp+8)='****')bpRegQueryValue(A)nè"(S:bpRegQueryVdue(A)if*(esp+8)='****')bpRegQueryValueExnè"(S:bpRegQueryValueExif*(esp+8)='****')bpRegSetValue(A)³Õè"(S:bpRegSetVdue(A)if*(esp+8)=•****•)bpRegSetValueEx(A)³Õè"(S:bpRegSetVdueEx(A)if*(esp+8)='****')“****”Áᢣè"+Ḅ#4¿Q,è"Á“Regcode”,ᑣ“****”=“Regc”________________¥¦▲ᑴ� Ô²:bpEnableMenuItemἭᡈᐕ$ᓫ⚗_______________________________________bpEnableWindowἭᡈᐕ$nÛbmsghMenuwm_command� ᓫᢥ"��,ᐸK—£1^ÁᓫP.________________bpK32Thkl632Prolog�ᔠbmsghMenuwm_commandᵨ,»Í¶·¾¿Ô²ÖᐭᓫᜐᳮDE&ᵨDS:CALL[KERNEL32!K32Thkl632Prolog]CALL[••••••]<-ᵫ�0¡^[……]r�ÖᐭᓫᜐᳮDECALL[KERNEL32!K32Thkl632EpUog]� ¦4:bpGetLocaTTimeVsMᙢ¦4bpGetSystemTimeVsȦ4___________________________________________bpGetFileTimeVsᦻ�¦4_bpGetTickCountV�Èᡂ¥�ÍᩭᡠpᔊḄ~ᦪ—bpGetCurrentTimeVs�#¦4(16ð)____________________________________bpSetTimer¶·¦ᘤbpTimerProc¦ᘤ¦©ᦪ� ᦻ�:__________________________________________________________________—bpCreateFileA¶·ᡈᡭ}ᦻ�(32ð)_________________________________bpOpenFileᡭ}ᦻ�(32ð)_________________________________bpReadFilejᦻ�_________(32ð)_________________________________bpWriteFileᑏᦻ�(32ð)— S4kWin32APINÜᳮÎßᐵᦪ55q⊤� �ᘤ:_____________________________________________________________________________bpGetDrivetype(A)Vsef�ᘤ��_____________________________________bpGetLogicalDrivesVs®¯�ᘤT_____________________________________bpGetLogicaU)rivcStringsAVs�#ᡠᨵ®¯�ᘤḄ᪷�ᘤOu___________________� à:50«0£²™”bpio-h378(ᡈ278、3BC)R378、278、38<: OVᡭᓺ'Ûbpio^3F8(ᡈᑛ、3E8、2E8)R3F8、2F8>3E8、2£8V'ÛVBDE�ᵨÔ²:__________________________________________________________________________bpmsvbvra50!_vbaStiCmpcBQᔲßÏ_____________________________________bpmsvbvm50!_vbaSttCompcBQᔲßÏbpmsvbvm50!—vbaVafTstNecB5 ᔲWßÏ____________________________________bpmsvbvm50!—vbaVafTstEqcB5 ᔲßÏ_______________________________________bpmsvbvm50!—vbaStrCopyᑴQbpmsvbvm50!_vbaStrMove{Q_____________________________________________bpMultiByteToWideCharANSIQÚᣚᡂUMCODEQbpWideCharToMultiByteUNICODEQÚᣚᡂANSIQY☢ḄÔ²&VB5DE,7VB6DEᑣ©msvbvm50ᦋᡂmsvbvm60ᓽ» �5�éê~üẠ5.1Ì�;%%&,ᙠ%(ᱯGḄãᔠ,�ᵫÌ�ᩭ�,S��Ḅ'ÛÏ。¢£¤È ᵫ�²��ᜧnᑖÙᡂḄ。1.a�(Hardware)� ¢£¤ÈḄ¤ᘤnᑖ, ¢£¤*QḄᱥJẠ。¢£¤Ḅ�ᑖᡂ5ᜧÙᡂn�:½£ᘤ、¤ᑴᘤ、שᘤ、Qᐭ³ᜓ²Q-³ᜓ。Ì�; ¤ᘤᢣ>ḄT⊤D,ù¤ᘤᢣ> %%&Ḅ,��ù¢£¤ᨵḼÊᑗḄᐵÈ,W���Ḅ0?0ᨵW�ḄÌ�;<,�þᨵᔜÑW�ḄÌ�DE。Ì�;<ÛDEùªÉ;<ÛDEßc,ᐸ¶ᵨឋ²»{|ឋ⌕�Ð。(2)Ì�; ᵨ¤ᘤᢣ>ḄT⊤DḄ,_%ᩩᢣ>�&%ᩩ¤ᘤᢣ>,*Ì�;ESP、EBP、£51²¯01。ᙠDEK_¿8ð、16ð、32ðÖ×ᘤ�»Í¾Ûᵨ。ᐸK,EAX〜EDX¾4¿Ö×ᘤî»ÀÁᦪ�Ö×ᘤ,◀ÿ]Z�,?»ᑖ�ᐸª16ð²16ðÖV�。16ðþ òñ#☢ḄELᣵ,ᓽEAXḄ16ðþAX、BX、CX²DX,ᐸ_¿î»ÍQÁ2¿¾ÛḄ8ðÖ×ᘤ�ᵨ,ú*16ðî»Íᑖ�ÖV8ð�,þU,^»ÍÖVᑖÉ,ᓽ“?»ᑖÁ>^(ª8ð)²ᜐ(8ð)。ᐸ�3¿Ö×ᘤBH、BL,CH、CL,0>²1^。¾᪵ᡃñþ»Íᑖ᪆ᔜѪ«。S:ᡃñµPQḄ %¿8ðᦪ�,»Íᵨ:MOVAL(8ðᦪ�)ᡈ^^^AH(8ðᦪ�);7ᡃñPQḄ %¿16ðᦪ�,»Íᵨ:10¥^(16ðᦪ�);7ᡃñPQḄ 32ðḄb,þᵨ:MOVEAX。 58��⌮ᔣᑖ᪆�ᵨᢈ��1161587EAX(AH)AX(AL)EBX(BH)AXOBL)>ᦪ���ᘤECX(CH)AX(CL)通用寄存器EDX05H)DX(DL)JESPSPᚮ᪘ᢣ┐•ᢣ┐1��ᘤEBPBP�ᙬᢣ┐ESISI��ᙬ?�ᘤ^EDIDI0Ḅ�ᙬEn>ffᢣ�ᢣ┐�ᑴ;��ᘤFLAGSFLAGS᪗�CS�ṹ���ᘤ、SSᚮ᪘���ᘤDSᦪ����ᘤ���ᘤES▬����ᘤFSGS^5-18086〜PentiumCPUDE»"Ö×ᘤÙSP、ESP¬Zᚮ᪘ᢣ┐Ö×ᘤ,ᐸK×}�#ᚮ᪘Ü᪘⚔Ḅ2{,ñB ùssᚮ᪘ÜÖ×ᘤ�ᔠ×sᚮ᪘KḄᦪ�。ᙠ��ÞJᵨ8?,ᙠ80386ÍYḄ���JfflESPo◀5?、£8?ᚮ᪘ᢣ┐W¦Mýᦋ、◤⌕òᵨ,ᐸ�¶ᵨÖ×ᘤ�»Í]Zᙠᢣ>Kᵨ,ᵨÍ×}PQᦪ,¾ ñḄ¶ᵨÇᜐ。ᙠK¢Xᢣ>Ȧ,»ÍÏᑮ8(¶ᵨÖ×ᘤᙠᐹ~Ḅᢣ>K?ᨵᐸ�ᵨ⌶,S£“、AX、AL(¶ïᑖ�ÀÁ32ð、16ð、8ðó3ᘤ),ñᙠô◀Ó、ᓝÖᑴ½£ÎQᐭQ-ᢣ>Kᨵ�éᵨ⌶。$ᨵ(¶ᵨÖ×ᘤ�»Í×}ᙢᙬᵨÍ4Z[ᙬᑁ×ᓫᐗ,Sᙠ��K80、BP、51²〇1»ÍQÁ4Z[ᙬḄÖ×ᘤ,ᵨÍ[ᙬ64KBÍᑁḄᑁ×ᓫᐗ。ᙠ���KEAX、EBX、ECX、EDX、ESP、EBP、£51²£01»ÍQÁ4Z[ᙬḄÖ×ᘤ,ᵨÍ[ᙬ4〇8ÍᑁḄᑁ×ᓫᐗ。EAX、EBX、£00²£00¾4¿Ö×ᘤ,ö⌕þ ᵨᩭᨚ¦×}¢£·DKᡠᵨḄPQᦪ、°7ᡈᐸ��Ò。úESP、EBP、£01²£51¾4¿Ḅö⌕ᵨ⌶ ᙠשᘤ[ᙬ¦,n¬2{ᙢᙬ。��,»ÍÀÁᢣ┐ᡈ5ᙬÖ×ᘤ。(1)£3?ÀÁᚮ᪘ᢣ┐Ö×。ᚮ᪘, Í“KÖᐜ-”Þ*QḄ%¿×©[,�×ᙠ+ᚮ᪘ÜK,�úᐸÜᙢᙬ×}+SSÖ×ᘤK。>ᨵ%¿-ᐭÛ,ᡠÍ>ᨵ%¿ᚮ᪘ᢣ┐Ö×ᘤ。ESPḄᑁ.ᙠ�¦�ᢣᔣ�#Ḅ᪘⚔。ᚮ᪘þ ¾᪵,ḄJᙬ}6+%¿ªᙢᙬ,ᯠK_�ᨵᦪ�ᐭ᪘,þᔣᙢᙬḄÞᔣÖVש。ß&Ḅᐭ᪘ᢣ>PUSH。_�ᨵᦪ�ᐭ᪘,ESPþrḼᦋ5,BÇ,ÕᢣᔣᨬK%¿ᐭ᪘Ḅᦪ�。ᯠú,7⌕ᵨᐭᚮ᪘Ḅᦪ�,þᵨ-᪘ᢣ>©ᐸs-。ß&Ḅᢣ>?0«>,Ô^ᢣ>VK,ESP§3Yß&Ḅᦪ�ðᦪ。ᱯ� ᙠᑮÿᑩ1^2ÈJ☢,ᚮ᪘ḄQᵨ-W»£�,ᡠᨵ S5kÌ�;©ß&Ḅᦪ�-᪘,ᯠKPQ。(2)EBP,ÀÁJᙬᢣ┐Ö×ᘤ,»Íùᚮ᪘ÜÖ×ᘤ88ὶᵨᩭ~ᚮ᪘KḄ8%שᓫᐗḄᙢᙬ,£8?ᵨᩭᢣDÜ⚔Ḅ2{ᙢᙬ,ú£8?»QÁᚮ᪘[KḄ%¿JᙢᙬÍ&�ᚮ᪘KḄ�Ò。.(3)ESI(Û5ᙬÖ×ᘤ)²£01(�Ḅ5ᙬÖ×ᘤ)%ùᦪ�ÜÖ×ᘤ08ὶᵨ,ᵨᩭ~ᦪ�ÜK8%שᓫᐗḄᙢᙬ。¾¿5ᙬÖ×ᘤᨵÛ²Ḅ¥¦,»Í-Þ&ᙢᵨ+5ᙬ。ᙠᜐᳮᢣ>K,£81²£01QÁ◚óḄÛ5ᙬ²�Ḅ5ᙬÖ×ᘤ¦,ESI²DSὶᵨ,‘EDI²▬3ÜESὶᵨ,ᑖ�ᑮᙠᦪ�ܲ▬3ÜK[ᙬḄ�Ḅ。2.¤ᑴÖ×ᘤ(1)n>,ED>£ ᡠᨵÖ×ᘤKᨬ/⌕Ḅ%¿ÿ,Ḅý´þᢣ>ᢣ┐Ö×ᘤ,ᵨᩭ×}ÔṹÜKḄ2{ᙢᙬ。ᙠDE½VḄ·DK,6�ᢣᔣJ%ᩩᢣ>Ḅ✌ᙢᙬ。ùÜÖ×ᘤcsὶᵨ~J%ᩩᢣ>Ḅᱥᳮᙢᙬ。�¾%ᙢᙬ〈ᑮשᘤK,¤ᑴᘤ»Ís�J%ᩩ⌕VḄᢣ>,ú¤ᑴᘤ%Çs�¾ᩩᢣ>þEYᦋ£⌮Ḅᑁ.,�6�ᢣᔣJ%ᩩᢣ>Ḅ✌ᙢᙬ。ᙠ��ÞJᵨẆ,ᙠ80386ÍYḄ���Jᵨ£0>。»",¢£¤þ ᵨ£0>Ö×ᘤᩭ¤ᑴᢣ>EᑡḄVÒDḄ。;(oÚᢣ>,þ ¶·ᦋ£ẆḄ@ᩭᑮß&Ḅ�ḄḄ。(2)᪗ÑÖ×ᘤ(FLAGS)îÀ?3>¥(ProgramStatusWord)o᪗ÑÖ×ᘤ�ÀÁÊÖ×ᘤ, ×}ᩩ�᪗Ñṹ、¤ᑴ᪗ѲÈ᪗ÑḄÖ×ᘤ。ᵫ½£°7ᱯÝ᪗Ѳ¤ᑴ᪗ÑÙᡂ。8086~802860?1^Á16ð,80386ÍYÁ32ð,�5-2ᡠD。ᐸ�ᡃñ᪷MW◤⌕öÐᙢLÿÉ,�#>◤⌕q⍝Ḅ*QÜᳮþ»Í。�KᡃñïpÏ-ñÓᐰᔣJ?.,3×ðÁ©ᩭ�ᶇ,ᨚAñ。31302928272625242322212019181716151413121110987654321_|_J|OF|DF]ff[TT|SF|ZF||AF[|pF||CF|8086^088^T|IOPL|OF|DF|BFlTF|SF|ZFlpVF||PF||80286~M_NTIOPL|OF|D^ff^^TFSF|ZF|~KF|~HPF^~^F80386/80486DX________^CVN^RFNTIOPLOFDFtfTFSFZF|APPFCF80486SXlD|ro^ff^F|AC^RF||NT|IOPLOF|DF|ff|lfSF|ZF||Afj?f|CTPentium�5-2᪗ÑÖ×ᘤ½£°7ᱯÝ᪗Ñ:ᵨ+ÑäDEK½V°7ḄᱯÝ,8086~PentiumCPUḄ᪗ÑÖ×ᘤᙳóᨵ¾6ð᪗Ñ。CF(CarryFlag):Öð᪗Ñ,Ñä½£°7Ḅᨬªðᔣ#º¹ḄÖðᡈð。¹ᨵÖðᡈðᑣÕ0?=1,ᔲᑣÌs。»ᵨ+mm¿TᦪÖᑴ3Ó½£¦ᔲU¹÷-(÷-¦(^=1)。PF(ParityFlag):Ꮤ᪗Ñ,Ñä½£°7Kó1Ḅ¿ᦪ。¹¿ᦪÁᏔᦪᑣÕ??=1,ᔲ 60��⌮ᔣᑖ᪆�ᵨᢈ�ᑣÌs。»ᵨ+mmᦪ�〈·DK ᔲU¹┯S。AF(AuxiliarycarryFlag):éEÖð᪗Ñ,Ñä½£°7ᨬ4ð(úQ⁚)ᔣ#º¹ḄÖðᡈð。¹ᨵÖðᡈðᑣÕAF=1,ᔲᑣÌs。>ᨵᙠVᓝÖᑴ½£ᢣ>¦¨ᐵi�ð。ZF(ZeroRag):s᪗Ñ,Ñä½£°7ᔲÁs,¹°7ÁsᑣÕ1,ᔲᑣÌs。SF(SignHag):T᪗Ñ,Ñä½£°7ḄT,¹°7ÁᑣÕ1,ᔲᑣÌs。OF(OverflowHag):÷-᪗Ñ,Ñä½£°7ᔲ-ÿPQᦪᡠ¦⊤DḄB。¹-ᑣÕ1,ᔲᑣÌs。»ᵨ+mm�Tᦪ½£¦ᔲU¹÷-。¤ᑴ᪗Ñ:¤ᑴ᪗ѤᑴᜐᳮᘤḄPQ,⌕¶·�éḄᢣ>¨¦�¤ᑴ᪗ÑU¹5ᓄ。ÍJ¤ᑴ᪗Ñ8086~PentiumCPUᙳᨵᦔ。ff(LiterruptFlag):KÔᐕ$᪗Ñ,�ff=l¦ᐕ$CPU2&n»îëKÔg¨(0010;�0^=0¦Ἥ2&ûÎ。üḄ¤ᑴ>0^119Qᵨ。DF(DirectionFlag):Þᔣ᪗Ñ,�élm+QPQᢣ>。�0?==1¦,⊤DPQᢣ>KPQᦪᙢᙬÁ,¾᪵��QḄᜐᳮ ¡ªᙢᙬᔣᙢᙬÞᔣÖV;�0?=0¦,⊤DPQᢣ>KPQᦪᙢᙬÁÛ。TF(TrapHag):◍▟᪗Ñ,ᵨ+DEN。�11^1¦,0?。ᜐ+ᓫkÞ;TF=0W,CPUᜐ+ZÞ。Ê᪗ÑðḄT⊤D"⊤5-1。⊤5«1Ê᪗ÑðḄT⊤D__________᪗Ñð____________________᪗ÑÁ1_____________________᪗ÑÁ0__________>Öð(ᨵ/ᔲ)CYNCᓹ?Ꮤ(Ꮤ/)PEPO…úÖðACNAýᐰs( /ᔲ)ZRNZ5?T(/Ã)NGPLþKÔ(ᐕ$/Ἥ)EIDI〇?Þᔣ(Ûᨬ/)DNUP(^÷-(´ᔲ)__________________________OV_______________NVÍJ¤ᑴ᪗Ñ>80286ÍYCPUᨵᦔ。IOPL(VOPrivilegeLevel):ᱯᩗ᪗Ñ,ᓰ013²012ð。�ᙠ���J*Q¦,IOPLᢣ⌕¨VVQᢣ>ḄᱯᩗÉ。¹�#mḄᱯᩗÉcIOPL¢(ÉᦪÆᱯᩗÉÆ¢,00ÉᨬªÉ),ᑣVÊ)ᢣ>;ᔲᑣ§mn�mḄ^0$»ð�,¹ð�KḄ@Á1ᑣU¹%¿��ï,ÙdVDEᢞ9。NT(NestedTask):/ᝅm᪗Ñ,ᵨ+���PQ,ᙠVKÔ¨©ᢣ>�£1¦⌕mN^@。�ᔯ1¦,⊤D�#VḄm/ᝅ+$%mÇK,VÓ�mK⌕¨©ᑮ$%m,㈣ÿᢣ>ḄV ¶·mᑗᣚ�Ḅ。�^=0¦,ᵨᚮ᪘K�×Ḅ@ឮ᪗ÑÖ×ᘤ、ÔṹÜÖ×ᘤ²ᢣ>ᢣ┐Ö×ᘤḄᑁ.,ÍVï�Ḅ㈣¯KÔ¨©PQ。ÍJ¤ᑴ᪗Ñ>80386ÍYCPUᨵᦔ。 S5kÌ�;80486SXÍYCPUᨵᦔ。AC(AlignmentCheck):ᙢᙬ�mn᪗Ñ,¹M01¦ÖVᙢᙬ�mn,�-ᙢᙬW�¦§æ9ᙢᙬ�ï,>ᨵᙠᱯᩗÉ3½VḄ&ᵨDE¨mnæ9ᙢᙬ�ᦑ�。¹M0=0¦WÖVᙢᙬ�mn。>ᨵ8048630ëᜐᳮᘤ�ᵨ�ð,ö⌕ᵨᩭ��ᝅḄ�ᜐᳮᘤ80487SX�k*Q。ᙢᙬW�ᢣÍJª:1¿Q¡ᙢᙬ}6,ᡈ1¿ýQW ¡4ḄîᦪḄᙢᙬ}6。ÍJ¤ᑴ᪗Ñ>PentiumÍYCPUᨵᦔ。m(Identification):᪗r᪗Ñ,gH>=l,ᑣ⊤D?6�001)ᢝ€?0«)ᢣ>,0?010ᢣ>¥Èn¬Pentiumëᜐᳮᘤᨵᐵ᱐MTÎᑴ⌼ᖪÏ�Ò。VIP(VirtualInterruptPending):)*KÔᢞ9᪗Ñ,ù0Ã�ᔠ,ᵨ+Ðm�J,¥PQÈn¬)*KÔᢞ9�Ò。•VTF(VirtualInterruptFlag):)*KÔ᪗Ñ, )*ÞJKÔ᪗ÑðḄê。:CmpEAX,EBX;ᵨ£“ùÂ60ßJNZ00470395;WßÏḄb,þoᑮ¾¾ᩩᢣ>-ᓫ,þ ᵨ£“Ö×ᘤḄᦪL£80Ö×ᘤKḄᦪ,ᩭcB¾¿ᦪ W ßÏ,�1^ᢣ>V·K,þ§ᙠ�^^^ḄÎ(&^?^)s᪗ÑðYÕß&@,7°7Á0,�þñ¿ßÏḄb,ÎÕ1,ᔲᑣÕ0。ᐸ�?ᨵ0?(÷-᪗Ñ),SF(T᪗Ñ),CF(Öð᪗Ñ),AF(éEÖð᪗Ñ)²??(Ꮤ᪗Ñ)Ï。¾(ᡃñᐿ#�⌕ÿÉ;<ÌÍ,q⍝ß&ḄÚ{ᢣ>þ»Íÿ。3.ÜÖ×ᘤÜÖ×ᘤ%ᐳᨵ6¿,ᑖ�05ÔṹÜ,08ᦪ�Ü,5▬3Ü,55ᚮÜ,FSW&GS,K¿?▬3Ü。ᙠᑍKשᘤõᵨᑖÜAᳮḄÞÓ,��%¿ᱥᳮᙢᙬ◤⌕ᵨÜJᙢᙬ²2{⊤D。%¿DE»ÍᵫпÜÙᡂ,+8086〜80286〇?0,ᵫ+>ᨵ4¿ÜÖ×ᘤ,ᡠÍᙠ8%¦|Ãᙠ½VḄDE>»Í�4¿�#Ü,ú+8^86ÎᐸÍYḄ¢£¤,ᵫ+ᨵ6¿ÜÖ×ᘤ,ᑣ»Í�6¿�#Ü。ᙠ��JÜÖ×ᘤ×}�#Ãᙠ½VDEḄÜJᙢᙬḄª16ð,ᙠ���J×}�#Ãᙠ½VDEḄÜ⌱Áè,Ü⌱ÁèᵨÍ⌱ÁÄ⊤KḄ%¿Ä,ÄÄÜḄJᙢᙬ、<»²�ᩗ▲Ï,ᯠᙠ���JÜÖ×ᘤ5ᯠ⌱Á%¿ᑁ×Ü,>Wê��;᪵]Z×}ÜJᙬÿ。ÔṹÜÖ×ᘤCSᢣ�#ÔṹÜ,ÔṹÜK×}�#Ãᙠ½VḄDEÜ。ᚮ᪘ÜÖ×ᘤSSᢣ�#ᚮ᪘Ü,ᚮ᪘Ü ᙠᑁ×}Ḅ%ᙽᱯG[ö,ᐸKḄᦪ��ᢥ᯿KÖᐜ-(LasthiFirstOut,UFO)ḄÜᑣÖV,ᐕ${ᐭ²ᑤ◀Ḅ%'¬Z᪘⚔。PC*SP(ᡈESP)ᢣᔣ᪘⚔,33ᢣᔣᚮ᪘ÜJᙢᙬ。ᦪ�ÜÖ×ᘤ05ᢣ�#½VDEᡠᵨḄᦪ�Ü。▬3ᦪ�ÜÖ×ᘤᢣ�#½VDEᡠᵨḄ▬3ᦪ�Ü。ÜÖ×ᘤFS²GS>80386ÍY0?Ûᨵᦔ,ñᨵ&ḄKᦻ+À,ᵨ+ᢣ�#½VDEḄ$¿×}ᦪ 62��⌮ᔣᑖ᪆�ᵨᢈ��ḄשÜ。�ᯠ5、ES、?8²08(~«+05、SS)ᡠᢣḄÜK�»Í×}ᦪ�,08 öᦪ�ÜÖ×ᘤ,ᙠʪ«Jᵨ05ᡠᢣᔣÜḄᦪ�。ᐸ�ᑮÿWin32�J,ÜÖ×ᘤïpWDOS¦Ô;᪵/⌕ÿ。ᡠÍ,ᡃñq⍝þ»Íÿ。5.4ïᵨḄÌ�ᢣ>Ì�nÞ"⊤5_2〜⊤5-14。ᦪ�Qᢣ>ᙠשᘤ²Ö×ᘤ、Ö×ᘤ²Q^Q-'ÛÇ4〈ᦪ�。(1)¶ᵨᦪ�〈ᢣ>。⊤5-2¶ᵨᦪ�〈ᢣ>__________ᢣ>___________________________________________________________________________________UV_________________________________________________________________________MOV〈QᡈQ⁚MOVSXᐜTó,;&—MOVZXᐜsó,〈_____________________________________________PUSHòQᐭᚮ_________________________________________________POPòQ-ᚮ_________________________________________________PUSHAò^,CX,DX,BX,SP,BP,SI,01«ᐭᚮ᪘POPAò01,SI,BP,SP,BX,DX,CX,^«-ᚮ᪘PUSHADò£^,ECX,EDX,EBX,ESP,EBP,ESI,£ᓹ1«ᐭᚮ᪘POPADòᓺ1,ESI,EBP,ESP,EBX,EDX,ECX,Â^«-ᚮ᪘BSWAPîᣚ32ðÖ×ᘤQ⁚ḄÝEXCHGîᣚQᡈQ⁚(«ªᨵ%¿PQᦪÁÖ×ᘤ,ÜÖ×ᘤW»QÁPQᦪ)CMPXCHGcBOîᣚPQᦪ(S¿PQᦪ�Áó3ᘤᔯM^>^)XADDᐜîᣚó3(°7ᙠS%¿PQᦪ)—Q⁚n⊤Úᣚ——BXᢣᔣ%256Q⁚Ḅ⊤Ḅ9²,¡Á⊤ḄåXLATæ@(0~255,ᓽ0〜�);¨©ALÁn⊤°7([BX+AL]—AL)(2)Qᐭ/Q-'Û〈ᢣ>。⊤5»3Qᐭᡂ》-'Û〈ᢣ>ᢣ>___________________________UV_________________________JNÊ)'ÛQᐭ(;Ó:mó3ᘤ,{'ÛT|00})'ÛQ-(;Ó:007{'ÛT|00},ó3ᘤ)Qᐭ^-'ÛᵫOUTÛᓽÞᢣ¦,ᐸB0~255;ᵫÖ×ᘤDXᢣ¦,ᐸB0-65535 S5kÌ�;。⊤5^¤Ḅᙢᙬ¥〈ᢣ¨_______________ᢣ¨_______________________________________________________©ª_______________________________________«ᐭᨵᦔᙢᙬLHA¯:LEADX,string;°±²ᙢᙬ³ᑮµ¶¥〈¤᪗ᢣ┐,°ᢣ┐ᑁº«ᐭ05LDS¯:LDSSI,string;°»ᙢᙬ:±²ᙢᙬ³ᑮ05:SI¥〈¤᪗ᢣ┐,°ᢣ┐ᑁº«ᐭ¼5LES¯:LESDI,string;°»ᙢᙬ:±²ᙢᙬ³ᑮ£5:DI¥〈¤᪗ᢣ┐,°ᢣ┐ᑁº«ᐭ½LFS¯:LFSDI,string;°»ᙢᙬ:±²ᙢᙬ³ᑮFS:DI.¥〈¤᪗ᢣ┐,°ᢣ┐ᑁº«ᐭ65LGS¯:LGSDI,string;°»ᙢᙬ:±²ᙢᙬ³ᑮ05:DI¥〈¤᪗ᢣ┐,°ᢣ┐ᑁº«ᐭᕂᕂLSS¯:LSSDI,string;°»ᙢᙬ:±²ᙢᙬ³ᑮ38:DI(4)᪗Ñ〈ᢣ>。⊤“᪗¿¥〈ᢣ¨_______________ᢣ¨______________________________________________________©ª•___________________________________LAHF᪗¿À³ᘤ¥〈,°᪗¿«ᐭ^______________________________________________SAHF᪗¿À³ᘤ¥〈,°>^ᑁº«ᐭ᪗¿À³ᘤPUSHF᪗¿ᐭ᪘POPF᪗¿Ã᪘PUSHD32Ä᪗¿ᐭ᪘POPD32Ä᪗¿ÃÅ(5)£�½£ᢣ>。⊤5«6ÆÇÈÆᢣ¨%^t1—T_____________________________©ª_____________________________ADDÉÊADCËÌÄÉÊ______________________________________________________________________________DSfCÉ1_______________________________________________________________________________________AAAÉÊḄÍ503ṹÏDAAÉÊḄᓝÌᑴÏ 64��⌮ᔣᑖ᪆�ᵨᢈ�Ó⊤ᢣ>__________________________UV■_________________________SUBÓSBB�ðÓDEC1NEC¨Æ(Í0Ç)CMPcB(PQᦪQÓ,±ᦋ᪗Ñð,W©〈°7)AASÓḄAscnṹDASÓḄᓝÖᑴMUL¿TôÓJMULᦪôÓÍYᩩ,°7©〈ᐭ>²Mᓃ(Q⁚½£),ᡈ〇0²々(Q½£)AAMôÓḄAscnṹDTV¿T◀Ó____________________________________________________EDWᦪ◀ÓÍYᩩ,°7©〈:ᖪ©〈^,Íᦪ©〈>^,(Q⁚½£):ᡈᖪ©〈^,Íᦪ©〈00,(Q½£)_________________________;__________________________________________________AAD◀ÓḄM501ṹCBWQ⁚ÚᣚÁQ(ò^KQ⁚ḄTóᑮ^KL)CWDQÚᣚÁýQ(ò“KḄQḄTóᑮ0îKL)_______________CWDEQÚᣚÁýQ(ò^^KḄQTóᑮ£“KL)CDQýQó(ò£“KḄýQḄTóᑮ£00KL)(6)®¯½£ᢣ>。⊤5^ÔÕÈÆᢣ¨ᢣ>UVANDù½£ORᡈ½£XORᡈ½£NOTsÆTESTmN(PQᦪQù½£,±ᦋ᪗Ñð,W©〈°7)_____________SHL®¯ª{SAL£�ª{(=SHL) S5kÌ�;________________________________________UV______________________________SHR®¯r{_______________________________________________________SAR£�r{(=SHR)ROL=�ª{ROR=�r{_______________________________________________________RCL¶·ÖðḄ=�ª{_____________________________________________RCR¶·ÖðḄ=�r{_____________________________________________K☢8Ñ{ðᢣ>,ᐸ{ðᦪ»255。{ð%¦,»]ZᵨPQṹ_________________________(7)ᢣ>。⊤5>+ᢣ>__________ᢣ>____________________________________UV__________________________DS:SIÛÜÖ×ᘤ:Û5ᙬ_______________________________________ES:DI�᪗ÜÖ×ᘤ:�᪗5ᙬ__________________________________CX/ᦪ¢ᦪᘤ_______________________________________________AUAXkÄ@_______________________________________________________0᪗Ñ0⊤D/PQK51²01&Ûᨬ:1⊤D&᪗Ñᵨᩭ¤ᑴkÄᡈcBPQḄ°,_____________________________MOVS〈(«^53〈Q;MOVSW�〈�;MOVSD〈ýQ)CMPScB(CMPSBcBQ:CMPSWcBQ)kÄ,ò¡ᡈ“Ḅᑁ.ù�᪗QcB,cB°7Æᙠ᪗ÑSCAS_a___________________________________________________________________________________ᐭ,òÛKḄᐗÄ(QᡈQ⁚)⌲%ᐭALᡈAXK(LODSBLODS〈Q:LODSW〈Q;LODSD〈ýQ)STOS�×, ^08Ḅ⌮·D____________________________________REP�CX^CXoO¦/REPE7REPZ�2^1ᡈcB°7ßÏ,*CX^CXoO¦/REPXE^EPNZ�2?=0ᡈcB°7WßÏ,*€%0000¦/REP(:�CF=d*CX7ECXo0¦/REPNC�CF=O*CX^ECXoO¦/'、(8)DEÚ{ᢣ>。①¿ᩩ�Ú{ᢣ>(<Ú{)。 66��⌮ᔣᑖ᪆�ᵨᢈ�⊤5«9¿ᩩ�Ú{ᢣ>__________ᢣ>________________________________________UV______________________________JMP¿ᩩ�Ú{ᢣ>________________________________________________CALL·Dᵨ______________________________________________________RET7RETF·D¨©②ᩩ�Ú{ᢣ>(;Ú{,_128〜+127ḄÊᑁ)(�*±�(SFXOROF)=1¦,OPl_________ᢣ>________________________________________UV_______________________________JA/JNBEW+*WÏ+¦Ú{____________________________________________JAE/JNBᜧ+ᡈÏ+Ú{__________________________________________________JB/JNAE+Ú{________________________________________________________JBE/JNA+ᡈÏ+Ú{__________________________________________________ÍY4ᩩ,mN¿Tᦪ½£Ḅ°7(᪗Ñ0:²2)____________________________________________JG/JNLEᜧ+Ú{________________________________________________________JGE/JNLᜧ+ᡈÏ+Ú{__________________________________________________JUJNGE+Ú{________________________________________________________JLE/JNG+ᡈÏ+Ú{__________________________________________________ÍY4ᩩ,mN�Tᦪ½£Ḅ°7(᪗Ñ3,0²)________________________________________JE/JZÏ+Ú{________________________________________________________JNE/JNZWÏ+¦Ú{__________._________________________________________JCᨵÖð¦Ú{____________________________________________________JNC¿Öð¦Ú{____________________________________________________JNOW÷-¦Ú{___________________________________________________^JNP/JPOᏔឋÁᦪ¦Ú{______________________________________________JNSTðÁ“0”¦Ú{___________________________________•_________JO÷-Ú{________________________•_________________________•JP/JPEᏔឋÁᏔᦪ¦Ú{____________________________________•JSTðÁ“1”¦Ú{_______________________________|③=�¤ᑴᢣ>(;Ú{)。 S5Ì�;ᢣ>UVLOOP00WÁs¦=�__________________________________________________________________LOOPEa,CX)PZCXWÁs*᪗ÑZ=1¦=�LOOPNE^OOPNZCXWÁs*᪗ÑZ=0¦=�JCXZCXÁs¦Ú{JECXZECXÁs¦Ú{④KÔᢣ>。⊤5»12KÔᢣ>_________ᢣ>_________UVmrKÔᢣ>mro÷-KÔmETKÔ¨©________________________________________________________⑤ᜐᳮᘤ¤ᑴᢣ>。⊤5^3ᜐᳮᘤ¤ᑴᢣ>_________ᢣ>_________UVHLTᜐᳮᘤᨚÌ,]ᑮ-KÔᡈð�T¨�Z________________________WATT�æᱏæTESTÁªᵯ@¦�CPUÖᐭÏ�ÊESCÚᣚᑮᜐᳮᘤ__________________________________________________LOCK�┝B________________________________________________________NOP3PQ__________________________________________________________STCÕÖð᪗Ñð____________________________________________________CLCÖð᪗Ñð____________________________________________________CMCÖð᪗ÑsÆ____________________________________________________STDÕÞᔣ᪗ÑðCLDÞᔣ᪗ÑðSTIÕKÔᐕ$ð____________________________________________________CLIKÔᐕ$ð(9)ᢣ>。 68��⌮ᔣᑖ᪆�ᵨᢈ�⊤5^14ᢣ>ᢣ>_________UV___________________________DWñQ(2Q⁚)__________________________________________________PROCñ·D—ENDP·D°SEGMENTñÜASSUME·ÛÜÖ×ᘤ[ᙬ________________________________________________ENDSÜ°ENDDE°S:CMPA,BcBMùᓃᐸKMù8»Í Ö×ᘤᡈᑁ×ᙢᙬ,�»Í�¦¿Ö×ᘤ,W¦�ᑁ×ᙢᙬ。¾¿ᢣ>öï"ÿ,$ÐVṹcBḄ��,�ᵨ¾¿ᢣ>。MOVA,Bò3Ḅ@〈¥M,ᐸK,³ù8» Ö×ᘤᡈᑁ×ᙢᙬ,�»Í�¦¿Ö×ᘤ,W¦�ᑁ×ᙢᙬ。Xorax,axᡈPQ,ö⌕�Ḅ ©§Ì3。LEAᐭᙢᙬ,S1^�0,string©QḄᙢᙬᐭÛ0Ö×ᘤ。5.5��ᢣ�1.]Z᪗ÑÚ{ᢣ>(8ð[ᙬ)]Z᪗ÑÚ{ᢣ>⊤"⊤5-15。⊤5»15]Z᪗ÑÚ{ᢣ>⊤ᢣ>¤ᘤṹmNᩩ�_________…ᑣÚ{_________JC72C=1ᨵÖðJNC73C=0¿ÖðJZ/JE74Z=1s/Ï+JNZ/JNE75Z=0WÁs/WÏ+.JS78S=1TJNS79S=0>ÃTJO70____________0=^_____________ᨵ÷-JNO710=0¿÷-•JP/JPE7AP=1_________ᏔðÁᏔ_________JNP/JPO7B_____________p^______________________ᏔðÁ_________ S5kÌ�;(8ð[ᙬ)4Z᪗ÑÚ{ᢣ>"⊤5-16。⊤5»164Z᪗ÑÚ{ᢣ>⊤ᢣ>_________¤ᘤṹmNᩩ�__________…ᑣÚ{__________】>^8£(cB¿Tᦪ)77c^z=o>¢+/W+ᡈÏ+JAE/JfNB(cB¿Tᦪ)73C=0>=ª+ᡈÏ+/W+JB/JNAE(cB¿Tᦪ)72C=1<+/Wª+ᡈÏ+JBE/JNA(cB¿Tᦪ)76C^Z=1<=+ᡈÏ+/Wª+JG/JNLE(cB�Tᦪ)7F(�ᡈ0)*^>ᜧ+/W+ᡈÏ+JGE/JNL(cB�Tᦪ)7D5ᡈ0=0>=ᜧ+ᡈÏ+/W+JLyJNGE(cB�Tᦪ)7C$ᡈ0=1<+/Wᜧ+ᡈÏ+JLE^JNG(cB�Tᦪ)7E(ᕂᡈ0)ᡈ2=1<=+ᡈÏ+/Wᜧ+3.ÜᑁÚ{ᢣ>ÜᑁÚ{ᢣ>"⊤5-17。⊤5^17ÜᑁÚ{ᢣ>⊤ᢣ>¤ᘤṹVPQUVÜᑁ]Z;Ú{EBJmpshort(0>)—(0>)+8ðð{ÎÚ{B-128〜+127Q⁚JmpnearPTR(n>)—(n>)+16ððÜᑁ]ZâÚ{E9Ú{ᑮÜᑁḄ%ðÕ{_____________________________________Üᑁ4ZÚ{FFJmpwordPTR(EP)—(ᨵᦔᙢᙬ£M)10^^ᙬ?1�(0>)—(2{ᙢᙬ)(CS)Ü4]Z(Õ)Ú{EA—(Üᙢᙬ)_________________________JmpdwordPTR(D>)%(EA)(CS)Ü44ZÚ{EA<~(EA+2) �6�⌮ᔣÕᢈ'6.1⌮ᔣ��ᢈ�Ḅ���!"ᓫ%(ᙠ,6⌮ᔣ*DḄᑖ᪆·DKpï⍗ᑮḄ�;,Î⌮ᔣᑖ᪆��Ḅᵨ。¾(�;ḄᭆI ◤⌕ᡃñ�V×Ḅ,�Áᨵ-ÐḄᭆI ᙠK☢⌕ᵨᑮḄ,ᡠÍ¡¢¶·J☢Ḅ¢X¥ᜧh%ḄDE。•1.ᜐ1APIZÛ�Windowsᡭî⍝,¿X®<᪵Ḅ&ᵨDE,ᐸv«ᨬ�� ¶·ᵨᔜÑAPIᦪᩭ�ᔜÑ¥¦Ḅ。¶ïAPIᨵÑJM,Winl6²Win32。16ðḄAPIᦪ²32ðḄAPIᦪḄ[�ᙠ+ᨬKḄ%¿Qã。Sᡃñ³ÕÔ²:.bpGetDlgItemText、GetDlgItemText16ðAPIᦪ。bpGetDlgItemTextA²bpGetDlgItemTextW32ðAPIᦪ,úGetDlgRemTextA⊤Dᦪᵨᓫ⁚,GetDlgItemTextW⊤DᦪᵨýQ⁚。ᙠ⌮ᔣᑖ᪆KïᵨᑮḄ Win32ᓫQ⁚M?1ᦪ,þ ²GetDlgItemTextA��Ḅᦪ,ᐸ�ḄÑ(^-16^1²^1^2ýQ⁚APIᦪ)cBª"。>^^32APIᦪᒹóᙠxZp,ᒹóᙠkemel32.dU、user32.dn、gdi32.dll²comctl32.dHK。Q⁚(Byte)ᑍK×s�ÒḄJMᓫð,»ᵨᜧᑏQã3⊤D。1¿Q⁚ᵫ8ðÖᑴᦪÙᡂ,ᐸð�Tª«rÁb7,b6,b5,b4,b3,b2,bi,bo。1¿Q⁚ᓰᵨ1¿×©ᓫᓫQ:1¿Q16ð,ᐸð�TÁc5〜50。1¿Qᓰᵨ2¿×©ᓫᐗ。ýQ:1¿ýQ32ð,ᐸð�TÁ^!〜^。1¿ýQᓰᵨ4¿×©ᓫᐗ。Q:1¿Q64ð,ᐸð�TÁ1^〜1>0。1¿Qᓰᵨ8¿×©ᓫᐗ。ÁÿÃ~ᙢ[ᑖW�Ḅᑁ×ᓫᐗ,¥_¿ᓫᐗᑖ�%¿×©ᘤᙢᙬ,ᙢᙬ¡0}6�T,ÝE⌴Û1。ᙠ¢£¤Kᙢᙬᵨ¿TÖᑴᦪ⊤D,»ᑏÁᓝ³Öᑴᦪ。%¿×©ᓫᐗK×}Ḅ�ÒÀÁ�ᓫᐗḄᑁ.。S2TᓫᐗK×}ÿ%¿ᦪQ8,ᑣ⊤DÁ:(2)=8。+Q、ýQ²Qᦪ���,ᵫ+ñ_¿ᦪ��⌕ᓰᵨпᓫᐗ,�¦>◤¥-ᨬᓫᐗḄᙢᙬTᓽ»,ᯠK«×sKZQ⁚。øý:ᢥ᯿11^1dñḄ6�,+Q、ýQ²Qᦪ���,ᐸᙢᙬK×}ðQ⁚ᦪ�,ªᙢᙬK×}ªðQ⁚ᦪ�,¾þ ᨵ(ôᧇKÀÁ“⌮E×}”Ḅóñ。Sᑁ×ᨵÍJᦪ�(K[>⊤Dᓝ³Öᑴᦪ)。ᙢᙬ:012345— S6k⌮ᔣ*Dᢈ�71ᑁ.:12H34H45H67H89HOAH-שª«�6>1ᡠD,ᑣ+W�Ḅᦪ���,¡1TᓫᐗsᑮḄᦪ� :245H3Q⁚=34>Q=4534>ýQ=89674534z45OAH2.Ô²Ô² DEKÔḄᙢÞ,®< KÔᕖ?KÔþᵫ+ᨵᱯG��(KÔ��)U¹,¢£¤ᨚÌ�#Ḅm(ᓽDE),ÚúLV$Ḅ�&1שᓫᐗm(KÔlmDE),ᯠK¨©ÜᐜḄm�ZV。¾þ %¿KÔḄᙢᙬ²ᑁ.·D。ᡃñᙠ⌮ᔣᑖ᪆Ḅ·DKþ ÏᑮDELVsᡃñQᐭḄ�ÒOûᜓßcBḄ¦©KÔJᩭ,ᯠKᡃñ¶·ᑖ᪆DE,ᑮÃ~Ḅßᐵ�Ò。3.DE34ùÈ34¾ ¿/⌕ḄᭆI,DEḄ34,þ DEḄᙢÞ,�þᡃñ⌕⌮ᔣᑖ᪆ḄDEᡠᜐḄðÕ。ᵨᡝ ᙠDE½VḄ¦³ÕḄÔ²,Á®^•ᦻM�ṹÞḄJẠASCIIṹ, %¿7ðḄ�ṹ᪗û,ᒹ26¿ᑏQã、26¿ᜧᑏQã、10¿ᦪQ、32¿T、33¿¤ᑴÔṹ²%¿3,ᐳ128¿Ôṹ。ᵫ+¢£¤¶ïõᵨ“Q⁚”Áᓫðש²îᣚᦪ��Ò,��-Т£¤ᔆh³80^1ṹÖVÿᐙ,ᙠÜᩭḄJẠYîÛ3ÿ128¿▬3Q,^51、。ᑩ0^^ÏQ。2.ANSI�ṹÁÿ¢£¤)ᢝ-Ð;<,¶ïᵨ0î804^�BḄ2¿Q⁚ᩭ⊤D1¿Q。c:�Q“K”ᙠKᦻPQÈKᵨ[0xD6,0xD0]¾¿Q⁚ש。W�ḄLh²ᙢ[ᑴÿW�Ḅ᪗û,ᵫ�º¹ÿ082312,8105Î�ÏᔜḄ�ṹ᪗û。¾(�ᵨ2¿Q⁚ᩭÔ⊤%¿QḄᔜÑ�QÞ��ṹÞ,ÀÁANSI�ṹ。ᙠ~KᦻÈJ,ANSI�ṹÔ⊤0�2312�ṹ,ᙠzᦻPQÈJ,ANSI�ṹÔ⊤:《�ṹ,W�^31�ṹÇ4YW?.。 72��⌮ᔣᑖ᪆�ᵨᢈ�3.UNICODEH+µᦻᩭÖ,AscnṹþÍ�ṹᡠᨵQ,+Kᦻ,ᑣ�ᵨ¿Q⁚ᩭÔ⊤%¿�Q,¾Ñ⊤D�QḄÞ6�YÀÁýQ⁚。�ᯠýQ⁚»ÍÉÜKµᦻQ3ᔠᵨḄª«,+W�QÈú<,þ⌕p·QṹÚᣚ,¹ï�,Kµ、KÊ、Ê!3ᔠḄª«。ÁÉܾ%⚪,-Ðdñὶᔠ9ᩭᑴÿ%ᝅ»Í〉ᵨ+ᐰ"ᡠᨵLhḄQṹ,WAìÞᦻQ?íÞᦻQ,%#ᵨ¿Q⁚ᩭ⊤D,¾þ000Â。6.3ï"�D;<ḄᐭÛÎ[ÜᱯÝM�B°ÿÍJï"Ḅ5Ñ�D;<ḄᱯÝ,ᒹñḄᐭÛÔṹ²[Ü,7q¾(ᑁ.ᨵ¿ðᜐ:S%,»Í᪷�ñ��&ᵨDEᵨ�Ñ�D;<ᩭ�;S,QÁ ᔲᑮ(^?ḄᑨÔ«�。1.BoriandC++0040163CB>/BB10'jmpshort-3orland_.0040164G0040163E|66:623Abounddii?dwordptrds*[edx]00401641.|43incebx00401642|2B2Bsubebp,dwordptrdsi[ebx]00401644|48deceax00401645|4F•decedi00401646|4Fdecedi00401647|4Bv.'rdecebx00401648|90nop00401649-|E998BQ4E00jrapSHELL32.008BF6E60040164EA18BE04E00raoveax,dwordptrds:[4GE08B]00401653C1E002shleax>2004P1656A38FE04E00movdwordptrds:[4EE08F],eax0040165B52pushedx0040165C6A00push00040165EE8DFBC0E00callß&[Ü:mnnmwrrBBflflHI098]TCr=lana^-BrroBgBBg1’w—Trmr—™™——™——oouoioooOOOEDOOOBorland—OOJ*OOOOO.^ext:codeOQi*EEOOOOOOOFOOOBorland:OOJ*OOOOO.dat:adataOOUFDOOOOOOOIOOOBot-Xand_00i«00000-tlsHOi*FEOOO00001oooBorlancS_OO^OOOOO.rdataOO^FFOO000003000Borland_OO^OOOOO.ldlat:adLraports0050200000012000Bor-Xand_OOi#OOOOO.edat:aexpo^^sOOSI^OOOOOOB1OOOBorland_OOi*OOOOO-Ksr*cr*esout*ces0B5C5000OOOIooooBorlandOOUOOOOO:「-?」-”-•:_—--relocations2.Delphi00458650D>55pushebp S6,⌮ᔣ*Dᢈ�73004586518BECmovebp,esp0045865383C4P0addesp,-1000458656B870844500..moveax,Delphi.004584700045865BE8OOD6FAFF--call•Delphi.00405C6000458660Al58A14500.moveax,dwordptrds:[45A158]004586658B00moveax,dwordptrds:[eax]00458667E8EOElFFFFcallDelphi.0045684C0045866CAl58A14500moveax,dwordptrds:[45A158]004586718B00moveaXfdwordptrdss[eax]00458673BAB0864500movedx,Delphi.004586B000458678E8DFDDFFFFcallDelphi.0045645C0045867D8B0D48A24500movecx*dwods:[45A248】•»-•••••••‘00458683Al58A14500,moveax,dwordptrds:-.[45A158]004586888BOOvmoveax,dwordptrds:[eaxp0045868A8B15EC7D4500novedx;dvrordptrds:'[^7EECJ00458690E8CPElPFFPcall-Delphi.00456864-00458695Al58A14500moveax,dwordptrds:[45A158]0045869A8B00moveax>dwordptrds:[eax]0045869CE843E2FFPFcallDelphi.004568B4:"ooToHoorToloTo6T*DeTpTTT100400000PEheader0040100000058000Delphi00400000CODEcode0045900006002000Delphi00400000DATAdata0045B00000001000Delphi00400000BSS00U5C00000003000Delphi00400000.idatainportsOO45FOO000001000Delphi00400000-tls00460000ooeoioooDelphioo4oeooo•rdataeo46iooo00007000Delphi00400000.relocrelocations0046800008007000Delphi00400008.rsrcresources3.VisualC++0046C07BU>55pushebp0046C07C8BECmovebp>esp0046C07E6APPpush-10046C0806818064C00pushUltraSna.004C06180046C08568F8364700pushUltraSna.004736F80046C08A64:Al00000000moveaix>dwordptrfs:[0]0046C09050pusheax0046C09164:892500000000movdwordptr£s:[0],esp0046C09883EC58subesp,580046C09B53pushebx 74��⌮ᔣᑖ᪆�ᵨᢈ�0046C09C56!pushesi0046C09D57pushedi0046C09E8965B8raovdwordptrssr*[ebp-18],esp0046C0A1FF1574824A00calldwordptrds:[]0046C0A7•33D2.xoredx,edx0046C0A98AD4^movdl,ah0046C0AB8915403F4F00movdwordptrds:[4F3F40],edx0046C0B18BC8movecx*eax0046C0B38151FFOOOOOOandecx,OFF0046C0B9890D3C3F4F00movdwordptrds:[4F3F3C],ecxß&[Ü:0'640o0T0Ti5iT5WUltraSnaTo4F00oo^PEheader00401000000^7000UltraSna00400008•textcodeOOM80OO00026000UltraSna00400000.rdataimports004CE00000029000UltraSna00400000.datadata004F700000018000UltraSna00400000.rsrcresources______________4.Ì�00401000?C>6A00push000401002E8C50AOOOOcall00401007A30C354000movdwordptrds:[40350C],eax0040100CE8B5OA0000call00401011A310354000movdwordptrds:[403510],eax••r••■•004010166A0Apush0A00401018Fr35l03540001pushdwordptrds:[403510]••.*•1,••|••0040101E6A00pU0^0,,.,、.00401020-•FF35OC354000-^'pushdwordptrds1[40350C]00401026E806000000call.004010310040102B50pusheax0040102CE88FOAOOOOcall0040103155pushebp004010328BECmovebp,esp0040103483C4,B0addesp,-5000401037C745DO30000000movdwordptrss:[ebp-30]»300040103EC745D40B000000movdwordptrs8:[ebp-2C],0B00401045C745D837114000movdwordptrss:[ebp-28],.00401137ß&[Ü: S6.⌮ᔣ*Dᢈ�75O05TO000^00001000^ra~"00ioo000nPEheader0040100000001000[00460000-textcode<0040260000001000「_^nfl00400060.rdatadata,imports、1Q040300600001000]「-^vW00400000-data004040880fl001000「_^^^^^.00400000,rsrcresources_____________i5.VB0040116CV>/$68147C4000pushVB.00407C1400401171|.E8FOFFFFFFcall00401176|.0000addbyteptrds:[eax],al00401178|.0000addbyteptrds:[eax]tal0040117A|.0000addbyteptrds:[eax],al0040117C|.3000xorbyteptrds:[eax],alß&[Ü:"TO4000M113"00001000TT*5oouooooFPEheader0040100000008000UB00400000.textcode,imports0040900000001000UB00400000.datadata0040A00000001000UB0Q4oeeoo.rsrcresourcesᜧh&��D;<ḄᐭÛÎ[ÜᱯÝᨵÿᐰ☢ḄÿÉ,7ÿÉÿ;<ḄᐭÛÎ[ÜᱯÝÜᳮþWbV×ḄᵨÞÓ,ᐸ��%Ñ�D$<�◤⌕pḄó。6.4?ÜDE~ḄÑ�,✌ᐜᵨ?1^1#0、!^(!Ï*ᐹᩭmmDE®<3Ê。2.ᐭÛ²(EntryPoint)ᜧÐᦪPE3DEᙠ3ÊḄDEK3Y%¿ᡈпÜ。ᡃñ7Ïᑮ%¿�ÜḄJMPþᨵ»¦ÿ。(0ᵨÿ%�ÜḄJMP,ASPACKᵨÿ�ÜḄJMP。¾ÑᑨÔ%r�ᑖ᪆DEúᑮᐭÛ²(EntryPoint),þ DEᙠÓᡂÿÜDEḄÉ,?ÜK,}6oÚᑮ©?ÜḄDEV,�¦ḄᙢᙬþᐭÛ²Ḅᙢᙬ。3.dumpᑮᐭÛ²K,ᙠ�ᜐ»Íᵨ€^^^ᔳ?¥¦ᩭᢕsᑁ×Kïp?ÜḄᦻ�。4.Ãdumpᵨ?£ᐹ¡¢ᐭ¤(EntryPoint)。:¦003§Ḅ^0^©?ª«ῃḄᦻ¯,⌕ᵨ¦000^)ᡈ?£^01?£ᐹ¡¢ᐭ¤。01^²ᓽ´1µḄᦻ¯,⌕ᵨImportREC¡¢ᐭ¤。- 76��⌮ᔣᑖ᪆�ᵨᢈ�5.üᙬ(ImageBase)Jᙬ ᢣᐭᑮᑁ×KḄEXEᡈDLLDE@}6ᙢᙬ,Win32KḄ%¿/⌕ᭆI。ᙠWindowsNTK,ÊḄ@10000:h5^j^&LMfÊ@Á400000h。ᙠWindows95K,10000hW¦ᵨᩭᐭ32ðḄVᦻ�,�^€ᙢ.ᙬᜐ+ᡠᨵÖDᐳÃḄឋᙢᙬ[ö,��Microsoft©Win32»Vᦻ�ḄÊJᙢᙬᦋ5Á400000h。6.RVAß)*ᙢᙬ(RelativeV^mlAddress,RVA),8¿⚗ß+ᦻ�êᙢᙬḄ2{。S:�DE©%¿?£ᦻ�ᐭᑮ)*ᙢᙬ34K,¡100001156Ḅᑁ×K,7?£K8¿⊤ᙠêKḄ96ᙢᙬ 10646h,;<�⊤ḄRVAþ646h。)*ᙢᙬ(RVA)=2{ᙢᙬ+Jᙬ(ImageBase)。6.5Þ?ÜDE1.UPXÁÿ��ᐳÃ��Ḅqrºᩗ,ᡃñᡠᵨḄDEᙳÁNotepad.exe。�᪗DE:ᵨUPX0.89.6•1.02/1.05-1.24·Ḅ4^otepad.exe。ᵨ*ᐹ:PEiDv0.94,OUyDbgl.lO。(1)ᐭÛ²(Â^^?0)~。�6~2ᡠDᨵ·ḄNotepad.exe。APA(EntryPoint)0000739D,EPSectioncîUᙽ,0*?01007390。f,i-^fY-rv-'ri^ntiiWtr*r--:*^>^YfnirM.m-,-_.4i^ft*'-■-■^jfo"a^>iXyA*ti^''^-^ii8toc^^^V^^i■>y^5wSiᓃ:UuFHe:C:Documentsand5ᩤᕸ053☢ᝅ^0£?.[%Entrypoint:0000739DEPSectk>n:.textFileOffset:0000679DFirstBytes:6A,70,68,LinkerInfo:7.10GenOEPMicrosoftVisualC++7.0Method2[Debug]Found0EP:0100739DMufeiScan|[TaskViewer)Qptionsj••••>a(.>*aaTla•••■•••••<¶·]|PStayontop�6«2~ᐭÛ²(2)J☢ᵨUPX0.89.6-1.02/1.05•1.24Áᐸ3。✌ᐜ½V0,ᯠKᓫs0^^>[ᢥÇK⌱Á⌕ḄDE,Notepad.exe,�6~3ᡠ(3)⌱ÁÓ⌕ḄDE^^01ᓺ&^61^ÇK(0ÖᐭᑮJ%⚗,ᐸ�⌱⚗Ê,s00ᢥKᓽÓᡂÿ,�6~4ᡠD。 S6k⌮ᔣ*Dᢈ�77OPXCiaphicalrnmCtose^r!刼fc)2002.2008byDdcP«eH)2002.fFfecy*are.1—1^¾¾¾?]1ooN^n1OpenFieCofrpcettOpbomAboutHntoiyOUputnUwwtemalUR、.,j^Ù^.r^iAtS^^^^ii^ifjfta.fcTjtfh*•“,.,^^ma^Z2mm^St^PlSP^ff^P^P^Wi^iO'l.-.■'J_⍞.、.,_^9[.——^^9[999.._.—91[,,_.,...-ᐭ--.~1|Tte:c:DocumontsandSetttngsaj|®NOTEPAD.EXeEntrypoht00014240EPScctkjo:UPX1RleOffset00004640RrstBytes:60,BE,00.00LinkerWo:7.i0UPX0.89.6•1.0211.05-1.24->Markus&l«zlo;Mufcl5can|;IaskVtewer|QptionsjW^ayontop�6>5n°7(5)Þ?Ü·ḄNotepad.exe。ᵨOUyDbg?ܾ¿UPXḄ,✌ᐜ�ᐭNotepad.exe,ᵨOUyDbg�ᐭNotepad.exeÌᙠ¾3DEḄᐭÛS%P“PUSHAD”,ᯠKᢥ?8"ᓫkr�,�“ÍÎJ☢ḄÌ�ÔṹᡠD。JT101H2M:0181M2W>!83CQFF01«1M?5»:»1iiii?5?tt1dlU2D3!�64.?Ü 78��⌮ᔣᑖ᪆�ᵨᢈ�ᙠr�·DK§-JÌ�Ôṹ:01014240>••.60,,...-_^fPUSHADᡠᨵḄ¾¿ᘤÁ᪘。.■~*••.01014241BE00000101MOVESI,NOTEEAD.OlOlOOOOÃÄÅᩩᢣ4^^^È。010142468DBEOOlOFFFFLEAEDI,DWORDPTRDS:[ESI+FFFF1000]0101424C57PUSHEDI0101424D83CDFFOREBP,FFFFFFFF01014250EB10'JMPSHORTNOTEPAD.01014262»6—7ᡠÉ。wWn??5CTTT*111*"1TTOTCT1----------------01O1^2i*Di83CDFFOREBP,FFFFFFFF81014250UEB10JMPSHORTN0TEPftD.01014262»6^701014250Ḅ1«>¿ᩩ�oÚᡃñ �ýḄ,þᢥ?8"�Zr�JL。ᡃñᙠ⌮ᔣ?ÜḄḄ¦7oÚ©o,þ⌕õs�6~8ᡠDḄÞÓ。8fi0067B01O1U258687!hOUAL,BVTEPTRDS:[ESI]u0101425ft84INCESI0101^258D1EDhOUBVTEPTRDS:[EDI],flL01014250INCEDI0O101^25E11788175B312ᕸEBX,EBX00161426017EEBEDJNZSHORTNOTEPflD.0101426901014262MOUEBX,DWORDPTRDS:[ESI]0101426^SUBESl,-H01014267ADCEBX,EBXBPmS0^8J^^K3W3Kyt?QJW^FiMSftP1?01014269JBSHORTNOTEPftD.01014258^»*º’MMOTI^n^^OT^^M^OT^HWOT|01014268jB801000000MOUEflX,1__________________________________________»6^801014269©oᑮ01014258,�¦⌱K01014266ᯠKᢥ?4"。<…-ᢥ?8"ᓫkr�。ᑮ��6-9ᡠD,「「';8^^—^^^ᥟ^『9—、—_9t33E223^1E209U!(IWSHORTNOTEPftD.«101U31F1010143468DBE00200100LEAEDI,DWORDPTRDS:[ESI+12000]0181434C8B07hOUEflX,DWORDPTRDS:fEDIl...•�〜9.…•-—.、.01014344E2D9LOOPDSHORTNOTEPAD.0101431F,�ᜐ=��᪵ᢥ?4"ᩭᑮ01014386,�6«10ᡠD。0101U370!09C0OREftX,EftX0101437F7407JESHORTN0TEPAD.01014388vO101i*3818903MOUDWORDPTROS:[EBX],EAX0101438383C304ADDEBX,4.,..:,,-::w^^MAt、»<^*iv•■i^>>ji-4.*>^*^^i<*yy*<^yv.01007390ᑮ€ᓹ3<1Ḅᐭᜐ。»6-11ᡠÉ《010143D048DECEAX010143D10000ADDBYTEPTRDS:[EAX],ALiftddr>sslHgxduwpiDisassenbl^|Conwentn6A7fl^immmmm.,mmwmm.mmfTOSH70■■■,.^^rnm■..................................__■■■,_,_■■■■,__■*■■_—_—__,",■_■>mmmmmmm...........................-■■_■_■■■__■_■_,_-_i_,■DIICUkMl*r^DAfA4flfl^onoO10073AiilE8BF010000cmxN0TEPAD.01087568010O73ft933DBXOREBX,EBX810073AB53PUSHEBX-p?1odule=>NULL01S073AC8B3DCC10000MOUEDI,DWORDPTRDS:[1001OCC]kernel32.GetHoduleHandler)018070B2FFD7CftLLEOI.GetModuleMandleftmmmm»hl1ÊᑮNotepadᐭᜐ(6)ᯠ£⌱¥1^^^—0¦0§1^>—0™^debugged9«^88=>,ᙠ�#ḄNÖDῃ,�6^2ᡠD。、aaxnthread.BodulcHOTEPADJWionsfi&d^r^tlp■Advtnc.dZAntlyz*TkisAPIbrttkplu^inAr»tdilloProctssDtltch£CX000;%ndBtrCOX7C9;ntdllEBX7FFl�CodtRipp*rESP000;1DtttRipptr8ExirtCopy|yaBmiT".1".1—">1..............._-^m__w*ayt«TEF».w]tmssmmmmmmwrnmmmamm^r*^^^^^^"""""*"^"""T"*"p^T^EP^y^nTnn^^p"ffrTn"into^011yScriptFindOEPbyS«ctionHopCTr%c*^vtx)OHyObfPID>nptrPuntoHyAOptions■•■■—_‘^—«*—ifc,______•—^^^^^%^^^»^»*^>*__•_*^OllyTbtrMtn^ctr&boot�6~UNÖDῃ(7)-�6^2ᡠDb᪾。DumpᐭÛ²(EntryPoint)14240ᦋÁ7390O*Vs£ÃQÁOEP(ÈÊ)。ᯠKᓫs1^»^ᢥῃ�×,�^13ᡠD。ᯠKᡃñᵨᓹ£0)mmÁ:(MicrosoftVisudC++7.0Method2)½V%ᑗÃï。2.UPX—APIijkᵨAPI“LoadLibraryA”l:mᐭᢣ>Ḅº¼,�prᑮst×ᵨḄᙢᙬuv。wmᐭ,ᓽyzᑁÑçḄ|ùGetProcAddressl:}¥¼ᑮDLLḄtÔᵨGetProcAddressᩭ~DLL/*ᦪḄᙢᙬ.×ᵨ〈Ḅ*ᦪᢣ┐ÔᵨDLL*ᦪ。GetProcAddress�ᵫLoadLibrary、AftLoadLibraryᡈ S6k⌮ᔣ*Dᢈ�810^110(^611i¨©Ḅ00^�ᙽP.²⌕ᵨḄᦪ+ᡈ�ᦪḄÙ-ETᵨQᦪ。ᐹ~PQJ:[t^m->Modify:*73^^r"^^^^r^^s57"""""""""^^"^7^^^"^^sssrV^£ixRawSizo&OffsetoiDumplrMgeSechon.:VirtualSi?e,VirtualO^se(;RawSfzeR^vvOftselCharaclaristics*^*—^»_■__--_^*^__o^____D_•___,_____■%i_mm■m_■■fcw^^^^^^^^^<__■_■■___■_,_____________,k___•,__■.♦•__■__,■•__^»_■•_.i_mi_.•»♦♦,______..■A^UPXOOOOOFOOO00001000OOOOFOOO00001000E0000080UPX100005000000100000000500000010000E0000040.rsrc00008000000150000000800000015000C0000040K?flebuildlmpor(�Mothod2:SearchJMPIAPIJICALL(API1inmemoryimageMothocC:SearchDLL&APIndmostringindumpnÛQᐭÔ²=>:bpLoadLibraryA,©öÇKᢥ"½VDEKÔ,�6^4ᡠD。mainthread,moduleROTEPAD]B_£il«Vi«rgebu{^la{insOp^ionslindov^tlpSXftddress|Hexduwp|PisassewblyRqiSy^^.s^ftpvDEEEEEEE£XXXosIosDE0101i|2^0m^9^mPUSHAD918142JH1iBE00000161MOUESI,N0TEPAD.910100e091014246|8DBE0O1flFFFFLEflEDI,DWORDPTRDS:[ESI*FFFF1000]s8101424C57PUSHEDIppII810142*iOi83CDFFOREBP,FFFFFFFF01014250:.EB10JMPSHORTN0TEPAD.0101426201814252:90HOP0181H25396NOP0ieiW5490NOPF000/FFCi4ܨLoadLibraryA|lWltXJfaus*d�6^4KÔᙠ¾ᢥALT+F9Ùᔠ"“Vᑮ¨©”,�6~15ᡠD。wr6ivr6i------------7C801O7955iPUSHEBP7C86107A8BECjHOUEBP,ESP7C801D7C837D0800CMPDWORDPTRSS:[E8P+8],7C881D80S3PUSHEBX7C801D8156PUSHESI7C861D827H^HJESHORTkernel32.7C801D98?G80108468FOE2807CPUSHkernel32.7C88E2F0ASCII"twain_32.dir7C861089FF7508PUSHDWORDPTRSS:[EBP+8]7C801D8CFF159C13807CCALtDWORDPTRDS:[<&ntdll.strcnpi>]ntdll._stricnp�6^5 82��⌮ᔣᑖ᪆�ᵨᢈ�ᢥÓALT+F9Ùᔠ"ÇK¨©ᑮ¾,�&16ᡠD。.........................................................0101^368r^------------------------1SCHB'TBgTCTP....................................................................01014369:8A07MOUftL,BVTEPTRDS:[EDI]I8101U36B47INCEDIJ^^m^^^J^J>-*%^r>ry7~^3M^I01Q1ii36Cj0SCOORftL,flL^^^^^^^^^^^^^^^^^i................�6^6ᢥF8"�Zr�ᩭᑮ¾,�6»17ᡠD。686378E1DA9539010143BDPOPAD___________________________H4o2ou810U3BEEcLEAEAX,OWORDPTRSS:[ESP-80J0101U3C2PUSHeu0101WCi*FccCMPESP,EftXCC010143C6^DJNZSHORTN0TEPAD.010143C2800101WC8SUBESP,~802010143CB-FlJMPNOTEPftD.0100739D�6^7010143BD61POPAD——-.................-᪘010143BE8D442480LEAEAX,DWORDPTRSS:[ESP~80]010143C26A0CI..PUSH0010143C439C4CMPESP,EAX010143C6A75FAJNZSHORTNOTEPAD.OlQl43C2010143C883BC80SUBESP,-80,v•010143CB-E9CD2FFFFFJMPNOTEPAD•0100739D---ᡃñ&�-7៉¾ᙠᢣᔣ;。(2)bpGetProcAddresSoOUyDbg�ᐭNotepad.exeÌᙠ3DEḄᐭÛ,ᯠKᙠ=>nÛQᐭÔ²=>bpGetProcAddress,©öÇKᢥo"½VDEKÔ,ᢥM^^ẖÙᔠ"ÇK¨©ᑮ¾,�6~18ᡠD。.mm^1^s^OT|^OREftX,EftXK•w■'kernel32.6etCurrentThreadId》n»*^'.-rr^f,~^vnÌr^.*-»*、*y•0181437Fv7k07JESHORTN0TEPAD.0161U388010143818903HOUDWORDPTBDS:[EBXj,EflX01tt1^38383C3fl4flDDEBX,,t�&18ᢥo"�Zr�ᩭᑮ¾,�6»19ᡠD。Wm???ÍÍÍÍÍ611----------------------1»................................................■■__■_■...............01oi^3Br;80442480LEAEAX,0V0R0PTRSS:[ESP-80]----------------------------------------------------------0101^i3C26A00PIICUR_____________________0101i*3Ci439C4CMPESP,EAX¨©ª«ᔣ0£ᓹ8101U3C6^75FAJHZSHORTH0TEPAD.01«tV1ft1^3C8g_*IKj1,,aJ%_>9JflQcr8flMMhkBiil............■*M*"^*^^"**^——^——^!_,ÅT^*T^'••■:B>E9i>iCD2FFFFF_>iJMPN0TEPflD.0100739Dt__________________________�6>190l0l43CB]Zᢣᔣ0£ᓹ?8�Z,DEoᔣ16?&3ᐭÛ,r"0^0^,�6-20ᡠD。 S6k⌮ᔣ*Dᢈ�83____UddrysOisassenblyCo_ent—■■■■■■■*■■———'■■■■■■^■■■_■_■__■___■■NULL010073flC8B3DCC10600M0UEDI,DWORDPTR0S:[1001OCC]kernel32.GetModuleHandleA01O073B?FFD7EDI.GetHoduleHandleA»6~20DumpKḄNotepad.exe½V%ᑗÃï。3.ASPack2.12�᪗DE:ᵨASPack2.12·ḄNotepad.exe。ᵨ*ᐹ:PEiDv0.94,OllyDbgl.lO。(1)Notepad.exeᨵÇ#ᡃñᵨPEiDᐸNotepadÖVmm,�6~21Ámm°7_"pPEiDv0,94File:C:pocumentsandSettings>U8^V^iOTffADy.EXeQEntrypont:0000739DEPSecton:.textI>FiteOffset:0000679DFw-stBytes:6A,70,68,98|>Linker^ifo:;7.10MicrosoftVisualC++7.0Method2^ebug]MultiScanTaskViewerQptionsP^Stayontop�6^21mm°7(2)ᐭÛ²(Entryᓹ0Û)~。ᵨASPack2.12·ḄNotepad.exeᐭÛ²(EntryPoint)ÏᐰnU¹5ᓄ。0£?ᓾ?ð0mmᑮÁÃïḄ,�6«22ᡠD。JT*''、^'••.:」.、:2>^^_2[:~^^T^^^^Jr7kVM^dW^l^M^ijitftfL^>vV'':、iM"_.-.rFte:C:pocumentsand^^☢^^-ᶯ:..UWrypojn〖:66biMfliLpy_;"_:5gsa?____1FiteOffiset:00005401RrstBytes:60,E8,03,00Linkerbifo:7.10GenOHP>ack2.i2->AlcxeySotedovnikovIFound0EP:01007:^HMHHdi-[t^itiScanOptonsWStayontop»^22ᐭ¤¶Î(3)OllyDbg�ᐭNotepad.exeÌᙠ3DEḄᐭÛS%P“pushad”,�6~23ᡠD。 84��⌮ᔣᑖ᪆�ᵨᢈ�01013001*-.|.1.、.•■.%-%'>.'i'.-vS、,v>:'*f).^1^<、v、J*^^*v-_、A^、-v,l>>:v'^V..:''-‘、、*々‘M�______________________E^01013002.E803000000C%llNOTE?^.01013C0Am01013007E9dbE9Bmww01013006EBdbEB^#rt.;'__Ḅ%”,dJ0101300904db040101300A•�5Dpopebp.0101300B.45incebp0i0i30QC.55pushebpQ1013Q0D^^>££>«____>»^S^EMHHMMMMaMHnMOTMMHHMMIMMBMMMHMHMM»6^3ᯠKþᢥF8"ᓫkr�。J☢ ⌮ᔣᑖ᪆ÛÔṹ:01013001>60PUSHADÐᐭÑÒÓÔᙠÖ•×,ᢥ78ÙÅÚ01013002E8CALLNOTEPAD.0101300AᑮÖ×Ûܾ¿ᘤÝ,ᢥ?7ÙÁᐭ0101300A5DPOPEBPNOTEPAD.010130070101300B45INCEBP•0101300C55PUSHEBP0101300DC3RETNÞßᑮ0101300801013008/EB04JMPSHORTNOTEPAD.0101300EÊàᑮ0101300£0101300A|5DPOPEBP0101300BÍ45INCEBP0101300C|5SPUSHEBP0101300D|C3RETN0101300EE801000000CALLNOTEPAD.01013014ᢥF7ÙÁᐭ010130145DPOPEBP01013015BB:MOVEBX,-13---------------------ᶍ---------------'-.......................................-01013140.AEBEBJMPSHOTTNOTEPAD.0101312D--------ßÊ⌱â01013140^EBEBJMPSHORTNOTEPAD.0101312D010131428B06MOVEAX,DWORDPTRDS:[ESI]01013144EB00I:;JMPSHORTNOTEPAD.0101314601013146803E06CMPBYTEPTRDS:[ESI],601013149^75F3JNZ'SHdRTNOTEPAD.0101313E,«.*••,••v^4••<‘••,.,0101314B240CU…,,ANDAL,00101314DC1C018ROLEAX,18.••"'v%•••••.010131502BC3SUBEAX,EBX010131528906MOVDWORDPTRDS:[ESI],EAX0101315483C305ADDEBX,50101315783C604ADDESI,40101315A83E905SUBECX,5 S6k⌮ᔣ;Dᢈ�850101315D^EBCEJMPSHORTNOTEPAD.0101312D0101315F5BPOPEBX010131605EPOPESI01013160.5EPOPESI0101316159POPBCX-0101316258POPEAX01013163EB08JMPSHORTNOTEPAD.0101316Däᓃàᑮ0101316D0101316D8BC8MOVECX,EAX0101316F8B3EMOVEDI,DWORDPTRDS:[ESI]——$-----------------------------------------%010133A98985A8030000MOVDWORDPTRSS:[EBP+3A8],EAX010133AF61POPADæᜐF2〜F9010133B07508JNZSHORTNOTEPAD.010133BA010133BA689D730001PUSHNOTEPAD.0100739DNotepadOEP010133BFC3RETNçÈèéÞßᑮ0100739ÑÒ,»6-24ᡠÉ。rgFn^nTa61POPftD01O133B0V7508JHZSHORTN0TEPAD.816133BA010133B2^B801000008MOUEftX^01O133B7C2OCOORETN0C010133Bft6890730001PUSMNOTEPnD0100739D0101336FC3RETH»6^240100739D6A70PUSH700100739F6898180001PUSHNOTEPAD•01001898010073A4E8BF010000CALLNOTEPAD•01007568010Q73A933DBXOREBX,EBX010073AB53.*iPUSHEBX010073AC8B3DCC100001MOVEDI,DWORDPTRDS:kernel32.GetModuleHandleA010073B2FFD7CALLEDIᯠKᓫsDumpᢥῃ�×。ᡃñᵨPEiDmmÁ:(MicrosoftVisualC++7.0Method2)½V%ᑗÃï,�&25ᡠD。^、'"B100739D~6A70PUSH70^010O739K6898180001PUSHNOrEPAD.01OO1898810073fli|E8BF010000CALLH0lEPAD.0100/568O10073ft933DBXOREBN,EBXfl10«73ftH53PUSHEBX010tt^3HC8U3DCC1U0001MOUEDI,DUORDPIRDS:[10«10CUJkcrnel32.GetModulMMHHHiMMHHHHMHHHHHMBHHHl^HHaHiKn^idlLS^*lKUMH»6^5 86��⌮ᔣᑖ᪆�ᵨᢈ�6.6?ÜḄᔜÑÞÓ-+DEQὅDEôÛ、ø��Ḅ�Ḅ,òᑖÁ²3ÊÑ。(+´ñ,> ÁÿDE~ôÛÖV,3Ê DEQᐭ⊤ÏÖV3Ê��,�ᯠ3ÊḄ��¦]⌕%�Ð!1.⚜ᜓqrPUSHAD(᪘):Ô⊤DEḄᐭÛ²。POPAD(-᪘):Ô⊤DEḄ-Û²,ù?0811M0ß&。OEP:DEḄᐭÛ²,��3þ◚iÿ€«?(ᡈὅᵨÿᎷḄ(^?$(^?),>⌕ᑮDE^ÃḄ0£?,þ»ÍÛ|?Ü。2.ᓫkr�Ó?Ü(1)ᵨ01~058�ᐭDE,ᓫs“Wᑖ᪆Ôṹ!”(2)ᓫkᔣJr�ᢥF8",�ᔣJḄoÚ。�þUᔣYḄoÚWþᐸ�!(¶·?4")(3)⍗ᑮDEᔣYoḄ(ᒹ=�),ᡃñᙠJ%PÔṹᜐᢥ?4"(ᡈὅr"ᓫsÔṹ,⌱ÁÔ²ᯠK½Vᑮᡠ⌱)。(4)¤⁐ᩩ⊤DoÚ�,Wᵨᳮ§,Á⁐ᩩ⊤DoÚïp�!(5)ᡃñ7©�ᐭDE,ᙠᐭÛ▬âþᨵ%¿^ᓃḄb,ᡃñþᢥ?7"rÖL,¾᪵-+þ¦ᑮDEḄOEP。(6)ᡃñᙠr�DEḄ¦,7ᑮ8¿0®ᓃDEþ½VḄb,ᡃñþᙠ¾¿0^ᓃᜐᵨᔆ"rÖ�CALL。(7)ᡃñᙠr�DEḄ¦%ᨵ-ᜧḄoÚ(ᜧ�Ü),c,jmpXXXXXXᡈὅJEXXXX※※ᡈὅᨵRETNḄ%-+þ§ᑮDEḄOEP。ø:ᡃñᙠr�DEḄ¦ᨵ(¿ÓᔣJr�,þ»Íᙠ▬âᑮᨵ�ḄᜧoÚ,rs⌱Á“rM”=>,ᯠKᢥ?2"³ÕÔ²,ᢥ81^14^9Ùᔠ"½VÌᙠ“rM”ḄðÕ,sÑÔ²,�Zᢥ?8"ᓫkr�。%ª«J»ÍUVᑮ0£ᓹ!3.ESPᳮÓ?Üᓹᳮ?Ü:£5?ᙠ00ḄÖ×ᘤK,>⌕ᙠ=>V³J£5?Ḅ��Ô²,þ§%JᑮDEḄ0£?。(1)ᙠrM}6þᢥF8",�¦ᡃñ⌕øý÷�0DrYºḄÖ×ᘤKESPᨵᨵ*(5ᡂÁ⁐)。(¾> %ª«J,-~ᑗᙢUᡃñ⌱ÁḄ£5?@ ᐵ"PÇKḄS%¿£ᕂ?@。)(2)ᙠ=>nÛ³ÕÔ²:ddXXXXXXXX(ᢣᙠ�#ÔṹKḄ£8?ᙢᙬ,ᡈὅ hrXXXXXXXX),ᢥ©ö"。(3)DEKÔK⌱KKÔḄᙢᙬ,³Õ��>^0Ô²。(4)ᢥ?9"½VDE,]ZᩭᑮÿoÚᜐ,ᢥ?8",ᑮDEḄ0£ᓹ。 S6k⌮ᔣ*Dᢈ�874.ᑁ×+ê?ÜÓ(1)ᵨ0〇�ᐭDE。(2)⌱Á“⌱⚗”—“N⌱⚗”—“ï”=>,ò☢Ḅ£ᶍᐰn,⌱Y!ᢥCtrl+F2Ùᔠ"/t�DE。(3)ᢥAU+MÙᔠ",ᡭ}ᑁ×+ê,ᑮDEḄS%¿c^。ᢥÀ"³ÕÔ²,ᯠKᢥ51^4^9Ùᔠ"½VᑮÔ²,ZḼᢥÛ+0Ùᔠ",ᡭ}ᑁ×+ê,ᑮDEḄS%¿^-Y☢Ḅ.03Û£(�þ00401000ᜐ),ᢥ^"³ÕÔ²,ᯠKᢥ51^1+?9Ùᔠ"(ᡈὅ ᙠ磌Jᢥẖ"),]ZᑮDEḄ0£?。5.%kᑮ€^ᓹᵨOD�ᐭDEÇK,ᢥCtrl+FÙᔠ"Qᐭ、000(1”(>〉ᔠªᦪ,ᒹUPX,ASPACK),ᯠKᢥ?2²?9"½Vᑮ�ᜐ,ᯠKᢥ?8"ᓫkr�ᑮ€®?。6.ᨬK%ïÓ(1)ᵨ00�ᐭDEÇK,⌱Á“⌱⚗”%“N⌱⚗”%“ï”,ò☢Ḅ“V”ᐰnLᣵ,ᢥ011+?2Ùᔠ"/�DE。(2)—}6DEþ %¿oÚ,ᙠ¾ᢥ3´《+?9Ùᔠ",]ᑮDE½V,ÑäJ¡}6ᢥShift+F9Ùᔠ"ᑮDE½VḄᦪm。(3)ᢥCtrl+F2Ùᔠ"/�DE,ᢥShift+F9Ùᔠ"(¾ᢥḄᦪÁDE½VḄᦪm-l)。(4)ᙠ00ḄrJºᡃñÏ"ᨵ%¿“5£P.”,¾¦ᢥᓚ-⑷Ùᔠ",Qᐭ5£P.#Ḅᙢᙬ,ᢥ"³ÕÔ²,ᯠKᢥ5�V+?9Ùᔠ"ᩭᑮÔ²ᜐ。(5)LᣵÔ²,ᢥ?8"᠒᠒ᔣJ/,ᑮDEḄ0£?。7.�*r�Ó(1)✌ᐜN½VDE,r�ᑖ᪆%DE,ÏᨵᨵSEHᨩ1Ç�。(2)ᯠKᢥᜐ+1Ùᔠ"ᡭ}ᑁ×+ê,ᑮ“ᒹó^Í,imports,relocations”。ᑁ×+ê,⚗�30ᙢᙬ=00548000※ᜧ=00002000(8192.)Owner=check00400000[Ü-.aspackᒹó=5Í,imports,relocations=$01001002�=?ü6�-RWE(3)ÑäJᙢᙬÁ00548000※,ᙠ=>nÛQᐭ“tceip<0054B000”Kᢥ©ö",�¦ODWÃᙠr�。l:ᜧᙠ×ᵨ�îḄs,>⌕ᙠ⌕ᳮp⌕ᙠ᪵Ḅ�¾×ᵨ。 88��⌮ᔣᑖ᪆�ᵨᢈ�8.“SFX”k*<(1)³Õ00,£ᶍᡠᨵï,�þUï⌱⚗ᓱ☢�ᡭY,。(2)ᑗᣚᑮSFX⌱⚗ᓱ,⌱_“Q⁚�r��▭ᐭÛ(»¹ï᠒)”,~。(3)/�DE(7- ᔲ“Ôṹ?”⌱Á“ᔲ”,00]Zᑮ0£ᓹ)。6.7、☟ᑖ᪆*■:•'r�᪗DE:CrackMel.O.exe。ᵨ*ᐹ:PEiDv0.91,OllyDbg1.10,W32Dasm8.93。(1)✌ᐜᵨPEiDv0.91mm%JCrackMel.O.exe。ᵨPEiDv0.91mmCrackMel.0Ḅ°7Á:BorlandDelphi6.0%7.0,�k26ᡠD。rrrr:Frfe:C:PocumentsandSettjngs^yftffiV^ARCKME1.0.cxe'.•••ῃÔet;<Á“Delphi”,*ᨵ3,ᡠÍPEiDm011yFlowᵪ⊤ᵨᡭ ¡ᓹ⇧ῃ(ÔetmÃï。ᢇ¤l¥①(3)rsnQ,�6~28ᡠW。ë��QD.UKIC0DEQ°7 :®<»^^&Ò�ᨵ,��ëU)�6~29ÁnQ°7,0«^^^®<�ᨵëvwU。»^28Ûíîï S6⌮ᔣ*Dᢈ�8900USD6DSPUSHCARCKNE1.004SD70Ctaskbarcreated0O45D725MOUEAX,CARCKME1.0045C8A0________j ___________________•0045D744!PUSHEBPÍ(ðñᓄcpu⌱óô)0045D74AMOUEAXVCARCKME1.0045CDC4�6^29n°7(4)ᵨW32Dasm8.93☟ᑖ᪆。ᵨW32Dasm�ᐭCrackMe,ᯠK⌱Á“ὃ”Qὃ”(ᙠ☟ᑖ᪆��Ḅ¦-/⌕),�6~30ᡠD。URSoftV32DasmVer8.93ProgramDisasse*bler/Debu...f^jf5^jfX|Disassembl*r£rojectDebug^earch2otoEx*cit*T*xtFunctionsHexfiat%RefsHeljDisasseaiblyofFile:C:Docuxaen^sandSect3Lngaai5:XCXaCKMSiCadeOff*er=00Q00400,CodeSizc»OOOSCOOODac&Cff*et*OOOSCCOO,DacaSize-00001200NunberafCbjccta*»0009(dec)t^aag«bajia00400000hObj*c*tOl:.textRVA:00001000Offset;00000400Sizs;0005C000r:0bjccr02:.i%ex&RVA:0005D000Offaet>:000sc400Siz*:.00000800rOb3*ct;03:.daraHVA:0005S000Offs*t:OOOSCCOOSiz«:00001£00r:Cbjact04:.bssRVA:000€00000ff3«t:000SZA00Sizar00000000r.Line:9Pg1of4187Fite:CADocumentsandSetting5a^K'vCARCKME1.0.exe•,_':.:ᵞ*☟°᪆:。'-(5)ᙠQὃ☢ᡃñUᨵJḄ»ὃᑁ.,ᯠKᓫsᐸKḄQ,�6~31ᡠD,V32DassListofStringDataItemsToSearchDisassemblyfo(StringData,DoubleCtickonTextCancelSearch_U"123456789CABCDEFGHUKLMN0PQRSTUW*WZ"'2812-8183**'4=D"'8765^32VnOT...................■__■■■■..............AM/PM._"AMPM_."AMPM""Anunexpectedmemoryleakhas""AnimateWindow"__Aff^"•'B0SUnthemedDesiqnef'CopyAl{CopyViewj�6^1Qὃᑁ.•.(6)ᓫsᐸKḄQÇK”320êÀᩭᑮ¾,�^32ᡠD,3�Ï☢ᨵ®<ᡃñ◤⌕Ḅ。 90��⌮ᔣᑖ᪆�ᵨᢈ�0045CC*7330、nop004SCC74SSpush«bp004SCC7S8B£C»ovetp,*sp004SCC77€A00push00000000004SCC79€A00push00000000004SCC?B53pushebx004SCC7C8BD8stov«bx,««x.0046CC7B33C0xoreax,eax004SCC80S5pu9hftbp1045CC8163FECC4B00puah0045CCFE)04&664FF30pushdwordpzsfs:【《aac】0045CC89€48920movdwordpcrfa:【《axJ,e«p0045CC8C80S5FCl«ft^bc,dwordpcr[.bp-o4]0045CC8F8Ba36803000ft,^4aovefix,dworleStringDataRaf0045CC9DBM4CD4S00*ov«dx,004SCD140045CCA22fl957FFATrc«lI00404C3C004SCCA7?53Ajn«004SCC=I3004SCaL9dDSSF3lftaedx,dvrordptrCebp-03]004SCC&CdB83€CC30000asoveax,dwordptr[abx4-0000036C]004SCCB2Ze39CSfDFFcall004391F0004SCCB78B4SF8xeoveax,dwordptr[ebp-091«5«Oto'»6^2.'_:ᔣYᡃñᑮÜ✌0Q45CC73ᜐ,�ᜐᡃñᨚ¦QÁᝰᶧḄᙢÞ©ᑮOUyDbg³ÁÔ²。(7)½V0%068,ᢥ&^+0Ùᔠ"Qᐭ“0045CC73”Kᓫs“~”ᢥ,ᯠK«ᢥÀ²6",DEKÔ,�6^3ᡠD。0O45CC7390ooSsccTS]§[¨《�Ḅ⊤Z¥5SEBPO0^CC75j8BECEBP,ESP~300^5CC776fl000004SCCA7753AJHZSHORTCARCKME1.0045CCE3Q0USCCA98DS5F8EDX,DWOfU>PTRSS:[EBP-8]OOiiSCCAC8B836C03000(_____EAX.DWOROPTR0S:[EBX^36C]004SCCB2E839C5FDFF;《■CARCKME1.OQ4391F000^SCCB78B45F8EAX,DWOROPTRSS:{EBF-8)00U5CCBfiBA28CDU500EDX,CARCKHE1.O0^5CD28ASCII**8765-4321**00U5CCBfE8787FFAFFᐱᢓCARCKME1.00404C3Cnonsccc0FB608MOVZXECX,BYTEPTRDS:[EAX]0045CCC475lDJNZSHORTCARCKME1.0045CCE3,�ṹ┯���Á�Ä☢Ḅêë0045CCC6B201MOVDL,1。Ã1�〈ᑮEDXḄ8¾¿ᘤ��"�8�8111"。0045CCC88B8370030000MOVEAX,DWORDPTRDS:[EBX+370]0045CCCE8B08MOVECX,DWORDPTRDS:[EAX]0045CCD0FF5168CALLDWORDPTRDS:[ECX+68]0045CCD38B9370030000MOVEDX,DWORDPTRDS:[EBX+370]0045CCD9AlF84C4600MOVEAX,DWORDPTRDS:[464CF8]0045CCDEE8FD56FFFFCALLCARCKME1.004523E0ᵨᦪ0^^1^111.��ÑÒ��00045CCE333C0XOREAX,EAX0045CCE55APOPEDX0045CCE659POPECX0045CCE759POPECX0045CCE864:8910MOVDWORDPTRFS:[EAX],EDX0045CCEB6805CD4500PUSHCARCKME1.0045CD050045CCF08D45F8LEAEAX,DWORDPTRSS:[EBP-8]0045CCF3BA02000000MOVEDX,20045CCF8E83B7BFAFFCALLCARCKME1.004048380045CCFDC3RETN6.8°ᙠ⌮ᔣᑖ᪆·DK,ᡃñ�§LDEK©QᐭḄøṹ²Ã~ḄøṹßcBḄᙢÞ,ᯠK¶·DEḄr�、ᑖ᪆ᑮÃ~Ḅøṹ。 Ã~Ḅøṹ¶ïᙠDEKÍÑ×ᙠ:Ḅ²◚Ḅ,+×ᙠḄøṹ,ᡃñ»Í]ZᙠDEᡠᜐḄᑁ×KÏᑮ,+øṹ×ᙠḄ��ẚÉ9ᩭcB.᧕; ᨵ(��ḄDEKOW§]Z©ᡃñQᐭḄøṹ²Ã~ḄøṹÖVcB,cᨵ»¦©øṹᣚ£ᡂᦪᡈ ©øṹ×},ᯠK©_%ðøṹᑖ}ᙠW�ḄᙢÞ⌲%ÖVcB,ᡈὅ ©ᡃñQᐭḄøṹÖV8Ñ5ᣚ,ᵨ8¿ᱯGḄDEÖV�(Ï。BÇ,&ᵨDE§õsᔜÑW�Ḅᩖ½£Þᩭ©7]ZḄøṹcB,+¾�DE,ᡃñ¶ï⌕3�ᙢr�、ᑖ᪆_¿DE¥¦,ᑮ3Ê£Ó,ᯠK¨¦Ã~ᙢᑖ᪆,�ᯠ¾◤⌕ᡃñᨵ%Ḅ8086Ì��Dqr²-ᜧḄὊiùK]。ᙠ⌮ᔣ*D⚞ö,ᨬᨵGḄ9⚪Ç%。ᙠÉ9Ḅ·DK,⌮ᔣᑖ᪆ðᕒ§V�$Ðᐵ+Èv«、⌮ᔣᢈWÏÞ☢Ḅqr。1.aijÃ~ᙢ³ÕðÔ²+ᨵᦔḄᑖ᪆¹ï/⌕,Ã~ḄÔ²»Íᑮᐵ"ḄDEÜ,WÃ~ḄÔ²⌮ᔣᑖ᪆§⌼ᡂW�⌕ḄÑὑ,~«W¦� ᑮDEḄᐵ"。ᐹ~®<Ô² S6k⌮ᔣ*Dᢈ�93cBᔠ〉-bU,◤⌕ᡃñóp。2.� b᪾b᪾GnbpDiabgBox)²ÑÒ᪾(bpMessageBox(A))Ï。WX+®ᨵ¹ᡂ¾(ᦻ�ḄDE¨¦r�ᨵᐵḄᦪ�。ᡃñp,6ÿÇ᪵ᑭᵨ⌮ᔣ*Dᢈ�L�ᐭᑖ᪆%¿Ad5ᦻḄDEᡠᵨḄᦪ�,S,Ad5Ḅᦻ�Ḅᡈὅo���ᑖ᪆,Í&ᡃñ¦¢ᑏ-%¿¦j-ßᐵᦻ� 94��⌮ᔣᑖ᪆�ᵨᢈ�Ḅᦪ�ᡈὅ¦¶·?.ßᐵᦻ�Ḅᦻ�ḄDE。ᑖ᪆%¿ᦻ�Ḅùᡃñq⍝Ḅ%ÔṹÉḄ⌮ᔣ*Dᢈ�O¿[�,ÃᜧhᙠMkᡠÏᑮḄÔṹÉḄ⌮ᔣ*Dᢈ�,ᙠ-Ц»Ín¬ᐵ+%¿DEḄᦪ�Íξ(ᦪ� Ç᪵ÙË9ᩭḄ³ᫀ。ᙠ$Ð�▭⌮ᔣ*DK»¦ᵨÿÕc¾ᩖḄᦪ�°᪀。JMḄ´O? %᪵Ḅ,°ᔠÔṹÉḄ⌮ᔣ*Dᢈ�²WÔᦋᦪ�O÷�DE�ḄÆ&,ᡃñ»Íß�<£ᙢᑖ᪆-ᜧÐᦪᦻ�ḄÎᐸ�=ᨵᦪ�。 �7�ᢙ⌮ᔣÕᢈ'7.1⌮ᔣᑖ᪆*D⌮ᔣᑖ᪆*DḄðᕒ,�ᯠÖV⌮ᔣ*Dᑖ᪆,OW%�>Ù。¶·¦ᨵᦔᢙ⌮ᔣ*Dᢈ�ḄDE ¹ïᨵðᜐḄ。Mk¡ÃÆ¿º»——}U��ḄDEᕒ²N�?lᢙ⌮ᔣ*Dᢈ�r�DEḄ@sὅ,ùᜧhᐳ�¢Xᜧnᑖï"Ḅ²¹ïᨵᦔḄᢙ⌮ᔣ*DᢈW。ᡃñᐜ⌕V~%²:⌕ÓᐰADEḄ⌮ᔣᑖ᪆r�W»¦Ḅ,ᡃñ? »Í@sὅḄ�,CD⌮ᔣ*DḄÖD,�¿⌮ᔣ*D5�ìk,⁎,ᨬ�E@sὅV}F@s。Üᢙ⌮ᔣ*DᢈWᨬ�ᔲᨵᦔḄ�ÄK?ᒹ@sὅḄ¦]ÍÎ�ñÖV⌮ᔣ*DḄ¤,ᨬK¾(ᢙ⌮ᔣ*DᢈWḄᨵᦔឋ~«?ᒹ.GýÁ�S¾(ᢈWú]-ḄÔ。ju_%Ñᢙ⌮ᔣ*DᢈW�ùÇᨵᐵ,Áÿ�¾(ᢙ⌮ᔣ*DᢈW,ᨵ(¦.§Hᜫ0?ÛḄᵨᦔ᳛,ᨵ(¦»¦§�.ḄDEḄ?I5ᜧ,?ᨵ(¦,DEḄ»☠ឋ²þឋ§��úôᑮ12。7£ᶍᣵY☢ÖḄᵨᢙ⌮ᔣ*Dᢈ�ᡠ�ᩭḄ�Ḅb,½ᵨ¾(ᢈ�ᑣZ ᨵýñḄ。WX}U�ÑDE,>⌕ᨬ�ᵨᡝW }UJ±Ḅ%ᕒú*��îW}}ÛÔṹ,þ&�Ê^ὃ⇋%JW ⌕ᙠDEKæᐭ8Ñᢙ⌮ᔣ*DᢈW。�ᯠ�W_¿DE�@�⌮ᔣ*DðᕒL¦4LÆÌ�,c,ᨵ(DEḄÔṹöᓫ,/ᑏ%M¾(Ôṹ�cÖV⌮ᔣ*Dᑖ᪆⌕.᧕�Ð。7.2ᢙ⌮ᔣ*Dᢈ�ḄJM�ÞMᦻö⌕ᐵø+ᡠᵨḄÆ⌮ᔣᢈ�,�¦�â¢ÿN·/Ἥᵨ¾(��RSḄ*ᐹÎᢈ�。»¦ᨵ(¶·ᢕsÖDê(dmnp)¦¢U᧕Ë,¾¦ᜐᳮÆ⌮ᔣᢈ��uᨵ�⌕, ᨵ(ª«J3ÊḄÔṹ◤⌕3Ír�²ᑖ᪆。S,◤⌕N·nᑖ3ÊÔṹÍ&ᢕsÖDê、þQᐭ⊤/·*ᐹÃ~ᙢ*Q。�ᐭᑖ᪆3ÊÔṹÍ&ᙠ%¿ÆOPºÚKᔠÖῃ)ᢝ。�,�Æ⌮ᔣᑖ᪆ᢈ�%ÇូýDE]Z&ᵨ,Í■r�Oᑖ᪆ᐸូýVÁ¦,ᡃñ7៉Æ⌮ᔣᑖ᪆ᢈ��-ᨵ@Ḅ。J☢jÑJMḄᢙ⌮ᔣ*DÞÓ,ñᔜᨵᔜḄ�²²Q²。ᙠ�▭ᵨ¦Áÿ¦ᨵᦔᙢ]⌮ᔣᑖ᪆ðᕒḄ*ᐹ,ᡃñ¶ï»Í�¦�ᵨᐸKḄjÑÞÓ。1.Ñ◀Q�ÒS%¿�ᨬVḄ%ÑAD⌮ᔣ*DḄÞÓ, òDEKᡠᨵVḄQ�Ò�Lᣵ。+;(¹J+Q⁚ṹḄDEᩭU,⌕Zᑮ¾%²,>⌕¡DEḄ»Vᦻ�KL◀ᡠᨵ 96��⌮ᔣᑖ᪆�ᵨᢈ�T�Òþ»Íÿ; +;(J+Q⁚ṹḄDEᩭU,¾(DEḄ»Vᦻ�Kpïᒹóᨵᜧ��+,�ᡂᕒ+²ᐰâḄ�SḄ+QÏᑁnT�Ò。ᱯ� +73;<ᡈὅ .ᕖ¯@AḄDE,¾(�Ò+⌮ᔣ*DðᕒᩭUᱯ�Ḅᨵᵨ。ᡠÍ�ᡃñ⌕%¿DE¦pô⌮ᔣ*DḄὃ¦,�⌕©¾(�Ò¡DEKÌ◀ᣵ。ᡠÍ+ju_¿Q⁚ṹ3RᘤᩭU�ò¦Zᑮ¾%²�Z%¿JMḄ¥¦,¶ï¾¿3Rᘤ§òᡠᨵḄT�Ò/=+Á%¿~¿ýñḄQ。2.ᡭ«¾ᡠUḄ“ᡭ”ᢣ�DE¦Sᢙ☟ᑖ᪆(cM�K¢XḄ⌮ᔣ*DᢈW)Ḅ%ÈᑡᢈW。¾ÑÞÓ ¶·ᦋDEḄ�ᑜ、®¯、ᦪ�ÍÎÙËᩭ�Ḅ,¦ᙠ�ᢝDEÜᨵḄ¥¦W5ḄJẠYᨬᜧD»ᙢåDEḄ»jឋ,ᨵ-ÐÞÓ¦Zᑮ¾%²。3.¬ᐭèÔeúṹ$%Ñï"Ḅᢙ⌮ᔣ*DᢈWḄᱯ² :³¢ᵨ+ADDEḄᑖ᪆,ᙠᑖ᪆%¿DE¦◤⌕%k%kᙢr�DEḄVÍÿÉDEḄᑁn��⁚。�¾ÑÞḄJM´µ :þDEᦑýV%(¦¢ÓNᘤḄÃï½V,ᡈὅ¦¢þNᘤᜫᦔḄPQ(7¾¿DE ᙠNᘤKVḄb)。¾(ÆNÔṹ§mmᔲ▬3ᨵ%¿Nᘤ,7ᨵ,ᨵ(Ôṹ§©Nᘤ�ᣵ。ú$%(ᑣ-3ᔍU,§ÓNᘤḄ½V。ÆNḄÞÓᨵ-Ð, ᜧÐᦪḄÆNᢈW ùᱯḄ@A~« ùᱯḄNᘤᨵᐵḄ。$ᵨᩭV⌮ᔣᑖ᪆ðᕒḄ$%ÑÞÓþ3Æ�YQ-。Æ-Æ�Y¶·☟ᑖ᪆ᳮÉÖᑴÔṹḄ·DᜧᜧᩩᓄḄᨵᦔÞ。7°ᔠᚗXÔṹ²Ôṹ5%9ᵨ©§-ᐹᦔ7。Æ-Æ�Yᢈ�Ḅ%¿ᐹ~ḄSè{ᐭ%¿ᚗXQ⁚ᯠKÛ3%¿ᩩ�ᑖ)�VoÚᑮᚗXQ⁚(ᓽLᢣ>)。 ¾¿ᑖ)Ḅᩩ�ÕÁFALSE。¾᪵ᚗXÔṹ©ÕW§V, Æ�YæY§}6Æ�YᚗXQ⁚Ḅᙢᙬ,ᨬ�ÙdWÃ~ḄÆ�YQ-。J☢ %¿3ÿ%(Æ-Æ�YÔṹḄᓫPEB.BeingDebugged᪗ÑmnSè。ª£ḄV ö⌕ᢣ>,ᐸÍḄ Æ-Æ�YÔṹ。ᵨᑮÿᚗXQ⁚0ᶭOÛ3ÿᵨᩭZVÆ�YæYḄoᑮᚗXQ⁚ḄᎷḄᩩ�oÚ。;Anti-disassemblysequencepush•jmp_real_01stcretnjmp_fake_01:jmp_real_01:moveax,dword[fs:0x18];Anti-disassemblysequence#2push.jmp_real_02 S7kᢙ⌮ᔣ*Dᢈ�97clcjc•jmp_fake_02retnjmp_fake_02:db0xffjmp_real_02:moveax»dword[eax+0x30]movzxeax,byte[eax+0x02]testeax,eaxjnzdebugger_foundJ☢I10^^KḄÆÌ�Q-:0040194A6854194000PUSH0X4019540040194FF9STC004019507301JNBimage00400000+0xl953(00401953)00401952C3RET00401953FF64A118JMPDWORDPTR[ECX+0X18]004019570000ADD[EAX],AL00401959006864ADD[EAX+0X64],CH0040195C194000SBB[EAX],EAX0040195FF8CLC004019607201JBimage00400000+0xl963(00401963)00401962C3RET00401963FF8B40300FB6DECDWORDPTR[EBX+0XB60F3040]0040196940INCEAX0040196A0285C0750731ADDAL,[EBP+0X310775C0]OllyDbgKḄÆÌ�Q-:0040194A6854194000PUSH004019540040194FF9STC004019507301JNBSHORT0040195300401952C3RETN00401953FF64A118JMPDWORDPTRDS:[ECX+18]004019570000ADDBYTEPTRDS:[EAX],AL00401959006864ADDBYTEPTRDS:[EAX+0X64],0040195C194000SBBDWORDPTRDS:[EAX],EAX0040195FF8CLC004019607201JBSHORT00401963 98��⌮ᔣᑖ᪆�ᵨᢈ�00401962C3RETN00401963FF8B40300FB6DECDWORDPTRDS:[EBX+B60F3040]0040196940INCEAX0040196A0285C0750731ADDAL,BYTEPTRSS:[EBP+310775C0]ᨬÓIDAProâḄ�ý�0040194Apush(offsetloc_401953+l)0040194Fstc00401950jnbshortloc_40195300401952retn00401953;------------------------------0040195300401953loc-401953:;CODEXREF:sub_401946+A00401953;DATAXREF:sub_401946+400401953jmpdwordptr[ecx+18h]00401953sub401946endp004019530040195300401957db000401958db000401959db00040195Adb68h;h0040195Bddoffsetunk0040195Fdb0F8h;00401960db72h;r00401961db100401962db0C3h;+00401963dbOFFh•00401964unk_401964db8Bh;1;DATAXREF:text:0040195B00401965db40h;@00401966db30h;000401967dbOFh00401968db0B6h;|00401969db40h;@0040196Adb20040196Bdb85h;0040196CdbOCOb;+0040196Ddb75h;uøýᡠᨵ¾3¿Æ�YæY/Nᘤ�[ᐭÆ-Æ�Y◍▟Ḅ,ᑖ᪆¾᪵ḄÆÌ�Ô S7kᢙ⌮ᔣ*Dᢈ�99ṹ+⌮ᔣᑖ᪆ðᕒᩭU-W.᧕Ḅ。?ᨵᐸ�ḄjÑÓÆ�YæYḄÞÜ,¾ᡃñ>ì%¿Sè。$¾(Æ-Æ�YÔṹ»Í�ṹᡂ%¿,¾᪵Ì�ÛṹþÌᨎÐÿ。4.3ÊÔṹ3ÊDEḄÔṹ ■DE☟ᑖ᪆Ḅ%Ñï"ÞÓ。%»ᙠDE�YÓᡂKDEÖV3Ê,O*ᙠ»Vᦻ�K/ᐭ%Ü�ÉÊ¥¦ḄÔṹᩭÓᡂÔṹḄ3Ê*Q。WḄ ,¾ÑÞÓ+ᨵpḄ⌮ᔣᑖ᪆ðᕒᩭU«Ð�þ ᙠÖV⌮ᔣ*D¦ÐÛ3ÿ%(��ÿ。�Á>⌕»Vᦻ�KᒹóÿÉÊḄDE,;<þ%ᒹóÿÉÊḄ£Ó²ÉÊḄkey(¾ ᨬᐵ"Ḅ)。$,DEÔṹᙠ^ýVÇ#�⌕ÉÊ-ᩭ,¾�þUᙠDEḄ½V·DK�ÉÊḄDEḄᐰnᡈὅnᑖ% ¥ᶇᙠᑁ×KḄ(ᔲᑣDEþ�µ½V)。@A�,Ôṹ3Ê? %ѦCD☟ᑖ᪆ḄïᵨᢈW。�Á¦℉ᙢnªDEᑖ᪆Ḅᩖ»,ᨵ¦~«¦E⌮ᔣᑖ᪆ðᕒW�WDEÖVᑖ᪆(¾ᢣ□1^0^0^^8)。WḄ ,ᙠᜧÐᦪª«J3ÊKḄDE»¦ᱯḄ-^^DEÉÊ-ᩭ(ÀÇÁ“ῃ”)。¾(unpackDE7៉ᱯ3Ê£ÓḄ��⁚,O*¦ᑮkey©DEÉÊ-ᩭ。¾(0²3ᓄDE¶ï§¹ᡂ%¿ÉÊ-ᩭḄDEḄ»Vᦻ�。]¾Ñῃ(unpacker)DEḄ½%cÓ(�ᯠ¾Wᵨ%¿�éḄùDEᑖḄ�ᩭשÉÊᵨḄkeyᡈὅÓᾪ©ÉÊDE}ᙠ�K)þ µcÓᙠDEK◚ikey。%¿ᨵᦔḄcÓþ ᙠDE½V¦�¦ᙢòᓃ7¢£-ᩭ。¾ÑÞÓ³¢¹ï.᧕, ⌕ᑏ%¿ᨵ┐ឋḄῃ(unpacker)DE᎔⌕⚟#%(ᕜᢚ。c,ᡃñ»ÍᙠDEK³Õпᐰâ5,ᵨ¾(ᐰâ5WÔᙢ�²ᦋDEḄᔜ¿W�nᑖ,_�◤⌕ÉÊDEÔṹ¦,¾(5»ÍQÁ%¿ᩖḄᦪ,dḄ%nᑖᩭ�ᵨ。ᙠÖVᑖ᪆¦,⌮ᔣᑖ᪆ðᕒ»¦»Í-.᧕ᙢV�ÁÐḄkeyKḄý%¿,⚪ key»Íᨵ-п,⌕�ᑮᡠᨵḄkey¨¦©DEÓᙢÉÊ-ᩭ, ⌕êᑮᡠᨵḄᓃ7»¦þ⌕LY%ܦ4ÿ。>⌕“7Ḅ¹ᡂ£Ó¢ᩖ,⌮ᔣᑖ᪆ðᕒþju¿Ó�⌮ᔣᑖ᪆Ḅ。>ᨵᵨ%¿ï%cḄᐰâᦪ�Òᑖ᪆*ᐹ¨¦V׿Sᙢᑖ᪆-(¾Ñ3ÊÞJḄ)ᓃ^Ç᪵º¹ÍÎÇ᪵�ᵨḄ。5.ÆNᢈ�ᵫ+ᙠ⌮ᔣᑖ᪆*DK-ᜧ%nᑖ*Q ᙠNᘤKÓᡂḄ,ᡠÍᙠDEK3ᐭ»ÍAᡈὅCDN(ᓫkVDEᡈὅᙠDEKJÔ²)ḄÔṹþ-ᨵðᜐ。ú*�Á3ÊÔṹ§E⌮ᔣᑖ᪆ðᕒᙠNᘤKDEÖVᑖ᪆Í&þDEÉÊ�,ᡠÍ�ÆNᢈ�ùÔṹ.3Êᢈ�ὶᔠᵨḄ¦,ᦔ7þ¹ïV。Ã#☢ᡠ¢X·Ḅ;᪵,�ᯠᨵ¦ᵨWḼL½VDE,»ÍᵨÍ^^deDEDEÖVῃ, ,ᡃñ »Í⌮ᔣᑖ᪆ðᕒᑏW-ῃDEᩭḄ。⌕ᳮÉÆNḄᢈ�þ�ᐜᳮÉNᘤḄ*QÜᳮ。ᙠᡃñ�ᐭ¢Xᵨᡝ�ḄNᘤ²ᑁ᪶�ḄNᘤ�▬3ᑮñ⌕NḄDEYḄ�⁚Ç#,ᡃñᐜᩭ¢X%JNᘤÇ᪵ᨚ̲¤ᑴñḄNḄ。�ᵨᡝᙠ8ᩩᢣ>Y³Õÿ%¿Ô²Ḅ¦,Nᘤþ§ò¾ᩩᢣ>ᦋᡂ“int3”ᢣ>。“int3” %¿ᱯ�ḄÔ²KÔ,�Vᑮ¾ᩩᢣ>Ḅ¦,§¶qNᘤ:ᙠ⍗ᑮ%¿Ô²ÿ。�Nᘤᦈᑮ%¿“int3”Ḅ¶q¦,þ§ò“int3”ᢣ>ᦋ©ÜᩭḄᢣ>,ᯠKf°DE,Í&ᵨᡝ(ᱯ� ��}Uὅ)¦¢mnDE�#ḄÊ。 100��⌮ᔣᑖ᪆�ᵨᢈ�ᙠDEK³ÕÔ²Ḅ$%ÑcÓ ᵨ�Ô²。�Ô² %ÑᵫᜐᳮᘤAᳮḄÔ²,ᙠᵨ�Ô²Ḅ¦,W§ᦋDEḄ�Ôṹ——ᜐᳮᘤ>◤⌕ÑÂ>⌕8¿ᢣ>⌕�;¿ᢣḄᑁ×ᙢᙬ,þò�ᢣ>�ᡂ%¿Ô²þ»Íÿ。¾ᡠUḄᢣḄᑁ×ᙢᙬ»Í DE⌕�Ḅᦪ�Ḅᙢᙬ(»¦ 8¿5Ḅᙢᙬ),�»Í »Vᦻ�K8ᩩᢣ>Ḅᙢᙬ(¾¦%¿�Ô²þß�+%¿��Ô²)。�DE⍗ᑮ%¿Ô²K,%ᵨᡝZJᩭ�§Lᓫk(singk-step)VJ☢Ḅ¹ÓVDEÔṹÍ&Ö%kᑖ᪆DE。ᓫkVþU_ᩩᢣ>�§ᓫ¾V,ú*V_ᩩᢣ>ÇK,CPU¤ᑴᩗþî?¥Nᘤ。ᙠÊ-32ᜐᳮᘤKᓫkN ¶·“EFLAGS”Ö×ᘤKḄ“◍▟᪗Ñð”(trapflag)ᩭ�Ḅ:��᪗Ñðᡭ}¦,ᜐᳮᘤ§ᙠ_ᩩᢣ>VÇK�º¹%¿KÔTÁ1ḄKÔ,¾þᓫkKÔ。¾%² �3ÊÈKḄ/KÇ/,¾%²ᡃñᙠ#☢ïp��▊ÿ。ᙠ¾ᡃñᵨÿnᑖÔṹᩭ■r�:% ᵨU�3(KÔé3)ᩭÖᐭsÉ(^80)。ᵫ+801^£ᵨKÔé3,ᡠÍ»ÍÙd%(Bὁ᱐MḄSoftICEM¤ᡈ*,Íᑮ■SofflCE�¤Ḅ�Ḅ;�Ï8(^1^^Ḅ�ᙽ(\.SICE)ᔲᙠᑁ×K,7×ᙠᑣUVÈ ᵫ80ý0£æÙ²ü6ᓄḄ,*ᑁ×K¥ᶇÿ50V《:£Ḅ�ᙽ。7ÈKᨵ30V《^¥ᶇ,ᑣDE⌨-,�KZDEḄV!¾(RS>¦9ᑮ■ᜧnᑖḄQᵨ。;(8(^«:£²⌮ᔣᑖ᪆ªÞᩭU, -.᧕Ḅ,Óᐰ»Íᵨ80ý0£UVi·!ᡃñḄÆr�DE?�¿▲ᑴᙢ3%,>ᨵÆr��]3%,¨¦�(ᡃñKZḄDEḄTᐰ²�(ḄᑨÔdÃ。>ᨵÆr��]3%¨¦�(ᡃñ3ÊÈ´O²ÉÊ£ÓḄ�Ê。ᡠÍ,Ær�¨ᨬᨬ◤⌕ᡃñj]ḄÞ☢!J☢ḄSèDÿ�ᵨCheckRemoteDebuggerPresent()²NtQueryMbrmationProcess()ᩭmm�#ÖD ᔲN。;usingKernel32!CheckRemoteDebuggerPresent()leaeax,[.bDebuggerPresent]pusheax;pbDebuggerPresentpush0xffffffffjhProcesscall[CheckRemoteDebuggerPresent]dword[.bDebuggerPresent],0jne.debugger_found:usingntdllINtQueryInformationProcess(ProcessDebugPort)leaeaxt[.dwReturnLen]pusheax;ReturnLengthpush4;ProcessInformationLengthleaeax,[.dwDebugPort]pusheax;ProcessInformationpushProcessDebugPort;ProcessInformationClass(7)push0xffffffff;ProcessHandlecall[NtQueryInformationProcess]dword[.dwDebugPort],0 S7kᢙ⌮ᔣ*Dᢈ�101jnedebugger_found•DebuggerbiterruptsᙠNᘤKk·s¯3²ᑩ¯1ᢣ>Ḅ¦,ᵫ+Nᘤ¶ï§ᜐᳮ¾(NKÔ,ᡠÍïᜐᳮSDʪ«J©W§ᵨ,£^6%§·^^0^>18þᑭᵨÿ¾¿��。¾᪵»ÍᙠïᜐᳮSDK³Õ᪗Ñ,¶·DTTᢣ>K7¾(᪗Ñᨵ³ÕᑣýᕡḼÖDÃᙠN。$,Kemel32!DebugBreak()ᑁn ᵨÿmT3ᩭ�Ḅ,ᨵ(�§�ᵨ¾¿APL¾¿SèᙠïᜐᳮSDK³ÕEAXḄ@Á0xFFFFFFFF(¶·CONTEXT6Ñä)Í�ᩭᑨÔïᜐᳮSD ᔲᵨ。;setexceptionhandlerpush.exeception_handlerpushdword[fs:0]mov[fs:0],esp;resetflag(EAX)invokeint3xoreax,eaxint3:restoreexceptionhandlerpopdword[fs:0]addesp,4;checkiftheflaghadbeensettesteax,eaxje.debugger_found:::.exeception_handler:;EAX=ContextRecordmoveax,[esp+0xc];setflag(ContextRecord.EAX)movdword[eax+0xb0],0xffffffff;setContextRecord.EIPincdword[eax+0xb8]xoreax»eaxretnᑖ᪆:ᵫ+NKÔúÙdV̦,ᙠ01~06§Kr�-ïᜐᳮSD(¶·��->5£11x)O³ÕÔ²,ᯠKᢥ81^^oÙᔠ"©NKÔ/ï⌴¥ïᜐᳮSD,ᨬ�ïᜐᳮSDKḄÔ²§ÔJᩭ,¾¦þ»Ír�ÿ。$%¿ÞÓ ᐕ$NKÔᙢ⌴¥ïᜐᳮSD。ᙠ01ᓃ068K»Í¶·“⌱⚗” 102��⌮ᔣᑖ᪆�ᵨᢈ�—“N⌱⚗”—“ï”%“£ᶍJᑡï”⌱⚗ᓱK,⌱“mT3KÔ”²“ᓫkKÔ⌱᪾ᩭÓᡂ³Õ,�7-1ᡠD。|Disasm|CPU|Registers|Stack;Analysis1jAna^sis2IAna^is3,SecurityjDebugjEventsExceptionsjTrace|SFX|StringsIAddresses)^lgnocememofyaccessviolationsinKERNEL32lgnae(passtopfogram)fotowingexceptions:^INT3bceaks^••—••^^•—••••Single-stepbreak]■•*•&—•——•__""_1Memoryaccessviolationᔆlrtegerdivisionby0「lnvMidorprivibgedinstructionᔆAflFPUexccp(ionsᔆIgnoreakofoBowingcustomexceptionsorranges:?.?'f!,^^.^iAddrangeDeleteseiec4ion0KUndom»7-1��⌱⚗6.IsDebuggerPresentIsDebuggerPresent %¿WindowsḄAPIᦪ。¶ïᵨZ%¿%Ḅ*ᐹᩭmmOllyDbg,WinDbgÇ�Ḅᵨᡝ�Nᘤᔲ×ᙠ。¾¿ᦪ¶·mnᜐᳮᘤ�#ḄPEB(ProcessEnvironmentBlock)ᩭ~ ᔲDE▬3ÿ%¿ᵨᡝNᘤ。DE»Íᵨ¾¿ᦪᩭmnNᘤᔲ×ᙠ。 ¾ÑÆNᘤᢈW+⌮ᔣᑖ᪆ðᕒᩭUOWᱯ�ᨵᦔ,�Á¾Ñkl-.᧕mn-ᩭO*i·。¾¿MmḄ+Q�ᙠ öVᙢòḄᵨ⌶n☄ÿ,�DEᵨ¾¿ᦪḄ¦,⌮ᔣᑖ᪆ðᕒ-+þ¦U,ᯠK>Ùþ»Íò¾¿ᵨLᣵᡈὅi·。ᡃñ»ÍᵨJ☢¾4ᩩᢣ>ᩭÔIsDebuggerPresentᦪ:moveax,fst[00000018]moveax,[eax+0x30]cmpbyteptr[eax+0x2],0jeRunProgram;¾¦DEោោᙢ�ÿ,¾᪵þ¦Í%ÑW;ḄQᵨ? ᨵ%b»Ḅ,ᡠ;ÑcÓ?£ %ÑᵨᡝḄNᘤcBᨵᦔḄÆNÞÓ。J☢ ᵨIsDebuggerPresent()API²ᵨPEB.BeingDebugged᪗Ñ~Nᘤᔲ×ᙠḄDSÔṹ。;callkemel321IsDebugc(erPresent'()call[IsDebuggerPresent】 S7kᢙ⌮ᔣ*Dᢈ�103testeax*eaxjnz.debugger_foundcheckPEB.BeingDebuggeddirectlyMoveax,dword[fs:0x30];EAX=TEB.ProcessEnvironmentBlock.movzxeax,byte[eax+0x02];AL=PEB.BeingDebuggedtesteax,eaxjnz.debugger_found7.DebuggerWindowNᘤnÛḄ×ᙠ,᪗ÑḼᨵNᘤÃᙠÈᑁ½V。ᵫ+Nᘤ¶·ḄnÛ`ᨵᱯ�+(OllyDbgḄ OLLYDBG,WinDbgḄ WinDbgFrameClass),ᵨuser32!FindWindow()ᡈὅ�6[32r³”^^(^^^()¦-.᧕ᙢr�¾(NᘤnÛ。J☢ḄDSÔṹᵨFindWindow()nOllyDbgᡈWinDbg¶·ḄnÛᩭr��ñ ᔲÃᙠÈK½V。pushNULLpushszWindowClassOllyDbgcall[FindWindowA]testeax,eaxjnzdebugger_foundpushNULLpushszWindowClassWinDbgcall[FindWindowA]testeax,eaxjnzdebugger_foundszWindowClassOllyDbgdbwOLLYDBG%0szWindowClassWinDbgdbwWinDbgFrameClass",08.◍▟᪗Ѿ¿cÓùY%¿ᨵ(ß�, ᙠᡃñ⌕ᦑýᙠ�#ÖDK³Õ%¿◍▟᪗Ñ,ᯠKmnᔲ-ÿ%¿ï,7ᨵï-Ḅb,ᡃñᜧdþ¦~ᨵ8¿Nᘤ“sJ”ÿ¾¿&�-Ḅï——�þU,.ḄDEÃᙠNᘤKN。¾ÑÞÓḄ%¿℉Ḅ�²ᙠ+:¦Uᡠᨵ��ḄNᘤ,WA ᵨᡝḄ?ᑁ᪶Ḅ,�ÁᡠᨵḄNᘤ�⌕ᵨ◍▟᪗Ñᩭr�DE。9.Ôṹ᪥ᡃñÇ#pU·ᵨᡝᙠ¶·Nᘤ³ÕÔ²¦,Nᘤ◤⌕©NDEKßᐵḄᢣ 104��⌮ᔣᑖ᪆�ᵨᢈ�>ᣚᡂU⛭3ᢣ>ᩭ�Ô²,ᡠÍᡃñ»Í¶·ᙠDE½V¦,�¦ᙢ᪥DEḄ%nᑖḄᡈὅ¿DEḄm,mnDE ᔲÃᙠ%¿NᘤN。ᡃñ»Í⚜ᐜ¢£-DEK8(�ᦪḄm²(ᱯ� DEK-gh,-ᐵ"Ḅᦪ),ᯠKM¤ᙢm¾(�ᦪ ᔲᦋ5ÿ。ᵨ¾ÑÞÓW> ¦.ḄDEᐹᨵᢙN¦],?¦.ḄDEᐹᨵᢙÔṹ⊡¥¦)。W·ᡃñ&�Ïᑮpïᙢ/t¢£ÔṹḄ᪥²,¾%}├?-ᜧḄ。W·¶·Ki³¢Ḅ£Ó,ᡃñ »ÍÉܾ¿}├öᜧḄ⚪Ḅ。c,8¿DEᨵ10¿ᦪ◤⌕��(¾ ᙠÔṹ��*DK-ï"Ḅ%Ѫ«),»Íþ¾10¿ᦪᙠ¨©Ç#¢£%JḄm²,7mᨵ¶·,DEþោោᙢ(W⌕æ9⌮ᔣᑖ᪆ðᕒḄøý)�ᣵᡈὅþDE-8ÑWï"ḄVÁᩭZV⌮ᔣᑖ᪆ðᕒ。¾%ÉÜÞᫀḄ�²ᙠ+¾᪵ZW§VᙢÛ3DE½V¦Ḅ}├,�Áᙠ>ᨵᙠᵨᦪḄ¦¨◤⌕¢£ᦪḄ᪥²。øý¾%ᢈW+�Ô²¿ᦔḄ,�ÁNᘤᙠ³Õ�Ô²¦W◤⌕ᦋDEÜᩭḄÔṹḄ。10.DEKᦪÉḄ3Ê��Y¾(ᢈ�ḄQᵨ�� ᨵ▲Ḅ,~�¾(ᢈWOW¦ÓᐰA%¿ᢈuªO*ᐹὊiḄ⌮ᔣᑖ᪆ðᕒDEÖV⌮ᔣ*D,ᡃñ~�¦⌮ᔣᑖ᪆DEḄ¾%·D5�-3ᩖ。Þ*]¾(klḄcÓ V~ᙢz´ÆÌ�ᘤ@¨^ÃḄÔṹḄ96ðÕ。�10M0^ᡈὅ 0^7068ᑁÕḄÆÌ��ᐕ$ᵨᡝVX3ÆÌ�ᢣD,¾᪵þ¦þÆÌ�ᘤÃ~ᙢÆÌ�Ôṹÿ。ᙠ_¿3ÊḄᦪ¨©Ç#,òñ/t3Ê©L。¾᪵§¥⌮ᔣᑖ᪆ðᕒ⌼ᡂ%¿WᜧWḄ�,�Á¾᪵DEᙠV·DKþW§ᨵ8¿¦| ÍVᦻ×ᦑᙠᑁ×KḄ,ᡠÍ⌮ᔣᑖ᪆ðᕒþWᑮ¶·ᑁ×0_ᩭῃḄ²ÿ(ᨵ( ò��ḄDE¿3Ê9ᩭ,ᯠKᙠ½V¦,ᐜò¿DEÉÊᑮᑁ×K,ᯠKLV��ḄDE,¾¦⌮ᔣᑖ᪆ðᕒþ»Íᙠò��DEÉÊᑮᑁ×KÇK,ò��ḄDE¡ᑁ×K0-ᩭ,ᑮῃḄ�Ḅ)。11.ᜐᳮᘤ¦4ᡙ᪥D%¿ß�ᨵᦔᙢA��Ḅ&ᵨDEᐭNᘤḄᢈ� :MACPU¦4ᡙ᪥D,¾@sὅ-bᙠNᘤDEÖVᑖ᪆。7ᡃñ3ᐭÿ%¿�éḄD,¾¿D§⚣ymn0?ÛKḄ¦4¢ᦪᘤ,7öDḄV¦4·<(ᓽDEᨚÌ·,»¦þ ᨵ%¿Nᘤᙠᑖ᪆),¾¿Dþ§ò¿DEḄÖD�ᣵ。ᙠ¾%ᢈ�K,-/⌕Ḅ%²þ]Zᵨv«ḄRDTSCᢣ>,úW@¿ÈAPIᩭ�CPU¦4¢ᦪᘤḄ�,¾᪵þ»Í■@sὅᢞwᡈὅᣚᨵᐵḄᦪ。�ÖDN¦,Nᘤ��ᜐᳮÔṹ、k·ᢣ>Ï©ᓰᵨ0?。=�。7ßxᢣ>Ç4ᡠL#Ḅ¦4ᜧᜧ-ï�,þýᕡḼÖD-»¦ ᙠN,úÃðᑭᵨÿ¾%²。J☢ %¿ᓫḄ¦4mnḄSè。ᙠ8%Üᢣ>Ḅ#KᵨRDTSCᢣ>(ReadTime^StampCounter)O¢£ß&ḄÛ。Û@0^00sÜ+¿ᔯ78€:ᢣ>Ç4ḄÔṹV。rdtscmovecx,eaxmovebx,edx S7kᢙ⌮ᔣ*Dᢈ�105;.•.moreinstructionsnoppusheaxpopeaxnop;...moreinstructions;computedeltabetweenRDTSCinstructionsrdtsc;Checkhighorderbitscmpedx,ebxjadebugger_found;Checkloworderbitssubeax»ecxcmpeaxt0x200jadebugger—foundᐸ�Ḅ¦4mnÞÜᒹ�ᵨkemel32!GetTickCount()API,ᡈὅÞ*mnð+0x7FFE0000ᙢᙬḄSharedUserDataᦪ�°᪀Ḅ"HckCountLowÎTRckCountMultiplierᡂᕒ。ᵨᚗXÔṹᡈὅᐸ�3Rᢈ�ÖV◚iÍK,¾(¦4mnÞÜ·ᐸᵨRDTSC©§5�bÍr�。ᑖ᪆:%ÑÞÓþ-¦4mnÔṹḄ~ᑗðÕ,7ck·¾(Ôṹ。⌮ᔣᑖ᪆ðᕒ»ÍᙠÛcBÔṹÇ#³ÕÔ²,ᯠKᵨ½VÔk·]ᑮÔ²ÔJᩭ。$�»Í³ÕGetTickCount()Ô²Í~¾¿M?1ᙠ®<ᙢÞᵨᡈὅᵨᩭᦋᐸ¨©@。€«^Mc0«0^õᵨ$%ÑÞÓ%Tÿ%¿ᑁ᪶��DEZÍJ*Q:(1)³Õ¤ᑴÖ×ᘤ0>48KḄ¦4ᡙἭð(TSD),�¾¿ð³ÕK7RDTSCᢣ>ᙠ¹iḄJV©§°U%¿¶ᵨ��ï(GP)。(2)KÔÄ⊤(roT)³ÕÍᢞw0?ï,O*?^«<:ḄV·õ。7ᵫ+ᔯ15(:ᢣ>æUḄ0?,;<±©#ᵨ¨©Ḅ¦4ᡙ31。@�øýḄ Y☢¢XḄ�»¦§ÙdÈWþ,&�6�ᙠ¹¹º¤ᘤᡈ)*¤KÖVN。12.èᑖ᪆ᢈ'Æ⌮ᔣᑖ᪆ᢈ�Ḅ�᪗⌮ᔣᑖ᪆ðᕒô��Ôṹ²(ᡈ)3KḄDEᑖ᪆²ᳮÉḄ»。ᡃñ©¢X�3Ê/、ᚗXÔṹ、Ôṹ5²Æ-Æ�YÏᢈ�,¾(ᢈ�Ḅ�Ḅ Áÿ3RÔṹ、ὃὊi、}#⌮ᔣᑖ᪆ðᕒḄ¦4,Éܾ(⚪◤⌕⌮ᔣᑖ᪆ðᕒ`ᨵὊi、y᠗ÏÚ。3ʲᨬJMḄÆᑖ᪆。ñük³■,■⌮ᔣᑖ᪆ðᕒ]ZᙠÆ�Yᘤᑁ3�ô��ḄDEᯠKᨵ�bᙢ}6ᑖ᪆。3ʶï�Ý3ÊM�Ôṹ�3Êô��ḄDE。W�ḄᡠõᵨḄ3Ê£ÓᜧWß�,ᨵ¹ïᓫḄXOR=�,�ᨵVᦪ 106��⌮ᔣᑖ᪆�ᵨᢈ���®Ḅ¯°ᩖḄ²³。¡¢´µ}�¶(,.■¸¹(Õᐹºᙢ�»(,p�$(ᡠ¼ᵨḄ$%®½§,⌮ᔣᑖ᪆úṹ¦�¶¾¿À§᪵。⌮ᔣᑖ᪆Áþᦪ、®、çÃýþḄ²³ÀÄ᧕ÆÇ。�☢È¡$%ḄDWORDÉ�ᦪ�XORýþḄäᓫḄ⌮ᔣᑖ᪆Á。0040A07CLODSDWORDPTRDS:[ESI]0040A07DXOREAX,EBX0040A07FSUBEAX,12338CC30040A084ROLEAX,100040A087XOREAX,799F82D00040A08CSTOSDWORDPTRES:[EDI]0040A08DINCEBX0040A08ELOOPDSHORT0040A07C;decryption�☢ÈÊ}�¶(Ḅ⌮ᔣᑖ᪆Á:00476056MOVBH,BYTEPTRDS:[EAX]00476058INCESI00476059ADDBH,OBD0047605CXORBH,CL0047605EINCESI0047605FDECEDX00476060MOVBYTEPTRDS:[EAX],BH00476062CLC00476063SHLEDI,CL:::Moregarbagecode00476079INCEDX0047607ADECEDX0047607BDECEAX0047607CJMPSHORT0047607E0047607EDECECX0047607FJNZ00476056;decryptionloop�☢Èᵫ}(ËᡂḄÊÌ⌮ᔣᑖ᪆Á:0040C045MOVCH,BYTEPTRDS:[EDI]0040C047ADDEDX,EBX0040C049XORCH,AL0040C04BXORCH,0D90040C04ECLC0040C04FMOVBYTEPTRDS:[EDI],CH0040C051XCHGAH,AH0040C053BTREDX,EDX0040C056MOVSXEBX,CL••••:Moregarbage0040C067SAREDX,CL S7kᢙ⌮ᔣ*Dᢈ�1070040C06CNOP0040C06DDECEDI0040C06EDECEAX0040C06FJMPSHORT0040C0710040C071JNZ0040C045;decryptionloopY☢¿DSK¢£ḄV ö⌕Ḅ⌮ᔣᑖ᪆ᢣ>,ᐸÍḄᢣ>� ᵨᩭZV⌮ᔣᑖ᪆ðᕒḄᚗXÔṹ。øýÖ×ᘤ�îᣚḄ,?ᨵ¿DSÇ4⌮ᔣᑖ᪆ÞÓ �ᦋ5Ḅ。Ḅö⌕�Ḅ Áÿ»Vᦻ�Ôṹ²ᦪ�Ḅᜧ,ᵫ+Ü6Ḅᒹó»jQḄ»Vᦻ�5ᡂÿᦪ�,���ᨵ;<%(3RḄQᵨ。ÏÏjóᡠᵨḄæy:UPXᵨNRV(NotReaUy▽8^1^)²LZMA(Lempel-Ziv-MarkovchahwUgorithm),?80ᵨ⌮1ᓄ,UpackᵨLZMA,70^3Ê�ᵨᓃü。¾ᐸKᨵ(æY»Íᵫᙢᵨ+¹ᖪá&ᵨ,ᖪá&ᵨ◤⌕$»/ø。7.3ᑖ᪆DEḄá²ᙠ,ᡃñ}6ᑖ᪆<^&0^61.0.§6DE。S%¿Sè-.᧕ᑖ᪆。DE⌕¨Qᐭ¿@,ᡃñᐜM&Qᐭ¿ᦪ,ᯠKᓫs0|ᢥOᨵ ,J☢ᡃñᑖ᪆%JÜÔṹ:unitUnitl;interfaceusesWindows,Messages,SysUtils,Variants,Classes,Graphics,Controls,Forms,Dialogs,StdCtrls,Buttons;typeTForml=class(TForm)Labell:TLabel;Label2:TLabel:Editl:TEdit;Edit2:TEdit;BitBtnl:TBitBtn;BitBtn2:TBitBtn;procedureEdit2Change(Sender:TObject);procedureEditlChange(Sender:TObject);procedureFormCreate(Sender:TObject);procedureBitBtn2Click(Sender:TObject);procedureBitBtnlClick(Sender:TObject);private{Privatedeclarations}public 108��⌮ᔣᑖ᪆�ᵨᢈ�{Publicdeclarations}end;varForml:TForml:implementation{$R*.dfm}procedureTForml.BitBtnlClick(Sender:TObject);begin//BitBtnlᡂ¥ ÇK7ᓫsþ§oᑮ¾½VEditl.Color:=clRed;editl.Text:=,����ᡂª�,》edit2.Text:='-------------------2008.3.12';end:procedureTForml.BitBtn2ciick(Sender:TObject)?begin//ᓫ⌨�close;end;procedureTForml.EditlChange(Sender:TObject);beginiflength(editl.text)=9then//EditlᑁýᐭḄîᦪê#forml.focuscontrol(edit2)end;procedureTForml.Edit2Change(Sender:TObject);beginif(editl.text='2812-8183')and(edit2.Text='8765-4321•)then"$%Ḅif^¯&'(ᐳ*+¯ᨬ,ᓻ◅Ḅᙢ/beginbitbtnl.enabled:=true?//forml.focuscontrol(bitbtnl);//7¿�¯᪾KḄQᐭ Ã~Ḅ,Okᢥ OV0ýᐭᯖ¤。end;end;procedureTForml.FormCreate(Sender:TObject);begineditl.Text:*•2,�341; S7kᢙ⌮ᔣ*Dᢈ�109edit2.Text:='56789:Ḅ;<、bitbtnl.Enabled:=false;end;end7.4anti-debuggersᢈ�â¢"anti-debuggersᢈ�,(+´ñþ■、■¾�*ᐹ9QᵨḄᢈ�,þ ÆN、Ær�Ḅᢈ�。Á®<§ᨵ00^3�ᔴ8�8ᢈ�Ḅ×ᙠ?Áÿ■Apᣴᩗ�ᵨ,ᡠÍᙠDEKᵨÿ3Êᢈ�。01^-0^1^^6^ᢈ�Ḅ�Ḅö⌕ ■debuggerḄr�、ᑖ᪆ÎN,ᡠÍ✌ᐜ ⌕µcÓUÈK×ᙠḄ€^1^^§6^,ᯠKtsVA€^6%86『59Qᵨ,ᐸ⊤þ -ïM¤、Èï/�、ï┯S、┯Soz、��,-/Ḅ?§ẚᦻ�~«ᜧᾖẚÈÏ。�ᯠ,WU� ⌮ᔣᑖ᪆·DK⍗ᑮ¾(ª«þ%UVDEᵨÿ^(1§05ᢈ�,✌ᐜ⌕◀ïḄª«ᔲᵫÈWþᡈr�ḄDE“Ãï”-Ḅ,7NᘤM�WþúÙdÈï,;þcÓÿ。úᙠḄ01^4U¬86^ᢈ�ö⌕ Ḽ5(^10£ᩭḄ。ᙠ◀“Ãï”Ḅ┯SÇK,?»Í¶·ᦋ5r�È、�΢£¤ḄÞÓᩭ/┯S��,7⚪«0,&�»Í SoftICEKÿanti-debuggersᢈ�Ḅ◍Ö。Anti-DebugÜᳮᐸ�-ᓫ,ᑭᵨWinDowsḄAPIᦪCreateFileAᩭN�ᡭ}NᘤḄ�DEP.,¾þ ℉+Ḅ^1【《^ÞÓ,ᑴQ-SoftlCE²Sma^tCheckḄNuMegadñḄDEᕒþᑭᵨ¾¿ÞÓᩭ�SymbolLoadermnSofdCEᔲïp (¾ÜÔṹð+1^110^.-1K),�ᯠ¾¿ÞÓᨬüᩭÛ+501〇£,ᐸ���Ḅ066%@6[mm«ᯠᨵᦔ,ú*�ÞÓᓫ᧕V,Í«�#ÆᩭÆÐḄ��� ᵨ¾ÑÞÓmm0ᓄ%8ÁḄ×ᙠ。ÍJ %(NᘤḄ�DEP.:SICE,SIWVID^SSoftICEWin9xfig)NTICE(^J^jSSoftICEWinNTfi6)TRW>TRW2000、TRDEBUG(^JE2TRWIN)REGVXD(¾^RegistryMonitor)BW2K(DBoyḄ=>2000)FILEVXD(?FileMonitor)ÿ¾<ÐḄanti-debuggersᢈ�,ᡃµÍKᑮ¾᪵Ḅª«þW§;<ᜮ᧿ÿᔳ!W·.§Ýᯠᨵ�ÐḄanti-debuggersᢈ�,;<ᡃñ�L■ñᕖ?ᨵ3ÑÞÓ»ÍN%J:(1)õᵨ�éḄ■01^6ᕖ§6^ᢈ�Ḅ*ᐹ,cBᨵ+Ḅþ?《^Ú£,ᵨ]ᜧnᑖóᨵanti-debuggersᢈ�Ḅ&ᵨDE ᨵ®<⚪Ḅ。(2)¶·DEḄ☟ᑖ᪆(ᵨÆ�Y*ᐹW32Dasmᑖ᪆DEÔṹ),ᑮᐸK0^^1%86WÔṹnᑖ,ᯠKᵨ�¯*ᐹ(>U6¥)ᦋDE,�ᐸ0^-(^86『8Ôṹᜫ ilO��⌮ᔣᑖ᪆�ᵨᢈ�ᦔ;§�Îî¡¢$(ḄᩭÏᨵᵨᜐ,Ð$(Ḅȧwt�☟ᑖ᪆Ḅ,ᡃÓ¾ᐜῃ(,ᯠÖ×ᵨèêØÕᐹt�ᑖ᪆。(3)ᙠ¡ḄºUVÙoᧅ,ºÛ0、Üᑮ0^-(^Ý€ÞúṹḄ�,ᯠÖ�ᐸàá,¡¢ijḄa,§Ḅanti-debuggersijḄaȧḄ。�ÎîâXÀᜧ,ᨵµsᓾÈäḄå,◤⌕ᨵÀᜧḄὊÂ。 m^cAᦪåæAbs(number)s�ᦪ@ḄZ@。Asc(String)s�Q⊤ḄS%¿QM801ṹ。Atn(number)s�%¿º»ḄÆÃᑗ@。CaUByName(object,procname,usecaUtype,[args()])V%¿ḄÞÓ、³ᡈ©Ḅbឋ。CBool(expression)Úᣚ⊤Á30016^。CByte(expression)Úᣚ⊤Á3>^。CChar(expression)Úᣚ⊤ÁQ。•CDate(expression)Úᣚ⊤Á0&1©。CDbl(expression)Úᣚ⊤Á00�16。CDec(expression)Úᣚ⊤ÁDecimal。CLit(expression)Úᣚ⊤Á^^8�。CLng(expression)Úᣚ⊤Áᓃ0%。CObj(expression)Úᣚ⊤Á0P6^。CShort(expression)Úᣚ⊤Á81^11。CSng(expression)àᣚ⊤BC,ᕂ^^ᓃE。CStr(expression)Úᣚ⊤Áᕂ-²。Choose(index,choice-l[,choice-2,...[,choice-n]])Íåæ@ᩭ⌱ÁO©ᡠ³Ḅᦪ。Chr(charcode)ͳ501ṹᩭs�Qᑁ.。Close(filenumberlist)°ᵨ05^1}�Ḅᫀ。Cos(number)s�%¿º»ḄÍ@。Ctype(expression,typename)Úᣚ⊤Ḅ。DateAdd(dateinterval,number,datetime)z9ᡈ¦4Q3。DateDiff(dateinterval,datel,date2)¢£¿z9ᡈ¦4Ḅ@。DatePart(dateinterval,date)«ZᦈḄz9ᡈ¦4ᦪ©、ᨴ、zᡈ¦4。DateSerial(year,month,day)©ZᦈḄᦪᔠOÁ%¿>ᨵz9Ḅ0316Ḅᦪ�。DateValue(datetime)s�ᔠL�³᪵Ḅz9@,Oᒹó¦4。Day(datetime)«ZᦈḄz9ᦪ©Ê。Eof(fiienumber)�S%¿}�Ḅᫀ°p¦§©11^。Exp(number)«ZᦈḄᦪ©eḄÞ@。FileDateTlme(pathname)©ᫀ·Û¦Ḅz9、¦4。FileLen(p^thname)©ᫀḄ<»,ᓫð6>ᦈ。Filter(sourcearray,match[,include[,compare]])µ[QᦪÙKḄᢣQ,� 112��⌮ᔣᑖ᪆�ᵨᢈ� ᦪÙᐗÄKóᨵᢣQ,§©ñ°ᔠᡂtḄQᦪÙO©。¹ ⌕©WóᢣQḄᦪÙᐗÄ,ᑣU1^106ᦪ³Á?31%。000^&^ᦪᑣ ³µ[¦ᔲ[ᑖᑏ,�¦>⌕¥TextCompareïᦪᡈ1ᓽ»。Fix(number)LᣵᦪḄᦪnᑖO©。Format(expression[,style[,firstdayofweek[,firstweekofyear]]])©z9、¦4²ᦪ@ôᧇÚÁ_¿Lh�»ÍZôḄ。#FormatCurrency(expression[,numdigitsafterdecimal[,includeleadingdigit]])©ᦪ@Q-Á。numdigitsafterdecimalᦪÁᦪQᦪ,includeleadingdigitᦪÁ�ᦪÁ0¦ᔲ⊡«ᦪQᦪ。FormatDateTime(date[,namedformat])©ᓄḄz9ᡈ¦4ᦪ�。FormatNumber(expression[,numdigitsafterdecimal[,includeleadingdigit]])©ᓄḄᦪ@ᦪ�。numdigitsafterdecimalᦪÁᦪQᦪ,includeleadingdigitᦪÁ�ᦪÁ0¦ᔲ⊡«ᦪQᦪ。FormatPercent(expression[,numdigitsafterdecimal[,includeleadingdigit]])©ÚᣚÁOᑖcḄᦪ@ᦪ�。01`è&1^(16€U0^1ᦪÁᦪQᦪ,U0(^^1-1^%U〖ᦪÁ�ᦪÁ0¦ᔲ⊡«ᦪQᦪ。GetAttr(filename)©ᫀᡈ�äḄbឋ@。Hex(number)©ᦪ@ᦪÚᣚÁᓝ³Öᑴ@。Hour(time)©¦4Ḅ¦QÜ,^^86%Iif(expression,truepart,falsepart)�⊤Ḅ©@ÁTrue¦VtruepartQÜḄDE,ÆÇᑣVU0^ᓺᢕQÜ。InStr([start,]stringl,8.1^2)µ[8^1²2ᦪ³ḄQ-ᙠQḄSj¿Q,8_ÁᵫSj¿Q}6[,%1Áµ[ḄQ,%2Áµ[ḄQ。Int(number)©+ᡈÏ+ZᦈᦪḄᨬᜧᦪ@。18^V(〃01001^)ᑨÔ%¿5 ᔲÁᦪÙ,¹ÁᦪÙᑣ©True,ÆÇᑣÁFalse。IsDbNull(expression)ᑨÔ⊤ᑁ.ᔲÁ1^11,¹ ᑣ©¯0^,ÆÇᑣÁ"056。IsNumeric(expression)ᑨÔ⊤ᑁ.ᔲÁᦪ@,¹ ᑣ©True,ÆÇᑣÁFalseoJoin(sourcearray[,delimiter])©QᦪÙᔠOÁ%¿Q,4600^6Uᦪ ³ᙠᔜ¿ᐗÄ43ᐭtḄQ。Lcase(string)©QÚᣚÁᑏQ~。Left(string,length)ᵫQª}6s�^²-ᦪ³<»ḄQ。Len(string)s�QḄ<»。Log(number)s�ᦪ@Ḅᯠᦪ。Ltrim(string)LᣵQḄª3×nᑖ。Mid(string,start[,length])s-QK81^ᦪ³ḄQK^ᢓ<»ḄQ,¹ᓄ1^�ᦪᨵ³,ᑣs©81^ÍKᐰnḄQ。,Minute(time)s�¦4ᑁ.Ḅᑖnᑖ,Á11^86^。 ▬äM�ᦪåæ113MkDir(path)·Û%¿tḄ�ä。Month(date)s�z9Ḅᨴnᑖ,Áឰ6+6『。MonthName(month)«ZᦈḄᨴXᦪ@s��ᨴXḄÓᑏÓ。Now()s��#Ḅz9²¦4。Oct(number)©ᦪ@ᦪÚᣚÁMÖᑴ@。Replace(expression,find,replace)©QKfindᦪᢣḄQÚᣚÁrephceᦪᢣḄQ。Right(string,length)ᵫQr}6s�ᓄV�ᦪ³<»ḄQ。RmDir(path){◀%¿3Ḅ�ä。Rnd()s�+0〜1Ḅᦪ,7_�⌕s�W�Ḅ@,ᵨ#3Y?“!H。Rtrim(string)LᣵQḄr3×nᑖ。Second(time)s�¦4ᑁ.Ḅnᑖ,Á11^ᕂ6。Sign(number)s�ᦪ@ᑁ. Ãᦪᡈᦪ,Ãᦪ©1,ᦪ©-1,0©0。Sin(number)s�%¿º»ḄÃ@。Space(number)s�Ö^ᓄ€1ᦪ³Ḅ3×Q。Split(expression[,deHmiter])Í(^1U11^61ᦪ³Ḅᩩ�Qᩭ©QᑖᒘÁQᦪÙ。Sqrt(number)s�%ᦪ@Ḅ@Þ᪷。Str(number)©ᦪQÚÁQK©。StrReverse(expression)s�Qᑁ.ÆÚKḄ°7。Tan(number)s�8¿º»ḄÃᑗ@。TimeOfDay()s��#Wᒹóz9Ḅ¦4。Timer()s�ᵫ0:00ᑮ�#¦4Ḅᦪ,Á^�S。TimeSerial(hour,minute,86€0»^)©ZᦈḄᦪᔠOÁ%¿>ᨵ¦40316Ḅᦪ�。TimaVaIue(time)s�ᔠL�³᪵Ḅ¦4@。Today()s�÷ᜩWᒹó¦4ḄÊ9。Trim(string)LᣵQ}ᜮ²°pḄ3×。TypeName(vamame)s�5ÎᡈḄ。Ubound(arrayname[,dimension])s�ᦪÙḄᨬ�åæ@,dimensionᦪ ᢣs�Sj,»Ḅᨬ�åæ@。Val(string)©Ô⊤ᦪQḄQÚᣚÁᦪ@,¹QKóᨵ¹ᦪQḄᑁ.ᑣ§©ᐸL◀K,ᔠOÁ%¿ᦪQ。Weekday(date)s�ᦪKḄz9 %¿¥9ḄSjᜩ,¥9ᜩÁ1、¥9%Á2、¥9Á3,«��Ø。-WeekDayName(number)«ZᦈḄᦪs�¥9Ḅ+À,»ZᦈḄᦪÁ1〜7,¥9ᜩÁ1、¥9%Á2、¥9Á3,«��Ø。 èὃᦻê[1]MattPietrek.Windows95SystemProgrammingSECRETS.ᩲ,Y.[2].ᐵ+Iᓄ0¥$95JḄ»Vᦻ�Ḅ3ÊẆ�.www.zoudan.com.[3]ᡂὀ.80086Ì�;
