
Untitled

a guest
Apr 14th, 2016
  1. Log data
  2. Address Message
  3. Themida - Winlicense Ultra Unpacker 1.4
  4. -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  5.  
  6. 00340A0F Breakpoint at 00340A0F
  7. 00340A10 Breakpoint at 00340A10
  8. 00350054 Breakpoint at 00350054
  9.  
  10. OS=x64 64-Bit
  11. Warning!
  12. The StrongOD KernelMode will not work on a 64 Bit OS!
  13. Use the TitanHide tool instead or ScyllaHide plugin!
  14. 00350056 Breakpoint at 00350056
  15. 00370021 Breakpoint at 00370021
  16. 00370028 Breakpoint at 00370028
  17.  
  18. 2.000 MB +/-
  19.  
  20. 4.796 MB +/-
  21. Dll Can Move Option is Enabled! = Diffrent loading of targetbase!
  22. You need to disable this option or system ASLR!
  23. Dll Can Move was disabled in PE Header now before dumping later!
  24.  
  25. Your target is a >>> Dynamic <<< Link Library!
  26.  
  27. Note: If possible then don't use the VM OEP for dlls if real OEP is not stolen!
  28. Change VM OEP after popad to JMP Target OEP!
  29. Or
  30. Just set a another push 0 before VM OEP push = 2 pushes before jump to WL VM!
  31.  
  32. OEP change if you want to keep VM OEP for Dll
  33. -------------------------------------------------
  34. popad
  35. mov ebp, Align
  36. push 0
  37. push VM OEP Value
  38. jmp WL VM
  39. -------------------------------------------------
  40.  
  41. Exsample: Not stolen Dll OEP!
  42. -------------------------------------------------
  43. 100084D2 MOV EDI,EDI
  44. 100084D4 PUSH EBP
  45. 100084D5 MOV EBP,ESP
  46. 100084D7 CMP DWORD PTR SS:[EBP+0xC],0x1 <-- check for 1 must be inside to run the Dll
  47. 100084DB JNZ SHORT 100084E2 <-- Don't jump if value 1 is inside stack
  48.  
  49. Stack: At Target OEP / Not stolen
  50. -------------------------------------------------
  51. $ ==> 7C91118A RETURN to ntdll.7C91118A
  52. $+4 10000000 Dll_X.10000000 <-- Base
  53. $+8 00000001 <-- 1
  54. $+C 00000000
  55.  
  56. ImageBase in PE keep same = File was loaded with original ImageBase!
  57.  
  58.  
  59. PE HEADER: 6D920000 | 1000
  60. CODESECTION: 6D921000 | 114000
  61. PE HEADER till CODESECTION Distance: 1000 || Value of 1000 = Normal!
  62. Your Target seems to be a normal file!
  63.  
  64. Unpacking of NET targets is diffrent!
  65. Dump running process with WinHex and then fix the whole PE and NET struct!
  66.  
  67. 0038064B Breakpoint at 0038064B
  68.  
  69. Overlay found & dumped to disk!
  70.  
  71. Disasembling Syntax: MASM (Microsoft) <=> OK
  72.  
  73. Show default segments: Enabled
  74. Always show size of memory operands: Enabled
  75. Extra space between arguments: Disabled
  76.  
  77. StrongOD Found!
  78. ----------------------------------------------
  79. HidePEB=1 Enabled = OK
  80. KernelMode=1 Enabled = OK
  81. KillPEBug=1 Enabled = OK
  82. SkipExpection=1 Enabled = OK
  83. Custom Exceptions Enabled = 00000000-FFFFFFFF
  84. DriverName=TitanHid
  85.  
  86. DRX=1 Enabled = OK
  87.  
  88. ----------------------------------------------
  89.  
  90.  
  91. Basic Olly & Plugin Settings seems to be ok!
  92. No InfoBox to User to show now!
  93.  
  94. 6DDCE009 Breakpoint at x3.6DDCE009
  95. 6DDCE00B Breakpoint at x3.6DDCE00B
  96.  
  97. Windows 7 or higher found!
  98.  
  99.  
  100. Newer SetEvent & Kernel32 ADs Redirecting in Realtime is disabled by user!
  101.  
  102.  
  103. Kernel Ex Table Start: 76BA01A0
  104. 003C003F Breakpoint at 003C003F
  105.  
  106. PE DUMPSEC: VA 6DDD0000 - VS 3F000
  107. PE ANTISEC: VA 6DDD1000
  108. PE OEPMAKE: VA 6DDD1600
  109. SETEVENT_VM: VA 6DDD21D0
  110. PE I-Table: VA 6DDD3000
  111. VP - STORE: VA 6DDD2F00
  112. and or...
  113. API JUMP-T: VA 6DDD3000
  114. 003C003F Breakpoint at 003C003F
  115.  
  116. RISC VM Store Section VA is: 6DE10000 - VS 200000
  117. 003C0041 Breakpoint at 003C0041
  118. 6DA889C4 Hardware breakpoint 1 at x3.6DA889C4
  119.  
  120. Found WL Intern Export API Access at: 6DA88DF2
  121.  
  122. Use this address to get all intern access WL APIs!
  123. 76AF1832 Hardware breakpoint 2 at kernel32.VirtualAlloc
  124.  
  125. ---------- Loaded File Infos ----------
  126.  
  127. Target Base: 6D920000
  128.  
  129. Kernel32 Base: 76AE0000
  130.  
  131. Kernel32 SORD: 76AE01F0 | D0000
  132. Kernel32 SORD: 76AE01F8
  133.  
  134. User32 Base: 761E0000
  135. Advapi32 Base: 763A0000
  136. ---------------------------------------
  137.  
  138. WL Section: 6DA85000 | 21F000
  139.  
  140. WL Align: 61B15014 | EBP Pointer Value
  141.  
  142.  
  143. XBundler Prepair Sign not found!
  144. CISC VM is located in the Themida - Winlicense section 6DA85000 | 21F000.
  145.  
  146.  
  147. No VMWare Check Pointer Inside WL found yet!
  148.  
  149.  
  150. Found No SetEvent WL Location!
  151.  
  152. Found No LoadLibraryA WL Location!
  153.  
  154. Found No FreeLibrary WL Location!
  155.  
  156. TF_FIRST: 6DBC88ED
  157.  
  158.  
  159. Auto XBundler Checker & Dumper is enabled!
  160. If XBunlder Files are found in auto-modus then they will dumped by script!
  161. If the auto XBunlder Dumper does fail etc then disable it next time!
  162.  
  163.  
  164. Anti Access Stop on Code Section was Set!
  165.  
  166. Moddern MJM Scan Chosen!
  167.  
  168. Normal IAT Patch Scan Was Written!
  169.  
  170. No VMWare Check Pointer Inside WL found yet!
  171.  
  172. 70070000 Module C:\Windows\SysWOW64\winmm.dll
  173. 004C0306 Hardware breakpoint 3 at 004C0306
  174.  
  175. VMWare Address: 6DA8880A | 0
  176.  
  177.  
  178. VMWare Checks are not Used & Disabled by Script!
  179.  
  180. 004A0033 Hardware breakpoint 1 at 004A0033
  181. 771DE1AC Hardware breakpoint 3 at ntdll_12.771DE1AC
  182.  
  183. Heap Prot was redirected!
  184. 75FB0000 Module C:\Windows\SysWOW64\wininet.dll
  185. 758A0000 Module C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll
  186. 765C0000 Module C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
  187. 75DE0000 Module C:\Windows\SysWOW64\shlwapi.dll
  188. 75A10000 Module C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll
  189. 72480000 Module C:\Windows\SysWOW64\version.dll
  190. 761C0000 Module C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll
  191. 74B70000 Module C:\Windows\SysWOW64\normaliz.dll
  192. 75BA0000 Module C:\Windows\SysWOW64\iertutil.dll
  193. 75F60000 Module C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll
  194. 76BF0000 Module C:\Windows\SysWOW64\userenv.dll
  195. 75F50000 Module C:\Windows\SysWOW64\profapi.dll
  196. 769B0000 Module C:\Windows\SysWOW64\crypt32.dll
  197. 76950000 Module C:\Windows\SysWOW64\msasn1.dll
  198. 765D0000 Module C:\Windows\SysWOW64\setupapi.dll
  199. 76770000 Module C:\Windows\SysWOW64\cfgmgr32.dll
  200. 76960000 Module C:\Windows\SysWOW64\devobj.dll
  201. 71D50000 Module C:\Windows\SysWOW64\hid.dll
  202. 71D60000 Module C:\Windows\SysWOW64\IPHLPAPI.DLL
  203. 761D0000 Module C:\Windows\SysWOW64\nsi.dll
  204. 71D40000 Module C:\Windows\SysWOW64\winnsi.dll
  205. 74B80000 Module C:\Windows\SysWOW64\shell32.dll
  206. 75F70000 Module C:\Windows\SysWOW64\ws2_32.dll
  207. 6DC46135 Hardware breakpoint 2 at x3.6DC46135
  208. 6D921000 Problems when disabling memory breakpoint:
  209. 6D921000 Access to memory changed from RE to RWE (original RWECopy)
  210. 6DC4E1AB Memory breakpoint when writing to [6D921000]
  211.  
  212. 6DC4E1AB - REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
  213. 6DC4E1AD Breakpoint at x3.6DC4E1AD
  214. 004C02AF Breakpoint at 004C02AF
  215.  
  216. First Found 4 Magic Jumps!
  217. ------------------------------
  218. MJ_1: 6DC650FE
  219. MJ_2: 6DC6511A
  220. MJ_3: 6DC65158
  221. MJ_4: 6DC65187
  222. ------------------------------
  223.  
  224. Modern TM WL Version Found!
  225.  
  226.  
  227. -------- IAT RD DATA ---------
  228.  
  229. 6DBE7A14 - CMP R32, 10000
  230.  
  231. 6DC64597 - Prevent Crasher
  232.  
  233. 6DC650FE - Prevent IAT RD
  234. 6DC6511A - Prevent IAT RD
  235. 6DC65158 - Prevent IAT RD
  236. 6DC65187 - Prevent IAT RD
  237. --------------------------------
  238.  
  239. 6DC650FE Hardware breakpoint 2 at x3.6DC650FE
  240.  
  241. ----- First API In EAX -----
  242. API ADDR: 76AF1AF4 | MODULE NAME: kernel32 | API NAME: GetFileAttributesW
  243. ----------------------------
  244.  
  245. MJs and Nopper was patched!
  246.  
  247.  
  248. IAT LOG & COUNT WAS SET!
  249.  
  250.  
  251. IAT WAS MANUALLY PATCHED!
  252. 6DBAFD6B Breakpoint at x3.6DBAFD6B
  253.  
  254. EFL Patch at: 6DBAFD6B
  255. 6DB267C9 Breakpoint at x3.6DB267C9
  256.  
  257. Found no base in registers!
  258.  
  259. 6DC63DE5 Hardware breakpoint 2 at x3.6DC63DE5
  260.  
  261. Special >> NEW << IAT Patch was written!
  262. 6DC67F4C Hardware breakpoint 1 at x3.6DC67F4C
  263.  
  264. It can be that the VM OEP can not found yet at this moment!
  265. In some cases the WL code is not created at this late point!
  266. So if the created VM OEP data will fail then use the real OEP!
  267. Or find the VM OEP manually!
  268. Come close at the end and find VM On/Off switch!
  269. Do Input 1 / Output 0 steps via HWBP write!
  270. Test on CISC first - MemBPWrite Code = REP DW [EDI],[ESI]
  271. Now set HWBP on GetProcessHeap and return = close at the end!
  272. VM OEP = Align + Pre Push (TIGER & FISH VM Only) VM + Push + JMP Handler!
  273. For newer version you need to use Align to EBP before entering the VM!
  274. Find that later created commands at OEP in WL section...
  275. MOV R32,R32 | ADD R32,R32 | JMP R32
  276. Break on the founds and trace forward till Handler start and check push values!
  277. Check out my video to see a exsample about it!
  278.  
  279.  
  280. SetEvent VM AD was redirected to: 6DDD21D0 x 1!
  281.  
  282. 2.) NEWER VM SIGN FOUND!
  283.  
  284. 02610193 Breakpoint at 02610193
  285. Possible VM OEP STOP FOUND AT: 6DBC88ED
  286. 004A0033 Hardware breakpoint 1 at 004A0033
  287. 771DE1AC Hardware breakpoint 2 at ntdll_12.771DE1AC
  288.  
  289. Heap One was redirected!
  290. 004A0033 Hardware breakpoint 1 at 004A0033
  291. 771DE1AC Hardware breakpoint 2 at ntdll_12.771DE1AC
  292.  
  293. Heap Two was redirected!
  294. 6D9883B6 Memory breakpoint when executing [6D9883B6]
  295.  
  296. 000002DB
  297. 00379C19
  298. 0054011C Breakpoint at 0054011C
  299.  
  300. FOUND_API_COUNTS: 00000113
  301. 00580149 Breakpoint at 00580149
  302. 00580174 Breakpoint at 00580174
  303.  
  304. Problem!Logged API was not found in Code!
  305. ++++++++++++++++++++++++++++++++++
  306. Search Section: 6D921000
  307. Search End : 6DA34FF0
  308.  
  309. API_TOP: 02630010
  310. API_END: 0263045C
  311.  
  312. API_ADDR: 76AF1AF4
  313. API_ADDR: 75F73EB8
  314.  
  315. FOUND_API_COUNTS: 00000113
  316.  
  317. API_TOP_NAME: kernel32.GetFileAttributesW
  318. API_END_NAME: ws2_32.socket
  319. ++++++++++++++++++++++++++++++++++
  320. 00580174 Breakpoint at 00580174
  321.  
  322. Problem!Logged API was not found in Code!
  323. ++++++++++++++++++++++++++++++++++
  324. Search Section: 6D921000
  325. Search End : 6DA34FF0
  326.  
  327. API_TOP: 02630010
  328. API_END: 0263045C
  329.  
  330. API_ADDR: 76AF1AF4
  331. API_ADDR: 75F73EB8
  332.  
  333. FOUND_API_COUNTS: 00000113
  334.  
  335. API_TOP_NAME: kernel32.GetFileAttributesW
  336. API_END_NAME: ws2_32.socket
  337. ++++++++++++++++++++++++++++++++++
  338. 00580174 Breakpoint at 00580174
  339.  
  340. Problem!Logged API was not found in Code!
  341. ++++++++++++++++++++++++++++++++++
  342. Search Section: 6D921000
  343. Search End : 6DA34FF0
  344.  
  345. API_TOP: 02630010
  346. API_END: 0263045C
  347.  
  348. API_ADDR: 76AF1AF4
  349. API_ADDR: 75F73EB8
  350.  
  351. FOUND_API_COUNTS: 00000113
  352.  
  353. API_TOP_NAME: kernel32.GetFileAttributesW
  354. API_END_NAME: ws2_32.socket
  355. ++++++++++++++++++++++++++++++++++
  356. 00580174 Breakpoint at 00580174
  357.  
  358. Problem!Logged API was not found in Code!
  359. ++++++++++++++++++++++++++++++++++
  360. Search Section: 6D921000
  361. Search End : 6DA34FF0
  362.  
  363. API_TOP: 02630010
  364. API_END: 0263045C
  365.  
  366. API_ADDR: 76AF1AF4
  367. API_ADDR: 75F73EB8
  368.  
  369. FOUND_API_COUNTS: 00000113
  370.  
  371. API_TOP_NAME: kernel32.GetFileAttributesW
  372. API_END_NAME: ws2_32.socket
  373. ++++++++++++++++++++++++++++++++++
  374. 00580174 Breakpoint at 00580174
  375.  
  376. Problem!Logged API was not found in Code!
  377. ++++++++++++++++++++++++++++++++++
  378. Search Section: 6D921000
  379. Search End : 6DA34FF0
  380.  
  381. API_TOP: 02630010
  382. API_END: 0263045C
  383.  
  384. API_ADDR: 76AF1AF4
  385. API_ADDR: 75F73EB8
  386.  
  387. FOUND_API_COUNTS: 00000113
  388.  
  389. API_TOP_NAME: kernel32.GetFileAttributesW
  390. API_END_NAME: ws2_32.socket
  391. ++++++++++++++++++++++++++++++++++
  392. 00580174 Breakpoint at 00580174
  393.  
  394. Problem!Logged API was not found in Code!
  395. ++++++++++++++++++++++++++++++++++
  396. Search Section: 6D921000
  397. Search End : 6DA34FF0
  398.  
  399. API_TOP: 02630010
  400. API_END: 0263045C
  401.  
  402. API_ADDR: 76AF1AF4
  403. API_ADDR: 75F73EB8
  404.  
  405. FOUND_API_COUNTS: 00000113
  406.  
  407. API_TOP_NAME: kernel32.GetFileAttributesW
  408. API_END_NAME: ws2_32.socket
  409. ++++++++++++++++++++++++++++++++++
  410. 00580174 Breakpoint at 00580174
  411.  
  412. Problem!Logged API was not found in Code!
  413. ++++++++++++++++++++++++++++++++++
  414. Search Section: 6D921000
  415. Search End : 6DA34FF0
  416.  
  417. API_TOP: 02630010
  418. API_END: 0263045C
  419.  
  420. API_ADDR: 76AF1AF4
  421. API_ADDR: 75F73EB8
  422.  
  423. FOUND_API_COUNTS: 00000113
  424.  
  425. API_TOP_NAME: kernel32.GetFileAttributesW
  426. API_END_NAME: ws2_32.socket
  427. ++++++++++++++++++++++++++++++++++
  428. 00580174 Breakpoint at 00580174
  429.  
  430. Problem!Logged API was not found in Code!
  431. ++++++++++++++++++++++++++++++++++
  432. Search Section: 6D921000
  433. Search End : 6DA34FF0
  434.  
  435. API_TOP: 02630010
  436. API_END: 0263045C
  437.  
  438. API_ADDR: 76AF1AF4
  439. API_ADDR: 75F73EB8
  440.  
  441. FOUND_API_COUNTS: 00000113
  442.  
  443. API_TOP_NAME: kernel32.GetFileAttributesW
  444. API_END_NAME: ws2_32.socket
  445. ++++++++++++++++++++++++++++++++++
  446. 0058017B Breakpoint at 0058017B
  447.  
  448. 6D9D0000
  449. 6D9D0474
  450. 00000478
  451.  
  452.  
  453. Found IAT start and end!
  454.  
  455. No Second SAD Found!
  456. Found no first SAD in target!
  457.  
  458. ---------- NEW INFO ----------
  459.  
  460. NEW VM OEP SCAN
  461.  
  462. WL ALIGIN Mov EBP is: 61B15014
  463. VM OEP Push Pre is: 379C19
  464. VM OEP Push is: 2DB
  465. VM OEP Jump is: 6DBC88ED
  466.  
  467. ------------------------------
  468.  
  469.  
  470. No VM OEP Routines to rebuiled!
  471.  
  472. 005B0180 Breakpoint at 005B0180
  473.  
  474. ----- SLEEP APIS -----
  475.  
  476. ----- Found 1 --------
  477.  
  478. VM Sleep API Fixed at: 6DBDB472
  479.  
  480. ----------------------
  481.  
  482. 02610146 Breakpoint at 02610146
  483. 02610149 Breakpoint at 02610149
  484.  
  485. VM OEP Address found! - Is in use!
  486.  
  487.  
  488. VM ADDR: 6DC9A74E
  489. VM ALIGN MOV : 61B15014
  490. VM PUSH PRE : 379C19
  491. VM PUSH : 2DB
  492. VM JUMP : 6DBC88ED
  493.  
  494.  
  495. New Created OEP is: VA 6DDD1600
  496.  
  497. Your target is a DLL file so to use a VM OEP is a bad idea!
  498. Choose to use the real DLL OEP if its not stolen!
  499.  
  500. Stack:
  501. ------------------------------
  502. $ ==> | CFC38 | 771E9364
  503. $+4 | CFC3C | 6D920000
  504. $+8 | CFC40 | 1
  505. $+C | CFC44 | 1
  506. ------------------------------
  507.  
  508.  
  509. Using VM OEP in DLL was disabled by user choice!
  510.  
  511. 0261018D Breakpoint at 0261018D
  512. 0261018D Breakpoint at 0261018D
  513. 02610190 Breakpoint at 02610190
  514. 0261018D Breakpoint at 0261018D
  515. 02610190 Breakpoint at 02610190
  516. 026101E8 Breakpoint at 026101E8
  517.  
  518. ---------- SDK API LIST ----------
  519.  
  520. ----------------------------------
  521.  
  522. 026101A8 Breakpoint at 026101A8
  523. 026101AA Breakpoint at 026101AA
  524. 026101B0 Breakpoint at 026101B0
  525. 02610173 Breakpoint at 02610173
  526.  
  527. Found no JMP to wsprintfA APIs x2!
  528.  
  529. CRYPT-to-CODE will not fixed!
  530.  
  531.  
  532. --------------------------
  533. Check Code Integrity Macro Found at: 6DC960C0
  534. Check Code Integrity Macro Found at: 6DC9621D
  535. Check Code Integrity Macro Found at: 6DC963B3
  536.  
  537. Patch Check Code Integrity Macro Manually!
  538. --------------------------
  539. 02610197 Breakpoint at 02610197
  540. 02610199 Breakpoint at 02610199
  541. 02610197 Breakpoint at 02610197
  542. 02610199 Breakpoint at 02610199
  543. 02610129 Breakpoint at 02610129
  544. 0261018D Breakpoint at 0261018D
  545. 0261018D Breakpoint at 0261018D
  546. 02610190 Breakpoint at 02610190
  547.  
  548. ---------- IAT DATA ----------
  549.  
  550. IAT START: 6D9D0000 | 763B141E | advapi32.RegSetValueExW
  551.  
  552. IAT END : 6D9D0474 | 758F9CBB | ole32.CoCreateInstance
  553.  
  554. IAT SIZE : 478
  555.  
  556. IAT APIs : 275 | Dec
  557.  
  558. ------------------------------
  559.  
  560.  
  561. Start of new direct IAT fixing!
  562. Better search and fix pattern used!
  563. Only fixing direct APIs of real entered IAT start til End by user!
  564.  
  565. 02A60020 Breakpoint at 02A60020
  566. 02A60039 Breakpoint at 02A60039
  567. 02A60039 Breakpoint at 02A60039
  568. 02A60031 Breakpoint at 02A60031
  569. 02A60031 Breakpoint at 02A60031
  570. 02A6002E Breakpoint at 02A6002E
  571. 02A60033 Breakpoint at 02A60033
  572. 02A60035 Breakpoint at 02A60035
  573. 02A60035 Breakpoint at 02A60035
  574. 02A60035 Breakpoint at 02A60035
  575. 02A60041 Breakpoint at 02A60041
  576. 02A60035 Breakpoint at 02A60035
  577. 02A60035 Breakpoint at 02A60035
  578. 02A6003E Breakpoint at 02A6003E
  579. 02A6002F Breakpoint at 02A6002F
  580. 02A60031 Breakpoint at 02A60031
  581. 02A60036 Breakpoint at 02A60036
  582. 02A6003C Breakpoint at 02A6003C
  583. 02A60041 Breakpoint at 02A60041
  584. 02A60041 Breakpoint at 02A60041
  585. 02A60029 Breakpoint at 02A60029
  586. 02A60029 Breakpoint at 02A60029
  587. 02A60039 Breakpoint at 02A60039
  588.  
  589. New IAT Patching way was executed!
  590.  
  591.  
  592. API FOUND : 1403 and fixed DIRECT APIs to original IAT by user data.
  593.  
  594. 02610142 Breakpoint at 02610142
  595. 02A80001 Breakpoint at 02A80001
  596. 02A80015 Breakpoint at 02A80015
  597.  
  598. No Delphi Sign found and no TLS deleted!
  599.  
  600.  
  601. Codesection was set to writeable by script before dumping!
  602.  
  603. IATStore-Section is already set to writeable!
  604. 02A90047 Breakpoint at 02A90047
  605.  
  606. The old original Import Table was deleted!
  607.  
  608. No SetEvent to fix!
  609.  
  610. No LoadLibraryA to fix!
  611.  
  612. No FreeLibrary to fix!
  613.  
  614. eax: 02AA0000 | ASCII "D:\_RE\tools\odbg201\plugins\ARImpRec.dll"
  615. ecx: 76AF499F | kernel32.LoadLibraryA
  616. 40000000 Module D:\_RE\tools\odbg201\plugins\ARImpRec.dll
  617. eax: 40000000 | ASCII "MZP"
  618.  
  619. ecx: 02AA0000 | ASCII "TryGetImportedFunction@24"
  620. eax: 40000000 | ASCII "MZP"
  621. edi: 76AF1222 | kernel32.GetProcAddress
  622. eax: 4001F894 | ARImpRec.TryGetImportedFunction@24
  623.  
  624. esi: 6D9D0000
  625. edi: 02BD0000
  626. ecx: 00000478
  627.  
  628. ---------- Pre Calculated Table datas ----------
  629.  
  630. I_TABLE Start VA: 6DDD3000 - Size: 2CD8
  631.  
  632. P_TABLE Start VA: 6DDD5CD8 - Size: 11F0
  633.  
  634. S_TABLE Start VA: 6DDD6EC8 - Size: OpenEnd
  635.  
  636. ------------------------------------------------
  637.  
  638. ---------- ITA ----------
  639. Import Table Address RVA: 16406D
  640. Import Table Size : 95
  641. -------------------------
  642. 02BF02C4 Breakpoint at 02BF02C4
  643.  
  644. --------- ITA NEW --------
  645. Import Table Address RVA: 4B3000
  646. Import Table Size : 157C
  647. -------------------------
  648.  
  649. VP STORE: 6DDD2F00 - 76AF4327 - kernel32.VirtualProtect
  650. 02BF02C4 Breakpoint at 02BF02C4
  651.  
  652. PE ADS + IAT: VA 6DDD0000 | RVA 4B0000 | 9092 Raw
  653. 02BF02C4 Breakpoint at 02BF02C4
  654. 02BF02D8 Breakpoint at 02BF02D8
  655.  
  656. PE was dumped to disk!
  657. PE_ADS - 6DDD0000 - 9092
  658.  
  659. eax: 02C40000 | ASCII "D:\Games\GarenaAVA\GameData\Apps\AVA\Binaries\XIGNCODE.TPE\x3.xem"
  660. eax: 02C4003B | ASCII "x3.xem"
  661. x3.xem
  662. eax: 02C40041 | ASCII "msvcrt.dll"
  663. edi: 76AF499F | kernel32.LoadLibraryA
  664. eax: 75AF0000
  665.  
  666. malloc: 75AF9CEE | msvcrt.malloc
  667. free: 75AF9894 | msvcrt.free
  668. ldiv: 75AFF908 | msvcrt.ldiv
  669.  
  670. OEP_RVA: 004B1600
  671. 02C60192 Breakpoint at 02C60192
  672.  
  673. CodeStart VA: 6D921000 | CODE-FIRST-ZERO-BYTE-TILL-END VA: 6DA1B6D8 | CODERAWSIZE: FA6E0 +8
  674.  
  675. Codesection Splitting with Auto-optimizing not necessary!
  676. 02C8057D Breakpoint at 02C8057D